REJECT with tcp reset does not work

We're using RedHat Linux 7.3 with all recent updates and the standard
kernel. I have structured my iptables rules so that they look like
this, for example:

....
iptables -A INPUT -d 0/0 -p tcp --dport 0:1023 -j local
iptables -A INPUT -d 0/0 -p udp --dport 0:1023 -j local
....
# A bunch of IP addresses or subnets
iptables -A local -s xxx.xxx.xxx.xxx/32 -j ACCEPT
iptables -A local -s xxx.xxx.xxx.xxx/32 -j ACCEPT
iptables -A local -m limit -j LOG --log-prefix "netfilter: "
iptables -A local -p tcp -j REJECT --reject-with tcp-reset
iptables -A local -p udp -j REJECT --reject-with icmp-port-unreachable

This works. However, when tcp connections are rejected, the machine
does not send a TCP reset packet back to senders even though I have
explicitly specified this action. According to tcpdump output, nothing
gets sent back when a packet is denied. So, essentially, -j REJECT
seems to be acting like -j DROP. In fact, I don't have a rule that
says -j DROP anywhere in this script. Does anyone know why this is
happening?


-akop

 

I have also observed the same behavior on an RH 7.3 firewall running the
latest RH errata-kernel (2.4.20-20.7). Rejecting with icmp-port
unreachable works, but not with tcp-reset (the RST-packet is never
sent). I haven't come across a solution to this, just thought I'd let
you know you are not alone.