Question 5) Cert-XK0-002 – CompCert: Linux+
Objective : Security
SubObjective : Given security requirements, implement basic IP tables/chains
Single Answer Multiple Choice
Which target in the ‘iptables’ command drops a matching packet and sends an error message back to the sender?
A. DROP
B. DENY
C. REJECT
D. RETURN
Answer:
C. REJECT
Tutorial:
The REJECT target drops the matching packet and sends an error message back to the sender. The ‘--reject-with type‘ option selects that message: the default is an ICMP port-unreachable; other choices include icmp-net-unreachable, icmp-host-unreachable and icmp-admin-prohibited, and for TCP packets only, tcp-reset, which answers with a TCP RST instead of an ICMP error. ICMP error replies are subject to the kernel's normal ICMP rate limiting. REJECT is only valid in the INPUT, FORWARD and OUTPUT chains and in user-defined chains called from them.
The DROP target silently discards the packet. No error message is sent back, so the sender sees nothing and usually waits until its own timeout expires.
There is no DENY target in ‘iptables’; DENY was a target of the older ipchains tool.
The RETURN target cannot drop a packet. When a RETURN target is encountered while traversing a chain, traversal of that chain stops and control is returned to the chain that called it; if the chain is a built-in one, the chain's policy is applied instead.
The ‘iptables’ command creates and manages the kernel tables that hold the rules for filtering IP packets. The classic tables are filter, nat and mangle (newer kernels add the raw and security tables). Each table contains a set of chains, and each chain is an ordered list of rules that packets are matched against. The filter table is the default and contains the INPUT, OUTPUT and FORWARD chains. The nat table contains the PREROUTING, OUTPUT and POSTROUTING chains. The mangle table contains the PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING chains.
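The following script is an added example, not part of the practice test or its tutorial. It builds a small filter-table ruleset in iptables-restore format that uses every target discussed above: a user-defined BLOCKLIST chain that DROPs one network and otherwise RETURNs to INPUT, REJECT with tcp-reset for unwanted TCP and with the default ICMP port-unreachable for unwanted UDP, and a final DROP. The blocked network 192.0.2.0/24 is a constructed sample from the RFC 5737 documentation range; the function names are assumptions for this example, not iptables options.

```shell
#!/bin/sh
# Added example: generate, syntax-check and optionally apply a filter ruleset
# that demonstrates the DROP, REJECT and RETURN targets of iptables.

BLOCKED_NET="192.0.2.0/24"   # constructed sample address range (RFC 5737)

# Emit the ruleset in iptables-restore format.
ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BLOCKLIST - [0:0]
-A BLOCKLIST -s ${BLOCKED_NET} -j DROP
-A BLOCKLIST -j RETURN
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j BLOCKLIST
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j DROP
COMMIT
EOF
}

# Count how many rules jump to a given target (e.g. count_target REJECT).
count_target() {
  ruleset | grep -c -- "-j $1"
}

# Parse the ruleset in the kernel without committing it. Needs root and
# iptables-restore; otherwise the check is skipped rather than failing.
check_ruleset() {
  if [ "$(id -u)" -ne 0 ] || ! command -v iptables-restore >/dev/null 2>&1; then
    echo "skipping kernel syntax check (needs root and iptables-restore)" >&2
    return 0
  fi
  ruleset | iptables-restore --test
}

# Commit the ruleset, replacing the current filter table.
apply_ruleset() {
  ruleset | iptables-restore
}

case "${1:-show}" in
  show)  ruleset ;;
  check) check_ruleset ;;
  apply) apply_ruleset ;;
  *)     echo "usage: $0 [show|check|apply]" >&2; exit 2 ;;
esac
```

Run it with `show` to review the rules, `check` as root to let iptables-restore parse them without loading, and `apply` to install them. Note that the REJECT rules for TCP and UDP come before the final DROP, so a client probing a closed port gets an immediate RST or ICMP error, while traffic from the blocklisted network is discarded inside BLOCKLIST before any of that; everything else falls through to the trailing DROP.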
Reference:
Linux Command Directory, iptables, http://www.linuxdevcenter.com/linux/cmd/cmd.csp?path=i/iptables
These questions are derived from the Transcender Practice Test for the CompTIA Linux+ certification exam.