Hi,
I am trying to reject access to a subnet with the ICMP reason icmp-net-prohibited. In iptables, I would use this command:
iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -j REJECT --reject-with icmp-net-prohibited
In my network, I would like to be more specific why accessing the subnet does not work. I am aware that servers exposed to the internet should not give any information and use DROP instead.
In fw3, I tried to use the extra parameter, which is described as
Extra arguments passed directly to iptables. Note that these options are passed to both source and destination classification rules, therefore direction-specific options like --dport should not be used here - in this case the extra_src and extra_dest options should be used instead.
With fw3 I tried this:
config rule
	option enabled '1'
	option src 'lan'
	option dest 'wan'
	option name 'reject-test'
	option src_ip '192.168.0.0/24'
	option dest_ip '192.168.1.0/24'
	option target 'REJECT'
	option extra '--reject-with icmp-net-prohibited'
	option proto 'all'
When reloading the firewall config, this error is printed:
Warning: parse_option(): unknown option '--reject-with'
Warning: fw3_ipt_rule_append(): Bad argument 'icmp-net-prohibited'
Warning: parse_option(): unknown option '--reject-with'
Warning: fw3_ipt_rule_append(): Bad argument 'icmp-net-prohibited'
Obviously, the extra, extra_src and extra_dest parameters are not suitable for adding parameters to the end of an iptables command, although the first sentence in the documentation "Extra arguments passed directly to iptables." sounded promising.
Is there another elegant way of rejecting access to a subnet with an ICMP reason, or do I end up writing a shell script which inserts the iptables rule in the correct position?
Thanks for your answers!
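The shell-script route the post mentions, as an added example that is not part of the original post and not code from OpenWrt or fw3. It assumes a POSIX sh (BusyBox ash on OpenWrt), that it is sourced from a hook fw3 runs after loading its own rules (such as /etc/firewall.user), and that the IPTABLES variable may be pointed at a wrapper for dry runs. The rule is inserted at the top of FORWARD so fw3's own zone forwarding accepts cannot match first, and the insert is skipped when an identical rule is already present, so re-running the hook on every firewall reload does not stack duplicates.

```shell
#!/bin/sh
# Added example (not from the forum post, OpenWrt or fw3).
# Assumption: run after fw3 has loaded its rules, e.g. from /etc/firewall.user.
# IPTABLES may be overridden with a wrapper for testing or dry runs.
IPTABLES="${IPTABLES:-iptables}"

# Reasons accepted by the iptables REJECT target (--reject-with).
# tcp-reset is only valid for rules that match TCP, so it is a poor fit
# for a 'proto all' rule like the one in the post.
REJECT_REASONS="icmp-net-unreachable icmp-host-unreachable
icmp-port-unreachable icmp-proto-unreachable icmp-net-prohibited
icmp-host-prohibited icmp-admin-prohibited tcp-reset"

# Return 0 if $1 is a known reject reason, 1 otherwise.
valid_reject_reason() {
    for r in $REJECT_REASONS; do
        [ "$r" = "$1" ] && return 0
    done
    return 1
}

# Print the match/target part of the rule: SRC -> DST rejected with REASON.
reject_rule_spec() {
    printf '%s\n' "-s $1 -d $2 -j REJECT --reject-with $3"
}

# Insert the rule at position 1 of FORWARD unless an identical rule exists
# (iptables -C). Prints "inserted" or "present"; exit 2 on a bad reason.
apply_reject_rule() {
    src="$1"; dst="$2"; reason="${3:-icmp-net-prohibited}"
    valid_reject_reason "$reason" || {
        echo "bad reject reason: $reason" >&2
        return 2
    }
    spec=$(reject_rule_spec "$src" "$dst" "$reason")
    # $spec is intentionally word-split into separate iptables arguments.
    if $IPTABLES -C FORWARD $spec 2>/dev/null; then
        echo present
    else
        $IPTABLES -I FORWARD 1 $spec && echo inserted
    fi
}

# Usage with the subnets from the post (uncomment on the router):
# apply_reject_rule 192.168.0.0/24 192.168.1.0/24 icmp-net-prohibited
```

Because fw3 rebuilds its chains on every reload and then runs the hook again, the -C check is what keeps the rule count stable; without it each reload would add another copy at the top of FORWARD.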