man iptables
QUOTE:   REJECT
       This  is  used  to send back an error packet in response to the matched
       packet: otherwise it is equivalent to DROP so it is a terminating  TAR-
       GET,  ending  rule  traversal.  This target is only valid in the INPUT,
       FORWARD and OUTPUT chains,  and  user-defined  chains  which  are  only
       called  from those chains.  The following option controls the nature of
       the error packet returned:
       --reject-with type
              The type given can be
               icmp-net-unreachable
               icmp-host-unreachable
               icmp-port-unreachable
               icmp-proto-unreachable
               icmp-net-prohibited
               icmp-host-prohibited or
               icmp-admin-prohibited (*)
              which return the appropriate ICMP error  message  (port-unreach-
              able is the default).  The option tcp-reset can be used on rules
              which only match the TCP protocol: this causes a TCP RST  packet
              to  be  sent  back.   This  is  mainly useful for blocking ident
              (113/tcp) probes which frequently occur  when  sending  mail  to
              broken mail hosts (which won't accept your mail otherwise).
       (*)  Using  icmp-admin-prohibited  with  kernels that do not support it
       will result in a plain DROP instead of REJECT
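What it is, is all explained in there; you have to learn how to teach yourself.
Also, theirs is "--reject-with", while yours in some places seems to be "--reject -with", with an extra space; no wonder it reports an error.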
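
The check described in the reply, as an added example that is not part of the original post: a shell function that lints a rule line for the split `--reject -with` typo, for a type missing from the quoted list, and for `tcp-reset` on a rule that does not match TCP. The name `check_reject_rule` and the sample rules are constructed for illustration, and the function assumes words are separated by single spaces.

```shell
# check_reject_rule (hypothetical helper): inspects the text of one rule line,
# prints a verdict and returns 0 (ok) or 1 (problem). It never calls iptables.
check_reject_rule() {
    padded=" $1 "
    # The typo from the thread: a space splits the option in two.
    case "$padded" in
        *" --reject -with "*) echo "split-option"; return 1 ;;
    esac
    # No --reject-with at all: REJECT uses its default (port-unreachable).
    case "$padded" in
        *" --reject-with "*) ;;
        *) echo "ok"; return 0 ;;
    esac
    # Take the single word that follows --reject-with.
    rtype=${padded#* --reject-with }
    rtype=${rtype%% *}
    case "$rtype" in
        icmp-net-unreachable|icmp-host-unreachable|icmp-port-unreachable|\
        icmp-proto-unreachable|icmp-net-prohibited|icmp-host-prohibited|\
        icmp-admin-prohibited) echo "ok"; return 0 ;;
        tcp-reset)
            # tcp-reset is only valid on rules that match the TCP protocol.
            case "$padded" in
                *" -p tcp "*|*" --protocol tcp "*) echo "ok"; return 0 ;;
                *) echo "tcp-reset-needs-tcp"; return 1 ;;
            esac ;;
        *) echo "unknown-type"; return 1 ;;
    esac
}

# Constructed sample rules, one per line; the verdict is printed beside each.
while IFS= read -r r; do
    printf '%-20s %s\n' "$(check_reject_rule "$r")" "$r"
done <<'EOF'
iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject -with icmp-host-prohibited
iptables -A INPUT -j REJECT --reject-with icmp-foo
EOF
```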