I set up iptables firewall according to wiki here: https://wiki.archlinux.org/index.php/Si … PEN_chains
However, I am not sure if restoring the final rule like this:
# iptables -D INPUT -j REJECT --reject-with icmp-proto-unreachable
# iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
is also necessary after opening a new port, like this:
# iptables -A TCP -p tcp --dport 80 -j ACCEPT
# iptables -A UDP -p udp --dport 53 -j ACCEPT
Laptop: ThinkPad W500, C2D P9500, 8GB, Radeon RV635 (HD3650), Arch | Server/fw: Zotac AQ01, A4-5000 Kabini, 4GB, Arch/pfSense VM
Why not just drop it instead of rejecting it?
Never argue with stupid people, they will drag you down to their level and then beat you with experience. -- Mark Twain
You only need to restore the final rule if you are using one of the port scanning tricks from the wiki. If you follow the directions in the wiki for the port scanning tricks (they are optional), the final rule will no longer be final; the two-line section of code you quoted just puts it back in its proper position as the last rule in your INPUT chain. It really has nothing to do with opening ports in your TCP and UDP chains.
--reject-with icmp-proto-unreachable is supposed to be the proper response for this rule. A lot of people have opinions that dropping is better, and they are not hard to find on the internet. I use the "proper" response in my firewalls, I'll let you decide which you want in yours.
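An added example (not from this thread or the wiki) of the ordering point made above: open_port touches only the TCP/UDP user chains, reposition_final_reject deletes and re-appends the catch-all REJECT so it is last in INPUT again, and final_reject_is_last checks the text of `iptables -S INPUT` to confirm it. The function and variable names are my own; set IPTABLES=echo for a dry run without root.

```shell
#!/bin/sh
# Assumes the Arch wiki layout: TCP and UDP user chains, and a final
# REJECT rule at the end of INPUT. IPTABLES may be overridden for a dry run.
IPTABLES="${IPTABLES:-iptables}"
FINAL_RULE='INPUT -j REJECT --reject-with icmp-proto-unreachable'

# Open a service port in the TCP or UDP user chain. INPUT is not touched,
# so the final REJECT keeps its place.  Usage: open_port tcp 80 | open_port udp 53
open_port() {
    chain=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    $IPTABLES -A "$chain" -p "$1" --dport "$2" -j ACCEPT
}

# Anything appended to INPUT after the REJECT (e.g. the wiki's port-scan
# tricks) lands behind it; delete and re-append to make it the last rule again.
reposition_final_reject() {
    $IPTABLES -D $FINAL_RULE
    $IPTABLES -A $FINAL_RULE
}

# Check: given the output of `iptables -S INPUT` as one string, return 0 if
# the last appended (-A) rule is the final REJECT, 1 otherwise.
final_reject_is_last() {
    last=$(printf '%s\n' "$1" | grep '^-A ' | tail -n 1)
    [ "$last" = "-A $FINAL_RULE" ]
}
```

Run `final_reject_is_last "$(iptables -S INPUT)"` after any change to INPUT; a non-zero exit means a rule has slipped behind the catch-all REJECT.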