That’s a correct behavior of iptables. If you want another error behavior use: “ …. –j REJECT –reject-with icmp-host-unreachable” instead.
This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP so
it is a terminating TARGET, ending rule traversal. This target is only valid in the INPUT, FORWARD and OUTPUT
chains, and user-defined chains which are only called from those chains. The following option controls the nature
of the error packet returned:
The type given can be
which return the appropriate ICMP error message (port-unreachable is the default). The option tcp-reset
can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This
is mainly useful for blocking ident (113/tcp) probes which frequently occur when sending mail to broken
mail hosts (which won't accept your mail otherwise).
(*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT