"deny" uses the DROP iptables target, which silently discards incoming packets. "reject" uses the REJECT iptables target, which sends back an error packet to the sender of the rejected packet. deny is usually a bit safer