Stephen Harris wrote: > On Mon, Apr 25, 2011 at 06:03:29PM +0200, Alexander Farber wrote: >> Hello, >> >> how do you block incoming AND outgoing traffic to a site? >> >> I have 2 drop lines for a site in my /etc/sysconfig/iptables: >> >> *filter >> :INPUT DROP [0:0] >> :FORWARD DROP [0:0] >> :OUTPUT ACCEPT [294:35064] >> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT >> -A INPUT -i lo -j ACCEPT >> -A INPUT -s xx.xx.xx.0/24 -j DROP >> -A INPUT -d xx.xx.xx.0/24 -j DROP >> -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT >> -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports >> 80,8080 -j ACCEPT >> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags >> FIN,SYN,RST,ACK SYN -m limit --limit 1/min --limit-burst 2 -j ACCEPT >> COMMIT >> >> but for some reason still can "ping xx.xx.xx.1" and >> "ssh xx.xx.xx.1" prints >> "ssh: connect to host xx.xx.xx.1 port 22: Connection refused" >> immediately, which probably means my packets aren't dropped at all. > > To block outgoing traffic (traffic originating on this host destined > for another machone) you need to add rules to the OUTPUT filter. > Meaning: -A INPUT -s xx.xx.xx.0/24 -j DROP -A OUTPUT -d xx.xx.xx.0/24 -j DROP Ljubomir