[CentOS] Blocking an IP address both as source and destination

Mon Apr 25 17:14:48 UTC 2011
Ljubomir Ljubojevic <office at plnet.rs>

Stephen Harris wrote:
> On Mon, Apr 25, 2011 at 06:03:29PM +0200, Alexander Farber wrote:
>> Hello,
>>
>> how do you block incoming AND outgoing traffic to a site?
>>
>> I have 2 drop lines for a site in my /etc/sysconfig/iptables:
>>
>> *filter
>> :INPUT DROP [0:0]
>> :FORWARD DROP [0:0]
>> :OUTPUT ACCEPT [294:35064]
>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -s xx.xx.xx.0/24 -j DROP
>> -A INPUT -d xx.xx.xx.0/24 -j DROP
>> -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports
>> 80,8080 -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags
>> FIN,SYN,RST,ACK SYN -m limit --limit 1/min --limit-burst 2 -j ACCEPT
>> COMMIT
>>
>> but for some reason still can "ping xx.xx.xx.1" and
>> "ssh xx.xx.xx.1" prints
>> "ssh: connect to host xx.xx.xx.1 port 22: Connection refused"
>> immediately, which probably means my packets aren't dropped at all.
> 
> To block outgoing traffic (traffic originating on this host destined
> for another machone) you need to add rules to the OUTPUT filter.
> 

Meaning:
-A INPUT -s xx.xx.xx.0/24 -j DROP
-A OUTPUT -d xx.xx.xx.0/24 -j DROP

Ljubomir