On Mon, Apr 25, 2011 at 06:03:29PM +0200, Alexander Farber wrote:
> Hello,
>
> how do you block incoming AND outgoing traffic to a site?
>
> I have 2 drop lines for a site in my /etc/sysconfig/iptables:
>
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [294:35064]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -s xx.xx.xx.0/24 -j DROP
> -A INPUT -d xx.xx.xx.0/24 -j DROP
> -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 80,8080 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/min --limit-burst 2 -j ACCEPT
> COMMIT
>
> but for some reason I still can "ping xx.xx.xx.1" and
> "ssh xx.xx.xx.1" prints
> "ssh: connect to host xx.xx.xx.1 port 22: Connection refused"
> immediately, which probably means my packets aren't dropped at all.

To block outgoing traffic (traffic originating on this host destined for
another machine) you need to add rules to the OUTPUT filter.

--
rgds
Stephen
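As an added illustration of Stephen's point (example code, not from either poster), the script below audits a saved ruleset in iptables-save format for a subnet that is meant to be blocked in both directions: it flags a missing OUTPUT rule and notes that a `-d` rule in INPUT only matches packets addressed to this host. The subnet 203.0.113.0/24 is a constructed placeholder for the xx.xx.xx.0/24 in the post.

```shell
#!/bin/sh
# Audit an iptables-save style ruleset for a site that should be blocked both ways.
SUBNET="203.0.113.0/24"   # constructed placeholder for xx.xx.xx.0/24

# Constructed ruleset mirroring the one posted (ssh/http rules trimmed).
POSTED_RULES=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [294:35064]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 203.0.113.0/24 -j DROP
-A INPUT -d 203.0.113.0/24 -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
COMMIT
EOF
)

# Corrected ruleset: the ineffective INPUT -d rule is replaced by an OUTPUT -d rule.
FIXED_RULES=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 203.0.113.0/24 -j DROP
-A OUTPUT -d 203.0.113.0/24 -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
COMMIT
EOF
)

# chain_drops CHAIN FLAG SUBNET: succeed if the ruleset on stdin has a DROP rule
# in CHAIN matching FLAG (-s or -d) SUBNET. Dots in SUBNET act as regex wildcards;
# good enough for an audit of one known prefix.
chain_drops() {
    grep -q -- "^-A $1 .*$2 $3 .*-j DROP"
}

# audit_block RULES SUBNET: return 0 only if inbound (INPUT -s) and outbound
# (OUTPUT -d) drops are both present; print what is missing or ineffective.
audit_block() {
    rules="$1"; subnet="$2"; status=0
    printf '%s\n' "$rules" | chain_drops INPUT -s "$subnet" \
        || { echo "MISSING: INPUT -s $subnet DROP (traffic from site)"; status=1; }
    printf '%s\n' "$rules" | chain_drops OUTPUT -d "$subnet" \
        || { echo "MISSING: OUTPUT -d $subnet DROP (traffic to site)"; status=1; }
    printf '%s\n' "$rules" | chain_drops INPUT -d "$subnet" \
        && echo "INEFFECTIVE: INPUT -d $subnet only matches packets sent to this host"
    return $status
}
```

Run `audit_block "$POSTED_RULES" "$SUBNET"` to see the two findings for the posted configuration; the same call on `FIXED_RULES` is silent and returns 0.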