> Now I'm trying to block a site www.foo.com for users excluding user
> "askar" with something like....
>
> #iptables -A OUTPUT -p tcp --dport 80 -d www.foo.com -j DROP
>
> This works for all users; however, when I try to exclude user
> "askar" from this blocking with...
>
> #iptables -A OUTPUT -p tcp --dport 80 -d www.kmmod.com -m owner
> --uid-owner askar -j ACCEPT
>
> the site is still blocked for user "askar". I also tried
> changing the order of the rules, not working :). How to exclude "askar"?

Well, two things. First, and I assume you know this, in your first example you list www.foo.com (216.234.246.149 and 216.234.246.150), and in the second example you use www.kmmod.com (66.226.86.161). Obviously, if you want the second rule to contradict the first one, you have to use the same destination address, but with the setup you give it still won't work.

When you use -A, you Append to the chain, meaning you place the new rule at the bottom. The first rule that terminates a chain is the only one that matters, and a -j DROP is a terminating rule, so the kernel drops the packet and forgets about it before it thinks about reading the second rule.

You have two choices: either enter a specific -j ACCEPT rule (like the -m owner match) before the less specific -j DROP rule, or enter the -j DROP rule with a -I to insert it at the top of the chain.

Hope this helps
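The ordering behaviour described in the reply, reproduced as an added example that is not part of the original thread and does not touch the kernel: a small Python model of an iptables chain with first-match semantics, `-A` (append) and `-I` (insert at the top), the `-m owner --uid-owner` match, and the detail that `-d hostname` is resolved when the rule is added and expands to one rule per address. The UIDs and the addresses the two hostnames resolve to are constructed for illustration. `broken_chain()` is the poster's ordering (DROP appended, then ACCEPT appended for a different host); `fixed_chain()` uses the same destination in both rules and inserts the specific ACCEPT above the general DROP with `-I`, which is the working ordering.

```python
"""Model of iptables first-match evaluation for an OUTPUT-style chain.

Added example, not code from the original thread.  Constructed values:
the DNS table below and the two UIDs.  Real iptables needs root; this
model only reproduces the rule-ordering semantics the reply describes.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for DNS.  iptables resolves "-d hostname" once, when
# the rule is added, and creates one rule per address it got back.
RESOLVE: Dict[str, List[str]] = {
    "www.foo.com": ["192.0.2.10", "192.0.2.11"],
    "www.kmmod.com": ["198.51.100.7"],
}
UID_ASKAR = 1000   # constructed UID for user "askar"
UID_OTHER = 1001   # any other local user


@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int
    uid: int       # owner of the local socket, which is what -m owner checks


@dataclass(frozen=True)
class Rule:
    target: str                      # ACCEPT or DROP; both terminate the chain
    dst: str                         # one resolved address (-d)
    dport: int = 80                  # --dport
    uid_owner: Optional[int] = None  # -m owner --uid-owner; None matches any user

    def matches(self, pkt: Packet) -> bool:
        return (pkt.dst == self.dst and pkt.dport == self.dport
                and (self.uid_owner is None or pkt.uid == self.uid_owner))


class Chain:
    """One chain: an ordered rule list plus the default policy."""

    def __init__(self, policy: str = "ACCEPT") -> None:
        self.rules: List[Rule] = []
        self.policy = policy

    def append(self, target: str, host: str,
               uid_owner: Optional[int] = None) -> None:
        # iptables -A: new rule(s) go to the bottom of the chain.
        for addr in RESOLVE[host]:
            self.rules.append(Rule(target, addr, uid_owner=uid_owner))

    def insert(self, target: str, host: str,
               uid_owner: Optional[int] = None, pos: int = 1) -> None:
        # iptables -I [rulenum]: new rule(s) go above everything else (pos 1).
        for i, addr in enumerate(RESOLVE[host]):
            self.rules.insert(pos - 1 + i, Rule(target, addr, uid_owner=uid_owner))

    def verdict(self, pkt: Packet) -> str:
        # The first matching rule with a terminating target decides; rules
        # below it are never consulted, which is why order matters.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy

    def listing(self) -> List[str]:
        # Roughly what "iptables -L OUTPUT -n --line-numbers" would print.
        lines = []
        for num, r in enumerate(self.rules, 1):
            owner = f" owner UID match {r.uid_owner}" if r.uid_owner is not None else ""
            lines.append(f"{num} {r.target} tcp dpt:{r.dport} dst {r.dst}{owner}")
        return lines


def broken_chain() -> Chain:
    """The poster's ordering: DROP appended first, ACCEPT appended below it
    (and for a different host), so the ACCEPT is never reached."""
    c = Chain()
    c.append("DROP", "www.foo.com")
    c.append("ACCEPT", "www.kmmod.com", uid_owner=UID_ASKAR)
    return c


def fixed_chain() -> Chain:
    """Same destination in both rules, and the specific ACCEPT inserted
    above the general DROP (appending the ACCEPT before the DROP is equivalent)."""
    c = Chain()
    c.append("DROP", "www.foo.com")
    c.insert("ACCEPT", "www.foo.com", uid_owner=UID_ASKAR)
    return c


def verdicts(chain: Chain, host: str = "www.foo.com") -> Dict[str, str]:
    """Verdict for askar and for another user, port 80 to host's first address."""
    dst = RESOLVE[host][0]
    return {"askar": chain.verdict(Packet(dst, 80, UID_ASKAR)),
            "other": chain.verdict(Packet(dst, 80, UID_OTHER))}


if __name__ == "__main__":
    for name, chain in (("broken", broken_chain()), ("fixed", fixed_chain())):
        print(name, verdicts(chain))
        print("\n".join(chain.listing()))
```

On a real box the equivalent check is `iptables -L OUTPUT -n -v --line-numbers`: the ACCEPT with `owner UID match` must appear on a lower-numbered line than the DROP for the same address, and the packet counters show which rule is actually firing.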