Antony Stone wrote:
Thanks for the explanation. So I'm testing this out now, and I inserted:
iptables -I FORWARD -s a.b.c.d -d w.x.y.z -p tcp --dport 80 -j REJECT
"-I" will insert the rule at the top of the FORWARD chain, and therefore guarantees that these packets will be REJECTed, no matter what other rules follow in your ruleset.
iptables -I FORWARD -s 66.218.75.184 -d 192.168.1.253 -p tcp --dport 80 -j REJECT
66.218.75.184 == mail.yahoo.com (or login.yahoo.akadns.net, or l1.login.vip.scd.yahoo.com according to iptables -L), however that machine (.253) can still reach that address just fine. What am I missing?
I don't see a round-robin IP setup for mail.yahoo.com (much like what you'd see if you lookup www.yahoo.com) so I'm not quite sure why it's not blocking it.
-- 
W | I haven't lost my mind; it's backed up on tape somewhere.
+--------------------------------------------------------------------
 Ashley M. Kirchner <mailto:ashley@xxxxxxxxxx>   .   303.442.6410 x130
 IT Director / SysAdmin / WebSmith                 .   800.441.3873 x130
 Photo Craft Laboratories, Inc.                    .   3550 Arapahoe Ave. #6
 http://www.pcraft.com ..... . . .                 .   Boulder, CO 80303, U.S.A.
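One check worth doing before chasing DNS is to work out which direction of the TCP flow the rule as posted actually covers. The script below is an added example, not code from the thread or from the netfilter project: it models the small subset of iptables matching used in the post (-s, -d, -p tcp, --dport) and walks both packet directions of one TCP connection through it. The addresses are the ones from the post; the client-side ephemeral port (40000) and the reject_rules helper are assumptions made for the example, and a real script would obtain a name's address list from socket.getaddrinfo rather than from a hand-written list.

```python
"""Added example: model which direction of a TCP flow an iptables FORWARD
rule matches. This is not iptables itself, only a matcher for the options
used in the post (-I/-A, -s, -d, -p, --dport, -j)."""
import ipaddress
import shlex
from typing import Dict, List, Optional

Rule = Dict[str, Optional[str]]

# Addresses from the post. The LAN client port is an assumed ephemeral port.
YAHOO_IP = "66.218.75.184"
LAN_HOST = "192.168.1.253"
POSTED_RULE = ("iptables -I FORWARD -s 66.218.75.184 -d 192.168.1.253 "
               "-p tcp --dport 80 -j REJECT")


def parse_rule(cmd: str) -> Rule:
    """Parse the iptables option subset used in the post into a dict."""
    toks = shlex.split(cmd)
    if not toks or toks[0] != "iptables":
        raise ValueError("expected an iptables command")
    rule: Rule = {"chain": None, "src": None, "dst": None,
                  "proto": None, "dport": None, "target": None}
    i = 1
    while i < len(toks):
        opt = toks[i]
        if i + 1 >= len(toks):
            raise ValueError(f"option {opt} is missing its value")
        val = toks[i + 1]
        if opt in ("-I", "-A"):
            rule["chain"] = val
            i += 2
            if i < len(toks) and toks[i].isdigit():   # "-I FORWARD 3"
                i += 1
            continue
        if opt == "-s":
            rule["src"] = val
        elif opt == "-d":
            rule["dst"] = val
        elif opt == "-p":
            rule["proto"] = val
        elif opt == "--dport":
            rule["dport"] = val
        elif opt == "-j":
            rule["target"] = val
        else:
            raise ValueError(f"unsupported option {opt}")
        i += 2
    return rule


def _addr_match(spec: Optional[str], addr: str) -> bool:
    """-s/-d accept a host or a CIDR prefix; an absent option matches anything."""
    if spec is None:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: dict) -> bool:
    return (_addr_match(rule["src"], pkt["src"])
            and _addr_match(rule["dst"], pkt["dst"])
            and (rule["proto"] is None or rule["proto"] == pkt["proto"])
            and (rule["dport"] is None or int(rule["dport"]) == pkt["dport"]))


def tcp_flow(client: str, server: str, port: int, client_port: int = 40000) -> List[dict]:
    """The two packet directions of one TCP connection client -> server:port.
    Replies come back from source port `port` to the client's ephemeral port."""
    return [
        {"dir": "client->server", "src": client, "dst": server,
         "proto": "tcp", "sport": client_port, "dport": port},
        {"dir": "server->client", "src": server, "dst": client,
         "proto": "tcp", "sport": port, "dport": client_port},
    ]


def matched_directions(rule: Rule, client: str, server: str, port: int) -> List[str]:
    """Which directions of the flow the rule would hit; [] means it never fires."""
    return [p["dir"] for p in tcp_flow(client, server, port) if rule_matches(rule, p)]


def reject_rules(client: str, servers: List[str], port: int) -> List[str]:
    """One outbound REJECT rule per server address. For a name that resolves to
    several addresses the caller supplies the list (e.g. from socket.getaddrinfo)."""
    return [f"iptables -I FORWARD -s {client} -d {srv} -p tcp --dport {port} -j REJECT"
            for srv in servers]


if __name__ == "__main__":
    posted = parse_rule(POSTED_RULE)
    print("posted rule hits:", matched_directions(posted, LAN_HOST, YAHOO_IP, 80) or "nothing")
    for cmd in reject_rules(LAN_HOST, [YAHOO_IP], 80):
        print(cmd, "->", matched_directions(parse_rule(cmd), LAN_HOST, YAHOO_IP, 80))
```

Run against the rule from the post, matched_directions returns an empty list for a connection from 192.168.1.253 to 66.218.75.184 port 80: the outbound SYN has the LAN host as its source, and the replies from Yahoo carry source port 80, not destination port 80. The same rule does match a connection initiated from 66.218.75.184 to port 80 on 192.168.1.253. Whatever the DNS situation turns out to be, comparing `iptables -L FORWARD -v -n` packet counters before and after a test connection shows the same thing on the live box.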