On Monday 03 January 2005 21:45, Jerry A. Applebaum wrote:

> And I thought I could do something like this:
>
> iptables -A OUTPUT -s 10.1.1.10 -p tcp -m tcp --dport 5190 -j DROP
> iptables -A FORWARD -d 10.1.1.10 -p tcp -m tcp --dport 5190 -j DROP
>
> ....but it has no effect.

You almost got it :) Try

iptables -A FORWARD -s 10.1.1.10 -p tcp -m tcp --dport 5190 -j DROP

because the OUTPUT chain only refers to connections originating from the firewall machine, although I can see how this is confusing since it's the firewall machine doing the MASQ :)

Also, I would not be at all surprised if ICQ/AIM also tries to contact login.icq.com on port 80 if 5190 fails, in the same way that MSN Messenger does.

Cheers,
Gavin.
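The chain distinction Gavin points out, as an added example that is not part of the original thread: a small POSIX shell function that emits the rule set for a masquerading gateway, putting the client's traffic in FORWARD (where packets from a LAN host actually pass) rather than OUTPUT (which only sees packets the gateway itself generates). It also adds a LOG rule before each DROP so blocked attempts are visible in the kernel log, and covers the port 80 fallback to login.icq.com that the reply mentions. The interface name eth1 and the fallback rule are assumptions; the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread): emit iptables
# rules that block AIM/ICQ from one LAN client on a masquerading gateway.
# Assumptions: the client is 10.1.1.10 and its packets arrive on eth1
# (placeholder interface name); nothing is applied, only printed.

im_block_rules() {
    host="$1"            # LAN client to restrict, e.g. 10.1.1.10
    lan_if="${2:-eth1}"  # inside interface the client's packets arrive on (assumed)

    # A LAN client's packets traverse the FORWARD chain on the gateway.
    # OUTPUT only matches traffic the gateway itself originates, which is
    # why the poster's OUTPUT rule never fired.  Log, then drop, so the
    # blocked attempts show up in the kernel log with a searchable prefix.
    # The port 80 rule to login.icq.com is the assumed fallback path;
    # note that iptables resolves the hostname once, at rule-load time.
    cat <<EOF
iptables -A FORWARD -i $lan_if -s $host -p tcp --dport 5190 -j LOG --log-prefix "IM-BLOCK: "
iptables -A FORWARD -i $lan_if -s $host -p tcp --dport 5190 -j DROP
iptables -A FORWARD -i $lan_if -s $host -p tcp -d login.icq.com --dport 80 -j LOG --log-prefix "IM-BLOCK: "
iptables -A FORWARD -i $lan_if -s $host -p tcp -d login.icq.com --dport 80 -j DROP
EOF
}

# Review the output, then apply with:  im_block_rules 10.1.1.10 eth1 | sh
im_block_rules 10.1.1.10 eth1
```

If you would rather the client's messenger fail immediately instead of hanging on a timed-out connect, replace the DROP targets with REJECT; the LOG lines stay the same either way, and `grep IM-BLOCK` over the kernel log tells you how often the client is still trying.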