RE: Block smtp traffic

> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx 
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of 
> Allan Spagnol Comar
> Sent: Thursday, October 26, 2006 3:36 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Block smtp traffic
> 
> Hi list, this is my first post.
> 
> I had an internet gateway that I want to block all traffic sent to smtp
> ports ( 25 tcp ). I had done this:
> iptables -A FORWARD -i eth1 -p tcp --dport 25 -j DROP
> 
> and I cannot make this rule work, my user can still connect to port
> 25.... I tried to change from drop to reject and still the same problem;
> where can I look to make this work?

Think of iptables as being a huge if-then check per rule until a
DROP/RETURN/ACCEPT/QUEUE is encountered - the man page does an excellent job
of describing this in paragraph one of 'TARGETS':

	if rule #1 applies _and_ DROP/RETURN/ACCEPT/QUEUE, stop
	if rule #2 applies _and_ DROP/RETURN/ACCEPT/QUEUE, stop
	...
	if rule #N applies or not and we've run out of things to do, apply
the POLICY as our 'DEFAULT'

This means that given you're A(ppending) your rule, you probably have
another rule preceding the rule above which is ACCEPT'ing the packet
somehow.

Move the above rule up the chain.  You might even put it at the very
beginning as a test:

	iptables -I FORWARD ....

I hope that helps.
---
Pablo Sanchez - Blueoak Database Engineering, Inc
Ph:    819.459.1926          Toll free:  888.459.1926
Cell:  819.918.9731                Pgr:  pablo_p@xxxxxxxxxxxxx
Fax:   603.720.7723 (US)
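Added example, not part of the list thread: a small Python model of first-match chain traversal that reproduces the append-vs-insert behaviour described in the reply. The earlier `-i eth1 -j ACCEPT` rule is an assumed stand-in for whatever rule precedes the DROP on the poster's gateway; the chain, rules and packet are constructed for the demo.

```python
# Toy model of how netfilter walks one built-in chain (not the real kernel code):
# rules are scanned top to bottom; the first *matching* rule with a terminating
# target decides the packet, otherwise the chain policy applies.
from dataclasses import dataclass, field
from typing import Optional

TERMINATING = {"ACCEPT", "DROP", "REJECT", "QUEUE", "RETURN"}  # LOG etc. fall through

@dataclass
class Rule:
    target: str
    in_iface: Optional[str] = None   # -i
    proto: Optional[str] = None      # -p
    dport: Optional[int] = None      # --dport

    def matches(self, pkt: dict) -> bool:
        # Every specified criterion must match; unspecified ones are wildcards.
        return all(want is None or pkt.get(key) == want
                   for key, want in (("in_iface", self.in_iface),
                                     ("proto", self.proto),
                                     ("dport", self.dport)))

@dataclass
class Chain:
    policy: str
    rules: list = field(default_factory=list)

    def append(self, rule: Rule) -> None:           # iptables -A
        self.rules.append(rule)

    def insert(self, rule: Rule, pos: int = 1) -> None:  # iptables -I (1-based, default top)
        self.rules.insert(pos - 1, rule)

    def verdict(self, pkt: dict):
        """Return (verdict, rule number that fired) or (policy, None)."""
        for n, rule in enumerate(self.rules, 1):
            if rule.matches(pkt) and rule.target in TERMINATING:
                # RETURN in a built-in chain means "use the chain policy".
                return (self.policy if rule.target == "RETURN" else rule.target), n
        return self.policy, None

def demo():
    smtp = {"in_iface": "eth1", "proto": "tcp", "dport": 25}   # constructed packet
    block = Rule("DROP", in_iface="eth1", proto="tcp", dport=25)
    fwd = Chain("ACCEPT")
    fwd.append(Rule("ACCEPT", in_iface="eth1"))   # assumed earlier "allow LAN out" rule
    fwd.append(block)                              # poster's -A: shadowed, never reached
    appended = fwd.verdict(smtp)
    fwd.insert(block)                              # -I FORWARD: now rule #1
    inserted = fwd.verdict(smtp)
    return appended, inserted

if __name__ == "__main__":
    print(demo())   # (('ACCEPT', 1), ('DROP', 1))
```

On a real box the equivalent check is `iptables -L FORWARD -n -v --line-numbers`, which shows rule order and per-rule packet counters, so a DROP rule whose counter never moves while an earlier ACCEPT's does is the shadowing case above.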
