> -----Original Message-----
> From: Vimal [mailto:j.vimal@xxxxxxxxx]
> Sent: Monday, September 15, 2008 8:12 PM
> To: Xu, Qiang (FXSGSC)
> Cc: netfilter@xxxxxxxxxxxxxxx
> Subject: Re: iptables not prevent access
>
> In fact, try this one too:
>
> * From the client, access the webpage
> * From the server, check the access logs, and see which IP
> had accessed the particular webpage you did in the previous step.

This is really a good suggestion.

> But, what continues to baffle me is the fact that no requests
> were coming from your client's ethernet interface!

It turns out to be the web proxy that does evil behind the scenes. Yesterday I thought of it, and modified the field "Do not use proxy server for addresses beginning with" on "8.119". On that machine, I appended ";13.*" to the field; the semicolon at the beginning serves as a separator from what already existed there. But some addresses that already existed in the field made it ineffective. So it never worked, meaning the traffic to the server "8.106" always went through the proxy server.

Today, a colleague tried to block the telnet port 23, and it was blocked successfully. So the problem was narrowed down to the HTTP connection. He tried various scenarios with and without the proxy in use, and came to the conclusion that something is not quite right with the proxy. After this field is tidied up, blocking works.

Thanks to Vimal, and others who have given suggestions.

Xu Qiang
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
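The mechanism behind this thread, as an added illustration that is not part of the original mail: when the destination is not on the browser's bypass list, the client's only TCP connection is to the proxy, so a host-based rule that matches the server's address never sees a packet and the server's access log shows the proxy's IP. All addresses, the proxy port and the prefix/glob matching model for the "Do not use proxy server for addresses beginning with" field are constructed assumptions, not values from the thread.

```python
import fnmatch
from typing import List, Tuple

# Constructed sample topology (assumptions, not values from the thread).
CLIENT_IP = "192.0.2.10"
PROXY_IP = "10.0.0.2"
PROXY_PORT = 8080
SERVER_IP = "192.0.2.106"


def parse_bypass_list(field: str) -> List[str]:
    """Split the bypass field on ';' and drop empty or whitespace-only entries."""
    return [e.strip() for e in field.split(";") if e.strip()]


def goes_direct(dest: str, bypass: List[str]) -> bool:
    """Simplified model (assumption): an entry containing '*' is treated as a
    glob over the whole address; any other entry matches as a literal prefix."""
    for entry in bypass:
        if "*" in entry:
            if fnmatch.fnmatchcase(dest, entry):
                return True
        elif dest.startswith(entry):
            return True
    return False


def outbound_endpoint(dest: str, port: int, bypass_field: str) -> Tuple[str, int]:
    """(ip, port) the client actually connects to; this is what a host-based
    iptables rule on the client gets to match against."""
    if goes_direct(dest, parse_bypass_list(bypass_field)):
        return dest, port
    return PROXY_IP, PROXY_PORT


def source_seen_by_server(dest: str, bypass_field: str) -> str:
    """Source IP the server's access log records for the client's request."""
    ip, _ = outbound_endpoint(dest, 80, bypass_field)
    return CLIENT_IP if ip == dest else PROXY_IP


def blocked_by_client_rule(dest: str, bypass_field: str) -> bool:
    """Would 'iptables -A OUTPUT -d <dest> -j DROP' on the client stop the request?"""
    ip, _ = outbound_endpoint(dest, 80, bypass_field)
    return ip == dest
```

With an empty or wrong bypass field, blocked_by_client_rule() is False and the log shows the proxy, which is exactly the symptom in the thread; once the server's prefix is in the field both flip.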