try allowing the port and put a block all traffic. iptables -A INPUT -p tcp -d k.l.m.n --dport 80 -j ACCEPT iptables -A INPUT -p tcp -d w.x.y.z --dport 80 -j ACCEPT iptables -A INPUT -j DROP hth, Sir June ----- Original Message ---- From: "m.roth@xxxxxxxxx" <m.roth@xxxxxxxxx> To: CentOS <centos@xxxxxxxxxx>; redhat <redhat-list@xxxxxxxxxx> Sent: Mon, March 29, 2010 3:48:01 PM Subject: iptables rules I've got a server with several ip's on eth0. I want to block all traffic *except* to port 80 on them, but not on any other IPs, so that eth0 is www.xxx.yyy.zzz eth0:1 is www.xxx.yyy.ggg eth0:2 is www.xxx.yyy.hhh I've tried -A RH-Firewall-1-INPUT -p tcp -d www.xxx.yyy.ggg --dport ! 80 -j DROP -A RH-Firewall-1-INPUT -p tcp -d www.xxx.yyy.hhh --dport ! 80 -j DROP and restarted (and several variants of this). iptables-save displays *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [769:48207] :RH-Firewall-1-INPUT - [0:0] -A INPUT -j RH-Firewall-1-INPUT -A FORWARD -j RH-Firewall-1-INPUT -A RH-Firewall-1-INPUT -i lo -j ACCEPT -A RH-Firewall-1-INPUT -d www.xxx.yyy.ggg -p tcp -m tcp ! --dport 80 -j DROP -A RH-Firewall-1-INPUT -d www.xxx.yyy.hhh -p tcp -m tcp ! --dport 80 -j DROP -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT <...> and I notice it puts the ! in front of the --dport, but has no complaints. However, I can telnet to www.xxx.yyy.hhh 443. What's wrong with the rules? mark -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list