iptables: blocking network access for certain UIDs gives error.

Guillermo Garron guillermo.fedora at gmail.com
Mon Jul 17 13:32:37 UTC 2006


To save your current values so IPTABLES starts with them next time, use

/sbin/service iptables save
instead of
iptables --save
(I don't know why the first one works and the second doesn't.)
regards,

Guillermo.


On 7/17/06, Tim <ignored_mailbox at yahoo.com.au> wrote:
>
> On Mon, 2006-07-17 at 08:36 +0200, kmartin wrote:
> > i need to block internet access for a couple UIDs. found and a bit of
> > an older thread on this site
> > [url=
> > http://fcp.homelinux.org/modules/newbb/viewtopic.php?topic_id=23058]here[/url].
> > this is basically what i want to do too but i'm using FC4 and the original
> > post refers to FC3 - not sure if that has anything to do with it. so i'm
> > executing:
> >
> > [b] iptables -D OUTPUT -m owner --uid-owner 502 --jump DROP[/b]
> > but i keep getting: [b]"Bad rule (does a matching rule exist in that
> > chain?)" [/b]
>
> You can only delete a rule that already exists.  That's what the -D
> option does.  Are you hoping to add that rule, and just half copied some
> other example?
>
> For newcomers, I'd suggest using the un-abbreviated options, until
> you're familiar with iptables.  It's more explanatory.
>
> e.g. iptables --append OUTPUT --match owner --uid-owner 502  --jump DROP
>
> That appends a rule to the output filtering (outgoing connection), the
> rule will match something using the owner module, and that owner module
> is concerned with uid 502, the target of the rule is to DROP the
> packets.
>
> As you're making an outgoing rule, where the foolish notion of
> "stealthing" is a complete waste of time, I wouldn't DROP the packet
> (which will keep the other end waiting for a timeout), I'd REJECT the
> packet.  It still stops them from connecting, but instantly tells them
> it isn't going to work.  Hint, use REJECT rather than DROP, to do this.
>
> > here is the output of [font=Verdana]iptables --list[/font]:
>
> It'd be a lot better to read without the [pseudo] HTML.
>
> --
> (Currently running FC4, occasionally trying FC5.)
>
> Don't send private replies to my address, the mailbox is ignored.
> I read messages from the public lists.
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>
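A worked version of the procedure the thread arrives at (append an owner-match rule to OUTPUT, prefer REJECT over DROP, persist with /sbin/service iptables save), written here as an added example and not code from either poster. It assumes an iptables new enough to have --check (1.4.11 and later, so not the FC4 version in the thread) and a host where the init-script based service iptables save is what persists rules.

```shell
#!/bin/sh
# Block outgoing traffic for one UID with the owner match as the thread
# describes: --append (not --delete), REJECT rather than DROP, then persist
# with "service iptables save". Assumptions (not from the thread): iptables
# supports --check (1.4.11 and later) and /sbin/service iptables save exists.

# Accept only an all-digit UID so nothing unexpected is passed to iptables.
valid_uid() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the iptables arguments for ACTION (append|delete|check) on UID.
# The target defaults to REJECT so the blocked process fails at once
# instead of waiting for a connection timeout.
uid_rule_args() {
  action="$1"; uid="$2"; target="${3:-REJECT}"
  valid_uid "$uid" || { echo "bad uid: $uid" >&2; return 1; }
  case "$action" in
    append) op=--append ;;
    delete) op=--delete ;;
    check)  op=--check ;;
    *) echo "bad action: $action" >&2; return 1 ;;
  esac
  printf '%s OUTPUT --match owner --uid-owner %s --jump %s\n' \
    "$op" "$uid" "$target"
}

# Add the rule only if it is not already present, then save the ruleset.
# Requires root; without it the command is printed rather than applied.
block_uid() {
  uid="$1"
  args=$(uid_rule_args append "$uid") || return 1
  if [ "$(id -u)" -ne 0 ]; then
    echo "would run: iptables $args (not root, not applied)" >&2
    return 0
  fi
  if iptables $(uid_rule_args check "$uid") 2>/dev/null; then
    echo "rule for uid $uid already present" >&2
  else
    iptables $args || return 1
  fi
  /sbin/service iptables save
}

if [ $# -gt 0 ]; then
  block_uid "$1"
fi
```

Run as root with the UID to block as the single argument (for example `./block_uid.sh 502`); the --check step makes repeated runs idempotent instead of stacking duplicate rules.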