iptables: blocking network access for certain UIDs gives error.

Guillermo Garron guillermo.fedora at gmail.com
Mon Jul 17 13:33:21 UTC 2006


Sorry,

you can check this out
http://web.mit.edu/rhel-doc/3/rhel-sg-es-3/s1-fireall-ipt-act.html
regards,

Guillermo.

On 7/17/06, Guillermo Garron <guillermo.fedora at gmail.com> wrote:
>
> To save your current values so, IPTABLES start with that next time use
>
>
> /sbin/service iptables save
> instead of
> iptables --save
>  (I don't know why the first one works and the second doesn't.)
> regards,
>
> Guillermo.
>
>
>
> On 7/17/06, Tim <ignored_mailbox at yahoo.com.au> wrote:
> >
> > On Mon, 2006-07-17 at 08:36 +0200, kmartin wrote:
> > > i need to block internet access for a couple UIDs. found a bit of
> > > an older thread on this site
> > > [url=http://fcp.homelinux.org/modules/newbb/viewtopic.php?topic_id=23058]here[/url].
> > > this is basically what i want to do too but i'm using FC4 and the original
> > > post refers to FC3 - not sure if that has anything to do with it. so i'm
> > > executing:
> > >
> > > [b] iptables -D OUTPUT -m owner --uid-owner 502 --jump DROP[/b]
> > > but i keep getting: [b]"Bad rule (does a matching rule exist in that
> > > chain?)" [/b]
> >
> > You can only delete a rule that already exists.  That's what the -D
> > option does.  Are you hoping to add that rule, and just half copied some
> > other example?
> >
> > For newcomers, I'd suggest using the un-abbreviated options, until
> > you're familiar with iptables.  It's more explanatory.
> >
> > e.g. iptables --append OUTPUT --match owner --uid-owner 502  --jump DROP
> >
> > That appends a rule to the output filtering (outgoing connection), the
> > rule will match something using the owner module, and that owner module
> > is concerned with uid 502, the target of the rule is to DROP the
> > packets.
> >
> > As you're making an outgoing rule, where the foolish notion of
> > "stealthing" is a complete waste of time, I wouldn't DROP the packet
> > (which will keep the other end waiting for a timeout), I'd REJECT the
> > packet.  It still stops them from connecting, but instantly tells them
> > it isn't going to work.  Hint, use REJECT rather than DROP, to do this.
> >
> > > here is the output of [font=Verdana]iptables --list[/font]:
> >
> > It'd be a lot better to read without the [pseudo] HTML.
> >
> > --
> > (Currently running FC4, occasionally trying FC5.)
> >
> > Don't send private replies to my address, the mailbox is ignored.
> > I read messages from the public lists.
> >
> > --
> > fedora-list mailing list
> > fedora-list at redhat.com
> > To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
> >
>
>
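As an added example (not code from the thread or from Fedora), a small POSIX sh helper wrapping the commands discussed above: it reads the current ruleset as iptables-save text (assumed here to be passed in as an argument so it can be tried without root), appends the owner-match rule with REJECT only when it is missing, and emits a delete only when a matching rule is present, which is exactly the case that produced the "Bad rule" error.

```shell
#!/bin/sh
# Added example, not from the thread: decide what to run for one UID based on
# the current ruleset (iptables-save text, assumed to be passed in as $2), so a
# rule is appended only when missing and deleted only when present. Deleting a
# rule that is not in the chain is what triggers
# "Bad rule (does a matching rule exist in that chain?)".

# Print the target (REJECT or DROP) of the OUTPUT owner rule for UID $1 found
# in ruleset text $2, or nothing if no such rule exists.
uid_rule_target() {
    printf '%s\n' "$2" |
        sed -n -E "s/^-A OUTPUT -m owner --uid-owner $1 -j (REJECT|DROP).*/\1/p" |
        head -n 1
}

# Print the command that blocks UID $1, or nothing if it is already blocked.
# REJECT is used rather than DROP so the blocked process fails at once
# instead of hanging until a timeout, as recommended in the reply above.
uid_block_cmd() {
    if [ -n "$(uid_rule_target "$1" "$2")" ]; then
        return 0
    fi
    echo "iptables --append OUTPUT --match owner --uid-owner $1 --jump REJECT"
}

# Print the matching --delete command, using whichever target the existing
# rule has; fail without printing if there is no rule to delete.
uid_unblock_cmd() {
    target=$(uid_rule_target "$1" "$2")
    if [ -z "$target" ]; then
        echo "no OUTPUT owner rule for uid $1; nothing to delete" >&2
        return 1
    fi
    echo "iptables --delete OUTPUT --match owner --uid-owner $1 --jump $target"
}

# Constructed sample ruleset in iptables-save format: uid 503 is already
# blocked with DROP, uid 502 is not blocked.
SAMPLE_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner --uid-owner 503 -j DROP
COMMIT'

# On a live system (root): RULES=$(iptables-save -t filter); then review
# the printed command, run it, and persist with /sbin/service iptables save.
uid_block_cmd 502 "$SAMPLE_RULESET"    # prints the --append ... REJECT command
uid_unblock_cmd 503 "$SAMPLE_RULESET"  # prints the --delete ... DROP command
```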