07-03-04 11:58 PM
Richard Gutery wrote:
> I have these two rules in my iptables file:
>
> $IPT -t filter -A INPUT -p tcp -s 0/0 -d 64.246.26.185 --dport 80 -m
> limit --limit 2/minute -j $STOP
> $IPT -t filter -A OUTPUT -p tcp -s 64.246.26.185 -d 0/0 --dport 80 -m
> limit --limit 2/minute -j $STOP
>
> $STOP and $IPT are macro substitutions that work for everything else,
> so I know that's not the problem.
>
I'm not sure why you're using the limit match, but the following should
work:
$IPT -A INPUT -p tcp -d 64.246.26.185 --dport 80 -j $STOP
$IPT -A INPUT -p tcp -s 64.246.26.185 --sport 80 -j $STOP
... assuming the $STOP variable is "REJECT" or "DENY" or a custom target.
These two rules stop TCP packets destined for, or originating from, the
remote webserver. If you wanted to block *any* traffic to and from the
host, just omit the -p tcp and --dport 80/--sport 80 arguments. Oh, and
you can omit -t filter, since the filter table is assumed by default.
HTH,
pete
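To see why the original rules let most traffic through, here is a small token-bucket model of the iptables `limit` match, added as an illustration (not code from the thread or from netfilter). It assumes the iptables default `--limit-burst` of 5 and a chain policy of ACCEPT; the packet timings are constructed.

```python
"""Model of the iptables 'limit' match as a token bucket.

A rule like '-m limit --limit 2/minute -j DROP' only *matches* while a
token is available, so it drops the first few packets and then lets the
rest fall through to the next rule or the chain policy. This is why the
limit match is the wrong tool for blocking a host.
"""
from dataclasses import dataclass

RATE_UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


@dataclass
class LimitMatch:
    rate: str = "2/minute"   # value of --limit
    burst: int = 5           # value of --limit-burst (iptables default; assumed)

    def __post_init__(self):
        count, unit = self.rate.split("/")
        self.interval = RATE_UNITS[unit] / float(count)  # seconds per token
        self.tokens = float(self.burst)                  # bucket starts full
        self.last = 0.0                                  # time of last packet

    def matches(self, now):
        """Return True if a packet seen at time 'now' (seconds) matches."""
        # Refill at the configured rate, never exceeding the burst size.
        self.tokens = min(self.burst,
                          self.tokens + (now - self.last) / self.interval)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate(times, rate="2/minute", burst=5, policy="ACCEPT"):
    """Verdict per packet (constructed trace): 'DROP' when the limit rule
    fires, otherwise the chain policy that applies once the rule misses."""
    match = LimitMatch(rate, burst)
    return ["DROP" if match.matches(t) else policy for t in times]


if __name__ == "__main__":
    # Ten packets at t=0, then one at 30s and one at 31s.
    trace = [0.0] * 10 + [30.0, 31.0]
    for t, verdict in zip(trace, simulate(trace)):
        print(f"t={t:5.1f}s  {verdict}")
```

Only the first five packets of the burst are dropped; after that one packet every 30 seconds is dropped and everything else reaches the web server, which is the opposite of the intent.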