On Mon, 2006-07-17 at 08:36 +0200, kmartin wrote:
> i need to block internet access for a couple UIDs. found and a bit of
> an older thread on this site
> [url=http://fcp.homelinux.org/modules/newbb/viewtopic.php?topic_id=23058]here[/url].
> this is basically what i want to do too but i'm using FC4 and the
> original post refers to FC3 - not sure if that has anything to do with
> it. so i'm executing:
>
> [b] iptables -D OUTPUT -m owner --uid-owner 502 --jump DROP[/b]
>
> but i keep getting: [b]"Bad rule (does a matching rule exist in that
> chain?)" [/b]

You can only delete a rule that already exists. That's what the -D
option does. Are you hoping to add that rule, and just half copied some
other example?

For newcomers, I'd suggest using the un-abbreviated options, until
you're familiar with iptables. It's more explanatory. e.g.

  iptables --append OUTPUT --match owner --uid-owner 502 --jump DROP

That appends a rule to the output filtering (outgoing connection), the
rule will match something using the owner module, and that owner module
is concerned with uid 502, the target of the rule is to DROP the
packets.

As you're making an outgoing rule, where the foolish notion of
"stealthing" is a complete waste of time, I wouldn't DROP the packet
(which will keep the other end waiting for a timeout), I'd REJECT the
packet. It still stops them from connecting, but instantly telling them
it isn't going to work. Hint, use REJECT rather than DROP, to do this.

> here is the output of [font=Verdana]iptables --list[/font]:

It'd be a lot better to read without the [pseudo] HTML.

-- 
(Currently running FC4, occasionally trying FC5.)

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.
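Putting the reply's advice into a script, as an added example that is not part of the thread: it builds the rule once so that append, check and delete all name the identical rule, uses REJECT rather than DROP, and tests for the rule before deleting so --delete never hits the "Bad rule" error from the post. It assumes a current iptables that supports --check (FC4's did not) and reuses uid 502 from the original question.

```shell
#!/bin/sh
# Added example, not code from the original thread.  Manage an outgoing
# block for one UID with the iptables owner match.  Must run as root.

# The chain plus match/target part of the rule.  iptables --delete only
# succeeds when a rule with exactly this specification already exists,
# so every operation below builds it from this one function.
rule_spec() {
    uid="$1"
    printf '%s' "OUTPUT --match owner --uid-owner $uid --jump REJECT"
}

# Return 0 if the rule is already present in the OUTPUT chain.
# $(rule_spec ...) is deliberately unquoted so it splits into arguments.
rule_exists() {
    iptables --check $(rule_spec "$1") 2>/dev/null
}

# Append the rule unless it is already there (avoids duplicate rules).
block_uid() {
    uid="$1"
    if rule_exists "$uid"; then
        echo "rule for uid $uid already present, nothing to do"
        return 0
    fi
    iptables --append $(rule_spec "$uid") && echo "appended REJECT rule for uid $uid"
}

# Delete the rule only if it exists; a -D on a missing rule is the
# "Bad rule (does a matching rule exist in that chain?)" error.
unblock_uid() {
    uid="$1"
    if ! rule_exists "$uid"; then
        echo "no rule for uid $uid, nothing to delete"
        return 0
    fi
    iptables --delete $(rule_spec "$uid") && echo "deleted rule for uid $uid"
}

# Command-line use:  sh blockuid.sh block 502   |   sh blockuid.sh unblock 502
case "${1:-}" in
    block)   block_uid "$2" ;;
    unblock) unblock_uid "$2" ;;
esac
```

After blocking, `iptables --list OUTPUT --numeric --verbose` shows the REJECT rule and its packet counter climbing as that user's connection attempts are refused.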