Re: iptables: blocking network access for certain UIDs gives error.

To save your current values so that iptables starts with them next time, use

/sbin/service iptables save

instead of

iptables --save

(I don't know why the first one works and the second doesn't.)
regards,

Guillermo.


On 7/17/06, Tim <ignored_mailbox@xxxxxxxxxxxx> wrote:
On Mon, 2006-07-17 at 08:36 +0200, kmartin wrote:
> I need to block internet access for a couple of UIDs. I found a bit of
> an older thread on this site here:
> http://fcp.homelinux.org/modules/newbb/viewtopic.php?topic_id=23058
> This is basically what I want to do too, but I'm using FC4 and the
> original post refers to FC3 - not sure if that has anything to do with
> it. So I'm executing:
>
> iptables -D OUTPUT -m owner --uid-owner 502 --jump DROP
>
> but I keep getting: "Bad rule (does a matching rule exist in that
> chain?)"

You can only delete a rule that already exists.  That's what the -D
option does.  Are you hoping to add that rule, and just half copied some
other example?

For newcomers, I'd suggest using the un-abbreviated options, until
you're familiar with iptables.  It's more explanatory.

e.g. iptables --append OUTPUT --match owner --uid-owner 502  --jump DROP

That appends a rule to the output filtering (outgoing connection), the
rule will match something using the owner module, and that owner module
is concerned with uid 502, the target of the rule is to DROP the
packets.

As you're making an outgoing rule, where the foolish notion of
"stealthing" is a complete waste of time, I wouldn't DROP the packet
(which will keep the other end waiting for a timeout), I'd REJECT the
packet.  It still stops them from connecting, but instantly tells them
it isn't going to work.  Hint: use REJECT rather than DROP to do this.

> here is the output of iptables --list:

It'd be a lot better to read without the [pseudo] HTML.

--
(Currently running FC4, occasionally trying FC5.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
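An added example, not code from either reply: a small POSIX sh script that applies the rule Tim describes idempotently, with REJECT as he suggests, and persists it with the `service iptables save` command from Guillermo's reply. It assumes an iptables with `--check` (1.4.11 or later, so newer than the 2006 thread) and a Fedora Core style `/sbin/service iptables save`; setting DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): idempotently block or unblock outbound
# traffic for one UID with the long option names recommended above.
# Assumes iptables >= 1.4.11 for --check; "service iptables save" is the
# Fedora Core persistence command from the reply above.
# Usage (as root): sh block-uid.sh 502   Preview: DRY_RUN=1 sh block-uid.sh 502

IPTABLES=${IPTABLES:-iptables}

# Execute a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Refuse anything that is not a plain numeric UID.
valid_uid() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# Match and target part of the rule. REJECT rather than DROP so the local
# process gets an immediate error instead of waiting for a timeout.
uid_rule() {
    echo "--match owner --uid-owner $1 --jump REJECT --reject-with icmp-port-unreachable"
}

# True when this exact rule is already in OUTPUT (always false under DRY_RUN).
rule_present() {
    [ -z "${DRY_RUN:-}" ] && "$IPTABLES" --check OUTPUT $(uid_rule "$1") 2>/dev/null
}

block_uid_outbound() {
    valid_uid "$1" || { echo "usage: block_uid_outbound <numeric uid>" >&2; return 2; }
    if rule_present "$1"; then echo "rule for uid $1 already present" >&2; return 0; fi
    run "$IPTABLES" --append OUTPUT $(uid_rule "$1")
}

# --delete only works on a rule that exists ("Bad rule ..." otherwise), so check first.
unblock_uid_outbound() {
    valid_uid "$1" || { echo "usage: unblock_uid_outbound <numeric uid>" >&2; return 2; }
    if [ -z "${DRY_RUN:-}" ] && ! rule_present "$1"; then
        echo "no rule for uid $1, nothing to delete" >&2; return 0
    fi
    run "$IPTABLES" --delete OUTPUT $(uid_rule "$1")
}

# Persist the running rule set so the init script restores it at boot.
save_rules() { run /sbin/service iptables save; }

if [ "$#" -gt 0 ]; then block_uid_outbound "$1" && save_rules; fi
```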
