This might be a stupid question...
Olaf Zaplinski
o.zaplinski@broadnet-mediascape.de
Fri, 15 Mar 2002 15:52:14 +0100
Ted Fines wrote:
> The OUTPUT chain only deals with packets originating from the firewall
> itself. Your rule is fine, but you want to add it to the FORWARD chain
> instead, which deals with packets going to/from your network to/from the
> Internet:
> iptables -A FORWARD -o ppp0 -d 63.211.210.20 -j DROP
Wouldn't this be better, assuming that it's only http traffic to block?
iptables -A FORWARD -p tcp -o ppp0 -d 63.211.210.20 --dport 80 -j REJECT --reject-with tcp-reset
With DROP, the client tries several times to connect and then times out.
With reject, he feels as if 63.211.210.20's http server was down and gives
up immediately.
Olaf
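The following script is an added example written for this archive page; it is not code from Olaf, Ted or the list. It generalizes the rule above into a small generator for FORWARD-chain egress blocks: TCP destinations get REJECT with a TCP reset so clients fail fast, while other protocols fall back to DROP, because iptables only accepts --reject-with tcp-reset together with -p tcp. The interface name (WAN_IF, defaulting to ppp0), the 192.0.2.x addresses and the sample blocklist are constructed placeholders; the script only prints the commands unless APPLY=1 is set and it runs as root.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread): build iptables
# FORWARD-chain rules that block outbound traffic to a list of destination
# hosts and ports. TCP rules reject with a RST so clients give up at once
# instead of retrying until they time out; other protocols are dropped,
# since --reject-with tcp-reset is only valid with -p tcp.
# Assumptions: WAN_IF and the sample list are placeholders; nothing is
# applied unless APPLY=1 and the script runs with root privileges.

WAN_IF="${WAN_IF:-ppp0}"

# Return 0 if $1 is a dotted-quad IPv4 address with every octet <= 255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rule for one "proto dst port" triple, or fail on bad input.
block_rule() {
    proto="$1"; dst="$2"; port="$3"
    valid_ipv4 "$dst" || { echo "bad address: $dst" >&2; return 1; }
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    if [ "$proto" = tcp ]; then
        echo "iptables -A FORWARD -p tcp -o $WAN_IF -d $dst --dport $port -j REJECT --reject-with tcp-reset"
    else
        echo "iptables -A FORWARD -p $proto -o $WAN_IF -d $dst --dport $port -j DROP"
    fi
}

# Constructed sample blocklist: one "proto dst port" entry per line.
# 63.211.210.20 is the address from the thread; 192.0.2.x are documentation addresses.
SAMPLE_LIST='tcp 63.211.210.20 80
tcp 192.0.2.10 443
udp 192.0.2.11 53'

# Print every generated rule, or execute it when APPLY=1.
apply_or_print() {
    echo "$SAMPLE_LIST" | while read -r proto dst port; do
        [ -n "$proto" ] || continue
        rule=$(block_rule "$proto" "$dst" "$port") || continue
        if [ "${APPLY:-0}" = 1 ]; then
            sh -c "$rule"
        else
            echo "$rule"
        fi
    done
}

apply_or_print
```

Running it without APPLY=1 prints the three rules for review; invalid addresses or ports are reported on stderr and skipped rather than turned into a malformed rule.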