From: Barry Fawthrop
Subject: filtering ruleset help sought
Date: Mon, 15 Aug 2005 16:27:25 -0400
Message-ID: <4300FAAD.4060305@ttienterprises.org>
To: netfilter@lists.netfilter.org

Hi

I was given an iptables ruleset (that I think was generated by Firestarter). I don't have a GUI, nor do I want one, so I have no means to test it. It runs on a gateway machine: ETH0 = WAN and ETH1 = LAN NICs.

I'm looking for a simple ruleset that will deny all outgoing traffic except to a list of IP addresses found in a file, and only on port 80 for HTTP access only.

I have this:

    # Per-host ACCEPT rules must be appended before the catch-all DROPs:
    # iptables matches top-down, so ACCEPTs appended after a DROP never fire.
    # --dport is only valid together with -p tcp (or -p udp); without it
    # iptables rejects the rule, which is the "--dport" complaint.
    while read s1 s2
    do
        $IPT -t filter -A INPUT  -p tcp -s $INNET -d $s1 --dport 80 -j ACCEPT
        $IPT -t filter -A OUTPUT -p tcp -s $INNET -d $s1 --dport 80 -j ACCEPT
        $IPT -t filter -A OUTPUT -p icmp -s $INNET -d $s1 -j ACCEPT
    done < /allowed-hosts
    # Catch-all DROPs go last. Note that traffic from LAN hosts passing
    # through the gateway traverses FORWARD, not INPUT/OUTPUT, so these
    # rules do not affect pings from the LAN.
    $IPT -t filter -A INPUT -s $INNET -d 0/0 -j DROP
    $IPT -t filter -A OUTPUT -s $INNET -d 0/0 -j DROP
    $IPT -t filter -A OUTPUT -p icmp -s $INNET -d 0/0 -j DROP

1) It doesn't work; it complains about --dport.
2) I can still ping other IP addresses not found in the allowed-hosts file?

Any help, most welcome.

Thank you
Barry
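The following is an added example, not Barry's ruleset and not something from the netfilter project: a gateway script that does what the message asks for (LAN hosts may only open TCP/80 to the hosts listed in a file; everything else from the LAN is dropped). It assumes eth0 is the WAN NIC, eth1 the LAN NIC, the LAN subnet in INNET, and one IP address per line in /allowed-hosts (the IPT, WAN, LAN, INNET and ALLOWED_HOSTS variables are this example's own names). Two points it fixes relative to the posted rules: LAN-originated traffic that is routed through the gateway is matched in the FORWARD chain, not INPUT or OUTPUT (which is why pings from the LAN still went through), and --dport only parses after -p tcp. Setting IPT=echo prints the rules instead of loading them, which is how to check the generated ruleset on a box with no GUI before applying it.

```shell
#!/bin/sh
# Added example: egress filtering for a two-NIC gateway. Not Barry's script.
# Assumed layout: WAN=eth0, LAN=eth1, LAN subnet in INNET, allowed hosts
# one IP per line in ALLOWED_HOSTS. IPT=echo gives a dry run.

# Print one destination per line from the allowed-hosts file: strip comments,
# CRs and surrounding whitespace, skip blank lines, keep only the first field.
allowed_hosts() {
    sed -e 's/#.*//' -e 's/\r$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | awk 'NF { print $1 }'
}

# Build (and, unless IPT=echo, load) the FORWARD ruleset.
apply_rules() {
    ipt="${IPT:-iptables}"
    wan="${WAN:-eth0}"
    lan="${LAN:-eth1}"
    innet="${INNET:-192.168.1.0/24}"
    hosts="${ALLOWED_HOSTS:-/allowed-hosts}"

    # Start clean and make DROP the default for routed traffic, so nothing
    # depends on getting a trailing catch-all DROP rule in the right place.
    $ipt -t filter -F FORWARD
    $ipt -t filter -P FORWARD DROP

    # Replies for connections the LAN opened (the only WAN->LAN traffic needed).
    $ipt -t filter -A FORWARD -i "$wan" -o "$lan" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Per allowed host: new TCP/80 connections and ICMP from the LAN.
    # --dport is a tcp/udp match option, so -p tcp must come first.
    allowed_hosts "$hosts" | while read -r host; do
        $ipt -t filter -A FORWARD -i "$lan" -o "$wan" -p tcp -s "$innet" \
            -d "$host" --dport 80 -m state --state NEW -j ACCEPT
        $ipt -t filter -A FORWARD -i "$lan" -o "$wan" -p icmp -s "$innet" \
            -d "$host" -j ACCEPT
    done

    # Log whatever the LAN sends that was not accepted; the chain policy drops it.
    $ipt -t filter -A FORWARD -i "$lan" -o "$wan" -j LOG --log-prefix "FWD-DROP: "
}

# Usage (as root):  ./gateway-rules.sh        or, to inspect first:  IPT=echo ./gateway-rules.sh
# Only run when executed directly, so the functions can be sourced elsewhere.
case "$0" in
    *gateway-rules.sh) apply_rules ;;
esac
```

Two caveats that follow from the policy itself: the file must hold IP addresses, because no DNS is permitted through the gateway (iptables would resolve a hostname once, at load time, and never again), and the gateway's own traffic is governed by INPUT and OUTPUT, which this script deliberately leaves alone.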