From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Jerry A. Applebaum"
Subject: Block outbound host to specific port using Masq./NAT?
Date: Mon, 3 Jan 2005 16:45:13 -0500
Message-ID: <6e5e6e1050103134562ae614d@mail.gmail.com>
Reply-To: jaa@squarepants.net
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: netfilter-bounces@lists.netfilter.org
Errors-To: netfilter-bounces@lists.netfilter.org
Content-Type: text/plain; charset="us-ascii"
To: netfilter@lists.netfilter.org

Hello - this is probably a dumb question.... I'm using iptables for my home network (DSL) and I have masquerading, some port forwarding, etc., etc., and everything works great... EXCEPT... I have a situation where I occasionally want to block outbound traffic from a certain host inside to a certain destination IP and/or port. For example, I'd like to block one host from within my network from using Instant Messenger but still allow web surfing. I've been able to dynamically block ALL outbound access to the internet, but I'm unable to restrict access to certain destination ports.

So this works:

iptables -A INPUT -s 10.1.1.10 -j DROP
iptables -A OUTPUT -d 10.1.1.10 -j DROP
iptables -A FORWARD -d 10.1.1.10 -j DROP

And I thought I could do something like this:

iptables -A OUTPUT -s 10.1.1.10 -p tcp -m tcp --dport 5190 -j DROP
iptables -A FORWARD -d 10.1.1.10 -p tcp -m tcp --dport 5190 -j DROP

.... but it has no effect. I've tried different combinations of "-d and -s" and "--dport and --sport" just to see if I was doing something backwards.... no dice.

I was wondering if I needed to set up some kind of pre- or post-routing because of the masquerading?

Any help would be appreciated. Thanks!

-- 
Jerry A.
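The following is an added example, not part of Jerry's post or any reply on the list. It shows where such a per-host, per-port block has to live on a masquerading router and why the rules in the post do not match anything: the OUTPUT chain only sees packets the router itself generates, so traffic from a LAN host to the Internet traverses FORWARD; the outbound packet has the LAN host as its source and the service port as its destination, so the FORWARD match needs `-s 10.1.1.10 --dport 5190` rather than `-d 10.1.1.10`; the filter FORWARD hook runs before nat POSTROUTING, so the source is still the private address when the rule is evaluated; and `-A` appends behind whatever ACCEPT rules a masquerading setup already has in FORWARD, so a DROP appended that way is never reached. The values 10.1.1.10 and TCP 5190 are taken from the post; the script name `block_im.sh`, the function names, the `DRY_RUN` switch and the destination address 192.0.2.10 in the usage note are my own assumptions. (`-m tcp` is implied by `-p tcp`, so it is omitted.)

```shell
#!/bin/sh
# Added example, not from the original post. Hypothetical helper script.
# Assumes this runs on the masquerading router, that the LAN host is 10.1.1.10
# and the service is AIM on TCP 5190 (both from the post). Run as root to apply;
# set DRY_RUN=1 to print the iptables commands instead of executing them.

# ipt: thin wrapper so the rules can be previewed without root (DRY_RUN=1).
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# block_host_port LAN_HOST TCP_PORT
# FORWARD, not OUTPUT: OUTPUT only sees packets the router itself generates.
# -s and --dport: the outbound packet has the LAN host as source and the
# service port as destination. Dropping that SYN is enough; no reply-direction
# rule is needed because the connection never opens.
# Source is still the LAN address here: filter FORWARD runs before nat
# POSTROUTING, where MASQUERADE rewrites it to the DSL address.
# -I ... 1 instead of -A: -A appends after the ACCEPT rules most masquerading
# setups already have (LAN -> any, or ESTABLISHED,RELATED), so an appended DROP
# never sees a packet. Position 1 also catches already-open sessions.
block_host_port() {
    ipt -I FORWARD 1 -s "$1" -p tcp --dport "$2" -j DROP
}

# unblock_host_port LAN_HOST TCP_PORT: delete the rule by repeating its match.
unblock_host_port() {
    ipt -D FORWARD -s "$1" -p tcp --dport "$2" -j DROP
}

# block_host_dest LAN_HOST DEST_IP: same idea for a whole destination address
# (any protocol), for the "certain destination IP" case in the post.
block_host_dest() {
    ipt -I FORWARD 1 -s "$1" -d "$2" -j DROP
}

# show_forward: FORWARD with rule numbers and packet counters. A rule whose
# counters stay at zero while the client keeps connecting is in the wrong
# chain, has -s/-d or --sport/--dport backwards, or sits below an ACCEPT.
show_forward() {
    ipt -L FORWARD -n -v --line-numbers
}

# Dispatch: sh block_im.sh block_host_port 10.1.1.10 5190
# With no arguments the script only defines the functions (safe to source).
case "${1:-}" in
    block_host_port|unblock_host_port|block_host_dest|show_forward) "$@" ;;
    "") ;;
    *) echo "usage: $0 {block_host_port|unblock_host_port|block_host_dest|show_forward} ARGS" >&2 ;;
esac
```

Usage: `sh block_im.sh block_host_port 10.1.1.10 5190` installs the block, `sh block_im.sh show_forward` confirms it sits at position 1 and that its packet counter climbs when the client retries, and `sh block_im.sh unblock_host_port 10.1.1.10 5190` removes it again. `DRY_RUN=1 sh block_im.sh block_host_dest 10.1.1.10 192.0.2.10` prints the command without touching the firewall. The same outbound packet is also what the existing port-forwarding and MASQUERADE rules see later in nat POSTROUTING, so no extra PREROUTING or POSTROUTING rule is needed for the block.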