
Re: iptables rule to drop from sources that are -nat postrouting from the outside to inside



On Fri, May 30, 2003 at 09:20:19AM +0200, Filippi Marco wrote:

[snip]

> > > how can they be dropped?
> >
> > not sure, but I think that it'll work when you specify the outside
> > interface... For example: if you want to drop the http requests from
> > w.x.y.z then your rule should look like:
> >
> > iptables -A FORWARD -i <your external interface> -s w.x.y.z -p tcp --dport 80 -j DROP
> >
> 
> Hemmmm ... could it be that the "pass to web server" rule comes before the
> "drop that address" one?
> 
> As far as I know rules are considered in order; the first that matches is
> applied no matter if there are some more rules that could match.

You are perfectly right, the rules are processed in order, but because of the
-s w.x.y.z option, this rule will only apply to the traffic coming from host
w.x.y.z on your external interface and with destination port 80. So hosts other
than w.x.y.z should not have any trouble connecting to the web server, even if
this rule comes before the "pass to web server" rule...

Kristof

-- 
Digital fingerprint: F56F F987 0E0C AFF8 0B6D  7CA1 F152 E07D 72AF 337B
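The first-match behaviour described in this reply, as an added illustration that is not part of the original thread: a small simulator of the FORWARD chain with the per-host DROP placed before the general ACCEPT. Interface and address values (eth0, 203.0.113.5, 192.168.1.10, 198.51.100.7) are constructed stand-ins for the external interface, w.x.y.z, the web server and some other client.

```python
from dataclasses import dataclass
from typing import Optional

EXT_IF = "eth0"              # stands in for "<your external interface>"
BAD_HOST = "203.0.113.5"     # stands in for w.x.y.z (constructed, TEST-NET-3)
WEB_SERVER = "192.168.1.10"  # constructed internal web server address

@dataclass
class Rule:
    target: str                   # -j
    in_if: Optional[str] = None   # -i
    src: Optional[str] = None     # -s
    dst: Optional[str] = None     # -d
    proto: Optional[str] = None   # -p
    dport: Optional[int] = None   # --dport

    def matches(self, pkt: dict) -> bool:
        # Every field given on the rule must match; omitted fields are wildcards.
        return all(
            want is None or pkt.get(key) == want
            for key, want in (("in_if", self.in_if), ("src", self.src),
                              ("dst", self.dst), ("proto", self.proto),
                              ("dport", self.dport))
        )

# Chain in the order the poster worried about: the per-host DROP sits
# before the "pass to web server" ACCEPT.
FORWARD = [
    Rule("DROP", in_if=EXT_IF, src=BAD_HOST, proto="tcp", dport=80),
    Rule("ACCEPT", in_if=EXT_IF, dst=WEB_SERVER, proto="tcp", dport=80),
]
POLICY = "DROP"  # chain policy, used when no rule matches

def verdict(chain, pkt, policy=POLICY) -> str:
    """First matching rule wins; later rules are never consulted."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

def http_from(src: str, in_if: str = EXT_IF, dport: int = 80) -> dict:
    return {"in_if": in_if, "src": src, "dst": WEB_SERVER, "proto": "tcp", "dport": dport}

if __name__ == "__main__":
    print(verdict(FORWARD, http_from(BAD_HOST)))              # DROP
    print(verdict(FORWARD, http_from("198.51.100.7")))        # ACCEPT
    print(verdict(FORWARD, http_from(BAD_HOST, dport=443)))   # DROP (policy)
    print(verdict(list(reversed(FORWARD)), http_from(BAD_HOST)))  # ACCEPT: shadowed
```

The last line shows the case the poster feared: with the ACCEPT first, the DROP for w.x.y.z is never reached, so the narrow rule must come first.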
