Mailinglist Archive: opensuse (4570 mails)

[Jon Clausen <jon@xxxxxxx>]

On Fri, 04 Nov, 2005 at 11:03:09 -0800, Ben Rosenberg wrote:

> orson:~ # iptables -A OUTPUT -p TCP -i eth2 -d !
> 10.0.0.0/8<http://10.0.0.0/8>--dport 23 -j DROP
> iptables v1.2.8: Can't use -i with OUTPUT
> 
> I wandered through the man page and I thought that the " -i " might need to
> be " -o " instead but that didn't work either.

I think you might want to --insert rather than --append your rule to the
OUTPUT chain.

jon@a13:~> telnet 10.0.0.1
Trying 10.0.0.1...
telnet: connect to address 10.0.0.1: Connection refused

If I;
`iptables -A OUTPUT -p tcp -d 10.0.0.0/8 --dport 23 -j DROP`

I still get;
jon@a13:~> telnet 10.0.0.1
Trying 10.0.0.1...
telnet: connect to address 10.0.0.1: Connection refused

But if I;

`iptables -I OUTPUT -p tcp -d 10.0.0.0/8 --dport 23 -j DROP`

I get;
jon@a13:~> telnet 10.0.0.1
Trying 10.0.0.1...


Try this;

`iptables -I OUTPUT -p tcp -o eth2 -d ! 10.0.0.0/8 --dport 23 -j DROP`

HTH
/Jon
-- 
YMMV