On 11/4/05, Ian Marlier <ian.marlier@studentuniverse.com> wrote:
I'm trying to write some iptables rules so that I can let someone telnet to machines on a 10.0.0.0 network but not allow them to telnet anywhere else, effectively blocking outbound telnet to ANYTHING except the machines on the 10.0.0.0 network. I thought I had it but I guess I don't. The rules are as follows...
```
# allow outgoing telnet traffic
/usr/sbin/iptables -A FORWARD -p TCP -i eth2 -d 10.0.0.0/8 --dport 23 -j ACCEPT
# block all other outgoing telnet traffic
/usr/sbin/iptables -A FORWARD -p TCP -i eth2 -d 0/0 --dport 23 -j DROP
```
This machine is a Compaq DL760 with 2 dual port 10/100 cards in it and eth2 is the first port on card 2.
Right idea, but I think what you're actually looking for is the OUTPUT chain...could be wrong on that, though.
Regardless: the default policy for the base iptables chains is ACCEPT, so I'd narrow it down to a single rule by doing:
`iptables -A OUTPUT -p TCP -i eth2 -d ! 10.0.0.0/8 --dport 23 -j DROP`
(If that doesn't work, then I was wrong about the output chain, and so try it with the FORWARD chain instead.)
Well, I get this error when using the rule you posted.
```
orson:~ # iptables -A OUTPUT -p TCP -i eth2 -d ! 10.0.0.0/8 --dport 23 -j DROP
iptables v1.2.8: Can't use -i with OUTPUT
```
I wandered through the man page and I thought that the " -i " might need to be " -o " instead, but that didn't work either. I'm not that good with iptables because 99% of the time I use ipfw under Solaris and the syntax is much different and quite a bit more simple. If you or anyone who reads this has ideas, I'm open to them.

-Ben
--
Atheism is a non-prophet organization.
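An added example, not part of the thread: a small first-match simulation of an iptables chain, used to check what the two rule sets discussed above actually decide for sample packets. Ben's pair of FORWARD rules and Ian's single negated rule are modelled as posted (Ian's placed in FORWARD, since the thread's error output shows `-i` is rejected in OUTPUT); the `Rule`, `verdict` and `pkt` helpers and the sample addresses are this example's own constructions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    """One iptables rule: unset fields match anything; dst may start with '!'."""
    proto: Optional[str] = None       # e.g. "tcp"
    in_iface: Optional[str] = None    # -i <iface>
    dst: Optional[str] = None         # -d CIDR, or "! CIDR" to negate
    dport: Optional[int] = None       # --dport
    target: str = "ACCEPT"

    def matches(self, packet: dict) -> bool:
        if self.proto and packet["proto"] != self.proto:
            return False
        if self.in_iface and packet["in"] != self.in_iface:
            return False
        if self.dport is not None and packet["dport"] != self.dport:
            return False
        if self.dst:
            negate = self.dst.startswith("!")
            net = ipaddress.ip_network(self.dst.lstrip("! "), strict=False)
            in_net = ipaddress.ip_address(packet["dst"]) in net
            if in_net == negate:       # hit a negated net, or missed a plain one
                return False
        return True

def verdict(chain: list, packet: dict, policy: str = "ACCEPT") -> str:
    """The first matching rule decides, as iptables does; else the chain policy."""
    for rule in chain:
        if rule.matches(packet):
            return rule.target
    return policy

# Ben's two rules from the thread, in the order they were appended.
BEN_FORWARD = [
    Rule("tcp", "eth2", "10.0.0.0/8", 23, "ACCEPT"),
    Rule("tcp", "eth2", "0.0.0.0/0", 23, "DROP"),
]
# Ian's single rule with a negated destination, modelled in FORWARD.
IAN_FORWARD = [Rule("tcp", "eth2", "! 10.0.0.0/8", 23, "DROP")]

def pkt(dst: str, dport: int = 23, proto: str = "tcp", in_iface: str = "eth2") -> dict:
    """Constructed sample packet (addresses are documentation examples, not real hosts)."""
    return {"dst": dst, "dport": dport, "proto": proto, "in": in_iface}
```

Both chains give the same verdicts for telnet packets arriving on eth2; note that a telnet packet entering on any other interface matches neither rule set and falls through to the ACCEPT policy.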