On Fri, 04 Nov, 2005 at 11:03:09 -0800, Ben Rosenberg wrote:
> orson:~ # iptables -A OUTPUT -p TCP -i eth2 -d ! 10.0.0.0/8 --dport 23 -j DROP
> iptables v1.2.8: Can't use -i with OUTPUT
>
> I wandered through the man page and I thought that the " -i " might need to be " -o " instead but that didn't work either.
I think you might want to --insert rather than --append your rule to the OUTPUT chain.

jon@a13:~> telnet 10.0.0.1
Trying 10.0.0.1...
telnet: connect to address 10.0.0.1: Connection refused

If I;

  `iptables -A OUTPUT -p tcp -d 10.0.0.0/8 --dport 23 -j DROP`

I still get;

jon@a13:~> telnet 10.0.0.1
Trying 10.0.0.1...
telnet: connect to address 10.0.0.1: Connection refused

But if I;

  `iptables -I OUTPUT -p tcp -d 10.0.0.0/8 --dport 23 -j DROP`

I get;

jon@a13:~> telnet 10.0.0.1
Trying 10.0.0.1...

Try this;

  `iptables -I OUTPUT -p tcp -o eth2 -d ! 10.0.0.0/8 --dport 23 -j DROP`

HTH
/Jon
--
YMMV
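Why -A and -I behave differently here comes down to first-match evaluation: an appended DROP sits behind whatever ACCEPT rule already matched the telnet packet. The following toy model of that evaluation is an added example, not code from the thread; the pre-existing catch-all ACCEPT rule, the packet and the interface names are constructed assumptions.

```python
# Added example (not from the thread): toy model of netfilter chain evaluation,
# first matching rule wins, otherwise the chain policy applies. The pre-existing
# ACCEPT rule, the packet and the interface names are constructed assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    target: str                      # ACCEPT or DROP
    proto: Optional[str] = None      # -p tcp
    out_iface: Optional[str] = None  # -o eth2 (OUTPUT has no input interface, so no -i)
    dst: Optional[str] = None        # -d 10.0.0.0/8
    dst_negate: bool = False         # -d ! 10.0.0.0/8
    dport: Optional[int] = None      # --dport 23

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.out_iface is not None and pkt["out_iface"] != self.out_iface:
            return False
        if self.dst is not None:
            in_net = ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
            if in_net == self.dst_negate:  # "!" flips the sense of the match
                return False
        return self.dport is None or pkt["dport"] == self.dport

class Chain:
    def __init__(self, policy: str = "ACCEPT") -> None:
        self.rules: List[Rule] = []
        self.policy = policy

    def add(self, rule: Rule, flag: str) -> None:
        if flag == "-A":               # -A appends to the end of the chain
            self.rules.append(rule)
        else:                          # -I inserts at position 1, the top
            self.rules.insert(0, rule)

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:        # first match wins
            if rule.matches(pkt):
                return rule.target
        return self.policy

def telnet_verdict(flag: str, rule: Rule, dst: str = "10.0.0.1", iface: str = "eth2") -> str:
    # Verdict for an outbound telnet SYN once `rule` is added with -A or -I.
    chain = Chain()
    chain.add(Rule("ACCEPT", proto="tcp"), "-A")  # constructed earlier catch-all ACCEPT
    chain.add(rule, flag)
    return chain.verdict({"proto": "tcp", "dst": dst, "dport": 23, "out_iface": iface})
```

Run `iptables -L OUTPUT -n --line-numbers` on a real host to see the same ordering the model is built around.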