Yes, you just have to specifically name that website - by IP address, network
address, or hostname. Note that rules are added to the table in the order they
are given (if using the -A append option). A packet traverses each rule in a
chain until it finds a rule it matches. So make sure if you want to
specifically drop a host, do it before any ACCEPT rules, or else an ACCEPT rule
may let packets thru that you don't want. It's always a good idea to flush your
rules to give yourself a clean slate and then add the rules you want in the
sequence that they should be traversed.

-Jeremy

> -----Original Message-----
> From: Advancewarning [mailto:advancewarning@swbell.net]
> Sent: Friday, December 20, 2002 11:38 AM
> To: Jeremy Fowler; KCLUG
> Subject: Re: IPTABLES is driving me crazy!!! :P
>
>
> So if by default I drop everything and allow web in, is there a way I
> can just drop a certain website?
>
>
> Mike
> ----- Original Message -----
> From: "Jeremy Fowler"
> To: "Advancewarning" ; "KCLUG"
> Sent: Friday, December 20, 2002 10:49 AM
> Subject: RE: IPTABLES is driving me crazy!!! :P
>
>
> > When you set a chain's policy to DROP, all packets are dropped, unless you
> > add a specific rule to accept those certain types of packets. So if you
> > want Internet access, you have to accept those types of packets -
> > specifically outgoing TCP packets with a destination port of 80 - and then
> > add a rule for the state engine to accept the incoming reply packets.
> >
> > So
> >
> > # Drop *all* packets going across the FORWARD chain
> > iptables -P FORWARD DROP
> > # Except for RELATED and ESTABLISHED packets
> > iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> > # Except for NEW TCP packets with destination port 80
> > iptables -A FORWARD -m state --state NEW -p tcp --dport 80 -j ACCEPT
> >
> > Then just continue to add rules that accept only the types of packets you
> > want thru. This may sound extremely complex at first, and it is. It just
> > takes time to understand the syntax, structure, and meaning of each rule.
> > Remember, firewall rules are both an art and a science. Getting proficient
> > and getting the rules right just takes time. Read the HOWTOs on
> > netfilter.org, search Google for sample iptables firewall scripts (some
> > people call them rc.firewall), and experiment. Remember this should be fun,
> > so take your time.
> >
> >
> > -----Original Message-----
> > From: owner-kclug@marauder.illiana.net
> > [mailto:owner-kclug@marauder.illiana.net] On Behalf Of Advancewarning
> > Sent: Thursday, December 19, 2002 11:09 PM
> > To: KCLUG
> > Subject: IPTABLES is driving me crazy!!! :P
> >
> >
> > First things first, I want to set up all the policies so that by default
> > they DROP. I did that.
> >
> > For some reason as soon as I set FORWARD to DROP I no longer have
> > INTERNET!
> >
> > If I leave it as ACCEPT it works.
> >
> > Another thing is how do I get Apache to work? The only way it will is if I
> > set all the policies to ACCEPT.
> >
> > Also if I set OUTPUT to DROP I lose SSH capability.
> >
> > This is what I have set in order for it to work. Is there something I am
> > missing here in order for all these to be set to DROP to work properly?
> >
> >
> > Chain INPUT (policy DROP)
> > target     prot opt source               destination
> > LOG        all  --  anywhere             anywhere            LOG level warning
> > ACCEPT     all  --  muldersworld         advancewarning.net
> >
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> > ACCEPT     all  --  anywhere             anywhere
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> >
> > Thanks!
> > Mike
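The thread's advice pulled together into one script, added here as an example (it is not from Jeremy's or Mike's mail): flush first, default-DROP policies on all three chains, state rules for replies on each chain (the reason OUTPUT DROP alone broke SSH), the specific host dropped before any ACCEPT rule, then the outbound web and inbound Apache/SSH accepts. The interface name and the three addresses are assumed placeholders, and the script only loads rules into the kernel when run with the argument `apply`.

```shell
#!/bin/sh
# Added example (not from the thread): a stateful default-DROP rule set in the
# order Jeremy describes. Interface, blocked host and SSH source are constructed.
IPT=${IPT:-iptables}                      # set IPT=echo to print rules instead of loading them
LAN_IF=${LAN_IF:-eth1}                    # assumed inside interface whose clients get forwarded
BLOCKED_HOST=${BLOCKED_HOST:-192.0.2.10}  # assumed website to drop (documentation address)
SSH_FROM=${SSH_FROM:-203.0.113.5}         # assumed admin host allowed to SSH in

firewall_rules() {
    # 1. Clean slate: flush, so the order below is the order packets traverse.
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -F OUTPUT
    # 2. Default policies: nothing passes unless a later rule accepts it.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    # 3. Loopback and reply packets on every chain. OUTPUT needs this too,
    #    which is why OUTPUT DROP alone killed Mike's SSH sessions.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT   -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # 4. The specific DROP goes *before* any ACCEPT that could match it.
    $IPT -A FORWARD -d "$BLOCKED_HOST" -j DROP
    $IPT -A OUTPUT  -d "$BLOCKED_HOST" -j DROP
    # 5. New outbound web connections, from the firewall and from the LAN.
    $IPT -A OUTPUT  -m state --state NEW -p tcp --dport 80 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -m state --state NEW -p tcp --dport 80 -j ACCEPT
    # 6. Services on the firewall itself: Apache to anyone, SSH from one host.
    $IPT -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -m state --state NEW -p tcp -s "$SSH_FROM" --dport 22 -j ACCEPT
    # 7. Log whatever is left before the INPUT policy drops it.
    $IPT -A INPUT -j LOG --log-prefix "INPUT-DROP: "
}

# Dry-run check of the ordering rule: succeeds (exit 0) only when the DROP for
# BLOCKED_HOST is emitted before the first FORWARD ACCEPT for port 80.
drop_precedes_accept() {
    rules=$(IPT=echo; firewall_rules)
    drop_at=$(printf '%s\n' "$rules" | grep -n -- "FORWARD -d $BLOCKED_HOST -j DROP" | cut -d: -f1)
    accept_at=$(printf '%s\n' "$rules" | grep -n -- "FORWARD .*--dport 80 -j ACCEPT" | head -n 1 | cut -d: -f1)
    [ -n "$drop_at" ] && [ -n "$accept_at" ] && [ "$drop_at" -lt "$accept_at" ]
}

# Only touch the live tables when explicitly asked: ./firewall.sh apply
if [ "${1:-}" = apply ]; then firewall_rules; fi
```

Running `IPT=echo sh firewall.sh apply` prints the rules in traversal order without touching the kernel tables, which is a quick way to eyeball the ordering before loading it for real.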