Ted Fines wrote:
> The OUTPUT chain only deals with packets originating from the firewall
> itself. Your rule is fine, but you want to add it to the FORWARD chain
> instead, which deals with packets going to/from your network to/from the
> Internet:
> iptables -A FORWARD -o ppp0 -d 63.211.210.20 -j DROP
Wouldn't this be better, assuming that it's only http traffic to block?

iptables -A FORWARD -p tcp -o ppp0 -d 63.211.210.20 --dport 80 -j REJECT --reject-with tcp-reset

With DROP, the client tries several times to connect and then times out. With reject, he feels as if 63.211.210.20's http server was down and gives up immediately.

Olaf
