
Is this the correct line for a block outgoing iptables firewall script?

Discussion in 'Tomato Firmware' started by Sunspark, Dec 30, 2007.

  1. Sunspark

    Sunspark LI Guru Member

    They were talking about how Adobe is phoning home to some fake Overture spyware server.

    Someone said:
    "block from any to"

    Ok, so I thought to myself let's twiddle. So lazyweb, without even looking at the iptables man page, just various web pages, is this correct?:

    iptables -A OUTPUT -d -j DROP
  2. u3gyxap

    u3gyxap Network Guru Member

    iptables -I FORWARD -d -j DROP
  3. Sunspark

    Sunspark LI Guru Member

    Ok I'm curious about something here.. (I did more reading and will state what I learned so others can learn too.. please correct any errors..)

    -A means append at end of table of rules
    -I means insert.. usually with a #.. w/ no # is rule 1 at the top of the set

    OUTPUT is for packets going out from router processes only
    FORWARD is for packets to be forwarded across the router

    DROP is reject w/o answer (pretend network problems, routine may try again)
    REJECT is reject w/ icmp answer (gets response that its call was understood)

    So I am in agreement with your correction. Thanks! I am wondering if you think reject (the idea being more transparent) is better than drop for 'phone home' programs as so:

    iptables -I FORWARD -d -j REJECT --reject-with icmp-port-unreachable
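The chain and target distinctions laid out above (FORWARD for LAN clients vs OUTPUT for the router's own processes, DROP vs REJECT, -I to put a rule at the top) can be put together into a small firewall-script helper. This is an added example, not code from the thread or from Tomato itself; the destination 192.0.2.10 is a constructed placeholder (TEST-NET-1) standing in for the address the thread omits, and the "phonehome:" log prefix and `IPT` dry-run variable are this example's own conventions. It blocks the destination in both chains and inserts a LOG rule in front of the blocking rule, so attempts to reach the address show up in the router's syslog instead of disappearing silently.

```shell
# Added example (not from the thread or Tomato): block one destination IP for
# LAN clients (FORWARD) and for the router itself (OUTPUT), logging first.
# 192.0.2.10 is a constructed placeholder address.
# Set IPT=echo to dry-run and just print the rules that would be applied.

IPT="${IPT:-iptables}"

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255, else 1.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|"") return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit the rules for one destination.
#   $1 = destination IP, $2 = DROP (default) or REJECT
# DROP leaves the caller hanging; REJECT answers with an ICMP error so the
# client fails fast (and thereby learns the network is reachable).
block_dest() {
    ip=$1
    action=${2:-DROP}
    valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    case "$action" in
        DROP)   target="DROP" ;;
        REJECT) target="REJECT --reject-with icmp-port-unreachable" ;;
        *)      echo "action must be DROP or REJECT" >&2; return 1 ;;
    esac
    for chain in FORWARD OUTPUT; do
        # -I with no position inserts at the top, ahead of the ACCEPT rules the
        # firmware already installed. Insert the blocking rule first, then the
        # LOG rule, so LOG ends up at position 1 and the block at position 2
        # (a terminating rule above LOG would mean nothing ever gets logged).
        $IPT -I "$chain" -d "$ip" -j $target
        $IPT -I "$chain" -d "$ip" -j LOG --log-prefix "phonehome:" --log-level 4
    done
}

# Usage in a firewall script:
#   block_dest 192.0.2.10 DROP
# Dry run from a shell:
#   IPT=echo; block_dest 192.0.2.10 REJECT
```

With `IPT=echo` the function prints the four rule lines instead of applying them, which is a handy way to review a script before pasting it into the router's firewall-script box. The LOG rule is the defender's half of the picture: once the block is in place, a periodic `grep phonehome: /var/log/messages` (or wherever the firmware writes syslog) tells you which LAN host keeps trying to reach the address.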
  4. u3gyxap

    u3gyxap Network Guru Member

    If you use REJECT instead of DROP, the software will know that there is an internet connection available to you.
