Hi,

> please post the output of "iptables -vnL". We're talking about users on
> that PC, not those using it as a gateway/router/bridge/whatever,
> correct?

YES

Output of iptables -nvL is:

# iptables -nvL
Chain INPUT (policy ACCEPT 24 packets, 1440 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15 packets, 900 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           OWNER UID match 0
    9   540 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

TnR
Hiren

On 3/28/06, Hans-Werner Hilse wrote:
>
> Hi,
>
> On Tue, 28 Mar 2006 19:44:07 +0530 "Hiren Dave"
> wrote:
>
> > I did this:
> > [...]
> > #iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT
> > #iptables -A OUTPUT -j DROP
> > [...]
> > Still other users including root can ping other PCs. Why is this not
> > working?
>
> please post the output of "iptables -vnL". We're talking about users on
> that PC, not those using it as a gateway/router/bridge/whatever,
> correct?
>
> > Also I have some difficulties understanding Connection Tracking (NEW,
> > ESTABLISHED, RELATED, INVALID) concept.
>
> Those are protocol dependent. I really think that those are well
> described even in iptables man page. Basically, you'll want sth like
> this:
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> and maybe the same for FORWARD. Of course, for FORWARD, you'll want to
> match NEW,ESTABLISHED,RELATED for outgoing connections (well, or even
> don't impose any restrictions for outgoing connections).
>
> > Any practical guide available on internet for iptables???
>
> Lots. That "practical" depends on the problem faced which you didn't
> describe at all. So del.icio.us would be my first hint, Google follows:
>
> http://del.icio.us/tag/netfilter
> http://www.google.com/search?q=netfilter
>
> (note that the concept is usually referred to as "netfilter")
>
> -hwh
> --
> gentoo-user@gentoo.org mailing list
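The thread turns on reading the `iptables -nvL` counters: the owner-match ACCEPT rule has matched nothing, the catch-all DROP has eaten 9 packets, and the OUTPUT policy still shows 15 packets even though a catch-all DROP should leave nothing for the policy to count. The script below is an added example, not code from the thread or from the netfilter project; it parses the listing pasted above (embedded here as constructed input) into chains and rules and draws exactly those conclusions from the counters. It assumes the listing was produced without `-x`, so counters are plain integers (large counters would carry K/M/G suffixes, which this parser does not handle).

```python
import re
from dataclasses import dataclass, field

# Constructed input: the `iptables -nvL` listing pasted earlier in this thread.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 24 packets, 1440 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15 packets, 900 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           OWNER UID match 0
    9   540 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""


@dataclass
class Rule:
    pkts: int
    nbytes: int
    target: str
    proto: str
    extra: str          # match text after the fixed columns, e.g. "OWNER UID match 0"


@dataclass
class Chain:
    name: str
    policy: str         # builtin chains have a policy; user chains get "-"
    policy_pkts: int    # packets that fell through to the policy
    rules: list = field(default_factory=list)


# "Chain OUTPUT (policy ACCEPT 15 packets, 900 bytes)"
BUILTIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)")
# "Chain myChain (2 references)"
USERCHAIN_RE = re.compile(r"^Chain (\S+) \(\d+ references\)")
# pkts bytes target prot opt in out source destination [extra match text]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)


def parse_listing(text):
    """Turn `iptables -nvL` output (without -x) into {chain name: Chain}."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = BUILTIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2), int(m.group(3)))
            chains[current.name] = current
            continue
        m = USERCHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), "-", 0)
            chains[current.name] = current
            continue
        stripped = line.strip()
        if current is None or not stripped or stripped.startswith("pkts"):
            continue                      # blank line or column header
        m = RULE_RE.match(line)
        if m:
            current.rules.append(
                Rule(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4), m.group(10).strip())
            )
    return chains


def audit_output_chain(chains):
    """Summarise what the OUTPUT counters say about an owner-match lockdown."""
    result = {"has_catch_all_drop": False, "owner_rule_hits": 0,
              "dropped_pkts": 0, "policy_pkts": 0, "notes": []}
    out = chains.get("OUTPUT")
    if out is None:
        result["notes"].append("no OUTPUT chain in listing")
        return result
    result["policy_pkts"] = out.policy_pkts
    for r in out.rules:
        if r.extra.startswith("OWNER"):
            result["owner_rule_hits"] += r.pkts
            if r.pkts == 0:
                result["notes"].append(f"owner rule '{r.extra}' -> {r.target} has matched nothing yet")
        if r.target == "DROP":
            result["dropped_pkts"] += r.pkts
            if r.proto == "all" and not r.extra:
                result["has_catch_all_drop"] = True
    if result["has_catch_all_drop"] and out.policy_pkts > 0:
        # Nothing can reach the policy past a catch-all DROP, so these packets
        # predate the rule; zero the counters (iptables -Z) before retesting.
        result["notes"].append(
            f"policy {out.policy} counted {out.policy_pkts} packets that predate the catch-all DROP"
        )
    return result


if __name__ == "__main__":
    for note in audit_output_chain(parse_listing(SAMPLE_LISTING))["notes"]:
        print(note)
```

Run against a live box with `iptables -nvL | python3 this_script.py` adapted to read stdin; the point of the audit is that counters only describe what happened since they were last zeroed, so a quick `iptables -Z OUTPUT` followed by one ping from each user gives a clean answer to "which rule saw the packets".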