Recipe 2.9 Blocking Outgoing Access to All Web Servers on a Network

2.9.1 Problem

You want to prevent outgoing access to a network, e.g., all web servers at

2.9.2 Solution

Figure out how to specify the network in CIDR notation, e.g., , and reject web access:

For iptables:

# iptables -A OUTPUT -p tcp -d --dport www -j REJECT

For ipchains:

# ipchains -A output -p tcp -d --dport www -j REJECT

2.9.3 Discussion

Here the network is specified using Classless InterDomain Routing (CIDR) mask format, a.b.c.d/N, where N is the number of leading bits in the netmask. In this case N=24, so the first 24 bits are the network portion of the address, and the rule matches every address that shares them (all 256 addresses of the /24, network and broadcast addresses included). Two things to keep in mind: --dport www is the symbolic name for port 80 taken from /etc/services, so a web server listening on another port (HTTPS on 443, for instance) is not covered unless you add a rule for that port; and the OUTPUT (ipchains: output) chain sees only traffic that originates on this host, so to block web access from other machines that route through this one, put the equivalent rule in the FORWARD (forward) chain instead.
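The following Python is an added example, not code from the book or from the iptables or ipchains projects. It makes the two mechanisms of this recipe concrete: the CIDR match (first N bits must agree) that a -d a.b.c.d/N rule performs, and the way a hostname given to iptables or ipchains is expanded into one rule per address at definition time, with a check against iptables-save output of the kind the discussion of hostnames recommends. Every address, hostname and the iptables-save dump are constructed for the example (192.0.2.0/24 and 203.0.113.0/24 are documentation ranges, www.example.test is a made-up name resolved from an in-memory table rather than DNS), and port 80 is written numerically instead of as the service name www.

```python
import ipaddress

# Constructed stand-in for DNS (documentation addresses, not real hosts).
# The point is that a lookup happens once, when the rule is written.
CONSTRUCTED_DNS = {
    "www.example.test": ["203.0.113.10", "203.0.113.11", "203.0.113.12"],
}

def cidr_matches(addr, cidr):
    """True if addr is inside a.b.c.d/N: the leading N bits must agree.

    Done with explicit bit arithmetic rather than ipaddress.ip_network so the
    rule the recipe states (first N bits are the network part) is visible."""
    net_str, _, prefix = cidr.partition("/")
    n = int(prefix) if prefix else 32            # bare address == /32
    if not 0 <= n <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF  # N one-bits, then zeros
    net = int(ipaddress.IPv4Address(net_str))
    host = int(ipaddress.IPv4Address(addr))
    return (host & mask) == (net & mask)

def resolve(name, dns=CONSTRUCTED_DNS):
    """Stand-in for the lookup iptables/ipchains perform when given a name."""
    if name not in dns:
        raise LookupError(f"cannot resolve {name}")
    return list(dns[name])

def reject_web_rules(target, tool="iptables", dns=CONSTRUCTED_DNS):
    """Rules that reject outgoing web traffic to target.

    A CIDR block or bare address is used verbatim; a hostname is resolved
    now and expanded to one rule per address, which is what the firewall
    tools do themselves. Port 80 is written numerically rather than as the
    /etc/services name 'www'."""
    chain = {"iptables": "OUTPUT", "ipchains": "output"}[tool]
    try:
        ipaddress.ip_network(target, strict=False)
        dests = [target]
    except ValueError:                           # not an address: a name
        dests = resolve(target, dns)
    return [f"{tool} -A {chain} -p tcp -d {d} --dport 80 -j REJECT"
            for d in dests]

# Constructed iptables-save output: what two hostname-derived rules look like
# once stored in the kernel (only /32 addresses survive, never the name).
CONSTRUCTED_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 203.0.113.10/32 -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 203.0.113.11/32 -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

def saved_destinations(save_text, chain="OUTPUT"):
    """Destination networks of every '-A <chain>' rule in iptables-save output
    (ipchains-save uses a different format and is not parsed here)."""
    nets = []
    for line in save_text.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "-A" or tok[1] != chain or "-d" not in tok:
            continue
        i = tok.index("-d")
        if i > 0 and tok[i - 1] == "!":          # '! -d x' is a negated match
            continue
        nets.append(ipaddress.ip_network(tok[i + 1], strict=False))
    return nets

def unblocked_addresses(name, save_text, dns=CONSTRUCTED_DNS):
    """Addresses name resolves to now that no saved OUTPUT rule covers.

    Non-empty means the rules frozen from the name have drifted from DNS
    (or the lookup at rule-writing time returned something else), so the
    rule set should be regenerated and re-checked."""
    covered = saved_destinations(save_text)
    return [a for a in resolve(name, dns)
            if not any(ipaddress.ip_address(a) in net for net in covered)]

if __name__ == "__main__":
    for rule in reject_web_rules("192.0.2.0/24") + reject_web_rules("www.example.test"):
        print(rule)
    print("not yet blocked:", unblocked_addresses("www.example.test", CONSTRUCTED_SAVE))
```

Run as a script it prints the single CIDR rule, the three per-address rules the name expands to, and 203.0.113.12 as the address the constructed saved rule set no longer covers. To use the check against a real system, feed the actual iptables-save output to unblocked_addresses in place of CONSTRUCTED_SAVE and replace the in-memory table with a real lookup; anything it returns is an address the live rules would let through.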

You can supply hostnames instead of IP addresses in your firewall rules. If DNS reports multiple IP addresses for that hostname, iptables or ipchains creates a separate rule for each address. For example, has (at this writing) 11 IP addresses:

$ host is an alias for has address has address

So you could block access to Yahoo, for example, and view the results by:

# iptables -A OUTPUT -d -j REJECT
# iptables -L OUTPUT

# ipchains -A output -d -j REJECT
# ipchains -L output

Security experts recommend that you use only IP addresses in your rules, not hostnames, since an attacker who can poison your DNS could make a hostname-based rule resolve to the wrong addresses. The exposure is narrower than it first appears, though: the hostname matters only at the moment you run iptables or ipchains to define the rule. The program looks up the underlying IP addresses immediately and stores those in the rule; the kernel never sees the name. So you could conceivably use hostnames for convenience when defining your rules, then check the results (via the output of iptables-save or ipchains-save [Recipe 2.19]) to confirm that the stored IP addresses are the ones you expect. Two caveats remain: a lookup that was poisoned at definition time yields a wrong rule that stays wrong, and a rule frozen from a name silently falls out of date when the site's addresses change (as they do for large sites such as Yahoo), so rules derived from hostnames should be regenerated and re-checked periodically.

2.9.4 See Also

iptables(8), ipchains(8).
