[luv-main] iptables to block inbound connections by UID

ejabberd likes to listen on multiple TCP ports and bind to 0.0.0.0. I can't stop it from binding because then it can't do its own IPC, but I don't want to expose it to the world. Below is the script that I am currently using; the result of this is that the client that connects to one of the undesired ports just gets no response. I can't use -mowner in an INPUT chain. Is there any way I can convert a SYN/ACK to a RST on the way out?

iptables -F OUTPUT
iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
iptables -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
# limit ejabberd
iptables -A OUTPUT -p tcp --sport 5222 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 5269 -j ACCEPT
iptables -A OUTPUT -p tcp -m owner --uid-owner 203 -j REJECT --reject-with tcp-reset

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
participants (1)
-
Russell Coker