[CentOS] Help with iptables rule for blocking UDP port 53
rgm at htt-consult.com
Tue Jul 15 16:34:29 UTC 2008
Sean Carolan wrote:
> I would like to block all DNS queries that come from one particular ip
> address. I used TCPdump to verify that the queries were in fact,
> coming from this IP:
> [scarolan at server:~]$ sudo tcpdump -n udp port 53 and src 10.100.1.1
> tcpdump: listening on eth0
> 11:12:17.162100 10.100.1.1.19233 > 10.100.1.61.domain: 14270+ A?
> server.domain.com. (32) (DF)
Looks to me that you have a larger problem. Is this an rfc1918 address
coming from the outside? You should be blocking ALL rfc1918 addresses
from the Internet, as they are by definition an attack.
If this is from an internal source, go to that source and figure out
what it is doing.
rfc1918 defines PRIVATE ipv4 addresses. These are not routed over the
Internet. A packet with a source address in 'Net1' will never route out
back to the sender. It is intended to attack (in some way) the destination.
> Could someone help with the proper syntax for an IPtables rule to
> block port 53 udp traffic from this IP? I tried this rule but it
> doesn't work:
> -A RH-Firewall-1-INPUT -s 10.100.1.1 -m udp -p udp --dport 53 -j REJECT
> CentOS mailing list
> CentOS at centos.org
More information about the CentOS