Sean Carolan wrote:
I'm attempting to block access to port 53 from internet hosts for an internal server. This device is behind a gateway router so all traffic appears to come from source ip 10.100.1.1. Here are my (non-working) iptables rules:
-A RH-Firewall-1-INPUT -s 10.100.1.1 -m tcp -p tcp --dport 53 -j REJECT -A RH-Firewall-1-INPUT -s 10.100.1.1 -m udp -p udp --dport 53 -j REJECT
Further down the ruleset I have these rules to allow traffic from everyone else. If these rules are removed then nobody can make queries, because of the final default REJECT rule.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
I have used tcpdump and confirmed that packets are in fact still coming across from internet hosts. What am I doing wrong?
[scarolan@host:~]$ sudo tcpdump -n udp port 53 | grep 10.100.1.1 tcpdump: listening on eth0 14:46:40.539995 10.100.1.1.60793 > 10.100.1.61.domain: 62011+ A? server.domain.com. (32) (DF)
Are you running tcpdump on the same machine that is doing the filtering? You do realize that tcpdump sees the packets as they come from the interface and before they are passed to the filter rules, right?
Does the count field from "iptables -vnL RH-Firewall-1-INPUT" show your REJECT rules being hit?