Sean Carolan wrote:
I would like to block all DNS queries that come from one particular ip address. I used TCPdump to verify that the queries were in fact, coming from this IP:
[scarolan@server:~]$ sudo tcpdump -n udp port 53 and src 10.100.1.1 tcpdump: listening on eth0 11:12:17.162100 10.100.1.1.19233 > 10.100.1.61.domain: 14270+ A? server.domain.com. (32) (DF)
Looks to me that you have a larger problem. Is this an rfc1918 address coming from the outside? You should be blocking ALL rfc1918 addresses from the Internet, as they are by definition an attack.
If this is from an internal source, go to that source and figure out what it is doing.
rfc1918 defines PRIVATE ipv4 addresses. These are not routed over the Internet. A packet with a source address in 'Net1' will never route out back to the sender. It is intended to attack (in some way) the destination.
Could someone help with the proper syntax for an IPtables rule to block port 53 udp traffic from this IP? I tried this rule but it doesn't work:
-A RH-Firewall-1-INPUT -s 10.100.1.1 -m udp -p udp --dport 53 -j REJECT _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos