[CentOS] Iptables not blocking UDP port 53

Sean Carolan scarolan at gmail.com
Thu Jul 10 19:51:35 UTC 2008

I'm attempting to block access to port 53 from internet hosts for an
internal server.  This device is behind a gateway router so all
traffic appears to come from source ip  Here are my
(non-working) iptables rules:

-A RH-Firewall-1-INPUT -s -m tcp -p tcp --dport 53 -j REJECT
-A RH-Firewall-1-INPUT -s -m udp -p udp --dport 53 -j REJECT

Further down the ruleset I have these rules to allow traffic from
everyone else.  If these rules are removed then nobody can make
queries, because of the final default REJECT rule.

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT

I have used tcpdump and confirmed that packets are in fact still
coming across from internet hosts.  What am I doing wrong?

[scarolan at host:~]$ sudo tcpdump -n udp port 53 | grep
tcpdump: listening on eth0
14:46:40.539995 >  62011+ A?
server.domain.com. (32) (DF)
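An added example, not from Sean's post or from CentOS: a small first-match evaluator for an iptables chain, so the effect of rule order can be checked offline without a kernel. The chain below is constructed to mirror the quoted rules; 192.0.2.1 stands in for the gateway address the post leaves out, and the ESTABLISHED,RELATED accept line is an assumption (the post only mentions the final REJECT). Only the matches the posted rules use (-s, -p, --dport, -m state --state) are modelled.

```python
"""First-match walk over an iptables-style chain (added example, not from the post)."""
import ipaddress
import shlex

GATEWAY = "192.0.2.1"  # assumption: placeholder for the elided gateway source IP

# Constructed ruleset modelled on the posted RH-Firewall-1-INPUT chain.
# The ESTABLISHED,RELATED line is assumed; the post does not show it.
CHAIN = [
    f"-A RH-Firewall-1-INPUT -s {GATEWAY} -m tcp -p tcp --dport 53 -j REJECT",
    f"-A RH-Firewall-1-INPUT -s {GATEWAY} -m udp -p udp --dport 53 -j REJECT",
    "-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT",
    "-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT",
    "-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited",
]


def parse_rule(line):
    """Turn one iptables-save style line into a dict of match criteria."""
    toks = shlex.split(line)
    rule = {"src": None, "proto": None, "dport": None, "states": None, "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-s":
            rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
        elif t == "-p":
            rule["proto"] = toks[i + 1]
        elif t == "--dport":
            rule["dport"] = int(toks[i + 1])
        elif t == "--state":
            rule["states"] = set(toks[i + 1].split(","))
        elif t == "-j":
            rule["target"] = toks[i + 1]
        elif t in ("-A", "-m", "--reject-with"):
            pass  # chain name, match module name, reject type: not needed for matching
        else:
            raise ValueError(f"unsupported token {t!r} in {line!r}")
        i += 2  # every modelled option takes exactly one argument
    return rule


def matches(rule, pkt):
    """True if every criterion the rule specifies is satisfied by the packet."""
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    if rule["states"] is not None and pkt["state"] not in rule["states"]:
        return False
    return True


def first_match(chain, pkt):
    """Return (rule index, target) of the first rule that matches, or (None, 'POLICY')."""
    for idx, line in enumerate(chain):
        rule = parse_rule(line)
        if matches(rule, pkt):
            return idx, rule["target"]
    return None, "POLICY"


if __name__ == "__main__":
    # Constructed packet: a new UDP/53 query arriving from the gateway address.
    query = {"src": GATEWAY, "proto": "udp", "dport": 53, "state": "NEW"}
    print("posted order:", first_match(CHAIN, query))
    # Same rules with the two REJECTs moved below the ACCEPTs: first match wins,
    # so the identical query is now accepted and the REJECT lines never fire.
    reordered = CHAIN[2:5] + CHAIN[0:2] + CHAIN[5:]
    print("REJECTs after ACCEPTs:", first_match(reordered, query))
```

On the live box the equivalent question is answered by the per-rule counters: iptables -L RH-Firewall-1-INPUT -v -n --line-numbers shows, for each rule in chain order, how many packets it has matched, so a REJECT line whose counter stays at zero while the later ACCEPT line climbs is being reached by nothing.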

