[CentOS] Re: Iptables not blocking UDP port 53
Robert Nichols
rnicholsNOSPAM at comcast.net
Fri Jul 11 04:05:04 UTC 2008
Sean Carolan wrote:
>> Does the count field from "iptables -vnL RH-Firewall-1-INPUT" show
>> your REJECT rules being hit?
>
> Yes, the rule gets hit and it returns an answer to the DNS query
> anyway. I saw it increment from 10 to 11 when I ran the query:
>
> 11 692 REJECT udp -- * * 10.100.1.1 0.0.0.0/0 udp dpt:53 reject-with icmp-port-unreachable
I seriously doubt that the response came from this machine since
the packet that hit that rule died right there. Does the machine
that sent the request have a secondary DNS server configured?
The REJECT response would have resulted in an immediate query to
the next server.
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
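A small check of the hypothesis above, added here as an example and not part of the thread: it compares the REJECT rule's packet counter from two `iptables -vnL` captures and reads the `;; SERVER:` line of the client's `dig` output to see which nameserver actually answered. The iptables and dig outputs below are constructed samples modelled on the quoted counter line, and 10.100.1.53 is a placeholder for the firewalled DNS server's address.

```shell
#!/bin/sh
# Constructed sample: counter output before and after the client's query.
IPTABLES_BEFORE='Chain RH-Firewall-1-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   10   615 REJECT     udp  --  *      *       10.100.1.1           0.0.0.0/0           udp dpt:53 reject-with icmp-port-unreachable'
IPTABLES_AFTER='Chain RH-Firewall-1-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   11   692 REJECT     udp  --  *      *       10.100.1.1           0.0.0.0/0           udp dpt:53 reject-with icmp-port-unreachable'
# Constructed sample: dig output as seen on the client 10.100.1.1.
DIG_OUT=';; ANSWER SECTION:
example.com.		3600	IN	A	192.0.2.10

;; Query time: 2 msec
;; SERVER: 10.100.1.2#53(10.100.1.2)'

# reject_hits CHAIN_OUTPUT PORT -> pkts column of the REJECT rule for udp dpt:PORT
reject_hits() {
    printf '%s\n' "$1" |
        awk -v port="$2" '$3 == "REJECT" && $4 == "udp" && $0 ~ ("dpt:" port) { print $1; exit }'
}

# answering_server DIG_OUTPUT -> address of the server that answered the query
answering_server() {
    printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'
}

# diagnose BEFORE AFTER DIG_OUTPUT FIREWALLED_IP -> one-word verdict
diagnose() {
    before=$(reject_hits "$1" 53)
    after=$(reject_hits "$2" 53)
    srv=$(answering_server "$3")
    if [ "$srv" = "$4" ]; then
        echo "answered-by-firewalled-server"      # rule is not matching this traffic
    elif [ "$after" -gt "$before" ]; then
        echo "failover:$srv"                       # rejected here, secondary answered
    else
        echo "rule-not-hit:$srv"                   # query never reached this rule
    fi
}

diagnose "$IPTABLES_BEFORE" "$IPTABLES_AFTER" "$DIG_OUT" 10.100.1.53
```

Run `dig @<firewalled-server> example.com` from the client as well: with the rule in place that query should fail immediately with a port-unreachable error rather than return an answer.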