[CentOS] Help with iptables rule for blocking UDP port 53

Robert Moskowitz rgm at htt-consult.com
Tue Jul 15 16:34:29 UTC 2008

Sean Carolan wrote:
> I would like to block all DNS queries that come from one particular ip
> address.  I used TCPdump to verify that the queries were in fact,
> coming from this IP:
> [scarolan at server:~]$ sudo tcpdump -n udp port 53 and src
> tcpdump: listening on eth0
> 11:12:17.162100 >  14270+ A?
> server.domain.com. (32) (DF)

Looks to me that you have a larger problem. Is this an rfc1918 address 
coming from the outside? You should be blocking ALL rfc1918 addresses 
from the Internet, as they are by definition an attack.

If this is from an internal source, go to that source and figure out 
what it is doing.

rfc1918 defines PRIVATE ipv4 addresses. These are not routed over the 
Internet. A packet with a source address in 'Net1' will never route out 
back to the sender. It is intended to attack (in some way) the destination.

> Could someone help with the proper syntax for an IPtables rule to
> block port 53 udp traffic from this IP?  I tried this rule but it
> doesn't work:
> -A RH-Firewall-1-INPUT -s -m udp -p udp --dport 53 -j REJECT
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

More information about the CentOS mailing list