[CentOS] Re: Iptables not blocking UDP port 53

Thu Jul 10 20:51:53 UTC 2008
Sean Carolan <scarolan at gmail.com>

> Are you running tcpdump on the same machine that is doing the filtering?
> You do realize that tcpdump sees the packets as they come from the
> interface and before they are passed to the filter rules, right?

I had forgotten this important piece of information.  Thank you for
pointing this out.  The packets still seem to be getting through to
the BIND daemon, however, because I can still query the box from the
Internet.

> Does the count field from "iptables -vnL RH-Firewall-1-INPUT" show
> your REJECT rules being hit?

Yes, the rule gets hit and it returns an answer to the DNS query
anyway.  I saw it increment from 10 to 11 when I ran the query:

11   692 REJECT     udp  --  *      *       10.100.1.1           0.0.0.0/0          udp dpt:53 reject-with icmp-port-unreachable
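The counter check suggested in the quoted reply, as an added example that is not part of the original thread: a shell function that diffs two `iptables -vnL` snapshots taken around a test query and lists every rule whose packet counter grew, in the order the chain evaluates them. The chain contents below are constructed sample output modelled on the REJECT line above, not the poster's actual ruleset.

```shell
#!/bin/sh
# Which rules in a chain were hit during a test query?  Snapshot
# `iptables -vnL <chain>` before and after the query and diff the pkts column.
# BEFORE/AFTER are constructed sample snapshots (not from the poster's host).

BEFORE='Chain RH-Firewall-1-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  900 81000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   42  3120 ACCEPT     udp  --  *      *       192.168.0.0/16       0.0.0.0/0           udp dpt:53
   10   630 REJECT     udp  --  *      *       10.100.1.1           0.0.0.0/0           udp dpt:53 reject-with icmp-port-unreachable'

AFTER='Chain RH-Firewall-1-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  903 81270 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   42  3120 ACCEPT     udp  --  *      *       192.168.0.0/16       0.0.0.0/0           udp dpt:53
   11   692 REJECT     udp  --  *      *       10.100.1.1           0.0.0.0/0           udp dpt:53 reject-with icmp-port-unreachable'

# counter_delta BEFORE AFTER
# Prints one line per rule whose packet counter grew: the rule position (as
# `iptables -vnL --line-numbers` reports it), the increase, and the rule text.
# Output is in chain order, which is the order netfilter evaluates the rules.
counter_delta() {
    { printf '%s\n' "$1"; printf '%s\n' '---SNAPSHOT---'; printf '%s\n' "$2"; } | awk '
        /^Chain / || /^ *pkts/ { next }            # skip chain banner and column header
        $1 == "---SNAPSHOT---" { snap++; n = 0; next }
        NF == 0 { next }
        {
            n++
            if (snap == 0) { pkts[n] = $1; next }  # first snapshot: remember counts
            delta = $1 - pkts[n]
            if (delta > 0) {
                rule = ""
                for (i = 3; i <= NF; i++) rule = rule " " $i
                printf "%d +%d%s\n", n, delta, rule
            }
        }'
}

# Live use on the filtering host itself (needs root):
#   iptables -vnL RH-Firewall-1-INPUT > /tmp/before
#   (run the test query against this host from the other side of the filter)
#   iptables -vnL RH-Firewall-1-INPUT > /tmp/after
#   counter_delta "$(cat /tmp/before)" "$(cat /tmp/after)"
counter_delta "$BEFORE" "$AFTER"
```

Netfilter stops at the first rule that matches and gives a verdict, so when more than one rule grew during the test, the earliest one in the list is the one that decided the packet's fate.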