Incidentally, a different OS has a newer version of iptables, 1.4.18-1.1ubuntu1, but still works the old way, where SRC still matches SRC,DST.

On Wed, Dec 10, 2014 at 2:03 AM, Rob Townley <rob.townley at gmail.com> wrote:

> Appears the iptables update 1.4.7-14 which came with CentOS6 r6 is the
> most likely culprit.
>
> The solution for now is:
> delete ',dst' from the iptables INPUT chain
> delete 'src,' from the iptables OUTPUT chain.
>
> On Mon, Dec 8, 2014 at 5:39 PM, Rob Townley <rob.townley at gmail.com> wrote:
>
>> I created an ipset and added 8.8.8.8 to it and used the same iptables
>> working all summer long but
>> I can still ping 8.8.8.8 and do nslookup queries against it. ipset or
>> iptables is broken.
>> Anybody else rebooted since ipset-6.11-3.el6.i686 was installed and
>> actually tested that IP addresses that are supposed to be blacklisted are
>> actually blocked?
>>
>> Filed CentOS bug report 7977 <http://bugs.centos.org/view.php?id=7977>
>> this morning. ipset was working great most of the year until ipset 6.11.-3
>> CentOS bug 7977 <http://bugs.centos.org/view.php?id=7977>
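
The workaround quoted above, applied to a saved ruleset, as an added example that is not part of the original thread. It assumes rules in iptables-save format that match the set with `--match-set <name> src,dst`; the set name `blacklist` and the sample rules are constructed.

```shell
#!/bin/sh
# Added example: apply the thread's workaround to rules in iptables-save format.
# Assumption: affected rules use "--match-set <name> src,dst".

# Constructed sample; the set name "blacklist" is hypothetical.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m set --match-set blacklist src,dst -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -m set --match-set blacklist src,dst -j DROP
-A OUTPUT -m set --match-set blacklist src,dst -j DROP
COMMIT'

# Print the INPUT/OUTPUT rules (with line numbers) that the workaround would change.
list_affected() {
    grep -nE '^-A (INPUT|OUTPUT) .*--match-set [^ ]+ src,dst( |$)' || true
}

# Rewrite stdin: drop ",dst" on INPUT rules and "src," on OUTPUT rules.
# Other chains and rules without a set match pass through unchanged.
fix_set_flags() {
    sed -E \
        -e '/^-A INPUT /s/(--match-set [^ ]+ )src,dst( |$)/\1src\2/' \
        -e '/^-A OUTPUT /s/(--match-set [^ ]+ )src,dst( |$)/\1dst\2/'
}

echo "Rules the workaround changes:"
printf '%s\n' "$SAMPLE_RULES" | list_affected
echo "Rewritten ruleset:"
printf '%s\n' "$SAMPLE_RULES" | fix_set_flags
```

On a live host, feed the functions the output of `iptables-save`, review the rewritten rules before loading them with `iptables-restore`, then repeat the thread's check that a set member such as 8.8.8.8 no longer answers ping.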