Sean Carolan
2008-Jul-15 16:15 UTC
[CentOS] Help with iptables rule for blocking UDP port 53
I would like to block all DNS queries that come from one particular ip address. I used TCPdump to verify that the queries were in fact, coming from this IP:

[scarolan at server:~]$ sudo tcpdump -n udp port 53 and src 10.100.1.1
tcpdump: listening on eth0
11:12:17.162100 10.100.1.1.19233 > 10.100.1.61.domain: 14270+ A? server.domain.com. (32) (DF)

Could someone help with the proper syntax for an IPtables rule to block port 53 udp traffic from this IP? I tried this rule but it doesn't work:

-A RH-Firewall-1-INPUT -s 10.100.1.1 -m udp -p udp --dport 53 -j REJECT
Robert Moskowitz
2008-Jul-15 16:34 UTC
[CentOS] Help with iptables rule for blocking UDP port 53
Sean Carolan wrote:
> I would like to block all DNS queries that come from one particular ip
> address. I used TCPdump to verify that the queries were in fact,
> coming from this IP:
>
> [scarolan at server:~]$ sudo tcpdump -n udp port 53 and src 10.100.1.1
> tcpdump: listening on eth0
> 11:12:17.162100 10.100.1.1.19233 > 10.100.1.61.domain: 14270+ A?
> server.domain.com. (32) (DF)
>

Looks to me that you have a larger problem. Is this an rfc1918 address coming from the outside? You should be blocking ALL rfc1918 addresses from the Internet, as they are by definition an attack. If this is from an internal source, go to that source and figure out what it is doing.

rfc1918 defines PRIVATE ipv4 addresses. These are not routed over the Internet. A packet with a source address in 'Net1' will never route out back to the sender. It is intended to attack (in some way) the destination.

> Could someone help with the proper syntax for an IPtables rule to
> block port 53 udp traffic from this IP? I tried this rule but it
> doesn't work:
>
> -A RH-Firewall-1-INPUT -s 10.100.1.1 -m udp -p udp --dport 53 -j REJECT
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
Sean Carolan wrote:
> I would like to block all DNS queries that come from one particular ip
> address. I used TCPdump to verify that the queries were in fact,
> coming from this IP:
>
> [scarolan at server:~]$ sudo tcpdump -n udp port 53 and src 10.100.1.1
> tcpdump: listening on eth0
> 11:12:17.162100 10.100.1.1.19233 > 10.100.1.61.domain: 14270+ A?
> server.domain.com. (32) (DF)
>
> Could someone help with the proper syntax for an IPtables rule to
> block port 53 udp traffic from this IP? I tried this rule but it
> doesn't work:
>
> -A RH-Firewall-1-INPUT -s 10.100.1.1 -m udp -p udp --dport 53 -j REJECT
>

Strange... your rule seems ok to me. Try with DROP instead of REJECT?
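Added example, not written by any poster in this thread: a small first-match walk over iptables-save syntax that shows why the rule as posted is syntactically fine yet never fires when it is appended with -A. The RH-Firewall-1-INPUT chain in the script is a constructed approximation of what system-config-securitylevel generates on CentOS 5 with DNS and SSH opened; since 10.100.1.61 is answering the queries in the capture, the real chain must already hold an ACCEPT for udp/53 above any appended rule, and that is the assumption the example rests on. The packets are constructed from the tcpdump line in the first post; the simulator understands only the handful of match options that chain uses.

```python
"""First-match simulation of an iptables INPUT path (added example).

The chain text is a constructed approximation of a CentOS 5 RH-Firewall-1-INPUT
chain, not a capture from the poster's host."""
import ipaddress
import shlex
from collections import namedtuple

Verdict = namedtuple("Verdict", "target chain index")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed: roughly what system-config-securitylevel writes with DNS and SSH opened.
BASE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# The poster's match and target, without chain/position so it can be placed different ways.
BLOCK = "-s 10.100.1.1 -m udp -p udp --dport 53 -j REJECT"


def parse_rule(argv):
    """Turn rule arguments into match criteria plus target; unknown options raise."""
    rule = {"text": " ".join(argv)}
    i = 0
    while i < len(argv):
        opt, val = argv[i], argv[i + 1] if i + 1 < len(argv) else None
        if opt in ("-s", "-d"):
            rule[opt] = ipaddress.ip_network(val, strict=False)  # bare IP -> /32
        elif opt in ("-i", "-o", "-p", "-j"):
            rule[opt] = val
        elif opt in ("--dport", "--sport"):
            rule[opt] = int(val)
        elif opt == "--state":
            rule[opt] = set(val.split(","))
        elif opt in ("-m", "--icmp-type", "--reject-with"):
            pass  # module loads and target options add no criteria we model
        else:
            raise ValueError("unsupported option %r in %r" % (opt, rule["text"]))
        i += 2
    return rule


def add_rule(rs, line):
    """Apply one '-A CHAIN ...' or '-I CHAIN [n] ...' line the way iptables would."""
    argv = shlex.split(line)
    op, chain, rest = argv[0], argv[1], argv[2:]
    rules = rs["chains"][chain]
    if op == "-A":
        rules.append(parse_rule(rest))
    elif op == "-I":
        pos = 0
        if rest and rest[0].isdigit():  # optional 1-based rule number
            pos, rest = int(rest[0]) - 1, rest[1:]
        rules.insert(pos, parse_rule(rest))
    else:
        raise ValueError("unsupported command %r" % op)


def load(text):
    """Parse iptables-save text into chains (rule lists) and chain policies."""
    rs = {"chains": {}, "policies": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "*#" or line == "COMMIT":
            continue
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            rs["chains"][name] = []
            rs["policies"][name] = None if policy == "-" else policy
        else:
            add_rule(rs, line)
    return rs


def matches(rule, pkt):
    """True when every criterion present in the rule holds for the packet."""
    return not (
        ("-s" in rule and ipaddress.ip_address(pkt["src"]) not in rule["-s"])
        or ("-d" in rule and ipaddress.ip_address(pkt["dst"]) not in rule["-d"])
        or ("-i" in rule and rule["-i"] != pkt["iface"])
        or ("-p" in rule and rule["-p"] != pkt["proto"])
        or ("--dport" in rule and rule["--dport"] != pkt.get("dport"))
        or ("--sport" in rule and rule["--sport"] != pkt.get("sport"))
        or ("--state" in rule and pkt["state"] not in rule["--state"]))


def walk(rs, chain, pkt):
    """First-match traversal: the first terminal target reached decides the packet."""
    for idx, rule in enumerate(rs["chains"][chain], 1):
        if not matches(rule, pkt):
            continue
        target = rule.get("-j")
        if target in TERMINAL:
            return Verdict(target, chain, idx)
        if target in rs["chains"]:  # user chain: descend, fall through if it returns
            sub = walk(rs, target, pkt)
            if sub is not None:
                return sub
    policy = rs["policies"].get(chain)
    return Verdict(policy, chain, None) if policy else None


def verdict_after(rule_line, pkt):
    """Load the base chain, apply one rule line, and return the packet's fate."""
    rs = load(BASE_RULESET)
    add_rule(rs, rule_line)
    return walk(rs, "INPUT", pkt)


# Constructed packets modelled on the tcpdump line in the thread.  A resolver that
# keeps its socket sends later queries while conntrack still holds the UDP entry,
# so those arrive as ESTABLISHED rather than NEW.
NEW_QUERY = {"src": "10.100.1.1", "dst": "10.100.1.61", "iface": "eth0",
             "proto": "udp", "sport": 19233, "dport": 53, "state": "NEW"}
REPEAT_QUERY = dict(NEW_QUERY, state="ESTABLISHED")
OTHER_CLIENT = dict(NEW_QUERY, src="10.100.1.2")

if __name__ == "__main__":
    for placement in ("-A RH-Firewall-1-INPUT", "-I RH-Firewall-1-INPUT 4",
                      "-I RH-Firewall-1-INPUT"):
        line = placement + " " + BLOCK
        print("%-26s new=%s repeat=%s other=%s" % (
            placement, verdict_after(line, NEW_QUERY).target,
            verdict_after(line, REPEAT_QUERY).target,
            verdict_after(line, OTHER_CLIENT).target))
```

On the real host the equivalent check is `iptables -nvL RH-Firewall-1-INPUT --line-numbers`, which prints rule order and per-rule packet counters: a REJECT rule whose counters stay at zero while the udp/53 ACCEPT above it keeps climbing is the situation modelled here. The second placement in the script matters as well: a client that keeps the same source port (19233 in the capture) sends its later queries while conntrack still has a UDP entry for the first one, so they reach the chain as ESTABLISHED and the ESTABLISHED,RELATED ACCEPT lets them through if the block rule sits below it. Inserting at the top with `iptables -I RH-Firewall-1-INPUT -s 10.100.1.1 -p udp --dport 53 -j REJECT` (then `service iptables save` to persist it) avoids both problems; swapping REJECT for DROP changes nothing about whether the rule is reached.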