I'm attempting to block access to port 53 from internet hosts for an internal server. This device is behind a gateway router so all traffic appears to come from source ip 10.100.1.1. Here are my (non-working) iptables rules:

-A RH-Firewall-1-INPUT -s 10.100.1.1 -m tcp -p tcp --dport 53 -j REJECT
-A RH-Firewall-1-INPUT -s 10.100.1.1 -m udp -p udp --dport 53 -j REJECT

Further down the ruleset I have these rules to allow traffic from everyone else. If these rules are removed then nobody can make queries, because of the final default REJECT rule.

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT

I have used tcpdump and confirmed that packets are in fact still coming across from internet hosts. What am I doing wrong?

[scarolan at host:~]$ sudo tcpdump -n udp port 53 | grep 10.100.1.1
tcpdump: listening on eth0
14:46:40.539995 10.100.1.1.60793 > 10.100.1.61.domain: 62011+ A? server.domain.com. (32) (DF)
Sean Carolan wrote:
> I'm attempting to block access to port 53 from internet hosts for an
> internal server. This device is behind a gateway router so all
> traffic appears to come from source ip 10.100.1.1. Here are my
> (non-working) iptables rules:
>
> -A RH-Firewall-1-INPUT -s 10.100.1.1 -m tcp -p tcp --dport 53 -j REJECT
> -A RH-Firewall-1-INPUT -s 10.100.1.1 -m udp -p udp --dport 53 -j REJECT
>
> Further down the ruleset I have these rules to allow traffic from
> everyone else. If these rules are removed then nobody can make
> queries, because of the final default REJECT rule.
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
>
> I have used tcpdump and confirmed that packets are in fact still
> coming across from internet hosts. What am I doing wrong?
>
> [scarolan at host:~]$ sudo tcpdump -n udp port 53 | grep 10.100.1.1
> tcpdump: listening on eth0
> 14:46:40.539995 10.100.1.1.60793 > 10.100.1.61.domain: 62011+ A?
> server.domain.com. (32) (DF)

Are you running tcpdump on the same machine that is doing the filtering? You do realize that tcpdump sees the packets as they come from the interface and before they are passed to the filter rules, right?

Does the count field from "iptables -vnL RH-Firewall-1-INPUT" show your REJECT rules being hit?

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.
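To make the point about rule order and hit counters concrete, here is a small first-match chain evaluator (added example, not code from the thread) that walks the four rules quoted above exactly as netfilter would, against constructed packets: the gateway's query from the tcpdump line, a LAN client's query, and an unrelated SSH attempt. It ignores everything except the -s, -p, --dport, --state and -j options, and models the chain's final catch-all REJECT as a default.

```python
import ipaddress

# Rules copied from the post, in chain order; the final catch-all REJECT is DEFAULT.
RULES = [
    "-A RH-Firewall-1-INPUT -s 10.100.1.1 -m tcp -p tcp --dport 53 -j REJECT",
    "-A RH-Firewall-1-INPUT -s 10.100.1.1 -m udp -p udp --dport 53 -j REJECT",
    "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT",
    "-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT",
]
DEFAULT = "REJECT"

# Constructed packets: the gateway's query seen in tcpdump, a LAN client, an SSH attempt.
PACKETS = [
    {"src": "10.100.1.1", "proto": "udp", "dport": 53, "state": "NEW"},
    {"src": "10.100.1.50", "proto": "udp", "dport": 53, "state": "NEW"},
    {"src": "10.100.1.1", "proto": "tcp", "dport": 22, "state": "NEW"},
]

def parse_rule(line):
    """Pick out the matchers this toy evaluator understands from an iptables-save line."""
    tok = line.split()
    opt = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
    return {
        "src": ipaddress.ip_network(opt["-s"], strict=False) if "-s" in opt else None,
        "proto": opt.get("-p"),
        "dport": int(opt["--dport"]) if "--dport" in opt else None,
        "state": opt.get("--state"),
        "target": opt["-j"],
    }

def matches(rule, pkt):
    """A rule matches when every matcher it specifies agrees with the packet."""
    if rule["src"] and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    return all(rule[k] is None or rule[k] == pkt[k] for k in ("proto", "dport", "state"))

def walk_chain(rules, packets, default=DEFAULT):
    """First-match walk of the chain. Returns the verdict per packet and a per-rule
    hit counter, i.e. what the pkts column of `iptables -vnL` would show."""
    parsed = [parse_rule(r) for r in rules]
    counters = [0] * len(parsed)
    verdicts = []
    for pkt in packets:
        for i, rule in enumerate(parsed):
            if matches(rule, pkt):
                counters[i] += 1
                verdicts.append(rule["target"])
                break
        else:
            verdicts.append(default)
    return verdicts, counters
```

With the rules in the posted order the gateway's query hits the second REJECT; with the ACCEPT rules moved in front of the REJECT rules the REJECT counters stay at zero, which is what a zero pkts column in `iptables -vnL RH-Firewall-1-INPUT` would reveal.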
Sean Carolan wrote:
> I'm attempting to block access to port 53 from internet hosts for an
> internal server. This device is behind a gateway router so all
> traffic appears to come from source ip 10.100.1.1. Here are my
> (non-working) iptables rules:
>

If it is behind a gateway router, how is port 53 traffic getting from the internet to that DNS server in the first place.

Also ... IF you are PORT FORWARDING port 53 from the internet to the DNS server, then the SOURCE IP will not be the IP of the forwarding device, but the IP of the machine making the request.

If this device is really behind a firewall why are you even forwarding any traffic to it from port 53 in the first place?
On Fri, Jul 11, 2008 at 7:03 PM, Johnny Hughes <jhughes at hughesjr.com> wrote:
> Sean Carolan wrote:
>>
>> I'm attempting to block access to port 53 from internet hosts for an
>> internal server. This device is behind a gateway router so all
>> traffic appears to come from source ip 10.100.1.1. Here are my
>> (non-working) iptables rules:
>>
>
> If it is behind a gateway router, how is port 53 traffic getting from the
> internet to that DNS server in the first place.
>
> Also ... IF you are PORT FORWARDING port 53 from the internet to the DNS
> server, then the SOURCE IP will not be the IP of the forwarding device, but
> the IP of the machine making the request.
>
> If this device is really behind a firewall why are you even forwarding any
> traffic to it from port 53 in the first place?
>

Assuming a SOHO LinkSys firewall preferably with dd-wrt alternative firmware. Are you sure this DNS Server is not in the DMZ? Are you sure the port isn't opened under the UPnP section? It is conceivable that mDNS / AVAHI with a UPnP router automatically open this port on the firewall.