- 12-11-2005 #1
iptables question
I am running a small network at home: a box running Debian 3.1, a box running Windows XP, and the NAT/firewall box, also Debian 3.1.
I'm running bind9 on the NAT box to do DNS, and I've been trying to make a rule to stop the DNS server being seen from the internet.
On the NAT box the NICs are as follows:
internet eth1
windows box eth0
debian box eth2
My attempt to achieve this is this:
Code:
iptables -A INPUT -i eth1 -p tcp --dport 53 -j DROP
but nmap still says:
Code:
PORT STATE SERVICE
53/tcp open domain
What am I doing wrong, good people?
- 12-16-2005 #2
From where are you scanning the ports? The command you've issued blocks only connections coming from the internet. By the way, don't forget to block 53/udp as well; most queries are done using UDP.
- 12-17-2005 #3
I'm scanning from a friend's computer over the internet.
I'll add a rule for UDP later. Thanks for reminding me.
- 12-17-2005 #4
And in what order do you apply the rules? Try
Code:
iptables -I INPUT 1 -i eth1 -p tcp --dport 53 -j DROP
to make the rule apply first, before the others.
- 12-19-2005 #5
I would just do:
Code:
iptables -A INPUT -p tcp --dport 53 -j DROP
iptables -A INPUT -p udp --dport 53 -j DROP
That would block port 53 no matter where you're trying to connect from.
- 12-20-2005 #6
Originally Posted by serz
But I suppose that brother_nick would like to use DNS from the network behind, or not?
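Pulling the thread's three points together (block UDP as well as TCP from post #2, insert at position 1 from post #4, and keep the resolver reachable from the LAN interfaces, which is the worry post #6 raises about post #5's rules), here is an added example script that is not code from any of the posts. It reuses the interface names from the original post (eth1 internet, eth0 Windows box, eth2 Debian box); the pre-existing "accept port 53 from anywhere" rule it simulates is an assumption, put there to show why a DROP appended with `-A` never got a chance to match. With `DRY_RUN` set it only simulates the INPUT chain; without it, it runs the real iptables commands.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names are the ones in the
# original post (eth1 = internet, eth0 = Windows box, eth2 = Debian box).
# The "existing ACCEPT for port 53" rule is an assumption, included to show
# why the DROP appended with -A never matched. With DRY_RUN set the script
# only simulates the INPUT chain; without it, it runs real iptables as root.

WAN_IF="${WAN_IF:-eth1}"
LAN_IFS="${LAN_IFS:-eth0 eth2}"
CHAIN=""   # simulated INPUT chain, one rule per line, first rule first

# sim_insert K RULE: place RULE so that exactly K rules precede it.
sim_insert() {
    k=$1; shift
    if [ -z "$CHAIN" ]; then CHAIN="$*"; return; fi
    CHAIN=$(printf '%s\n' "$CHAIN" | awk -v k="$k" -v r="$*" '
        NR == k + 1 { print r } { print } END { if (NR <= k) print r }')
}

rule_count() {
    if [ -z "$CHAIN" ]; then echo 0; else printf '%s\n' "$CHAIN" | awk 'END { print NR }'; fi
}

first_rule() { printf '%s\n' "$CHAIN" | sed -n 1p; }

# Like "iptables -L INPUT --line-numbers": the number is the match order.
show_chain() { printf '%s\n' "$CHAIN" | awk '{ printf "%d  %s\n", NR, $0 }'; }

# ipt: run an iptables command, or record it in the simulated chain.
# Only "-A INPUT ..." and "-I INPUT <n> ..." are understood when simulating.
ipt() {
    if [ -z "${DRY_RUN:-}" ]; then iptables "$@"; return; fi
    case "$1" in
        -A) shift 2; sim_insert "$(rule_count)" "$*" ;;
        -I) shift 2; pos=$1; shift; sim_insert "$((pos - 1))" "$*" ;;
    esac
}

# Assumed to be on the box already (simulation only): bind was opened up
# for everyone when it was set up.
existing_rules() { ipt -A INPUT -p tcp --dport 53 -j ACCEPT; }

# What post #1 did: appended, so it sits behind the ACCEPT and never fires.
append_drop() { ipt -A INPUT -i "$WAN_IF" -p tcp --dport 53 -j DROP; }

# The fix: DROP both protocols on the internet interface at position 1
# (post #4 plus post #2), and ACCEPT only on the LAN interfaces so the
# resolver stays usable inside (post #6's concern about post #5's rules).
dns_rules() {
    ipt -I INPUT 1 -i "$WAN_IF" -p udp --dport 53 -j DROP
    ipt -I INPUT 1 -i "$WAN_IF" -p tcp --dport 53 -j DROP
    for lan in $LAN_IFS; do
        ipt -A INPUT -i "$lan" -p udp --dport 53 -j ACCEPT
        ipt -A INPUT -i "$lan" -p tcp --dport 53 -j ACCEPT
    done
}

simulate() {
    DRY_RUN=1
    CHAIN=""; existing_rules; append_drop
    echo "after -A, the first rule that sees eth1 traffic is still: $(first_rule)"
    CHAIN=""; existing_rules; dns_rules
    echo "after -I INPUT 1, the chain matches in this order:"; show_chain
}

case "${1:-}" in
    show)  simulate ;;
    apply) dns_rules ;;            # on the NAT box, as root
    *)     echo "usage: $0 show|apply" >&2 ;;
esac
```

`sh dns-rules.sh show` prints the simulated chain order; `apply` runs the rules for real on the NAT box. Check the result locally with `iptables -L INPUT -n -v --line-numbers` (the DROPs must be lines 1 and 2 and their packet counters should climb during the scan) and from outside with `nmap -sS -sU -p 53 <public address>` (`-sU` needs root), since the original scan was TCP only. As a second layer independent of the firewall, bind itself can be told to bind only the LAN addresses with the `listen-on` option in named.conf.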