  1. #1
    brother_mick (Just Joined!), Join Date: Jun 2005, Location: United Kingdom, Posts: 65

    iptables question


    I am running a small network at home: a box running Debian 3.1, a box running Windows XP, and the NAT/firewall box, also Debian 3.1.

    I'm running bind9 on the NAT box to do DNS, and I've been trying to make a rule to stop the DNS server being seen from the internet.

    On the NAT the nic cards are as follows :

    internet eth1
    windows box eth0
    debian box eth2

    My attempt to achieve this is this.

    Code:
    iptables -A INPUT -i eth1 -p tcp --dport 53 -j DROP
    but nmap still says

    PORT STATE SERVICE
    53/tcp open domain

    What am I doing wrong, good people?

  2. #2
    srerucha (Just Joined!), Join Date: Jun 2005, Location: Brno, Czech Republic, Posts: 58
    From where do you scan the ports? The command you've issued blocks only connections coming from the internet. By the way, don't forget to block 53/udp as well -- most queries are done using UDP.

  3. #3
    brother_mick (Just Joined!), Join Date: Jun 2005, Location: United Kingdom, Posts: 65
    I'm scanning from a friend's computer over the internet.

    I'll add a rule for UDP later. Thanks for reminding me.

  4. #4
    srerucha (Just Joined!), Join Date: Jun 2005, Location: Brno, Czech Republic, Posts: 58
    And in what order do you apply the rules? Try

    iptables -I INPUT 1 -i eth1 -p tcp --dport 53 -j DROP

    to let the rule apply first, before the others.

  5. #5
    Linux Engineer, Join Date: Apr 2005, Location: Buenos Aires, Argentina, Posts: 908
    I would just do...
    Code:
    iptables -A INPUT -p tcp --dport 53 -j DROP
    iptables -A INPUT -p udp --dport 53 -j DROP
    That would block port 53 no matter where you're trying to connect from.
    serzsite.com.ar
    "All the drugs in this world won't save you from yourself"

  6. #6
    srerucha (Just Joined!), Join Date: Jun 2005, Location: Brno, Czech Republic, Posts: 58
    Quote Originally Posted by serz
    I would just do...
    Code:
    iptables -A INPUT -p tcp --dport 53 -j DROP
    iptables -A INPUT -p udp --dport 53 -j DROP
    That would block port 53 no matter where you're trying to connect from.
    But I suppose that brother_mick would like to use DNS from the network behind it, or not?
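The ordering point from #4 and the "block 53/udp too, but only on eth1" points from #2 and #6 can be shown with a small first-match model of the INPUT chain. This is an added example, not code from any poster in this thread; the pre-existing broad ACCEPT rule that shadows the appended DROP is a constructed assumption, and the model covers only interface, protocol and destination port.

```python
# Added example (not from the thread): a first-match model of an iptables
# INPUT chain, to show why an appended "-A ... -j DROP" for 53/tcp on eth1
# can sit behind an earlier ACCEPT, and why "-I INPUT 1" fixes the ordering.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    target: str                     # -j ACCEPT / DROP
    in_iface: Optional[str] = None  # -i eth1 (None: any interface)
    proto: Optional[str] = None     # -p tcp/udp (None: any protocol)
    dport: Optional[int] = None     # --dport 53 (None: any port)

    def matches(self, pkt: dict) -> bool:
        return all(want is None or want == pkt[key] for want, key in
                   ((self.in_iface, "in"), (self.proto, "proto"), (self.dport, "dport")))

class Chain:
    def __init__(self, policy: str = "ACCEPT"):
        self.policy, self.rules = policy, []

    def append(self, rule: Rule) -> None:            # iptables -A INPUT ...
        self.rules.append(rule)

    def insert(self, pos: int, rule: Rule) -> None:  # iptables -I INPUT <pos> ...
        self.rules.insert(pos - 1, rule)             # iptables numbers rules from 1

    def verdict(self, pkt: dict) -> str:
        # First matching rule decides; the chain policy applies if none match.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy

def demo() -> dict:
    # Constructed chain: a broad "allow tcp" rule is already present (hypothetical).
    chain = Chain(policy="ACCEPT")
    chain.append(Rule("ACCEPT", proto="tcp"))
    inet_tcp = {"in": "eth1", "proto": "tcp", "dport": 53}  # query from the internet
    inet_udp = {"in": "eth1", "proto": "udp", "dport": 53}
    lan_tcp = {"in": "eth0", "proto": "tcp", "dport": 53}   # query from the Windows box
    chain.append(Rule("DROP", in_iface="eth1", proto="tcp", dport=53))  # -A: shadowed
    appended_tcp = chain.verdict(inet_tcp)
    chain.insert(1, Rule("DROP", in_iface="eth1", proto="tcp", dport=53))  # -I INPUT 1
    chain.insert(1, Rule("DROP", in_iface="eth1", proto="udp", dport=53))  # 53/udp too
    return {"appended_tcp": appended_tcp,              # ACCEPT: earlier rule won
            "inserted_tcp": chain.verdict(inet_tcp),   # DROP
            "inserted_udp": chain.verdict(inet_udp),   # DROP
            "lan_tcp": chain.verdict(lan_tcp)}         # ACCEPT: eth0 is untouched
```

On a real box, `iptables -L INPUT -n --line-numbers` shows the actual order the kernel walks, which is the first thing to check when an appended rule seems to have no effect.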
