iptables question

Printable View

12-11-2005
brother_mick

iptables question

I am running a small network at home, a box running debain 3.1, a box running windows xp, and the NAT/FIREWALL box also debian 3.1.

I`m running bind9 on the NAT box to do DNS and I`ve been trying to make a rule stop the dns server being seen on from the internet.

On the NAT the nic cards are as follows :

internet eth1
windows box eth0
debian box eth2

My attemp to achive this is this.

Code:

iptables -A INPUT -i eth1 -p tcp --dport 53 -j DROP

but nmap still says

PORT STATE SERVICE
53/tcp open domain

What am I doing wrong good people ???
12-16-2005
srerucha

From where do you scan the ports ? The command you've issued block only connections coming from internet. By the way, don't forget to block 53/udp as well -- most queries are done using udp.
12-17-2005
brother_mick

I`m scaning from a friends computer over the internet.

I`ll add a rule for UDP later. Thanks for reminding me :)
12-17-2005
srerucha

And in what order do you apply the rules ? Try

iptables -I INPUT 1 -i eth1 -p tcp --dport 53 -j DROP

to let the rule apply as first, before others.
12-19-2005
serz

I would just do..

Code:

iptables -A INPUT -p tcp --dport 53 -j DROP iptables -A INPUT -p udp --dport 53 -j DROP

That would block port 53 no matter from where you're trying to connect from.
12-20-2005
srerucha

Quote:

Originally Posted by serz

I would just do..

Code:

iptables -A INPUT -p tcp --dport 53 -j DROP iptables -A INPUT -p udp --dport 53 -j DROP

That would block port 53 no matter from where you're trying to connect from.

But I suppose that brother_nick would like to use DNS from the network behind, or not ?