phasevar

iptables: filtering wan traffic on port 53

Using iptables I want to block all traffic going to port 53 with a source address that is outside of my subnet.
Kelly Black

Normally this works the other way around. You would drop all traffic, then explicitly allow traffic you DO want.

Be very careful dropping traffic on port 53, which is DNS, or some of your systems will not be able to communicate with the DNS resolver. Playing with DNS ports is a quick and easy way to break things!
(Note that port 953 is the RNDC DNS control port, which may be associated as well.)

Anyway, here is what you are looking for:
(Change 0/0 to the IP Address or CIDR name of the network you wish to block)

These rules stop INGRESS or INBOUND traffic:

iptables -A INPUT -p tcp -s 0/0 --dport 53 -j DROP
iptables -A INPUT -p udp -s 0/0 --dport 53 -j DROP

iptables -A INPUT -p tcp -s 0/0 --dport 953 -j DROP
iptables -A INPUT -p udp -s 0/0 --dport 953 -j DROP

These stop FORWARD traffic:
iptables -A FORWARD -p tcp -s 0/0 --dport 53 -j DROP
iptables -A FORWARD -p udp -s 0/0 --dport 53 -j DROP

iptables -A FORWARD -p tcp -s 0/0 --dport 953 -j DROP
iptables -A FORWARD -p udp -s 0/0 --dport 953 -j DROP

These stop OUTPUT:

iptables -A OUTPUT -p tcp -s 0/0 --dport 53 -j DROP
iptables -A OUTPUT -p udp -s 0/0 --dport 53 -j DROP

iptables -A OUTPUT -p tcp -s 0/0 --dport 953 -j DROP
iptables -A OUTPUT -p udp -s 0/0 --dport 953 -j DROP

Recommend you use an IP Tables script like JLevie's here on EE and then explicitly allow traffic you want.

phasevar

ASKER

Actually, that's what I meant.  I want to drop all traffic, but allow traffic from my subnet.
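The allow-then-drop pattern Kelly describes, applied to what phasevar actually asked for (DNS queries accepted only from the local subnet, everything else to port 53 dropped), as an added example that is not part of either post. It puts the port-53 traffic into a dedicated chain so the accept/drop logic lives in one place and the rest of the INPUT chain is untouched. The script only prints the iptables commands (pipe its output to sh as root to apply them); the chain name DNS_IN, the subnet 192.168.1.0/24 and the log prefix are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: restrictive DNS filtering with iptables.
# Rather than dropping all of port 53, allow the local subnet and drop the rest.
# DNS_IN (chain name) and the default subnet are assumptions for this example.

# emit_dns_rules SUBNET [IPTABLES_BIN]
# Prints the iptables commands to stdout; nothing is applied here.
emit_dns_rules() {
    net="$1"
    ipt="${2:-iptables}"

    # Dedicated chain for inbound DNS so the policy is easy to inspect later.
    printf '%s -N DNS_IN\n' "$ipt"

    # Steer every inbound packet destined for port 53 (UDP and TCP) into DNS_IN.
    # Replies to this host's own outbound queries arrive with sport 53 and an
    # ephemeral dport, so they never enter this chain and resolution keeps working.
    for proto in udp tcp; do
        printf '%s -A INPUT -p %s --dport 53 -j DNS_IN\n' "$ipt" "$proto"
    done

    # Allow the local subnet, then rate-limited logging, then drop everything else.
    printf '%s -A DNS_IN -s %s -j ACCEPT\n' "$ipt" "$net"
    printf '%s -A DNS_IN -m limit --limit 5/min -j LOG --log-prefix "DNS-DROP: "\n' "$ipt"
    printf '%s -A DNS_IN -j DROP\n' "$ipt"
}

# Print the rule set for the subnet given on the command line (or the assumed default).
emit_dns_rules "${1:-192.168.1.0/24}"
```

The LOG rule before the DROP is what turns the filter into a detection point: a burst of "DNS-DROP:" lines in the kernel log shows who outside the subnet is probing the resolver, and the limit keeps a scan from flooding syslog. Because the chain only matches packets with destination port 53, the host's own lookups against an upstream resolver are unaffected, which is the usual way the blanket rules in the earlier answer break name resolution.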
ASKER CERTIFIED SOLUTION
Kelly Black