Linux – iptables: trying to block port 53 but not working

Tags: iptables, linux, networking

I'm messing around with IP tables and I'm trying to do the following:

I have several hosts on the same network: 192.168.1.0/24. The DNS server is 192.168.1.1.

I'm trying to prevent all the hosts from making any DNS requests, either to 192.168.1.1 or to the internet (i.e. 8.8.8.8 Google DNS). I tried the following:

iptables -A OUTPUT -d 192.168.1.1 -p udp --dport 53 -j DROP
iptables -A INPUT -d 192.168.1.1 -p udp --dport 53 -j DROP
iptables -A FORWARD -d 192.168.1.1 -p udp --dport 53 -j DROP
iptables -A OUTPUT -d 192.168.1.0/24 -p udp --dport 53 -j DROP
iptables -A INPUT -d 192.168.1.0/24 -p udp --dport 53 -j DROP
iptables -A FORWARD -d 192.168.1.0/24 -p udp --dport 53 -j DROP
iptables -A OUTPUT -d 192.168.1.1 -p tcp --dport 53 -j DROP
iptables -A INPUT -d 192.168.1.1 -p tcp --dport 53 -j DROP
iptables -A FORWARD -d 192.168.1.1 -p tcp --dport 53 -j DROP
iptables -A OUTPUT -d 192.168.1.0/24 -p tcp --dport 53 -j DROP
iptables -A INPUT -d 192.168.1.0/24 -p tcp --dport 53 -j DROP
iptables -A FORWARD -d 192.168.1.0/24 -p tcp --dport 53 -j DROP

But none of them seem to work. Any ideas?

Best Answer

All you need is to add one rule (as shown below) to the OUTPUT table.

iptables -A OUTPUT -d 8.8.8.8 -p udp --dport 53 -j DROP

Here is an example where I tried to resolve my domain with and without the rule to illustrate it.

arul@cheetah:~$ dig +short selvans.net @8.8.8.8
76.185.134.208
arul@cheetah:~$ sudo iptables -F
arul@cheetah:~$ sudo iptables -A OUTPUT -d 8.8.8.8 -p udp --dport 53 -j DROP
arul@cheetah:~$ dig +short selvans.net @8.8.8.8
;; connection timed out; no servers could be reached
arul@cheetah:~$ sudo iptables -F
arul@cheetah:~$ dig +short selvans.net @8.8.8.8
76.185.134.208
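The accepted answer blocks one resolver. As an added example (not code from the question or the answer), this Python first-match simulator for the iptables options used on this page shows which packets the asker's rules match and generalizes the answer to a destination-agnostic block on OUTPUT and FORWARD that covers any resolver. The ACCEPT chain policy, the 192.168.1.10 client address and the 40000 source port are constructed assumptions.

```python
import ipaddress

# iptables option -> (criterion name, converter) for the matches used on this page.
_OPTS = {
    "-A": ("chain", str), "-p": ("proto", str), "-j": ("target", str),
    "-d": ("dst", lambda v: ipaddress.ip_network(v, strict=False)),
    "-s": ("src", lambda v: ipaddress.ip_network(v, strict=False)),
    "--dport": ("dport", int), "--sport": ("sport", int),
}

def parse_rule(line):
    """Turn one 'iptables -A ...' command into a dict of match criteria."""
    toks = line.split()
    return {_OPTS[t][0]: _OPTS[t][1](toks[i + 1]) for i, t in enumerate(toks) if t in _OPTS}

def verdict(rules, chain, pkt, policy="ACCEPT"):
    """First rule in `chain` whose criteria all match wins; else the chain policy applies.
    Address criteria are CIDR membership tests; the rest are equality tests."""
    for r in rules:
        if r["chain"] != chain:
            continue
        if all(ipaddress.ip_address(pkt[k]) in r[k] if k in ("src", "dst") else r[k] == pkt[k]
               for k in r if k not in ("chain", "target")):
            return r["target"]
    return policy

# Representative subset of the asker's rules (copied from the question).
OP_RULES = [parse_rule(l) for l in [
    "iptables -A OUTPUT -d 192.168.1.1 -p udp --dport 53 -j DROP",
    "iptables -A INPUT -d 192.168.1.0/24 -p udp --dport 53 -j DROP",
    "iptables -A OUTPUT -d 192.168.1.0/24 -p tcp --dport 53 -j DROP",
]]

# Destination-agnostic alternative (assumed, not from the answer): drop DNS queries sent
# by this host (OUTPUT) and by hosts it routes for (FORWARD), whatever resolver they use.
FIXED_RULES = [parse_rule(f"iptables -A {chain} -p {proto} --dport 53 -j DROP")
               for chain in ("OUTPUT", "FORWARD") for proto in ("udp", "tcp")]

# Constructed packets: a query to Google DNS, a query to the LAN resolver, and a reply.
# Replies carry sport 53, so an INPUT rule on --dport 53 only matches queries *to* this host.
QUERY_TO_GOOGLE = dict(src="192.168.1.10", dst="8.8.8.8", proto="udp", sport=40000, dport=53)
QUERY_TO_LAN_DNS = dict(QUERY_TO_GOOGLE, dst="192.168.1.1")
REPLY_FROM_LAN_DNS = dict(src="192.168.1.1", dst="192.168.1.10", proto="udp", sport=53, dport=40000)

if __name__ == "__main__":
    print("asker's rules, query to 8.8.8.8:", verdict(OP_RULES, "OUTPUT", QUERY_TO_GOOGLE))
    print("asker's rules, reply on INPUT:  ", verdict(OP_RULES, "INPUT", REPLY_FROM_LAN_DNS))
    print("fixed rules,   query to 8.8.8.8:", verdict(FIXED_RULES, "OUTPUT", QUERY_TO_GOOGLE))
```

Because every rule in the question names a 192.168.1.x destination, a query to 8.8.8.8 falls through to the chain policy; omitting -d (or matching on --dport 53 alone) closes that gap for any resolver.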