I would like to block access to any DNS server (port 53) except for my own $DNS_IP1, $DNS_IP2. $DNS_IP1, $DNS_IP2 are not part of my IP range but are out IPs.

dawud
user2207891

1 Answer

This is trivial; googling would get you the answer. However, I will give it to you also.

Recognize that iptables goes down the chain until it finds a matching rule, and stops looking at further rules in a chain once it finds a matching one (which has a target that terminates the chain, as most do, LOG being a notable exception). Therefore, if your FORWARD filter chain (assuming this is for routed traffic; if it is for output traffic from a server use OUTPUT) has a default policy of drop, simply add rules to accept the traffic (I'll use 192.0.2.1 and 192.0.2.2 for the two DNS servers you like):

iptables -t filter -A FORWARD -d 192.0.2.1 -p udp --dport 53 -j ACCEPT
iptables -t filter -A FORWARD -d 192.0.2.2 -p udp --dport 53 -j ACCEPT

If your default policy is accept, you will need a third rule after these (so that it is not matched by packets that match the preceding two rules):

iptables -t filter -A FORWARD -p udp --dport 53 -j DROP

Falcon Momot
Falcon's point is excellent, and much misunderstood, but I should add that iptables works on a first-**dispositive**-match-wins basis; the first rule that matches any given packet *and has a target which disposes of the packet* terminates all further processing for that packet. If the matching rule's target is not dispositive (e.g., `-j LOG`, or no target at all), processing continues for that packet. – MadHatter Jul 15 '13 at 06:52
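The chain-traversal behaviour described in the answer and in MadHatter's comment, as an added simulation that is not part of the original post: it models the two ACCEPT rules, the trailing DROP that is only needed under a default policy of ACCEPT, and a non-dispositive LOG rule that matches but does not stop traversal. The packet fields, the 198.51.100.9 destination and the `verdict`/`traverse` helpers are constructed for the example; it also checks a tcp/53 packet, which the answer's udp-only rules never match (DNS also uses TCP), so that packet falls through to the chain policy.

```python
"""Simulate iptables first-dispositive-match chain traversal (constructed example)."""
from dataclasses import dataclass
from typing import Optional

TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # targets that end chain traversal


@dataclass(frozen=True)
class Rule:
    target: str
    dst: Optional[str] = None    # -d       (None = any destination)
    proto: Optional[str] = None  # -p       (None = any protocol)
    dport: Optional[int] = None  # --dport  (None = any port)

    def matches(self, pkt):
        return (self.dst in (None, pkt["dst"]) and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt["dport"]))


def traverse(chain, policy, pkt):
    """Return (verdict, LOG hits): the first terminating match wins, a LOG match
    keeps going, and the chain policy applies if the packet reaches the end."""
    log_hits = 0
    for rule in chain:
        if rule.matches(pkt):
            if rule.target in TERMINATING:
                return rule.target, log_hits
            if rule.target == "LOG":
                log_hits += 1
    return policy, log_hits


def forward_chain(policy):
    """The answer's FORWARD rules; the final DROP is only needed under policy ACCEPT."""
    chain = [Rule("ACCEPT", dst="192.0.2.1", proto="udp", dport=53),
             Rule("ACCEPT", dst="192.0.2.2", proto="udp", dport=53)]
    if policy == "ACCEPT":
        chain.append(Rule("DROP", proto="udp", dport=53))
    return chain


def verdict(policy, dst, proto, dport, log_dns=False):
    """Evaluate one constructed packet; log_dns=True prepends a udp/53 LOG rule
    to show that a non-dispositive match does not stop traversal."""
    chain = forward_chain(policy)
    if log_dns:
        chain.insert(0, Rule("LOG", proto="udp", dport=53))
    return traverse(chain, policy, {"dst": dst, "proto": proto, "dport": dport})
```

Call `verdict("ACCEPT", "198.51.100.9", "udp", 53, log_dns=True)` to see a stray DNS query logged once and then dropped by the third rule.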