I have put these four filters with iptables:
iptables -I FORWARD -p udp -i eth0 -j DROP
iptables -I FORWARD -p udp -o eth0 -j DROP
iptables -I INPUT -p udp -i eth0 -j DROP
iptables -I OUTPUT -p udp -o eth0 -j DROP
hoping to drop any udp packet on eth0, but when I do:
tcpdum udp -vv -i eth0
I still see UDP packages come and go.
Can anyone explain this? And tell me how to really drop UDP packages on a specific interface? (eth0 for example)
tcpdump captures the packets by tapping into the packet stream. It gets all packets even those that will be dropped by the firewall rules.
If you want to verify the traffic is being blocked, you should check on the network for outgoing traffic. You can test incoming traffic by setting up a listener and trying to send it traffic from the network. If your rules work, you should get different results with or without the rules in place. However, if you have a DROP policy, the results will be the same.
In iptables you could add logging or accept rules after the drop rules. Checking the the packet counts for the rules will tell you if anything is getting by the drop rules.
Are you sure you want to drop all UDP traffic? DNS tries UDP first and falls back to TCP only if necessary.
