For some reason i am still able to surf the net when iptables set to drop UDP traffic. DNS is UDP and UDP is stateless so i don't know how i am able to use domain names. Whats going on? The rules are listed when i type iptables -L...

LAN_IP="192.168.5.4"
LAN_BROADCAST_ADDRESS="192.168.5.255"
LAN_IFACE="eth0"
LO_IFACE="lo"
LO_IP="127.0.0.1"
#WORMPORTS="31337,33270,1234,6711,16660,60001,12345,12346,1524,27665,27444,31335,6000,6001,6002"
IPTABLES="/sbin/iptables"
/sbin/modprobe ip_tables
#/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
echo "Clearing Tables..."
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F POSTROUTING
echo "Setting Policies & Chains..."
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -N bad_tcp_packets
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets
echo "Specifying Rules for Chains..."
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#$IPTABLES -A bad_tcp_packets -p tcp -m multiport --dport $WORMPORTS -j DROP
$IPTABLES -A tcp_packets -p tcp -s 0/0 -j DROP
$IPTABLES -A udp_packets -p udp -s 0/0 -j DROP
$IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
echo "INPUT Table Rules..."
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
$IPTABLES -A INPUT -p all -m state --state INVALID -j DROP
$IPTABLES -A INPUT -p all -i $LO_IFACE -s 127.0.0.1 -j ACCEPT
$IPTABLES -A INPUT -p all -d $LAN_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp -i $LAN_IFACE -j tcp_packets
$IPTABLES -A INPUT -p udp -i $LAN_IFACE -j udp_packets
$IPTABLES -A INPUT -p icmp -i $LAN_IFACE -j icmp_packets
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
echo "OUTPUT Table Rules..."
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
$IPTABLES -A OUTPUT -p all -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p all -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
echo "Done."

well having had just a quick look you are saying that any established connection will be accepted so if you made the UDP connection then it will pass. Remember the rules run in order so if you want to drop things first and only if they have met certain conditions let them through then put that state rule at the end of one of your home made chains.

Thanks, your right the established or related rule should be at the bottom... But isn't UDP stateless and doesn't have any established or related states like TCP does? Shouldn't it UDP traffic be droped since it wouldn't be effected by that states rule?

Edit: If something is accepted it doesn't get filtered through any other chains?

UDP is called stateless (or connectionless) becasue it does not use sequence numbers. It can still be tracked however by the iptables connection tracking module.

There is still a reply needed on a particular socket (ip/port pair) and there is still timeouts for this connection.

In your case we can still tell if the the connection origintated from your machine and therefore pass the rule that checks if the connection is considered established.

Check out your /proc/net/ip_conntrack file for some examples of the sort of information the connection tracking module gets for each connection.

Thanks man, you right... I re-read the Iptables Tutorial and it said UDP was statless and didn't have those states but it didn't matter because conntrack can handle it like you said. I sort of forgot that part