LinuxQuestions.org

Thread: Iptables user-defined chains, Linux - Networking forum (https://www.linuxquestions.org/questions/linux-networking-3/iptables-user-defined-chains-563350/)

0.o 06-20-2007 11:33 PM

Iptables user-defined chains
 
Hola,

Tonight I started making some firewall renovations to make the rules more manageable. I have created several different custom chains to segregate different rule sets from each other. Everything is going well with the exception of my DNS servers. I have posted my config for my firewall below.

Code:

# Generated by iptables-save v1.3.6 on Thu Jun 21 00:13:02 2007
*filter
:INPUT DROP [110:7953]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2214:1562876]
:BADHOST - [0:0]
:BADPORT - [0:0]
:GOODHOST - [0:0]
:SERVPORT - [0:0]
-A INPUT -j BADHOST
-A INPUT -j GOODHOST
-A INPUT -j SERVPORT
-A INPUT -j BADPORT
-A INPUT -i lo -j ACCEPT
-A INPUT -j LOG
-A BADHOST -s 59.0.0.0/255.0.0.0 -j DROP
-A BADHOST -s 222.0.0.0/255.0.0.0 -j DROP
-A BADHOST -s 125.0.0.0/255.0.0.0 -j DROP
-A BADHOST -s 207.38.5.161 -j DROP
-A BADHOST -s 204.15.193.132 -j DROP
-A BADHOST -s 220.166.64.216 -j DROP
-A BADHOST -s 64.146.9.218 -j DROP
-A BADHOST -s 218.0.0.0/255.0.0.0 -j DROP
-A BADHOST -s 87.0.0.0/255.0.0.0 -j DROP
-A BADHOST -s 122.0.0.0/255.0.0.0 -j DROP
-A BADHOST -s 122.124.128.141 -j DROP
-A BADHOST -s 69.93.167.202 -j DROP
-A BADHOST -s 66.98.254.217 -j DROP
-A BADHOST -s 64.146.9.218 -j DROP
-A BADPORT -p udp -m udp --dport 137:139 -j DROP
-A BADPORT -p tcp -m tcp --dport 139 -j DROP
-A BADPORT -p udp -m udp --dport 1025:1027 -j DROP
-A BADPORT -p udp -m udp --dport 67:68 -j DROP
-A BADPORT -p tcp -m tcp --dport 2967 -j DROP
-A BADPORT -p tcp -m tcp --dport 5900:5901 -j DROP
-A GOODHOST -s 70.60.0.0/255.252.0.0 -j ACCEPT
-A SERVPORT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A SERVPORT -d <WEB IP> -p tcp -m multiport --dports 22,80 -j ACCEPT
-A SERVPORT -d <WEB IP> -p tcp -m tcp --dport 80 -j ACCEPT
-A SERVPORT -d <DNS IP> -p udp -m udp --sport 53 --dport 53 -j ACCEPT
-A SERVPORT -d <DNS IP> -p tcp -m tcp --sport 53 --dport 53 -j ACCEPT
-A SERVPORT -d <MAIL IP> -p tcp -m multiport --dports 25,993 -j ACCEPT
-A SERVPORT -s <IP> -d <IP> -p udp -m multiport --dports 27500,27015 -j ACCEPT
-A SERVPORT -s <IP> -d <IP> -p udp -m udp --dport 27500 -j ACCEPT
COMMIT

I am not sure what I am missing... but I am obviously missing something.

EDIT: I see my stupid mistake. What are the chances of the source port being 53? ;)

If someone would like to point out a way to make these rules better, I am open to suggestions.
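Added example (not the poster's config and not from anyone in this thread): the same chain layout rebuilt as a POSIX shell script that only prints iptables-restore text, so it can be reviewed before anything is loaded. It goes a little beyond the single fix the EDIT identifies: the DNS rules match only the destination port (a resolver's source port is an ephemeral high port, so requiring --sport 53 drops every ordinary client query), the loopback and RELATED,ESTABLISHED accepts move to the top of INPUT where they are matched most often, and the final LOG is rate-limited. The addresses are placeholders from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24); WEB_IP, DNS_IP, MAIL_IP, build_ruleset, lint_sport53 and first_input_rule are names chosen here, not anything iptables provides.

```shell
#!/bin/sh
# Placeholder addresses (RFC 5737 documentation ranges); override via the environment.
WEB_IP="${WEB_IP:-192.0.2.10}"
DNS_IP="${DNS_IP:-192.0.2.53}"
MAIL_IP="${MAIL_IP:-192.0.2.25}"

# Print a complete filter table in iptables-restore format. Lines starting with
# '#' are ignored by iptables-restore, so the comments can stay in the file.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:BADHOST - [0:0]
:BADPORT - [0:0]
:GOODHOST - [0:0]
:SERVPORT - [0:0]
# Loopback and replies to our own connections first: cheapest and most frequent matches.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j BADHOST
-A INPUT -j GOODHOST
-A INPUT -j SERVPORT
-A INPUT -j BADPORT
# Rate-limited LOG before the DROP policy so a flood cannot fill the disk.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
-A BADHOST -s 198.51.100.0/24 -j DROP
-A GOODHOST -s 203.0.113.0/24 -j ACCEPT
-A SERVPORT -d $WEB_IP -p tcp -m multiport --dports 22,80 -j ACCEPT
# Client resolvers query from an ephemeral source port; only the destination port is 53.
-A SERVPORT -d $DNS_IP -p udp -m udp --dport 53 -j ACCEPT
-A SERVPORT -d $DNS_IP -p tcp -m tcp --dport 53 -j ACCEPT
-A SERVPORT -d $MAIL_IP -p tcp -m multiport --dports 25,993 -j ACCEPT
-A BADPORT -p udp -m udp --dport 137:139 -j DROP
-A BADPORT -p tcp -m tcp --dport 139 -j DROP
COMMIT
EOF
}

# Read a ruleset on stdin and flag any DNS accept that also requires source port 53:
# such a rule matches server-to-server traffic from old resolvers but not normal clients.
lint_sport53() {
    grep -E -- '--sport 53 .*--dport 53' \
        | sed 's/^/sport-53 rule drops ordinary client queries: /'
}

# First rule appended to INPUT, for checking that the cheap matches come first.
first_input_rule() {
    build_ruleset | grep -E '^-A INPUT ' | head -n 1
}

# Usage:  sh firewall.sh --print | sudo iptables-restore --test   (review before loading)
case "${1:-}" in
    --print) build_ruleset ;;
    --lint)  lint_sport53 ;;
esac
```

Run `sh firewall.sh --print | iptables-restore --test` (or `iptables-restore -t` on older releases) to parse the output without loading it; `iptables-save | sh firewall.sh --lint` prints any live rule with the source-port-53 mistake.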

rossonieri#1 06-21-2007 01:54 AM

hi 0.o,

I'm not trying to teach you -- but are you sure about all those /8 networks you're blocking? The config seems fine to me though :)

HTH.

0.o 06-21-2007 07:50 AM

Yeah, I am sure about them. They are mostly all from China. I've never seen any legitimate traffic coming from any of those ranges.


All times are GMT -5.