Petr

Does tcpdump bypass iptables?

I mistakenly set up an open resolver DNS server, which was soon used for a bunch of DDoS attacks originating somewhere from / to Russia. For that reason I completely blocked port 53 on both DNS servers for everyone except for trusted IPs. It does work, in that I am not able to connect to them anymore, but what seems weird to me is that when I run tcpdump on eth1 (which is the interface on the server with public Internet) I see lots of incoming packets from the attacker to port 53.

Is it normal that tcpdump displays these packets even if iptables drops them? Or did I configure iptables wrongly?

On the other hand, I don't see any outgoing packets from my server, which I did before, so I suppose that the firewall is kind of working. It just surprises me that the kernel doesn't drop the packets entirely? Or is tcpdump hooked into the kernel in a way that it sees the packets even before they get to iptables?