I mistakenly set up an open-resolver DNS server, which was soon used for a bunch of DDoS attacks originating somewhere from / to Russia. For that reason I completely blocked port 53 on both DNS servers for everyone except trusted IPs. It does work, in that I am not able to connect to them anymore, but what seems weird to me is that when I run tcpdump on eth1 (which is the interface on the server with public Internet) I see lots of incoming packets from the attacker to port 53.

Is it normal that tcpdump displays these packets even if iptables drops them? Or did I configure iptables wrongly?

On the other hand I don't see any outgoing packets from my server, which I did before, so I suppose that the firewall is kind of working. It just surprises me that the kernel doesn't drop the packets entirely? Or is tcpdump hooked into the kernel in a way that it sees the packets even before they get to iptables?
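The setup described in the question, as an added example that is not part of the original post: an iptables rule set that keeps port 53 reachable only from trusted addresses, plus a check that reads the DROP rule counters rather than relying on what tcpdump shows. The interface name, the trusted addresses and the sample counter output are constructed placeholders, and the rules are printed rather than applied so the script can be reviewed before being piped into a root shell.

```shell
#!/bin/sh
# Added example, not from the original question. Assumptions (placeholders):
#   PUBLIC_IF is the Internet-facing interface, TRUSTED the addresses that
#   may still query the resolver (203.0.113.0/24 is documentation space).
PUBLIC_IF="eth1"
TRUSTED="203.0.113.10 203.0.113.11"

# Print the iptables rules that allow DNS only from TRUSTED and drop the
# rest. Review the output, then pipe it into "sh" as root to apply it.
dns_rules() {
    for ip in $TRUSTED; do
        for proto in udp tcp; do
            echo "iptables -A INPUT -i $PUBLIC_IF -p $proto --dport 53 -s $ip -j ACCEPT"
        done
    done
    for proto in udp tcp; do
        echo "iptables -A INPUT -i $PUBLIC_IF -p $proto --dport 53 -j DROP"
    done
}

# tcpdump taps the interface (AF_PACKET) before the netfilter INPUT hook, so
# dropped DNS packets still show up in a capture. The authoritative check is
# the rule counters: feed "iptables -vnxL INPUT" output on stdin and sum the
# packet counts of DROP rules whose match is destination port 53.
dropped_dns_pkts() {
    awk '$3 == "DROP" && /dpt:53([ \t]|$)/ { sum += $1 } END { print sum + 0 }'
}

# Constructed sample of "iptables -vnxL INPUT" output for a demonstration run.
SAMPLE_COUNTERS='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120       7680 ACCEPT     udp  --  eth1   *       203.0.113.10         0.0.0.0/0            udp dpt:53
   98421    6299944 DROP       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
      17       1088 DROP       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53'

# Usage on a live host: run "iptables -vnxL INPUT | dropped_dns_pkts" twice a
# few seconds apart; a growing number means the drops are working.
# printf '%s\n' "$SAMPLE_COUNTERS" | dropped_dns_pkts   -> 98438
```

The counter check is the right test because a capture socket sees frames at the device level, before the PREROUTING and INPUT hooks that iptables uses, so inbound queries keep appearing in tcpdump no matter what the firewall does; the missing outbound replies are the visible effect of the drop, and the DROP rule counters are the direct one.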