> > Add a logging rule just before dropping packets for a given chain.
> >
> > # append new rule to end of INPUT chain before DROP policy catches it
> > # See also: iptables(8)
> > iptables -A INPUT -j LOG --prefix Dropping -m limit --limit 10/second
> > iptables -A FORWARD -j LOG --prefix Dropping -m limit --limit 10/second
> > iptables -A OUTPUT -j LOG --prefix Dropping -m limit --limit 10/second
> >
> > Essentially, you can add a log rule right before any of your accept rules
> > as well. Instead of using -j ACCEPT, you use -j LOG.
> >
> > If you don't want to screw with your firewall, I suggest you install
> > wireshark or tcpdump and watch your eth1 interface for DNS requests, just
> > to make sure they're coming in.
> >
> > You could also create a rule that counts requests for DNS entries on the
> > eth1 interface.
> >
> > # -I inserts at the head of the chain, so insert each ACCEPT first and its
> > # LOG rule second; the LOG rule then sits ahead of the ACCEPT it logs for.
> > iptables -I INPUT -i eth1 -j ACCEPT -p tcp --dport 53
> > iptables -I INPUT -i eth1 -j LOG -p tcp --dport 53 -m limit --limit 10/sec
> > iptables -I INPUT -i eth1 -j ACCEPT -p udp --dport 53
> > iptables -I INPUT -i eth1 -j LOG -p udp --dport 53 -m limit --limit 10/sec
> >
> > Maybe create a chain for logging ACCEPT or DROP.
> >
> > iptables -N LogAccept
> > iptables -A LogAccept -j LOG --prefix Accepting -m limit --limit 10/second
> > iptables -A LogAccept -j ACCEPT
> > iptables -N LogDrop
> > iptables -A LogDrop -j LOG --prefix Dropping -m limit --limit 10/second
> > iptables -A LogDrop -j DROP
> >
> > Create one for DNS
> >
> > iptables -A INPUT -i eth1 -j LogAccept -p tcp --dport 53
> > iptables -A INPUT -i eth1 -j LogAccept -p udp --dport 53
> > # And the last rule...
> > iptables -A INPUT -i eth1 -j LogDrop
> >
> > Enjoy!
> >
> > --
> > Chad Walstrom <chewie at wookimus.net>           http://www.wookimus.net/
> > assert(expired(knowledge)); /* core dump */
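Added example, not part of Chad's message: a POSIX sh helper that tallies the kernel log lines the LogAccept/LogDrop rules above produce, so you can see at a glance how many DNS packets on eth1 were accepted or dropped and which source is hitting the drop rule. It assumes the standard LOG target layout, where the prefix is printed directly in front of "IN=" (so "--prefix Dropping" with no trailing space shows up as "DroppingIN=eth1 ..."), and it runs on constructed sample lines rather than real captures.

```shell
#!/bin/sh
# Constructed sample in the shape the iptables LOG target writes to the kernel
# log (prefix glued to IN= because "Dropping"/"Accepting" have no trailing space).
FW_LOG_SAMPLE='Jan  1 10:00:01 gw kernel: DroppingIN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=40001 DPT=53 LEN=40
Jan  1 10:00:02 gw kernel: AcceptingIN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.11 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=40002 DPT=53 LEN=40
Jan  1 10:00:03 gw kernel: DroppingIN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  1 10:00:04 gw kernel: AcceptingIN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.12 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=50001 DPT=53 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  1 10:00:05 gw kernel: DroppingIN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=UDP SPT=40003 DPT=53 LEN=40'

# fw_count PREFIX [PROTO] [DPT]: read log lines on stdin and count packets whose
# LOG prefix matches PREFIX and, if given, whose PROTO= and DPT= fields match.
# The prefix is matched right before "IN=", so "Dropping", "Dropping " and
# "Dropping: " styles all work, with or without a syslog "kernel:" tag.
fw_count() {
    awk -v pfx="$1" -v proto="$2" -v dpt="$3" '
        $0 !~ (pfx "[: ]*IN=") { next }
        {
            p = ""; d = ""
            for (i = 1; i <= NF; i++) {
                if (substr($i, 1, 6) == "PROTO=") p = substr($i, 7)
                else if (substr($i, 1, 4) == "DPT=") d = substr($i, 5)
            }
            if ((proto == "" || p == proto) && (dpt == "" || d == dpt)) n++
        }
        END { print n + 0 }'
}

# fw_top_dropped_src: read log lines on stdin and print the SRC address that
# hit the Dropping rule most often, followed by its count.
fw_top_dropped_src() {
    awk '
        $0 !~ /Dropping[: ]*IN=/ { next }
        {
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, 4) == "SRC=") c[substr($i, 5)]++
        }
        END {
            for (s in c) if (c[s] > best) { best = c[s]; top = s }
            print top, best + 0
        }'
}

# Demo on the constructed sample; on a live box feed "journalctl -k" or
# /var/log/kern.log into the same functions instead.
printf 'dropped total:     %s\n' "$(printf '%s\n' "$FW_LOG_SAMPLE" | fw_count Dropping)"
printf 'dropped DNS (udp): %s\n' "$(printf '%s\n' "$FW_LOG_SAMPLE" | fw_count Dropping UDP 53)"
printf 'accepted DNS:      %s\n' "$(printf '%s\n' "$FW_LOG_SAMPLE" | fw_count Accepting '' 53)"
printf 'top dropped src:   %s\n' "$(printf '%s\n' "$FW_LOG_SAMPLE" | fw_top_dropped_src)"
```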