>NAMESERVER_IP1=`egrep -n nameserver /etc/resolv.conf | grep 2: - |gawk -F" " '{print $2}'`
>echo "NAMESERVER_IP1 is $NAMESERVER_IP1"
>NAMESERVER_IP2=`egrep -n nameserver /etc/resolv.conf | grep 3: - |gawk -F" " '{print $2}'`
>echo "NAMESERVER_IP2 is $NAMESERVER_IP2"

This is nice, I like this very much!!!

>$IPCHAINS -A input -p udp -s $NAMESERVER_IP1 -d $OUTERNET 53 -j ACCEPT
>$IPCHAINS -A input -p udp -s $NAMESERVER_IP2 -d $OUTERNET 53 -j ACCEPT

I don't understand why you have this here. There should be no reason for your ISP's DNS servers to initiate a connection to your DNS server. If your DNS server is THE DNS server for your own domain name (i.e. Internic points lookups for your domain name to your DNS server), then you will need to allow all incoming connections to your DNS server on port 53. If your DNS server is only used by clients on your internal network to do lookups, so you do not have to rely on your ISP's DNS servers, then you do not need to allow these incoming connections from your ISP's DNS servers.

># DNS REJECT/DENY rules can go here....
># REJECT input udp from everywhere else...
>$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 53 -j REJECT

What is $REMOTENET? I think you should remove "-s $REMOTENET" and replace it with "-i $EXTERNAL_INTERFACE", where $EXTERNAL_INTERFACE is your interface directly connected to the internet (i.e. ETH0). You can leave "-s $REMOTENET" if $REMOTENET is "any".

># Now allow outgoing requests...
>$IPCHAINS -A output -p udp -s $REMOTENET -d $OUTERNET 53 -j ACCEPT

For this I think you should change "-s $REMOTENET" to "-s $INTERNAL_IP_RANGE", where $INTERNAL_IP_RANGE is the range of IP addresses you use on your internal network (i.e. 172.16.1.0/24). And I would also add "-i $INTERNAL_INTERFACE", where $INTERNAL_INTERFACE is your interface directly connected to the internal network (i.e. ETH1). This way you are only allowing systems on your internal network to connect to your DNS.

"Linux is for people who hate Windows.
BSD is for people that love unix."
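Example code added here, not from the thread or the script under review: it pulls the nameserver addresses out of a resolv.conf without depending on which line they sit on (the quoted `grep 2:` / `grep 3:` approach breaks as soon as a comment or `search` line is added), and prints, rather than runs, the two DNS rules in the shape the reply recommends so they can be checked before being applied. The sample resolv.conf, the addresses and the interface names (eth0, eth1, 172.16.1.0/24, 203.0.113.5) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread or the script under review.
# Interface and range names follow the reply's placeholders and are
# assumed values for this demonstration.

# Constructed sample resolv.conf; a real script would read /etc/resolv.conf.
SAMPLE_RESOLV_CONF='# resolver configuration
search example.com
nameserver 192.0.2.10
nameserver 192.0.2.11
options timeout:2'

# All nameserver addresses, one per line, whatever line they sit on.
nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# The N-th nameserver (1-based): $1 = N, $2 = resolv.conf text.
# Replaces the line-number dependent "grep 2:" / "grep 3:" pipeline.
nameserver_n() {
    nameservers "$2" | sed -n "${1}p"
}

# Emit the two DNS rules as the reply recommends (printed, not executed):
#   $1 internal interface  $2 internal range  $3 external interface  $4 outer address
dns_rules() {
    # Reject UDP/53 arriving on the internet-facing interface.
    echo "ipchains -A input -p udp -i $3 -d $4 53 -j REJECT"
    # Allow only internal clients, via the internal interface, to reach the DNS server.
    echo "ipchains -A output -p udp -i $1 -s $2 -d $4 53 -j ACCEPT"
}

# Stand-alone demonstration with the sample file and the assumed names.
echo "NAMESERVER_IP1 is $(nameserver_n 1 "$SAMPLE_RESOLV_CONF")"
echo "NAMESERVER_IP2 is $(nameserver_n 2 "$SAMPLE_RESOLV_CONF")"
dns_rules eth1 172.16.1.0/24 eth0 203.0.113.5
```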