If, for whatever reason (hopefully not as a security measure: the source MAC is whatever the sender puts on the wire and is trivially spoofed), you want to filter on MAC addresses, you can do it like this:
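As an added example, not a rule from the original page, the following shell snippet builds the rules for letting only one MAC address in on a LAN interface and dropping everything else arriving there. The interface name, the address and the RUN dry-run variable are assumptions for illustration; by default the script only prints the iptables commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original page. By default RUN=echo, so the
# iptables commands are only printed; run as root with RUN='' to apply them.
RUN="${RUN-echo}"

# mac_is_valid MAC: reject anything that is not six colon-separated hex bytes,
# so a typo cannot silently turn into a rule that matches nothing.
mac_is_valid() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# mac_allow_only IFACE MAC: accept packets arriving on IFACE from MAC and drop
# the rest arriving there. The mac match reads the Ethernet source address, so
# it only works in the PREROUTING, INPUT and FORWARD chains (locally generated
# packets in OUTPUT have no source MAC to inspect yet), and it only ever sees
# the last hop: anything routed to you carries the router's MAC, not the
# original sender's.
mac_allow_only() {
    iface="$1"
    mac="$2"
    mac_is_valid "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
    $RUN iptables -A INPUT -i "$iface" -m mac --mac-source "$mac" -j ACCEPT
    $RUN iptables -A INPUT -i "$iface" -j DROP
}

# Assumed interface and address for the example
mac_allow_only eth1 00:11:22:33:44:55
```

Because the DROP rule follows the ACCEPT in the same chain, order matters: append both with -A as shown, or the DROP would shadow the allow.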
Source NAT is used if you want packets coming from your host (say, 192.168.1.4) to appear to come from another host (say, 10.0.0.1). Source NAT needs a fixed translated address, so it obviously does not work with dynamic IPs; use masquerading for that.
Masquerading is similar to Source NAT; the difference is that the translated source IP is not known in advance but taken from the outgoing interface at the moment the packet leaves. It's advisable to explicitly masquerade only requests from the IP(s) you want to allow access:
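The two preceding paragraphs, Source NAT with a fixed address and masquerading for a dynamic one, as one added example that is not from the original page. Network ranges, interface names and the public address are assumptions; RUN defaults to echo so the rules are printed, not applied.

```shell
#!/bin/sh
# Added example, not from the original page. RUN defaults to echo (dry run);
# run as root with RUN='' to apply. Networks, interfaces and addresses below
# are assumptions for illustration.
RUN="${RUN-echo}"

# enable_forwarding: NAT only rewrites addresses; it does not make the kernel
# route packets between interfaces.
enable_forwarding() {
    $RUN sysctl -w net.ipv4.ip_forward=1
}

# snat_static LAN_NET OUT_IF PUBLIC_IP: rewrite the source of everything from
# LAN_NET that leaves via OUT_IF to the fixed address PUBLIC_IP. If PUBLIC_IP
# changes (dynamic uplink), this rule keeps stamping the old address on packets.
snat_static() {
    $RUN iptables -t nat -A POSTROUTING -s "$1" -o "$2" -j SNAT --to-source "$3"
}

# masquerade LAN_NET OUT_IF: same idea, but the address is read from OUT_IF
# when the packet leaves, and the translations are dropped when the interface
# goes down, so it is the right choice for dialup/DHCP uplinks.
# Keep -s as narrow as possible: only the hosts that may go out.
masquerade() {
    $RUN iptables -t nat -A POSTROUTING -s "$1" -o "$2" -j MASQUERADE
}

# allow_forward LAN_NET LAN_IF OUT_IF: let new connections from the LAN out
# and only tracked replies back in. The POSTROUTING rules above do the
# rewriting; these rules decide what may pass at all.
allow_forward() {
    $RUN iptables -A FORWARD -i "$2" -o "$3" -s "$1" -j ACCEPT
    $RUN iptables -A FORWARD -i "$3" -o "$2" -d "$1" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

enable_forwarding
# Fixed public address 10.0.0.1 on eth0 for the whole LAN:
snat_static 192.168.1.0/24 eth0 10.0.0.1
# Alternative for a dynamic address on ppp0: masquerade only the one host
# that is allowed out
masquerade 192.168.1.4/32 ppp0
allow_forward 192.168.1.0/24 eth1 eth0
```

The FORWARD rules use connection tracking for the return direction, so nothing from the outside can open a connection into the LAN through the NAT box; only replies to connections the LAN started are let back in.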
If you want an internal host, say 192.168.1.4, to be reachable from the internet, you can forward incoming requests to its IP like this:
If local packets (generated on the firewall host itself) to this port should be forwarded as well, this rule must additionally go into the OUTPUT chain of the nat table:
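Both steps of the port forwarding above (the PREROUTING rule for packets from outside and the nat OUTPUT rule for locally generated ones) as one added example; it is not the original page's rule set. The public interface and address are assumptions, and RUN defaults to echo so the commands are only printed.

```shell
#!/bin/sh
# Added example, not from the original page. RUN defaults to echo (dry run);
# run as root with RUN='' to apply. Interface names and addresses are
# assumptions for illustration.
RUN="${RUN-echo}"

# dnat_port PUBLIC_IF PUBLIC_IP PROTO PORT INTERNAL_IP [INTERNAL_PORT]
# Publish INTERNAL_IP:INTERNAL_PORT as PUBLIC_IP:PORT.
dnat_port() {
    pub_if="$1"; pub_ip="$2"; proto="$3"; port="$4"; target="$5"; tport="${6:-$4}"

    # Packets arriving from outside: rewrite the destination before routing,
    # pinned to the public interface and address so the rule cannot be
    # reached from the LAN side by accident.
    $RUN iptables -t nat -A PREROUTING -i "$pub_if" -d "$pub_ip" \
        -p "$proto" --dport "$port" -j DNAT --to-destination "$target:$tport"

    # Packets generated on the firewall itself never pass PREROUTING, so a
    # local "connect to the public address" has to be rewritten in nat OUTPUT.
    $RUN iptables -t nat -A OUTPUT -d "$pub_ip" \
        -p "$proto" --dport "$port" -j DNAT --to-destination "$target:$tport"

    # DNAT only changes the address; FORWARD decides whether the rewritten
    # packet may cross. Match on the internal destination, not the public one.
    $RUN iptables -A FORWARD -i "$pub_if" -d "$target" -p "$proto" --dport "$tport" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A FORWARD -o "$pub_if" -s "$target" -p "$proto" --sport "$tport" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Web server 192.168.1.4 reachable on the assumed public address 10.0.0.1
dnat_port eth0 10.0.0.1 tcp 80 192.168.1.4
# Different external port for ssh: 10.0.0.1:2222 -> 192.168.1.4:22
dnat_port eth0 10.0.0.1 tcp 2222 192.168.1.4 22
```

The FORWARD rules are the part most often forgotten: without them the DNAT rewrite happens but the packet is then dropped by a restrictive FORWARD policy, which looks like the forward "does nothing".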
Setting up firewall rules for BIND is quite tricky, since it uses both UDP and TCP (queries and answers of up to 512 bytes go over UDP; larger transfers, such as zone transfers or answers that were truncated over UDP, go over TCP) with different ports. You could force named to use only port 53 as its source port, but this is not recommended for security reasons: a fixed, predictable source port makes it much easier to spoof answers to the resolver (cache poisoning). Matching replies with connection tracking instead avoids having to know the source port at all.
$HOST is the IP of your machine sending the requests; $DNS is the IP of the DNS server you are using (e.g. the nameserver of your ISP):
This is needed if you operate your own DNS server, maybe as a forwarder.
$SERVER is the IP where BIND (named) is listening on port 53 for incoming DNS queries:
If you have a secondary DNS server that might request zone transfers, you'd have to add the TCP ports accordingly, restricted to the secondary's address; restrict the transfers in named.conf (allow-transfer) as well, since the firewall is only the outer layer.
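The client rules ($HOST talking to $DNS), the server rules ($SERVER answering on port 53) and the primary/secondary case from the paragraphs above, as one added example that is not the original page's rule set. The parameters HOST, DNS and SERVER correspond to the page's $HOST, $DNS and $SERVER; the concrete addresses are assumptions, and RUN defaults to echo so the commands are printed rather than applied. Replies are matched by connection tracking, so named can keep randomised source ports and no port range needs to be opened.

```shell
#!/bin/sh
# Added example, not from the original page. RUN defaults to echo (dry run);
# run as root with RUN='' to apply. All addresses are assumptions.
RUN="${RUN-echo}"

# dns_client HOST DNS: queries from HOST to DNS over UDP and TCP 53. The reply
# comes back to whatever source port the resolver chose; connection tracking
# admits it, so there is no need to pin named to source port 53.
dns_client() {
    for proto in udp tcp; do
        $RUN iptables -A OUTPUT -p "$proto" -s "$1" -d "$2" --dport 53 \
            -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
        $RUN iptables -A INPUT -p "$proto" -s "$2" --sport 53 -d "$1" \
            -m conntrack --ctstate ESTABLISHED -j ACCEPT
    done
}

# dns_server SERVER: incoming queries to SERVER:53 over UDP and over TCP (TCP
# carries answers that were truncated over UDP as well as zone transfers).
# Only tracked replies may leave from port 53, so the server cannot be used
# to open connections outwards on that port.
dns_server() {
    for proto in udp tcp; do
        $RUN iptables -A INPUT -p "$proto" -d "$1" --dport 53 \
            -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
        $RUN iptables -A OUTPUT -p "$proto" -s "$1" --sport 53 \
            -m conntrack --ctstate ESTABLISHED -j ACCEPT
    done
}

# A workstation using the ISP's resolver:
dns_client 192.168.1.4 10.0.0.53

# Your own server at 192.168.1.1, forwarding to the ISP's resolver. Its
# NOTIFY messages to a secondary at 192.168.1.2 have the same shape as a
# client query (UDP from a random port to the secondary's port 53).
dns_server 192.168.1.1
dns_client 192.168.1.1 10.0.0.53
dns_client 192.168.1.1 192.168.1.2

# The secondary answers queries itself and pulls zones from the primary over
# TCP 53, which dns_server on the primary already admits. Which hosts may
# actually transfer the zone is decided by allow-transfer in named.conf.
dns_server 192.168.1.2
dns_client 192.168.1.2 192.168.1.1
```

If you want the firewall to also limit zone transfers, add a rule that accepts TCP 53 to $SERVER only from the secondary's address before the general dns_server rules, and let the general TCP rule cover truncated answers only; the rules above deliberately leave that restriction to named.conf.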