#1

    DNS and iptables problem

    I have a problem. I just setup DNS for a test domain, and I can only get it to work with iptables service turned off.

    Here is my iptables -L:

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT udp -- anywhere anywhere udp dpt:51
    ACCEPT tcp -- anywhere anywhere tcp dpt:51 flags:SYN,RST,ACK/SYN
    ACCEPT tcp -- anywhere anywhere tcp spt:domain
    ACCEPT udp -- anywhere anywhere udp spt:domain
    DROP all -- 62.94.122.251 anywhere
    DROP all -- 216.240.146.123 anywhere
    DROP all -- 149-242-189-209.managednetworks.com anywhere
    DROP all -- 212-165-141-44.reverse.newskies.net anywhere
    DROP all -- wdcsun23.usdoj.gov anywhere
    RH-Lokkit-0-50-INPUT all -- anywhere anywhere
    DROP all -- 216.240.146.129 anywhere
    DROP all -- 217.20.241.2 anywhere
    DROP all -- ool-18bcca3f.dyn.optonline.net anywhere
    DROP all -- pool-151-205-127-213.char.east.verizon.net anywhere
    DROP all -- pool-151-204-150-124.ny325.east.verizon.net anywhere
    DROP all -- h-64-105-94-106.SNVACAID.covad.net anywhere
    DROP all -- wdcsun25.usdoj.gov anywhere
    DROP all -- wdcsun27.usdoj.gov anywhere
    DROP all -- 149.101.0.0/16 anywhere
    DROP all -- 212-165-141-44.reverse.newskies.net anywhere
    DROP all -- 12.109.17.210 anywhere

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT tcp -- anywhere anywhere tcp dpt:domain flags:SYN,RST,ACK/SYN
    ACCEPT tcp -- anywhere anywhere tcp spt:domain
    ACCEPT udp -- anywhere anywhere udp spt:domain

    Chain RH-Lokkit-0-50-INPUT (1 references)
    target prot opt source destination
    ACCEPT tcp -- anywhere anywhere tcp dpt:domain flags:SYN,RST,ACK/SYN
    ACCEPT udp -- stones.viawest.net anywhere udp spt:domain dpts:1025:65535
    ACCEPT udp -- cachens.den.viawest.net anywhere udp spt:domain dpts:1025:65535
    ACCEPT tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN
    ACCEPT tcp -- anywhere anywhere tcp dpt:ftp flags:SYN,RST,ACK/SYN
    ACCEPT tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN
    ACCEPT tcp -- anywhere anywhere tcp dpt:smtp flags:SYN,RST,ACK/SYN
    ACCEPT tcp -- anywhere anywhere tcp dpt:telnet flags:SYN,RST,ACK/SYN
    ACCEPT all -- anywhere anywhere
    REJECT tcp -- anywhere anywhere tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
    REJECT tcp -- anywhere anywhere tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
    REJECT udp -- anywhere anywhere udp dpts:0:1023 reject-with icmp-port-unreachable
    REJECT udp -- anywhere anywhere udp dpt:nfs reject-with icmp-port-unreachable
    REJECT tcp -- anywhere anywhere tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
    REJECT tcp -- anywhere anywhere tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
    swipe-- anywhere anywhere
    ACCEPT swipe-- anywhere anywhere

    Any ideas on what I'm doing wrong here?

    TIA,

    Alex
#2

    > I have a problem. I just setup DNS for a test domain, and I can only get it to work with iptables service turned off.

    I presume you mean you're running a DNS server? If so, you need to accept incoming DNS traffic destined for port 53:
    Code:
    iptables -A INPUT -p udp --dport 53 -j ACCEPT
    iptables -A INPUT -p tcp --dport 53 -j ACCEPT

    Alex
    (http://www.alex-greg.com)
#3

    All better

    Thanks, but I just solved the problem.

    Apparently I needed a rule for incoming UDP connections in the Lokkit, and the following line worked:
    Code:
    iptables -I RH-Lokkit-0-50-INPUT -p udp --dport 53 -j ACCEPT

    Thanks again,

    Alex
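An added example, not from the thread: the dump above shows why the fix had to go into the Lokkit chain. The INPUT chain only accepts port 51 (not 53), and RH-Lokkit-0-50-INPUT rejects UDP destination ports 0:1023 before any rule accepts UDP 53, so `iptables -I` (insert at position 1) is what puts the accept ahead of the reject. The script parses a constructed excerpt of the `iptables -L` output, walks the chains in order for a given packet and then mimics the poster's `-I` rule; the helper names are mine.

```python
import re
# Constructed excerpt modelled on the thread's `iptables -L` output. Plain -L
# prints 53 as "domain" and hides "-i lo", so the loopback rule is left out.
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:51
RH-Lokkit-0-50-INPUT all -- anywhere anywhere

Chain RH-Lokkit-0-50-INPUT (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:domain flags:SYN,RST,ACK/SYN
REJECT udp -- anywhere anywhere udp dpts:0:1023 reject-with icmp-port-unreachable
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN"}
NAMES = {"domain": 53, "http": 80, "ssh": 22}  # service names -L prints
def port_num(tok): return int(tok) if tok.isdigit() else NAMES[tok]

def parse_chains(text):
    """Return ({chain: [(target, proto, source, (lo, hi) or None)]}, {chain: policy})."""
    chains, policies, cur = {}, {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            cur = line.split()[1]; chains[cur] = []
            if "policy" in line: policies[cur] = line.split()[-1].rstrip(")")
            continue
        if cur is None or not line.strip() or line.startswith("target"):
            continue
        target, proto, _, src = line.split()[:4]
        m = re.search(r"dpts?:(\w+)(?::(\w+))?", line)
        rng = (port_num(m[1]), port_num(m[2] or m[1])) if m else None
        chains[cur].append((target, proto, src, rng))
    return chains, policies

def verdict(chains, policies, chain, proto, dport):
    """Walk `chain` in rule order for a new packet from an arbitrary host."""
    for target, rproto, src, rng in chains[chain]:
        if (src != "anywhere" or rproto not in (proto, "all")
                or (rng and not rng[0] <= dport <= rng[1])):
            continue
        if target in TERMINAL:
            return target, chain
        sub = verdict(chains, policies, target, proto, dport)  # user-chain jump
        if sub[0] != "RETURN":
            return sub
    return policies.get(chain, "RETURN"), chain

def apply_fix(chains):
    """Mimic `iptables -I RH-Lokkit-0-50-INPUT -p udp --dport 53 -j ACCEPT`: no position given, so it lands at rule 1, ahead of the udp 0:1023 REJECT."""
    chains["RH-Lokkit-0-50-INPUT"].insert(0, ("ACCEPT", "udp", "anywhere", (53, 53)))
```

Before the fix the walk returns REJECT from the Lokkit chain for UDP 53 and ACCEPT for TCP 53, which matches the poster's symptom; on a real host audit with `iptables -L -n -v` so interface matches such as `-i lo` are visible.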