iptables & dns resolution - Security



Thread: iptables & dns resolution

  1. iptables & dns resolution

    I am just beginning to learn how to use iptables as a firewall for one
    of my servers. In doing so, I have run into a bit of a roadblock that
    I hope I can get some assistance with. The server that I am working
    with acts as a DNS. At this point, clients are able to make DNS
    requests to this server and get a proper response. However, the server
    is unable to make DNS queries to other servers. Here is what I have in
    my iptables:

    iptables -A INPUT -i eth0 -p UDP --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i eth0 -p TCP --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p UDP --sport domain -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p TCP --sport domain -m state --state NEW,ESTABLISHED -j ACCEPT

    What am I missing here?


  2. Re: iptables & dns resolution

    Okay, I guess I just needed to put a little more thought into this...
    or perhaps have another cup of coffee.

    The solution, or my solution, was to add the following:
    iptables -A INPUT -i eth0 -p UDP --sport domain -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i eth0 -p TCP --sport domain -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p UDP --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p TCP --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT


  3. Re: iptables & dns resolution

    for i in tcp udp; do
        iptables -A INPUT -i eth0 -p $i --sport domain -m state --state NEW -j ACCEPT
        iptables -A INPUT -i eth0 -p $i --dport domain -m state --state NEW -j ACCEPT
        iptables -A OUTPUT -o eth0 -p $i --sport domain -m state --state NEW -j ACCEPT
        iptables -A OUTPUT -o eth0 -p $i --dport domain -m state --state NEW -j ACCEPT
    done
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    because your server will have to answer DNS requests, and make DNS
    requests to other servers as well.
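An added example, not code from any poster in this thread, of the stateful approach the third reply takes, written so the generated rules can be reviewed before being applied as root. It deliberately leaves out any INPUT rule keyed on --sport domain with state NEW: replies to this host's own queries already match the ESTABLISHED/RELATED rule, and accepting NEW connections by source port would let any remote host reach any local port simply by sending from port 53. The interface name eth0 and the DRY_RUN/IFACE variables are assumptions.

```shell
#!/bin/sh
# Stateful iptables rules for a host that both serves DNS and sends its own
# DNS queries. Assumed: interface eth0; DRY_RUN=1 (default) prints the rules
# instead of applying them, so the set can be inspected without root.

IFACE="${IFACE:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise run iptables with the same args.
rule() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

dns_rules() {
    # Replies to any query already seen by conntrack (ours going out, or a
    # client's coming in) are accepted here; no per-direction reply rule needed.
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    for proto in udp tcp; do
        # Server role: new queries from clients to our port 53.
        rule -A INPUT -i "$IFACE" -p "$proto" --dport 53 -m state --state NEW -j ACCEPT
        # Client role: new queries from this host to other DNS servers.
        rule -A OUTPUT -o "$IFACE" -p "$proto" --dport 53 -m state --state NEW -j ACCEPT
    done
    # No "--sport 53 ... --state NEW" rule on INPUT: replies are already
    # covered above, and a NEW rule keyed on source port would accept any
    # inbound packet whose sender chose port 53.
}

dns_rules
```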

