On Wed, 6 Aug 2003, Malcolm Ferguson wrote:

> I'm trying to configure iptables as strictly as possible, however, I'm
> having problems with DNS. If I understand correctly how DNS works, the
> client sends a UDP packet from a high number port to port 53 on the name
> server. The name server responds with a UDP packet back to that high
> number port. Is this correct?
>
> I have /etc/resolv.conf containing a nameserver entry. I also have some
> name servers listed in the forwarders section of /etc/bind/named.conf.
> Is there a way to configure both bind and the normal name resolver (how
> does it work???) to always use the same port? Or, do I have to add a
> rule to the INPUT chain that ACCEPTS anything UDP from the name server?
> Obviously the name server isn't on the local LAN.
Hi Malcolm,

Contrary to common belief, DNS is not UDP only. Once in a while a normal query will be too large, and then TCP packets are used. So TCP is not exclusively for zone transfers.

Here's what I use in my iptables script:

  # Variables assumed to be set earlier in the script:
  #   PUB_IFACE            public interface (e.g. eth0)
  #   PUB_IP               this host's address on that interface
  #   IP                   the remote name server's address
  #   EPHEMERAL_PORTS      client source-port range, e.g. 1024:65535
  #   CONNECTION_TRACKING  "1" when the state match module is available

  if [ "$CONNECTION_TRACKING" = "1" ]; then
      # Outbound queries, UDP and TCP, accepted as NEW connections;
      # replies then come back as ESTABLISHED
      iptables -A OUTPUT -o $PUB_IFACE -p udp \
          -s $PUB_IP --sport $EPHEMERAL_PORTS \
          -d $IP --dport 53 \
          -m state --state NEW -j ACCEPT
      iptables -A OUTPUT -o $PUB_IFACE -p tcp \
          -s $PUB_IP --sport $EPHEMERAL_PORTS \
          -d $IP --dport 53 \
          -m state --state NEW -j ACCEPT
  fi

  # Stateless fall-back: outbound queries, UDP and TCP
  iptables -A OUTPUT -o $PUB_IFACE -p udp \
      -s $PUB_IP --sport $EPHEMERAL_PORTS \
      -d $IP --dport 53 -j ACCEPT
  iptables -A OUTPUT -o $PUB_IFACE -p tcp \
      -s $PUB_IP --sport $EPHEMERAL_PORTS \
      -d $IP --dport 53 -j ACCEPT

  # Stateless fall-back: replies from the name server. For TCP only
  # non-SYN packets are accepted, so the server can never open a
  # connection towards us
  iptables -A INPUT -i $PUB_IFACE -p udp \
      -s $IP --sport 53 \
      -d $PUB_IP --dport $EPHEMERAL_PORTS -j ACCEPT
  iptables -A INPUT -i $PUB_IFACE -p tcp ! --syn \
      -s $IP --sport 53 \
      -d $PUB_IP --dport $EPHEMERAL_PORTS -j ACCEPT

Mind you, it is somewhat double. It is something I've gotten used to in the past. So there are a couple of catch 'em lines just in case the connection tracking module isn't loaded on that particular host. You might not need those extra lines.

Grx HdV

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
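The point of the reply above is that a resolver sends its query over UDP and, when the server answers with the TC (truncated) bit set because the reply does not fit, repeats the same query over TCP port 53. That is why the firewall needs the TCP rules as well as the UDP ones. The following is an added example, not code from either poster, that implements that fallback logic in Python against constructed packets, so it runs offline. The transport functions send_udp and send_tcp, the fake server make_reply, and the record values (192.0.2.x, TTL 300) are assumptions made for the example; the message layout (12-byte header, QR/TC/RD flag bits, 2-byte length prefix on TCP) is standard DNS wire format.

```python
"""Minimal DNS client logic showing the UDP -> TCP fallback that the
firewall rules must allow. Transports are injected so the whole thing
runs offline against constructed packets (example code, not from the
original thread)."""
import struct

QTYPE_A = 1
QCLASS_IN = 1
FLAG_QR = 0x8000   # response
FLAG_TC = 0x0200   # truncated: retry over TCP
FLAG_RD = 0x0100   # recursion desired


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid, qtype=QTYPE_A):
    """12-byte header (RD set, one question) followed by the question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Return the fields of the DNS header we care about."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    """Strip the length prefix, refusing a frame shorter than it claims."""
    if len(stream) < 2:
        raise ValueError("short TCP frame")
    (n,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + n:
        raise ValueError("truncated TCP frame")
    return stream[2:2 + n]


def resolve(name, txid, send_udp, send_tcp):
    """Query over UDP; if the reply is truncated, repeat it over TCP.
    send_udp(query) -> raw reply bytes; send_tcp(framed_query) -> framed reply.
    Returns (transport_used, parsed_header)."""
    query = build_query(name, txid)
    hdr = parse_header(send_udp(query))
    # A reply must carry our transaction id and the QR bit; anything else
    # is not an answer to what we asked.
    if hdr["id"] != txid or not hdr["qr"]:
        raise ValueError("UDP reply does not match our query")
    if not hdr["tc"]:
        return "udp", hdr
    hdr = parse_header(tcp_unframe(send_tcp(tcp_frame(query))))
    if hdr["id"] != txid or not hdr["qr"]:
        raise ValueError("TCP reply does not match our query")
    if hdr["tc"]:
        raise ValueError("server truncated the reply even over TCP")
    return "tcp", hdr


def make_reply(query, truncated, answers):
    """Constructed fake server (assumption for the example): echoes id and
    question, sets QR (plus TC when truncated) and appends `answers` A records
    pointing at 192.0.2.x with a compression pointer back to the question."""
    txid, _flags, qd, *_ = struct.unpack("!HHHHHH", query[:12])
    flags = FLAG_QR | FLAG_RD | (FLAG_TC if truncated else 0)
    ancount = 0 if truncated else answers
    rr = b""
    for i in range(ancount):
        rr += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
        rr += bytes([192, 0, 2, i])
    return struct.pack("!HHHHHH", txid, flags, qd, ancount, 0, 0) + query[12:] + rr


if __name__ == "__main__":
    # Constructed scenario: the UDP answer is too big and comes back with TC=1,
    # the TCP retry carries all 20 records.
    udp = lambda q: make_reply(q, truncated=True, answers=0)
    tcp = lambda f: tcp_frame(make_reply(tcp_unframe(f), truncated=False, answers=20))
    print(resolve("www.example.com", 0x1234, udp, tcp))
```

On a real host both lambdas would be replaced by a UDP sendto/recvfrom and a TCP connect to the resolver on port 53; with the OUTPUT rule for TCP missing, the TCP retry in resolve() would hang until the connect timed out, which is exactly the failure mode described in the thread.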