What iptables rules to allow name service?

Beginner's question on iptables firewalls...

Can you all help me set up a proper set of iptables rules to allow name service to run on my server?

I have:

-A INPUT -p udp --sport 53 -j ACCEPT

-A INPUT -p udp --dport 53 -j ACCEPT

-A INPUT -p tcp --sport 53 -j ACCEPT

-A INPUT -p tcp --dport 53 -j ACCEPT

-A INPUT -p udp --sport 1024:65535 -j ACCEPT

-A INPUT -p udp --dport 1024:65535 -j ACCEPT

FORWARD rules are set up the same as INPUT rules.

OUTPUT rules allow everything except telnet.

External hosts trying to access the name server (that is running on this host) can't get to it. If I turn off iptables (with /etc/rc.d/init.d/iptables stop), then name service works fine.

What am I missing?

Also, I'm wondering if I really need to open up the whole range of 1024-65535. I'm told that name service uses some random port in that range for a "reply" port, but it seems like asking a bit much to have to open up that whole range.

Thanks...

Reply to
C. J. Clegg

Ummm... why do you want to allow inbound connections to or from port 53 and any port above 1023 to your LAN? And why do you need DNS in the FORWARD chain anyway? The clients on your LAN should use your nameserver and your nameserver should forward these requests.

No, you don't. You need to make use of connection states.

Very incomplete snippet:

----88----

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers
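As an added example (not the snippet from the reply above, and not code written by either poster), this is the shape of a stateful rule set for the situation described in the thread: a host that is not a router and runs a nameserver. It relies on connection tracking so that DNS answers to the host's own lookups, which arrive on a random ephemeral source port, are admitted as ESTABLISHED traffic instead of through a 1024:65535 hole, and it drops the FORWARD chain and turns off ip_forward because nothing should be routed. Assumptions: IPv4 only, iptables-restore input format, the conntrack match module present, and the function names are my own.

```sh
#!/bin/sh
# Stateful iptables rule set for a non-routing host that serves DNS.
# Added example; run `sh dns-rules.sh apply` as root, or without an
# argument to just print the ruleset.

# Emit the ruleset in iptables-restore format.
dns_host_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback stays open: local processes use the resolver on 127.0.0.1.
-A INPUT -i lo -j ACCEPT
# Anything this host started (including answers to its own DNS lookups,
# which arrive on a random ephemeral port) is admitted by state; no
# ephemeral-range hole is needed.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# New queries to the nameserver: UDP 53, plus TCP 53 for truncated
# answers and zone transfers. Only the destination port is trusted.
-A INPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 53 --syn -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Sanity check a ruleset read from stdin: refuse rules that trust a
# source port or reopen the ephemeral range, the two mistakes in the
# original INPUT rules. Returns 0 when clean, 1 otherwise.
check_rules() {
    if grep -qE -- '--sport|1024:65535'; then
        echo "ruleset trusts source ports or opens the ephemeral range" >&2
        return 1
    fi
    return 0
}

# Load the rules and make the non-routing role explicit (needs root).
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    # The host is not a router: turn forwarding off rather than relying
    # on the boot default, so the FORWARD DROP policy is never exercised.
    echo 0 > /proc/sys/net/ipv4/ip_forward
    dns_host_rules | check_rules || return 1
    dns_host_rules | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    dns_host_rules
fi
```

The OUTPUT policy is ACCEPT here because the post says outbound is already wide open; tightening it later does not change the INPUT side, since the ESTABLISHED rule keeps matching replies to whatever the host is still allowed to initiate.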

Good morning, Ansgar.

Actually, there is no LAN... the iptables firewall on this host protects only its host (i.e. the host is not a router).

I'm not sure if that makes any difference regarding your question. :-)

Beats me. I guess I don't. :-)

I'm REALLY new at this firewall stuff as you can tell.

OK, so the fact that DNS replies on one of the ephemeral ports doesn't require me to open up all the ephemeral ports?

(I have since discovered that the ephemeral port range on this particular machine is a lot less than 1024-65535, something like 49152-65535 if I recall correctly.)

I will try the snippet you provided.

Thanks... :-)

Reply to
C. J. Clegg

These lines are both the same. Shouldn't one of them be --sport?

Reply to
C. J. Clegg

Ah, copy/paste error on my part. The second line should read "-p tcp" of course.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Then you should DROP everything in the FORWARD chain and disable IP forwarding.

[...]

Correct.

Then I suggest you start with the HOWTOs/tutorials on [1,2].

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Disabling IP forwarding is done by setting /proc/sys/net/ipv4/ip_forward to 0, right? (That is the default boot-up value anyway.)

So if I'm not doing any IP forwarding, then I don't need a FORWARD chain at all, right?

Actually, I have some virtual hosts on that machine to serve web pages from different domains. Do I need to FORWARD traffic to/from them? Note that /proc/sys/net/ipv4/ip_forward has always been set to 0 yet the virtual-host web servers all work as they should.

Thanks, I will study them.

Reply to
C. J. Clegg

Yes.

I prefer to set it in my firewall scripts, to make it explicit.

Yes.

No.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.