iptables blocks dns

Posted by agriz on 2011/12/8 19:04:18
When I stop iptables

nslookup site.com


Server: dns ip
Address: dns ip#53

Non-authoritative answer:
Name: site.com
Address: ipaddress

When I start iptables,

;; connection timed out; no servers could be reached

Why does iptables block DNS?


iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT


iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I OUTPUT 1 -o lo -j ACCEPT

# ssh
iptables -A INPUT -i eth0 -p tcp --dport 1234 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 1234 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp --icmp-type echo-request -m state --state ESTABLISHED,RELATED -j ACCEPT


iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT


iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT


This is what I entered in iptables.

Re: iptables blocks dns

Posted by TrevorH on 2011/12/8 20:31:48
Quote:

iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT


If these rules are on a DNS server then they are the wrong way round (your INPUT rule should be your OUTPUT rule and vice versa).

Re: iptables blocks dns

Posted by agriz on 2011/12/8 20:49:45
iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT


Yes, I have these rules in iptables. Are those wrong rules?


Is this correct then?
iptables -A INPUT -p udp -i eth0 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p udp -o eth0 --sport 53 --dport 1024:65535 -j ACCEPT


DNS server -- where can I check it?

Re: iptables blocks dns

Posted by TrevorH on 2011/12/8 21:01:31
If you have a DNS server then it is accepting UDP packets on port 53 so the destination (--dport) needs to be 53 on the INPUT chain.

Re: iptables blocks dns

Posted by agriz on 2011/12/8 21:10:59
I am not very sure about the DNS server.

It is just a simple website.
nslookup site.com

is giving me the error when I start iptables.
Also, the who.is DNS search is not displaying any info about the site.

But if I stop iptables, it is working normally. who.is is displaying results.

Do I need any rules to allow the name server via iptables?

Re: iptables blocks dns

Posted by TrevorH on 2011/12/8 21:20:00
It'll really help if you give examples, preferably with cut'n'paste output of the commands you ran and the results you got vs the results you expected.

Whois is not DNS and does not use port 53 but 43 - `grep whois /etc/services` would show you some clues about that.

Re: iptables blocks dns

Posted by agriz on 2011/12/8 21:28:12
nicname         43/tcp          whois
nicname         43/udp          whois
whois++         63/tcp
whois++         63/udp
rwhois          4321/tcp                        # Remote Who Is
rwhois          4321/udp                        # Remote Who Is


This is what I run when iptables status is "start"

nslookup my-website.com

Output : 
;; connection timed out; no servers could be reached


nslookup my-ip-address



Server:         4.2.2.2
Address:        4.2.2.2#53

** server can't find xx.xx.xx.xx.in-addr.arpa.: NXDOMAIN


Now I turned off iptables with "service iptables stop"

nslookup my-website.com

Output : 
Server:         4.2.2.2
Address:        4.2.2.2#53

Non-authoritative answer:
Name:   webiste.com
Address: my-ip.address


Re: iptables blocks dns

Posted by agriz on 2011/12/8 21:30:49
iptables -L -n -v

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0   
   17  1090 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1234 state NEW,ESTABLISHED
    0     0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0           icmp type 8 state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0           icmp type 0 state NEW,RELATED,ESTABLISHED
    1    60 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:10000 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp spt:1234 state ESTABLISHED
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp spt:53 dpts:1024:65535
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 2 packets, 264 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0   
    2   200 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:1234 state ESTABLISHED
    0     0 ACCEPT     icmp --  *      eth0    0.0.0.0/0            0.0.0.0/0           icmp type 0 state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      eth0    0.0.0.0/0            0.0.0.0/0           icmp type 8 state RELATED,ESTABLISHED
   15 15404 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:80 state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:443 state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:10000 state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:21 state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp dpt:1234 state NEW,ESTABLISHED
    0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           udp spts:1024:65535 dpt:53



Re: iptables blocks dns

Posted by TrevorH on 2011/12/8 21:46:43
First, your OUTPUT policy is ACCEPT so you can delete all of the rules you have there now as none of them are required.

Can you post the output from `iptables-save` as that's much easier to read than the version you posted.

Re: iptables blocks dns

Posted by agriz on 2011/12/8 21:52:03
I had the output policy set to deny, but I was having problems with wget, curl and yum.
Temporarily I have changed the deny to accept. Before finding a solution, I got a problem with the name server.

When I turn on iptables, the site is not loading.


This is the output of iptables-save

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [26:2884]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1234 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 10000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 1234 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 1234 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 8 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 10000 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 1234 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
COMMIT
# Completed on Fri Dec  9 03:18:50 2011
# Generated by iptables-save v1.4.7 on Fri Dec  9 03:18:50 2011
*mangle
:PREROUTING ACCEPT [40:22161]
:INPUT ACCEPT [40:22161]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [40:3964]
:POSTROUTING ACCEPT [40:3964]
COMMIT
# Completed on Fri Dec  9 03:18:50 2011
# Generated by iptables-save v1.4.7 on Fri Dec  9 03:18:50 2011
*nat
:PREROUTING ACCEPT [6:265]
:POSTROUTING ACCEPT [5:356]
:OUTPUT ACCEPT [5:356]
COMMIT
# Completed on Fri Dec  9 03:18:50 2011


1234 is my ssh
10000 is the webmin control panel

Re: iptables blocks dns

Posted by TrevorH on 2011/12/8 22:18:00
I think you are making this way too complicated. If you want to set your OUTPUT policy to DENY then I would set up a bare minimum of rules, for example

-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT


That's simple and needs the last rule repeated per output port that you want to allow connections through to. It also allows all outgoing requests in response to packets that have already been allowed. The INPUT side of that is now handled by

-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT


You don't need separate input rules for accepting the replies to things that have been allowed out as they're allowed by the 2nd rule above. The things you want on your INPUT chain are for services that you have running on the machine - so, yes, port 1234 wants one like

-A INPUT -i eth0 -p tcp [-s my.source.ip.addresses ] -m state --state NEW -m tcp --dport 1234 -j ACCEPT


This allows the initial connection (optionally from -s my.source.ip.addresses ) and subsequent traffic is allowed in and out by the RELATED,ESTABLISHED rules on input and output chains.

Re: iptables blocks dns

Posted by agriz on 2011/12/8 22:32:45
iptables -F

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# output settings
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -m tcp --dport 1234 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT


# input settings
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

# ssh settings
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 1234 -j ACCEPT


Is this correct?
When I set the default to drop, will I lose my ssh immediately, or will it execute the shell script till the end?

Re: iptables blocks dns

Posted by TrevorH on 2011/12/8 22:43:55
Quote:

When I set the default to drop, will I lose my ssh immediately, or will it execute the shell script till the end?


If you have doubts about that then you need to take steps to make sure that it doesn't happen - you could run it under `screen` for example so if you lose your connection then you haven't lost your session, or you could run a script using `nohup scriptname &`. Whichever way you do it you need to know that you are not about to lock yourself out permanently!

If you have services running on this machine that are listening on particular ports then you need an INPUT rule for each one. Your rules only allow for port 1234 at the moment - didn't you say you had webmin on port 10000 too? You seem to have added that to the output rules instead. Unless you are making outbound connection attempts to other servers that are running ssh on port 1234 then the output rule you have for that is useless too.

Re: iptables blocks dns

Posted by agriz on 2011/12/8 22:53:08
iptables -F

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# output settings
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT


# input settings
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT

# ssh settings
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 1234 -j ACCEPT


Yes, I have the following services running on the server: httpd, sendmail, webmin, https, mysqld

Now I have made changes in the input settings.
Do I need to create a new state for every output port?

Will the above settings allow curl to other sites on port 80, yum and wget?

Re: iptables blocks dns

Posted by TrevorH on 2011/12/8 23:17:22
Quote:

Will the above settings allow curl to other sites on port 80, yum and wget?


Yes.

Quote:

Do I need to create a new state for every output port?


If you set the output policy to DROP then you need to explicitly allow the ports to which you want to make outbound connections. Other ports opened by the same connection or related to it will be allowed too by virtue of the RELATED,ESTABLISHED rules.

With the rules you have at the moment, you'll be able to connect to other web sites and SMTP servers from this machine. It also allows you to connect to your webmin port on other servers but I suspect you just didn't get around to removing that yet. You're also allowing traffic to your server from others on http[s], SMTP, relocated ssh and Webmin ports. Any traffic related to those connections is also allowed.

Since you started this thread about DNS you will need to allow outbound traffic on destination port 53, both UDP and TCP. Whois traffic is on port 43.
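The minimal stateful layout TrevorH lays out a few posts up, plus the outbound DNS requirement from this post, as an added example that is not part of the thread: a bash script that builds the ruleset in iptables-restore format and applies it with a timed rollback so a DROP default policy cannot lock the admin out of ssh. It assumes eth0, ssh on 1234 and webmin on 10000 as in the thread; the reply rule is deliberately not restricted to TCP, so UDP DNS answers are accepted too.

```bash
#!/bin/bash
# Added example, not from the thread. Assumed interface and ports match the
# thread (eth0, ssh on 1234, webmin on 10000); adjust to the services that
# are actually listening.

IFACE="${IFACE:-eth0}"
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"

# build_rules LISTEN_PORTS OUTBOUND_PORTS
#   LISTEN_PORTS:   TCP ports this server accepts NEW connections on
#   OUTBOUND_PORTS: TCP ports this server may open NEW connections to
# Prints a complete *filter table for iptables-restore.
build_rules() {
    local listen="$1" outbound="$2" p
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    # loopback and reply traffic: one rule each, no per-port reply rules.
    # The INPUT reply rule has no -p tcp so UDP DNS answers match it too.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -i $IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "-A OUTPUT -o lo -j ACCEPT"
    echo "-A OUTPUT -o $IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # one INPUT rule per listening service
    for p in $listen; do
        echo "-A INPUT -i $IFACE -p tcp -m state --state NEW -m tcp --dport $p -j ACCEPT"
    done
    # resolver traffic: DNS needs UDP and TCP 53 outbound, no --sport match
    echo "-A OUTPUT -o $IFACE -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT"
    echo "-A OUTPUT -o $IFACE -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT"
    # one OUTPUT rule per destination port this host needs to reach
    for p in $outbound; do
        echo "-A OUTPUT -o $IFACE -p tcp -m state --state NEW -m tcp --dport $p -j ACCEPT"
    done
    echo 'COMMIT'
}

# apply_with_rollback LISTEN_PORTS OUTBOUND_PORTS
#   Saves the live ruleset, loads the new one, and restores the saved one
#   after ROLLBACK_SECS unless the admin confirms by creating the flag file.
#   If the new rules cut off ssh, the old rules come back on their own.
apply_with_rollback() {
    local backup flag
    backup=$(mktemp) && flag="$backup.ok"
    iptables-save > "$backup"
    ( sleep "$ROLLBACK_SECS"; [ -e "$flag" ] || iptables-restore < "$backup" ) &
    build_rules "$1" "$2" | iptables-restore
    echo "Rules loaded. Run: touch $flag   within ${ROLLBACK_SECS}s to keep them."
}

# Only touch the live firewall when run as a script with an explicit argument
if [ "${1:-}" = "apply" ]; then
    apply_with_rollback "1234 80 443 10000" "80 443 25"
fi
```

Run `bash script.sh apply` from an ssh session and, once the session still works, `touch` the printed flag file inside the window; do nothing and the previous ruleset is restored automatically.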

Re: iptables blocks dns

Posted by agriz on 2011/12/8 23:30:32
iptables -F

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# output settings
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

# input settings
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT

# ssh settings
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 1234 -j ACCEPT


Is it now a correct rule?
I am just running a simple website with curl usage.
Correct me if I am wrong.

I was using this site to check the DNS status
http://who.is/dns/google.com

Re: iptables blocks dns

Posted by TrevorH on 2011/12/8 23:40:30
Quote:

iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT


Personally I would omit the --sport from the rules and you do not need ESTABLISHED at all as you already have a rule to handle that.

You've also removed the output rules that let outbound SMTP traffic out of your machine which means that no emails will be sent out from this box. The same applies to port 443 outbound and this might be required as I believe some yum update mirrors are accessible over https (not 100% sure on that).

Re: iptables blocks dns

Posted by agriz on 2011/12/8 23:46:39
iptables -A OUTPUT -o eth0 -p tcp -m tcp  --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT


Is that a correct rule?

I got it for output now.
Thanks for teaching me.

iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

Do I need the above rule on the input side?
The server is not going to receive any mails. It is just going to send mails.

Thanks again!

Re: iptables blocks dns

Posted by TrevorH on 2011/12/8 23:52:38
Quote:

agriz wrote:
iptables -A OUTPUT -o eth0 -p tcp -m tcp  --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT


Is that a correct rule?


Yes, that looks fine.

Quote:

iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

Do I need the above rule on the input side?
The server is not going to receive any mails. It is just going to send mails.


If you are not running an email server accepting mails from outside then there is no reason to have this rule and every reason to delete it!

Re: iptables blocks dns

Posted by agriz on 2011/12/8 23:54:29
If you are not running an email server accepting mails from outside then there is no reason to have this rule and every reason to delete it!


Thanks for your help.
I will add those rules in iptables and I will update the status!

This Post was from: https://www.centos.org/newbb/viewtopic.php?forum=55&topic_id=34640