Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

iptables DNS issues

Status
Not open for further replies.
macphisto

macphisto

Technical User
May 10, 2001
15
ZA
Hi all,
this is my iptables script.
---start-----
#!/bin/sh

LAN="eth1"
INTERNET="eth0"
IPTABLES="/sbin/iptables"


# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Flush all chains
$IPTABLES --flush

# Allow unlimited traffic on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Set default policies
#$IPTABLES --policy INPUT DROP
#$IPTABLES --policy OUTPUT DROP
#$IPTABLES --policy FORWARD DROP

# Previously initiated and accepted exchanges bypass rule checking
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow incoming port 22 (ssh) connections on LAN interface
$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 22 -m state --state NEW -j ACCEPT

# Allow incoming port 3128 (squid) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 3128 -m state --state NEW -j ACCEPT

# Allow ICMP ECHO REQUESTS on LAN interface
$IPTABLES -A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT

# Allow DNS resolution
$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 -m state --state NEW -j ACCEPT

# Allow Squid to proxy http, https
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 443 -m state --state
NEW -j ACCEPT

----end script --

I' having problems with DNS , it seems the firewall machine cannot connect to the internet and cannot do dns query's if i change the the default to ACCEPT it work ?

can someone help me ?
 
Sort by date Sort by votes
Add a rule for the output chain, and if you are doing local DNS also for the input chain for UDP 53 and see if that helps.
 
Upvote 0 Downvote
On the internet side:

$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state --state NEW -j ACCEPT

and for the lan side:

$IPTABLES -A INPUT -i $LAN -p udp --destination-port 53 -m state --state NEW -j ACCEPT


That should allow your clients to query the firewall box, and the firewall box to query the internet.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

spamjim
  • Locked
  • Question
Sorting out NTFS filesystem issues
Replies
0
Views
136
spamjim
spamjim
RedLinux
  • Locked
  • Question
Login session issues with HTTP headers
Replies
0
Views
77
RedLinux
RedLinux
yarafatin
  • Locked
  • Question
Apache error log - DNS lookup failure for: hostname
Replies
5
Views
188
yarafatin
yarafatin
fzx5v0
  • Locked
  • Question
IPTables outgoing firewall rules
Replies
1
Views
106
minicompbx
minicompbx
MichealC4
  • Locked
  • Question
iptables + gre + masquerade = doesn't work?
Replies
1
Views
134
MichealC4
MichealC4

Part and Inventory Search

Sponsor

Back
Top