Re: Definitive iptables configuration for DNS cache?
From: Glen Cook (some@guy.com)
Date: 01/30/03
From: "Glen Cook" <some@guy.com> Date: Thu, 30 Jan 2003 05:18:09 GMT
"sPh" <sphealey@worldnet.att.net> wrote in message
news:a1e85ad4.0301281759.2b5cfdeb@posting.google.com...
> I have dnscache working fine on the host running the cache, but I
> cannot get any other hosts to connect when the firewall is running.
> If I disable the firewall then they can connect.
>
If I had to guess, I'd say you probably just need a better
understanding of how DNS works. DNS is a little different from other
protocols, like HTTP. Specifically, DNS normally tries to use
UDP for queries, not TCP. As such, when you receive the answer, it is in a
UDP packet as well. Therefore opening your firewall to TCP port 53 and using
established, related rules will not work. The notion of established, related
connections doesn't apply to UDP packets. You'll need an explicit rule for
the DNS packets going in both directions (particularly the responses).
Something like:
# Outbound DNS queries (OUTPUT chain takes -o for the outgoing interface, not -i)
/sbin/iptables -A OUTPUT -o eth0 -p udp -s 0/0 -d 0/0 --destination-port 53 -j ACCEPT
# Inbound DNS replies, which come back from source port 53
/sbin/iptables -A INPUT -i eth0 -p udp -s 0/0 --source-port 53 -d 0/0 -j ACCEPT
depending on exactly how you're filtering things.
You may also want to include TCP rules as well, as DNS may use TCP sessions
if the reply to the query is too large for a single UDP packet.
Don't know if this is your particular problem, but I've seen this be the
case before.
Glen
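As an added example (not from Glen's post), here is a shell script that emits the complete ruleset his answer sketches for a dnscache host: port 53 over both UDP and TCP, in both directions, for client queries as well as the cache's own recursive lookups. The reply rules are tightened with iptables connection tracking, which does follow UDP query/reply pairs, so packets from source port 53 are only admitted when they answer a query this host sent. The interface eth0 and the client network 192.168.1.0/24 are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Prints an iptables ruleset for
# a host running a DNS cache that answers clients in $LAN and forwards queries
# upstream. Assumes the filter table's INPUT and OUTPUT policies are DROP.
# Review the printed rules, then pipe the output to sh as root to apply them.

dns_cache_rules() {
    iface=$1   # interface facing both clients and upstream resolvers, e.g. eth0
    lan=$2     # client network allowed to use the cache, e.g. 192.168.1.0/24
    for proto in udp tcp; do
        # Client queries arriving at the cache, and the cache's answers to them.
        echo "/sbin/iptables -A INPUT  -i $iface -p $proto -s $lan --dport 53 -j ACCEPT"
        echo "/sbin/iptables -A OUTPUT -o $iface -p $proto -d $lan --sport 53 -j ACCEPT"
        # Recursive queries the cache sends upstream from a high source port.
        echo "/sbin/iptables -A OUTPUT -o $iface -p $proto --dport 53 -j ACCEPT"
        # Replies to those queries. Matching ESTABLISHED restricts this to
        # traffic that answers a query we sent; a bare '--sport 53 -j ACCEPT'
        # would admit anything a remote host chose to send from port 53.
        echo "/sbin/iptables -A INPUT  -i $iface -p $proto --sport 53 -m state --state ESTABLISHED -j ACCEPT"
    done
}

# Count rules for one chain and protocol; a quick self-check that both
# protocols and both directions are covered (expect 2 per chain/protocol).
count_rules() {   # $1 = chain (INPUT|OUTPUT), $2 = protocol (udp|tcp)
    dns_cache_rules eth0 192.168.1.0/24 | grep -c -- "-A $1 .* -p $2 "
}

dns_cache_rules "${IFACE:-eth0}" "${LAN:-192.168.1.0/24}"
```

Both TCP and UDP are emitted because, as the post notes, a reply that does not fit in a single UDP datagram is retried over TCP.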