iptables & port 53 (DNS) | Unix Linux Forums | Red Hat

#1  04-17-2012  Duffs22 (Registered User)

Hi,

I have a newly built RHEL5 OS that is unable to talk to the DNS server. I am unable to telnet to the resolv.conf entry over port 53, but apparently this port has been opened.


Code:
# telnet 209.212.96.1 53

and.....


Code:
# dig www.google.com
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> www.google.com
;; global options: printcmd
;; connection timed out; no servers could be reached

I can only assume therefore that this is a server issue.

So, I have added the following entry to my iptables:


Code:
# iptables -A INPUT -s 41.181.59.124/29 -d 209.212.96.1 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
 
# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination 
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0 
ACCEPT tcp -- 41.181.59.120/29 0.0.0.0/0 state NEW tcp dpt:53 
ACCEPT tcp -- 41.181.59.120/29 209.212.96.1 state NEW tcp dpt:53

But still unable to telnet to the nameserver over port 53.

Can anybody provide any pointers to what I can try next?

R,
D.

#2  04-17-2012  jnojr (Registered User)
DNS is UDP... you need to allow the DNS server to talk back to the client on UDP 53
#3  04-17-2012  Duffs22 (Registered User)
I have added the following:


Code:
# iptables -A INPUT -s 41.181.59.124/29 -d 209.212.96.1 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT

..........but still unable to reach the internet.
#4  04-17-2012  neutronscott (Forum Advisor)
Still hard to tell. This is iptables from the client, not the server, but you use dport 53... It would be sport at INPUT. Also you've an entire chain before these rules. Need the output of iptables -S.
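To make the dport/sport point above concrete, here is an added example (not code from the thread or from any poster). It takes rule lines in the `iptables -nL` format posted in this thread and decides whether each would match a UDP DNS reply arriving at the client: such a reply comes from the resolver with source port 53, is addressed to the client's ephemeral port, and is already ESTABLISHED in conntrack because the query went out first. The resolver address is the one from the thread; the client address is assumed to be a host in the poster's 41.181.59.124/29, and CIDR matching is deliberately reduced to exact-string or 0.0.0.0/0 comparisons.

```shell
#!/bin/sh
# Added example: why "state NEW udp dpt:53" on INPUT does not help a DNS client.
# Rule lines are in `iptables -nL` format: target prot opt source destination [matches]

RESOLVER=209.212.96.1      # nameserver from the thread
CLIENT=41.181.59.124       # assumed client address (from the poster's -s /29)

# rule_matches_dns_reply 'RULE LINE'
#   Returns 0 if the rule would match a UDP DNS reply from $RESOLVER to $CLIENT,
#   1 otherwise. Only 0.0.0.0/0 or an exact address is compared (no CIDR math).
rule_matches_dns_reply() {
    # shellcheck disable=SC2086  # splitting the rule line into columns is intended
    set -- $1
    prot=$2 src=$4 dst=$5
    shift 5                                   # remaining columns are extra matches

    case $prot in udp|all) ;; *) return 1 ;; esac          # DNS replies are UDP

    # INPUT direction: the reply's *source* is the resolver and its *destination*
    # is this host. The thread's rule puts the client in -s and the resolver in -d.
    case $src in 0.0.0.0/0|"$RESOLVER") ;; *) return 1 ;; esac
    case $dst in 0.0.0.0/0|"$CLIENT")   ;; *) return 1 ;; esac

    for tok in "$@"; do
        case $tok in
            NEW)   return 1 ;;   # a reply is ESTABLISHED, never NEW
            dpt:*) return 1 ;;   # reply's dport is the client's ephemeral port, never a fixed one
            spt:*) [ "${tok#spt:}" = 53 ] || return 1 ;;   # "udp spt:53" is the correct INPUT match
        esac
    done
    return 0
}

# chain_verdict 'CHAIN TEXT'
#   Walks a chain top to bottom and prints the target of the first rule that
#   matches the reply ("ACCEPT (rule 1)"), or "policy" if none does.
chain_verdict() {
    n=0 verdict=policy
    while IFS= read -r line; do
        case $line in Chain\ *|target\ *|'') continue ;; esac
        n=$((n + 1))
        if rule_matches_dns_reply "$line"; then
            verdict="${line%% *} (rule $n)"
            break
        fi
    done <<EOF
$1
EOF
    printf '%s\n' "$verdict"
}

# The RH-Firewall-1-INPUT chain as posted in the thread: rule 1 accepts everything
# as far as -nL shows, so the reply is accepted there regardless of the dpt:53 rule.
POSTED_CHAIN='ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53'

# Constructed chain: the poster's rule on its own, followed by the stock REJECT.
# The reply never matches the dpt:53 rule and hits the REJECT; the correct
# "udp spt:53" rule below it is shadowed.
CONSTRUCTED_CHAIN='ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     udp  --  41.181.59.120/29     209.212.96.1        state NEW udp dpt:53
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
ACCEPT     udp  --  209.212.96.1         0.0.0.0/0           udp spt:53'

main() {
    printf 'posted chain:      %s\n' "$(chain_verdict "$POSTED_CHAIN")"
    printf 'constructed chain: %s\n' "$(chain_verdict "$CONSTRUCTED_CHAIN")"
}
```

Running `main` prints `ACCEPT (rule 1)` for the posted chain and `REJECT (rule 3)` for the constructed one. Feeding the poster's own rule line to `rule_matches_dns_reply` fails on the address columns, the NEW state and the dpt:53 match, which is why appending it changed nothing.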
#5  04-17-2012  Duffs22 (Registered User)
No "-S" option on RHEL5. I've listed the tables instead:


Code:
# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  41.181.59.120/29     209.212.96.1        state NEW udp dpt:53 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255 
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53

R,
D.
#6  04-17-2012  in2nix4life (Registered User)
Couple of questions:

Without the firewall, do you have connectivity to the DNS server?

What do the logs show with iptables running when you attempt the connection?
#7  04-17-2012  neutronscott (Forum Advisor)
-L isn't enough. Otherwise I'd assume everything is accepted due to the first rule in RH-Firewall-1-INPUT... -L -v -n would be better.

But those are rather restrictive rules. You still would want to add new ones to the top rather than the bottom: use -I instead of -A.
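The two points in this reply can be checked mechanically against a saved listing. The script below is an added example, not code from the thread or any poster: it reads `iptables -nL` output and reports (1) rules that sit below a catch-all REJECT or DROP in the same chain, which is what `-A` produces on the stock RH-Firewall-1-INPUT chain and which can never match, and (2) `ACCEPT all` rules with no match column, which plain `-L` shows without their interface restriction (an `-i lo` rule looks identical until you run `-L -v -n`). The sample listing is the one posted in this thread, abbreviated.

```shell
#!/bin/sh
# Added example: audit an `iptables -nL` listing for unreachable rules and for
# accept-all rules that a non-verbose listing cannot fully describe.

# Sample input: the listing posted in this thread, abbreviated to the relevant rows.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  41.181.59.120/29     209.212.96.1        state NEW udp dpt:53
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53'

# unreachable_rules 'LISTING'
#   Prints "CHAIN: rule" for every rule that follows a catch-all terminating rule
#   (REJECT/DROP, protocol all, any source, any destination, no extra match) in
#   the same chain. Those rules were appended with -A and should have been
#   inserted above the REJECT with -I.
unreachable_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain / { chain = $2; dead = 0; next }      # new chain: reset state
        /^target / || /^[[:space:]]*$/ { next }       # skip header and blank lines
        dead { print chain ": " $0; next }            # everything after the terminator
        ($1 == "REJECT" || $1 == "DROP") && $2 == "all" &&
        $4 == "0.0.0.0/0" && $5 == "0.0.0.0/0" &&
        (NF == 5 || $6 == "reject-with") { dead = 1 }'
}

# catchall_accepts 'LISTING'
#   Prints "CHAIN: rule" for ACCEPT-all rules that show no match column. In a
#   plain -nL listing these may be genuine accept-everything rules or may carry
#   an interface match (-i lo) that only -L -v -n displays; either way they
#   decide the fate of every packet that reaches them, so confirm which it is.
catchall_accepts() {
    printf '%s\n' "$1" | awk '
        /^Chain / { chain = $2; next }
        $1 == "ACCEPT" && $2 == "all" && $4 == "0.0.0.0/0" &&
        $5 == "0.0.0.0/0" && NF == 5 { print chain ": " $0 }'
}

main() {
    echo "rules that can never match:"
    unreachable_rules "$SAMPLE_LISTING"
    echo "accept-all rules to re-check with -L -v -n:"
    catchall_accepts "$SAMPLE_LISTING"
}
```

On the posted listing the first report names the appended `udp dpt:53` rule in RH-Firewall-1-INPUT, and the second names that chain's first rule. To use it on a live box, replace the sample with `"$(iptables -nL)"`; a rule that must run before the stock REJECT is inserted with `iptables -I RH-Firewall-1-INPUT <position> ...`.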