iptables & port 53 (DNS) | Unix Linux Forums | Red Hat

#1  Duffs22 (Registered User), 04-17-2012

Hi,

I have a newly built RHEL5 OS that is unable to talk to the DNS server. I am unable to telnet to the resolv.conf entry over port 53, but apparently this port has been opened.


Code:
# telnet 209.212.96.1 53

and.....


Code:
# dig www.google.com
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> www.google.com
;; global options: printcmd
;; connection timed out; no servers could be reached

I can only assume therefore that this is a server issue.

So, I have added the following entry to my iptables:


Code:
# iptables -A INPUT -s 41.181.59.124/29 -d 209.212.96.1 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
 
# iptables -nL
Chain INPUT (policy ACCEPT)
target               prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT               tcp  --  41.181.59.120/29     0.0.0.0/0            state NEW tcp dpt:53
ACCEPT               tcp  --  41.181.59.120/29     209.212.96.1         state NEW tcp dpt:53

But I am still unable to telnet to the nameserver over port 53.

Can anybody provide any pointers to what I can try next?

R,
D.

#2  jnojr (Registered User, San Diego, CA), 04-17-2012
DNS is UDP... you need to allow the DNS server to talk back to the client on UDP 53
#3  Duffs22 (Registered User), 04-17-2012
I have added the following:


Code:
# iptables -A INPUT -s 41.181.59.124/29 -d 209.212.96.1 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT

...but I am still unable to reach the internet.
#4  neutronscott (Forum Advisor, McMurdo Station, Antarctica), 04-17-2012
Still hard to tell. This is iptables from the client, not the server, but you use dport 53... It would be sport at INPUT. Also, you've an entire chain before these rules. Need the output of iptables -S.
#5  Duffs22 (Registered User), 04-17-2012
No "-S" option on RHEL5. I've listed the tables instead:


Code:
# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  41.181.59.120/29     209.212.96.1        state NEW udp dpt:53 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255 
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53

R,
D.
#6  in2nix4life (Registered User, East Coast), 04-17-2012
A couple of questions:

Without the firewall, do you have connectivity to the DNS server?

What do the logs show with iptables running when you attempt the connection?
#7  neutronscott (Forum Advisor, McMurdo Station, Antarctica), 04-17-2012
-L isn't enough; otherwise I'd assume everything is accepted due to the first rule in RH-Firewall-1-INPUT. -L -v -n would be better.

But those are rather restrictive rules. You still would want to add new ones to the top rather than the bottom: use -I instead of -A.
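The two points above (plain -L hides the interface match on that first rule, and a rule appended with -A below the chain-ending REJECT is never reached) can be checked mechanically. The following is an added example, not code from the thread: it parses `iptables -L -v -n` output and reports rules that sit below a catch-all terminating rule. The sample listing is constructed from the RH-Firewall-1-INPUT chain posted above; the `lo` interface on its first rule (the RHEL default) and the packet counters are assumed.

```python
"""Flag iptables rules that can never match because a catch-all terminating
rule (ACCEPT/DROP/REJECT with no match at all) sits above them in the same
chain, which is what appending with -A below a chain-ending REJECT produces.
Input is `iptables -L -v -n` output; unlike plain -L it shows in/out interfaces."""
import re

# Constructed sample modelled on the thread's RH-Firewall-1-INPUT chain. The
# "lo" interface on the first rule and the counters are assumed, not posted.
SAMPLE = """\
Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
  120  9000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
  400 52000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
   27  1600 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
COLUMNS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst")

def parse_chains(listing):
    """Map chain name -> list of rule dicts from `iptables -L -v -n` output."""
    chains, current = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current is None or not line.strip() or line.split()[0] == "pkts":
            continue  # header row or text outside any chain
        else:
            f = line.split(None, 9)           # 9 fixed columns + match text
            rule = dict(zip(COLUMNS, f[:9]))
            rule["extra"] = f[9].strip() if len(f) > 9 else ""
            chains[current].append(rule)
    return chains

def is_catch_all(r):
    """True for a terminating rule with no protocol, interface, address or state match."""
    extra = re.sub(r"reject-with \S+", "", r["extra"]).strip()
    return (r["target"] in TERMINATING and r["prot"] == "all"
            and r["in"] == "*" and r["out"] == "*"
            and r["src"] == "0.0.0.0/0" and r["dst"] == "0.0.0.0/0" and not extra)

def shadowed_rules(listing):
    """Return [(chain, 1-based position, rule)] for rules below a catch-all."""
    dead = []
    for chain, rules in parse_chains(listing).items():
        for i, r in enumerate(rules):
            if is_catch_all(r):
                dead += [(chain, j + 1, x) for j, x in enumerate(rules) if j > i]
                break
    return dead

if __name__ == "__main__":
    for chain, pos, r in shadowed_rules(SAMPLE):
        print(f"{chain} rule {pos} ({r['prot']} {r['extra']}) is unreachable")
```

On the sample it reports only rule 6 (the appended `udp dpt:53` rule); the first rule is not treated as a catch-all because the `-v` listing shows it is limited to `lo`.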