Hi, I am relatively new to firewalls and netfilter. I have a Debian Stretch router box running dnsmasq, connected to a VPN. Occasionally dnsmasq polls all of the desired DNS servers to select the fastest. When it does this it responds to replies of the non-selected DNS servers with a icmp type three or "host unreachable". My firewall is very strict (I was hacked) and I am controlling sockets. I would like to respond to the DNS servers with this icmp message. I have tried many, many ways but none work, the message keeps on getting dropped. Here is an example rule set for one of the DNS servers:
Here is the rule script:
Here is the resulting script from the firewall log:
To me the firewall is not seeing the icmp rule for some reason. Can anyone see the problem? Thanks for you help!
---------- Post updated at 06:04 PM ---------- Previous update was at 05:36 PM ----------
Well, I'm replying to my own post 10 minutes after writing it. All I needed was a "RELATED" on the state. I was hesitant to use this state as it seems to open a can of worms on some web sites...
I'm trying to insert multiple new lines of text into an iptables script using sed in a while loop. I'm not sure if this is the most effective way. Searching the forums has helped me come up with a good beginning but it's not 100%. I'd like it to search out a unique line in my current iptables file... (2 Replies)
Hi
I have small home network and I want to block some forums on web
When I use this
iptables -A INPUT -s forum -j DROP
rules is applied but when I restart some of PC rules are not present any more also I tried to save firewall settings
iptables-save > /root/dsl.fw
but how to... (2 Replies)
Hello,
I was playing around with iptables to setup an isolated system. On a SLES10 system, I ran the below to setup my first draft of rules. I noticed that the rules come into effect immediately and do not require any restart of iptables.
iptables -A INPUT -j ACCEPT
iptables -A OUTPUT -m... (4 Replies)
Could someone help me with writing rules for iptables?
I need a dos attacks protection for a game server.
port type udp
ports 27015:27030
interface: eth0
Accept all packets from all IPs
Chek if IP sent more than 50 packets per second
Drop all packets from this IP for 5 minutes
I would be... (0 Replies)
Hi Gurus,
I need to add Multicast Port = xyz
Multicast Address = 123.134.143 ( example) to my firewall rules. Can you please guide me with the lines I need to update my iptables files with. (0 Replies)
Hi Champs
i am new in Iptables and trying to write rules for my Samba server.I took some help from internet, created one script and run from rc.local :
#Allow loopback
iptables -I INPUT -i lo -j ACCEPT
# Accept packets from Trusted network
iptables -A INPUT -s my-network/subnet -j... (0 Replies)
Hello,
I have iptables service running on my CentOS5 server. It has approx 50 rules right now.
The problem I am facing now is as follows -
I have to define a new chain in the filter table, say DOS_RULES & add all rules in this chain starting from index number 15 in the filter table.
... (1 Reply)
Hi,
I've been struggling with this all morning and seem to have a blind spot on what the problem is. I'm trying to use iptables to block traffic on a little cluster of raspberry pi's but to allow ssh and ping traffic within it.
The cluster has a firewall server with a wifi card connecting to... (4 Replies)
Hello,
I did 2 scripts. The second one is, I hope, more secure.
What do you think?
Basic connection (no server, no router, no DHCP and the Ipv6 is disabled)
#######script one
####################
iptables -F
iptables -X -t filter
iptables -P INPUT DROP
iptables -P FORWARD... (6 Replies)
Discussion started by: Thomas342
6 Replies
LEARN ABOUT DEBIAN
ldns-notify
ldns-notify(1) General Commands Manual ldns-notify(1)NAME
ldns-notify - notify DNS servers that updates are available
SYNOPSIS
ldns-notify [options] -z zone servers
DESCRIPTION
ldns-notify sends a NOTIFY message to DNS servers. This tells them that an updated zone is available at the master servers. It can perform
TSIG signatures and it can add a SOA serial number of the updated zone. If a server already has that serial number it will disregard the
message.
OPTIONS -z zone
The zone that is updated.
-h Show usage and exit
-v Show the version and exit
-s serial
Append a SOA record indicating the serial number of the updated zone.
-p port
Use port as destination port (default the DNS port 53) for the UDP packets.
-y key:data
Use the given TSIG key and base64-data to sign the NOTIFY. Uses the hmac-md5 algorithm.
-d Print verbose debug information. The query that is sent and the query that is received.
-r num Specify the maximum number of retries before notify gives up trying to send the UDP packet.
EXIT CODE
The program exits with a 0 exit code if all servers replied an acknowledgement to the notify message, and a failure exit code otherwise.
AUTHOR
Written by the ldns team as an example for ldns usage.
REPORTING BUGS
Report bugs to <ldns-team@nlnetlabs.nl>.
COPYRIGHT
Copyright (C) 2005 NLnet Labs. This is free software. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PUR-
POSE.
9 Jan 2007 ldns-notify(1)