[sclug] iptables

Matt matt at bodgit-n-scarper.com
Sat Aug 7 13:28:56 UTC 2004 

On Sat, 2004-08-07 at 13:42, Tom Dawes-Gamble wrote:
> Okay you iptables gurus.  
> 
> I'm having problems configuring iptables on my name server.
> 
> Want I really want to do is as follows.
> 
> dns.tmdg.co.uk updates the two real name servers for the domain
> 	ns1.dns.houxou.com and ns2.dns.houxou.com.
> dns.tmdg.co.uk will answer requests from rg.tmdg.co.uk.
> dns.tmdg.co.uk will answer requests from sn.tmdg.co.uk.

By 'updates', do you mean ns[12].dns.houxou.com perform zone transfers
against you?

> Now with iptables off  everything is fine  but as soon as I turn on
> iptables thats it no access to the name server.  
> 
> with iptables --list on I get :-
> 
> Chain MY-Input (2 references)
> target     prot opt source               destination
> ACCEPT     udp  --  anywhere             anywhere           udp
> spt:domain
> ACCEPT     tcp  --  anywhere             anywhere           tcp
> dpt:domain flags:SYN,RST,ACK/SYN
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     udp  --  dns.tmdg.co.uk    anywhere           udp spt:domain
> ACCEPT     udp  --  ns1.dns.houxou.com   anywhere           udp
> spt:domain
> ACCEPT     udp  --  ns2.dns.houxou.com   anywhere           udp
> spt:domain
> ACCEPT     udp  --  rg.tmdg.co.uk        anywhere           udp
> spt:domain
> REJECT     tcp  --  anywhere             anywhere           tcp
> flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
> REJECT     udp  --  anywhere             anywhere           udp
> reject-with icmp
> 
> There is more bu tI chopped that out. :-)

Hmm, that probably doesn't help ;-) I can see this My-Input chain is
referenced by two other chains, but I can't see if there's a more
restrictive rule beforehand that might be blocking the traffic,
especially as DNS queries *might* use a privileged source port, (you
could be enforcing an unprivileged source port prior to reaching this
chain).

> To my untrained eye that says I accept any traffic on port 53.

Rule #3 in MY-Input looks to me like a "let anything through" rule, so I
can't believe nothing works.

If you add '-v' to the 'iptables --list', you'll get hit counters
printed as well, which might help you track how far packets are getting.

Matt

More information about the Sclug mailing list