[sclug] iptables
Matt
matt at bodgit-n-scarper.com
Sat Aug 7 13:28:56 UTC 2004
On Sat, 2004-08-07 at 13:42, Tom Dawes-Gamble wrote:
> Okay you iptables gurus.
>
> I'm having problems configuring iptables on my name server.
>
> What I really want to do is as follows.
>
> dns.tmdg.co.uk updates the two real name servers for the domain
> ns1.dns.houxou.com and ns2.dns.houxou.com.
> dns.tmdg.co.uk will answer requests from rg.tmdg.co.uk.
> dns.tmdg.co.uk will answer requests from sn.tmdg.co.uk.
By 'updates', do you mean ns[12].dns.houxou.com perform zone transfers
against you?
> Now with iptables off everything is fine but as soon as I turn on
> iptables thats it no access to the name server.
>
> with iptables --list on I get :-
>
> Chain MY-Input (2 references)
> target     prot opt source               destination
> ACCEPT     udp  --  anywhere             anywhere            udp spt:domain
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain flags:SYN,RST,ACK/SYN
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     udp  --  dns.tmdg.co.uk       anywhere            udp spt:domain
> ACCEPT     udp  --  ns1.dns.houxou.com   anywhere            udp spt:domain
> ACCEPT     udp  --  ns2.dns.houxou.com   anywhere            udp spt:domain
> ACCEPT     udp  --  rg.tmdg.co.uk        anywhere            udp spt:domain
> REJECT     tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
> REJECT     udp  --  anywhere             anywhere            udp reject-with icmp
>
> There is more but I chopped that out. :-)
Hmm, that probably doesn't help ;-) I can see this MY-Input chain is
referenced by two other chains, but I can't see if there's a more
restrictive rule beforehand that might be blocking the traffic,
especially as DNS queries *might* use a privileged source port (you
could be enforcing an unprivileged source port prior to reaching this
chain).
> To my untrained eye that says I accept any traffic on port 53.
Rule #3 in MY-Input looks to me like a "let anything through" rule, so I
can't believe nothing works.
If you add '-v' to the 'iptables --list', you'll get hit counters
printed as well, which might help you track how far packets are getting.
Matt
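The reply above recommends `iptables --list -v` so the per-rule packet counters show how far traffic gets. The following is an added example, not code from the original thread or from either poster: a small first-match simulator over a constructed transcription of the MY-Input chain Tom posted. It evaluates sample packets the way the kernel walks a chain (top to bottom, first matching rule's target wins) and reports which rule's counter would increment. The sample packets, the `Rule`/`Packet` types and the `WITHOUT_RULE3` variant are all assumptions made for the illustration; the matcher only understands the match types that chain actually uses (protocol, source host, source/destination port, and the SYN-only flag test). One thing worth noticing from the output: `spt:domain` only matches packets whose *source* port is 53, i.e. answers coming back from other name servers, so a query arriving *at* port 53 from an ephemeral source port is not matched by those rules at all.

```python
"""First-match simulation of an iptables filter chain (added example).

The MY_INPUT list is a constructed transcription of the chain quoted in
the thread; packet samples below are invented for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DOMAIN = 53  # the port `iptables --list` prints as "domain"


@dataclass
class Rule:
    target: str                 # ACCEPT / REJECT
    proto: str                  # "udp", "tcp" or "all"
    src: str = "anywhere"       # hostname as printed, or "anywhere"
    spt: Optional[int] = None   # "spt:domain" -> 53
    dpt: Optional[int] = None   # "dpt:domain" -> 53
    syn_only: bool = False      # "flags:SYN,RST,ACK/SYN": new TCP connections only


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dport: int
    syn: bool = False           # True for a TCP SYN with RST/ACK clear


# Constructed from the posted chain, in the order iptables listed it.
MY_INPUT: List[Rule] = [
    Rule("ACCEPT", "udp", spt=DOMAIN),                              # 1
    Rule("ACCEPT", "tcp", dpt=DOMAIN, syn_only=True),               # 2
    Rule("ACCEPT", "all"),                                          # 3: matches everything
    Rule("ACCEPT", "udp", src="dns.tmdg.co.uk", spt=DOMAIN),        # 4
    Rule("ACCEPT", "udp", src="ns1.dns.houxou.com", spt=DOMAIN),    # 5
    Rule("ACCEPT", "udp", src="ns2.dns.houxou.com", spt=DOMAIN),    # 6
    Rule("ACCEPT", "udp", src="rg.tmdg.co.uk", spt=DOMAIN),         # 7
    Rule("REJECT", "tcp", syn_only=True),                           # 8
    Rule("REJECT", "udp"),                                          # 9
]

# Hypothetical variant: the same chain with the "accept all" rule removed,
# to show what the remaining rules do on their own.
WITHOUT_RULE3: List[Rule] = MY_INPUT[:2] + MY_INPUT[3:]


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every match in the rule must hold for the rule to fire."""
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.src != "anywhere" and rule.src != pkt.src:
        return False
    if rule.spt is not None and rule.spt != pkt.sport:
        return False
    if rule.dpt is not None and rule.dpt != pkt.dport:
        return False
    if rule.syn_only and not (pkt.proto == "tcp" and pkt.syn):
        return False
    return True


def first_match(chain: List[Rule], pkt: Packet) -> Tuple[Optional[int], str]:
    """Walk the chain top to bottom; return (1-based rule number, target).

    If nothing matches, a user-defined chain RETURNs and the calling
    chain decides, which is reported here as (None, "RETURN").
    """
    for number, rule in enumerate(chain, start=1):
        if matches(rule, pkt):
            return number, rule.target
    return None, "RETURN"


def hit_counters(chain: List[Rule], packets: List[Packet]) -> List[int]:
    """Emulate the pkts column of `iptables --list -v` for a traffic sample."""
    counts = [0] * len(chain)
    for pkt in packets:
        number, _ = first_match(chain, pkt)
        if number is not None:
            counts[number - 1] += 1
    return counts


if __name__ == "__main__":
    # Invented traffic: a UDP query, a UDP answer, a TCP SYN, a mid-stream TCP segment.
    sample = [
        Packet("udp", "rg.tmdg.co.uk", 33333, DOMAIN),
        Packet("udp", "ns1.dns.houxou.com", DOMAIN, 40000),
        Packet("tcp", "ns1.dns.houxou.com", 40000, DOMAIN, syn=True),
        Packet("tcp", "ns1.dns.houxou.com", 40000, DOMAIN, syn=False),
    ]
    for name, chain in (("MY-Input", MY_INPUT), ("without rule 3", WITHOUT_RULE3)):
        print(name)
        for pkt in sample:
            print("  ", pkt, "->", first_match(chain, pkt))
        print("   counters:", hit_counters(chain, sample))
```

Run against the posted chain, every packet in the sample is accepted by rule 1, 2 or 3, which is the point Matt makes about rule #3. Run against the variant with rule 3 taken out, the UDP query from rg.tmdg.co.uk falls all the way through to the final REJECT, because rules 4 to 7 test the source port, and a mid-stream TCP segment matches nothing and returns to the calling chain. That is the sort of thing the `-v` counters make visible on a real box: whichever rule's count climbs is the rule that is deciding the packet's fate.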