Re: How do I configure iptables to allow DNS lookups?

To: debian-user@lists.debian.org
Subject: Re: How do I configure iptables to allow DNS lookups?
From: HdV@DTO.TUDelft.NL
Date: Thu, 7 Aug 2003 17:05:39 +0200 (MEST)
Message-id: <[🔎] Pine.GSO.4.44.0308071642520.6995-100000@sanders.rc.tudelft.nl>
In-reply-to: <[🔎] 3F32640E.9020100@yahoo.com>

On Thu, 7 Aug 2003, Malcolm Ferguson wrote:

> If I understand what I've just read from a Google search, TCP is used
> when the data exceeds 512 bytes (or as you say, for zone transfers).  Is
> this always to TCP port 53 on the server, or can the server indicate an
> alternative port in it's initial UDP responsive?

Always 53.

> What is $EPHEMERAL_PORTS defined as?  "1024:" or "1024:65535" perhaps?

The latter.

> What is $IP defined as?  I presume the IP address of the name server.

Yep. Actually it is only one IP from a list of 'em. That way I can say
somthing like

DNS_SERVERS="ip1 ip2 ip3"

> This might be a dumb question

There is no such question as a dumb question. `;-)

There are people who don't read before asking a question, but
your question is a very reasonable one.

> as I've only just started reading about
> stateful packet filtering this morning... is there a reason why you
> don't use the connection tracking for INPUT chain?

This snippet was not the full monty. If you want to see the full
script go to

http://huizen.dto.tudelft.nl/devries/security/iptables_example.nl.html

for an explanation and to

http://huizen.dto.tudelft.nl/devries/files/iptables_files.tar.gz

for the archive. Currently there's only a Dutch explanation available,
but I am translating it into English for another reader of the debian lists.
I expect to have it available this weekend. I'll post the new link then.
'Til then you should be able to figure things out from the shell-scripts
in the archive.

> This might be another dumb question, but how do I tell if the connection
> tracking module isn't loaded?  How is this configured, enabled,
> disabled, etc?

lsmod should give ip_conntrack in it's listing. Please refer to the URLs
given above for the full code. It is well-commented so you shouldn't
have any trouble to use that as an example.

Grx HdV

P.S. I am on the list so you can reply to the list only and I'll see you
messages. If I can I'll try to answer them (sometimes I am a bit short
on time though...)

Reply to:

Follow-Ups:
- Thanks all! - Re: How do I configure iptables to allow DNS lookups?
  - From: Malcolm Ferguson <Malcolm_Ferguson@yahoo.com>
- Unusual idea..
  - From: "Craig Tinson" <craig@webmarketing.co.uk>

References:
- Re: How do I configure iptables to allow DNS lookups?
  - From: Malcolm Ferguson <Malcolm_Ferguson@yahoo.com>

Prev by Date: KMail question
Next by Date: Re: How can I get VNC to start a Gnome session?
Previous by thread: Re: How do I configure iptables to allow DNS lookups?
Next by thread: Thanks all! - Re: How do I configure iptables to allow DNS lookups?
Index(es):
- Date
- Thread