Re: How do I configure iptables to allow DNS lookups?
On Thu, 7 Aug 2003, Malcolm Ferguson wrote:
> If I understand what I've just read from a Google search, TCP is used
> when the data exceeds 512 bytes (or as you say, for zone transfers). Is
> this always to TCP port 53 on the server, or can the server indicate an
> alternative port in its initial UDP response?
Always 53.
> What is $EPHEMERAL_PORTS defined as? "1024:" or "1024:65535" perhaps?
The latter.
> What is $IP defined as? I presume the IP address of the name server.
Yep. Actually it is only one IP from a list of 'em. That way I can say
something like
DNS_SERVERS="ip1 ip2 ip3"
> This might be a dumb question
There is no such question as a dumb question. ;-)
There are people who don't read before asking a question, but
your question is a very reasonable one.
> as I've only just started reading about
> stateful packet filtering this morning... is there a reason why you
> don't use the connection tracking for INPUT chain?
This snippet was not the full monty. If you want to see the full
script go to
http://huizen.dto.tudelft.nl/devries/security/iptables_example.nl.html
for an explanation and to
http://huizen.dto.tudelft.nl/devries/files/iptables_files.tar.gz
for the archive. Currently there's only a Dutch explanation available,
but I am translating it into English for another reader of the debian lists.
I expect to have it available this weekend. I'll post the new link then.
'Til then you should be able to figure things out from the shell-scripts
in the archive.
> This might be another dumb question, but how do I tell if the connection
> tracking module isn't loaded? How is this configured, enabled,
> disabled, etc?
lsmod should give ip_conntrack in its listing. Please refer to the URLs
given above for the full code. It is well-commented so you shouldn't
have any trouble using that as an example.
Grx HdV
P.S. I am on the list so you can reply to the list only and I'll see your
messages. If I can I'll try to answer them (sometimes I am a bit short
on time though...)
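As an added example (not from HdV's archive or the scripts linked above), a small shell script that prints the rules for the setup discussed in this thread: lookups allowed only from unprivileged local ports to a list of resolvers, UDP plus the TCP fallback for answers over 512 bytes, replies accepted on INPUT only through connection tracking, and a check that ip_conntrack is loaded. The resolver addresses are constructed placeholders and IPT is an assumed variable name.

```shell
#!/bin/sh
# Added example, not part of the original thread or the linked archive.
IPT="${IPT:-/sbin/iptables}"                         # assumed variable name
DNS_SERVERS="${DNS_SERVERS:-192.0.2.53 192.0.2.54}"   # constructed sample resolvers
EPHEMERAL_PORTS="1024:65535"

# Print the rules instead of running them, so they can be reviewed first
# and applied later with: dns_client_rules | sh
dns_client_rules() {
    for ip in $DNS_SERVERS; do
        # Ordinary lookups: UDP to port 53 on the resolver from an unprivileged local port.
        echo "$IPT -A OUTPUT -p udp -d $ip --dport 53 --sport $EPHEMERAL_PORTS -m state --state NEW,ESTABLISHED -j ACCEPT"
        # Answers over 512 bytes (and zone transfers) are retried over TCP, still to port 53.
        echo "$IPT -A OUTPUT -p tcp -d $ip --dport 53 --sport $EPHEMERAL_PORTS -m state --state NEW,ESTABLISHED -j ACCEPT"
        # Replies: only packets that belong to a query this host sent; nothing NEW from the resolver.
        echo "$IPT -A INPUT -p udp -s $ip --sport 53 --dport $EPHEMERAL_PORTS -m state --state ESTABLISHED -j ACCEPT"
        echo "$IPT -A INPUT -p tcp -s $ip --sport 53 --dport $EPHEMERAL_PORTS -m state --state ESTABLISHED -j ACCEPT"
    done
}

# The state match above does nothing useful unless connection tracking is loaded;
# this mirrors the lsmod check from the reply (nf_conntrack is the later module name).
conntrack_loaded() {
    lsmod 2>/dev/null | grep -q '^ip_conntrack\|^nf_conntrack'
}
```

Run `conntrack_loaded || echo "connection tracking not loaded"` before applying the rules.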