[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]


I have a firewall which allows ESTABLISHED,RELATED packets on INPUT,
and port 53/udp on OUTPUT. Now, if I query for a DNS name, the
packet leaves the machine, but the reply is usually dropped:

  [INPUT]: IN=ppp0 OUT= MAC= SRC= DST=
  LEN=68 TOS=0x00 PREC=0x00 TTL=58 ID=9949 PROTO=UDP SPT=53
  DPT=16468 LEN=48 

Here are the relevant rules:

  -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -m conntrack --ctstate INVALID -j DROP

  -A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[INPUT]: "


I always have to add specific udp sport rules for all nameservers,
which is a pain, and which should not be required.

What am I doing wrong?

(Note that I get the same results with '-m state' instead of '-m


Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

Attachment: signature.asc
Description: Digital signature

Reply to: