[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CNAME, iptables and qmail

* Michal Melewski (mike@pn66.poznan.sdi.tpnet.pl) [020506 11:07]:
> Hello
> Try to add following lines into your firewall script:
> iptables -A INPUT -p udp -i $DEV -s 0/0 --sport 53 -j ACCEPT
> iptables -A INPUT -p udp -i $DEV -s 0/0 -j DROP
> iptables -A OUTPUT -p udp -i $DEV -d 0/0 --dport 53 -j ACCEPT
> Works fine with my firewall...

This setup will work fine most of the time, but mysteriously fail when
replies to your DNS queries are long. Your resolver tries to ask udp/53,
but will need to connect to tcp/53 if the result is longer than can fit
in a single udp packet.

Basically, what all that means is that you also need to allow like this:

iptables -A INPUT -p tcp -i $DEV -s 0/0 --sport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -i $DEV -d 0/0 --dport 53 -j ACCEPT

to match the style of your rules above. I'd be more inclined to do it
this way, though:

iptables -A INPUT -j ACCEPT \
	-m state --state ESTABLISHED \
	-p tcp -s $MY_NAMESERVER --sport 53 -d $MY_EXT_IP
iptables -A OUTPUT -j ACCEPT \
	-p tcp -d $MY_EXT_IP --dport 53 -d $MY_NAMESERVER

... but that's just me. Also, I'm already using connection tracking for
NAT anyway.

good times,
Currently seeking opportunities in the SF Bay Area
Please see http://www.doorstop.net/resume.shtml

Attachment: pgpLkwWEoilgP.pgp
Description: PGP signature

Reply to: