
Re: How do I configure iptables to allow DNS lookups?

On Wed, 2003-08-06 at 22:02, Malcolm Ferguson wrote:
> I have /etc/resolv.conf containing a nameserver entry.  I also have some 
> name servers listed in the forwarders section of /etc/bind/named.conf.  
> Is there a way to configure both bind and the normal name resolver (how 
> does it work???) to always use the same port?  Or, do I have to add a 
> rule to the INPUT chain that ACCEPTS anything UDP from the name server?  
> Obviously the name server isn't on the local LAN.

From /etc/bind/named.conf (Debian box):

  // If there is a firewall between you and nameservers you want
  // to talk to, you might need to uncomment the query-source
  // directive below.  Previous versions of BIND always asked
  // questions using port 53, but BIND 8.1 and later use an unprivileged
  // port by default.

  query-source address * port 53;

This will force BIND to use 53 as the source port, as well as the
destination.  You can then use something like the following in
your iptables script.

iptables -A INPUT -i <interface> -p udp -s <ip of first forwarder> --sport 53 --dport 53 -j ACCEPT
iptables -A INPUT -i <interface> -p udp -s <ip of second forwarder> --sport 53 --dport 53 -j ACCEPT

and maybe a matching set with "-p tcp".

That should allow responses back through the firewall, though you
should be able to do the same with "ESTABLISHED,RELATED".


Jeremy L. Gaddis   <jeremy@gaddis.org>   <http://www.gaddis.org>

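Both approaches from the reply above, written out as an added example that is not part of the original mailing-list message: a small POSIX sh script that generates the stateless port-53-to-port-53 rules (which only work once named.conf carries "query-source address * port 53;") and, separately, the ESTABLISHED,RELATED variant that lets conntrack admit replies whatever source port BIND picked. The interface name "eth0" and the forwarder addresses 192.0.2.10 and 192.0.2.11 are constructed placeholders. Forwarder addresses and the interface name are validated before they are put into an iptables command line, which is the check a copy-paste from named.conf into a firewall script otherwise skips. The script prints the rules rather than applying them, so they can be reviewed first.

```sh
#!/bin/sh
# Added example, not from the original post: print iptables rules for a host
# running BIND as a forwarding resolver behind a packet filter.
# Interface name and forwarder addresses used below are assumed placeholders.

# Accept only a dotted-quad IPv4 address (four octets, each 0-255), so that a
# stray character in a forwarder list can never reach the iptables command line.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest=$1
    n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        [ "$rest" = "$octet" ] && break
        rest=${rest#*.}
    done
    [ $n -eq 4 ]
}

# Interface names: letters, digits and a few punctuation characters only.
is_ifname() {
    case $1 in
        ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
    esac
    return 0
}

# Stateless rules in the style of the post: with "query-source address * port 53;"
# in named.conf, every reply from a forwarder arrives as UDP/TCP port 53 -> port 53
# and can be matched per forwarder without connection tracking.
dns_rules_fixed_port() {
    [ $# -ge 2 ] || { echo "usage: dns_rules_fixed_port <iface> <forwarder>..." >&2; return 1; }
    iface=$1
    shift
    is_ifname "$iface" || { echo "bad interface name: $iface" >&2; return 1; }
    for fwd in "$@"; do
        is_ipv4 "$fwd" || { echo "bad forwarder address: $fwd" >&2; return 1; }
        for proto in udp tcp; do
            echo "iptables -A INPUT -i $iface -p $proto -s $fwd --sport 53 --dport 53 -j ACCEPT"
        done
    done
}

# Stateful alternative also mentioned in the post: allow the outbound queries and
# let conntrack admit the matching replies. BIND then keeps an unprivileged
# source port (including the per-query randomization later BIND releases added),
# which a pinned port 53 gives up and which makes forged replies harder to land.
dns_rules_stateful() {
    iface=$1
    is_ifname "$iface" || { echo "bad interface name: $iface" >&2; return 1; }
    echo "iptables -A OUTPUT -o $iface -p udp --dport 53 -j ACCEPT"
    echo "iptables -A OUTPUT -o $iface -p tcp --dport 53 -j ACCEPT"
    echo "iptables -A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Constructed sample input: replace with your interface and the forwarders from
# /etc/bind/named.conf. Review the printed rules, then pipe them to sh as root.
dns_rules_fixed_port eth0 192.0.2.10 192.0.2.11
dns_rules_stateful eth0
```

Use one style or the other, not both: the fixed-port rules depend on the query-source line being in named.conf, while the stateful rules work with BIND's default source-port behaviour and need no change to named.conf.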