Re: How do I configure iptables to allow DNS lookups?
On Wed, 2003-08-06 at 22:02, Malcolm Ferguson wrote:
> I have /etc/resolv.conf containing a nameserver entry. I also have some
> name servers listed in the forwarders section of /etc/bind/named.conf.
> Is there a way to configure both bind and the normal name resolver (how
> does it work???) to always use the same port? Or, do I have to add a
> rule to the INPUT chain that ACCEPTS anything UDP from the name server?
> Obviously the name server isn't on the local LAN.
From /etc/bind/named.conf (Debian box):
// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.
query-source address * port 53;
This will force BIND to use 53 as the source port, as well as the
destination. You can then use something like the following in
your iptables script.
iptables -A INPUT -i <interface> -p udp -s <ip of first forwarder> --sport 53 --dport 53 -j ACCEPT
iptables -A INPUT -i <interface> -p udp -s <ip of second forwarder> --sport 53 --dport 53 -j ACCEPT
and maybe a matching set with "-p tcp".
That should allow responses back through the firewall, though you
should be able to do the same with "ESTABLISHED,RELATED".
HTH,
j.
--
Jeremy L. Gaddis <jeremy@gaddis.org> <http://www.gaddis.org>
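As an added example (not part of the thread above), a small sh script that emits the "ESTABLISHED,RELATED" alternative Jeremy mentions, which lets the resolver and BIND keep whatever source port they pick, so the query-source directive does not have to pin port 53. The interface name eth0 and the forwarder addresses 192.0.2.53 and 198.51.100.53 are constructed placeholders; by default the rules are only printed, and setting IPTABLES=iptables (as root) applies them.

```shell
#!/bin/sh
# Added example, not from the original message. $IPTABLES defaults to
# "echo iptables" so the rules are printed; run with IPTABLES=iptables
# as root to apply them. Left unquoted on purpose so the two words split.
IPTABLES="${IPTABLES:-echo iptables}"

# dns_rules IFACE FORWARDER...   (IFACE and addresses are placeholders)
# Outbound: let queries reach each forwarder on 53/udp and 53/tcp from
# any source port. Inbound: accept only replies to queries conntrack saw
# leave this host, and drop anything else that merely claims sport 53.
dns_rules() {
    iface="$1"; shift
    for fwd in "$@"; do
        for proto in udp tcp; do
            # -p must come before --dport: iptables loads the port
            # match from the protocol, so the reverse order is an error.
            $IPTABLES -A OUTPUT -o "$iface" -p "$proto" -d "$fwd" --dport 53 -j ACCEPT
        done
    done
    # Replies are matched to the outbound query by the state module,
    # regardless of which source port the query used.
    $IPTABLES -A INPUT -i "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Unsolicited packets with source port 53 are not answers to anything
    # this host asked, so they get dropped rather than blanket-accepted.
    $IPTABLES -A INPUT -i "$iface" -p udp --sport 53 -j DROP
}

# Example invocation with constructed placeholder values.
dns_rules eth0 192.0.2.53 198.51.100.53
```

With two forwarders the script prints six rules: four OUTPUT accepts, the stateful INPUT accept, and the final DROP.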