Re: How do I configure iptables to allow DNS lookups?

On Thu, 7 Aug 2003, Malcolm Ferguson wrote:

> If I understand what I've just read from a Google search, TCP is used
> when the data exceeds 512 bytes (or as you say, for zone transfers).  Is
> this always to TCP port 53 on the server, or can the server indicate an
> alternative port in its initial UDP response?

Always 53.

> What is $EPHEMERAL_PORTS defined as?  "1024:" or "1024:65535" perhaps?

The latter.

> What is $IP defined as?  I presume the IP address of the name server.

Yep. Actually it is only one IP from a list of 'em. That way I can say
something like

DNS_SERVERS="ip1 ip2 ip3"

> This might be a dumb question

There is no such question as a dumb question. ;-)

There are people who don't read before asking a question, but
your question is a very reasonable one.

> as I've only just started reading about
> stateful packet filtering this morning... is there a reason why you
> don't use the connection tracking for INPUT chain?

This snippet was not the full monty. If you want to see the full
script go to


for an explanation and to


for the archive. Currently there's only a Dutch explanation available,
but I am translating it into English for another reader of the debian lists.
I expect to have it available this weekend. I'll post the new link then.
'Til then you should be able to figure things out from the shell-scripts
in the archive.

> This might be another dumb question, but how do I tell if the connection
> tracking module isn't loaded?  How is this configured, enabled,
> disabled, etc?

lsmod should give ip_conntrack in its listing. Please refer to the URLs
given above for the full code. It is well-commented so you shouldn't
have any trouble using that as an example.

Grx HdV

P.S. I am on the list so you can reply to the list only and I'll see your
messages. If I can I'll try to answer them (sometimes I am a bit short
on time though...)
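The rule set this thread is talking about, written out as an added example (it is not the script the reply links to, and not code from either poster): outbound UDP and TCP to port 53 on each server in DNS_SERVERS from the ephemeral port range, with replies handled by a single conntrack ESTABLISHED rule on INPUT. The server addresses are constructed sample values, and setting IPT=echo previews the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the script referenced in the reply.  Assumes the host is
# a DNS client only (lookups, no zone hosting) and that iptables and lsmod
# are on PATH.  Run with IPT=echo to see the rules without touching the kernel.

DNS_SERVERS="${DNS_SERVERS:-192.0.2.53 192.0.2.54}"   # constructed sample addresses
EPHEMERAL_PORTS="1024:65535"                           # the "1024:65535" from the thread
IPT="${IPT:-iptables}"

# conntrack_loaded: succeeds if the connection tracking module shows up in
# lsmod (ip_conntrack on 2.4-era kernels, nf_conntrack on newer ones).
conntrack_loaded() {
    lsmod 2>/dev/null | awk '{print $1}' | grep -qx -e ip_conntrack -e nf_conntrack
}

# dns_client_rules: OUTPUT rules for one name server.  UDP carries normal
# queries; TCP is used when the answer exceeds 512 bytes.  Both always go to
# port 53 on the server, from our ephemeral source ports.
dns_client_rules() {
    _ip="$1"
    for proto in udp tcp; do
        $IPT -A OUTPUT -p "$proto" -d "$_ip" --sport "$EPHEMERAL_PORTS" --dport 53 \
            -m state --state NEW,ESTABLISHED -j ACCEPT
    done
}

# apply_dns_rules: one INPUT rule lets tracked replies back in, then a pair of
# OUTPUT rules per server in DNS_SERVERS.
apply_dns_rules() {
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for ip in $DNS_SERVERS; do
        dns_client_rules "$ip"
    done
}

# rule_count: how many rules apply_dns_rules emits (1 + 2 per server).
rule_count() {
    IPT=echo apply_dns_rules | wc -l | tr -d ' '
}
```

Run `IPT=echo sh script.sh` after adding a call to apply_dns_rules at the bottom to review the generated rules before loading them for real.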
