iptables blocking DNS server

I'm trying to configure my server to allow incoming DNS queries. The default server, as setup by the hosting company, permits traffic on ports 443, 80 and 22.

I have modified the iptables file to try to permit requests on port 53, but I am not getting any response from BIND. Turning off the firewall permits the DNS request to go through, so that suggests to me that the nameserver is working correctly. The setup is CentOS 5.5.

This is the iptables file; I'd appreciate it if someone could tell me what I'm missing here in order to get this working.

Thanks in advance.

==================

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 10000 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1024:65535 --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 443 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed

This line from your rules is completely wrong:

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1024:65535 --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT

You're saying: allow traffic from remote port 53 to local ports 1024 - 65535.
I believe DNS is listening on port 53. Try this instead (allow every TCP/UDP traffic to destination port 53):

-A RH-Firewall-1-INPUT -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 53 -j ACCEPT

These lines won't do anything:

-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT

If you meant to open TCP port 50 and 51; use this:

-A RH-Firewall-1-INPUT -p tcp --dport 50:51 -j ACCEPT

Thank you. The lines that I'd added are very similar to the lines that appear in a VPS that I have. The lines that you've noted as not doing anything are a part of the standard centOS installation. I'm unsure of their intent, but may as well leave them there, given they're a part of the standard installation. Again, thank you very much.

Redback 2010-09-10 16:29:55

The 50/51 lines would be to allow inbound IPSEC tunnels - 50 is ESP and 51 is AH.

Alnitak 2010-09-10 22:15:30

ansaurus

tags:

views:

answers:

iptables blocking DNS server

related questions