I'm building a firewall script with iptables v1.2.5 and kernel 2.4.17, patched with ulog and string, among other things, besides the standard patches in iptables. At this point (my 10th rebuild of this script or so... I've lost count) I've got a strange problem.
My firewall/router box is also running as a DNS cache for my LAN and DMZ. It has 3 NICs: eth0 (LAN), eth1 (DMZ), eth2 (inet). After I add DNS access to my OUTPUT chain, I'm not able to list the iptables rules. Well, the TCP rule is OK, but as soon as I enable the UDP rule, I'm not allowed to list (iptables -L), or it takes at least 5 minutes between each line. If I disable the UDP rule, I get the list in a second or two.

My two DNS rules:

$IPTABLES -A OUTPUT -p TCP -o $INET_INTERFACE -s $INET_IP --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p UDP -o $INET_INTERFACE -s $INET_IP --dport 53 -j ACCEPT

$INET_INTERFACE = eth2
$INET_IP = static IP from my ISP

As I said, if I comment out the UDP part (with #) the listing is just fine, but with it I'm stuck. Any idea, anyone?

While I'm at it, is ESTABLISHED,RELATED more or less the only way to accept the DNS answer back from my ISP's DNS server? I've got this:

$IPTABLES -A INPUT -p ALL -i $INET_INTERFACE -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

/Christopher Thorjussen
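An added example, not part of Christopher's post or his script: the same three DNS rules for a caching resolver that lives on the router itself, wrapped so they can be reviewed (or tested) before they reach the kernel, plus a listing that passes -n to iptables. A plain "iptables -L" resolves every address and port in every rule to a name, and each reverse lookup that cannot complete waits for its timeout before the next line is printed; "-n" prints numbers only and never touches DNS, which is the first check to run when a listing crawls. On the second question: connection tracking tracks UDP as well as TCP, so an ESTABLISHED,RELATED rule on INPUT does admit the UDP answer from port 53; the only alternative without the state match is a plain INPUT rule matching the upstream resolver's address and --sport 53. The interface name and address below are placeholders (192.0.2.10 is a constructed documentation address standing in for the static ISP address), and the script only calls the real iptables when run as root with the binary installed, otherwise it prints the commands.

```sh
#!/bin/sh
# Added example, not the original poster's script: DNS rules for a caching
# resolver running on the router itself, kept in a function so they can be
# reviewed (or tested) before they touch the kernel, plus a listing that
# skips name resolution.
#
# Assumptions: INET_INTERFACE and INET_IP are placeholders; 192.0.2.10 is a
# constructed documentation address standing in for the static ISP address.
INET_INTERFACE="${INET_INTERFACE:-eth2}"
INET_IP="${INET_IP:-192.0.2.10}"

# Use the real binary only as root with iptables installed; otherwise
# dry-run by printing the commands, so the script is safe to run anywhere.
if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
    IPTABLES=iptables
else
    IPTABLES="echo iptables"
fi

# dns_rules prints one rule per line. The two OUTPUT rules let the resolver
# on this box query upstream over TCP and UDP; the INPUT rule admits the
# replies. Connection tracking handles UDP as well as TCP, so a UDP answer
# from port 53 matches ESTABLISHED even though UDP has no handshake.
dns_rules() {
    cat <<EOF
-A OUTPUT -p TCP -o $INET_INTERFACE -s $INET_IP --dport 53 -j ACCEPT
-A OUTPUT -p UDP -o $INET_INTERFACE -s $INET_IP --dport 53 -j ACCEPT
-A INPUT -p ALL -i $INET_INTERFACE -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# apply_rules feeds each line to iptables (or echoes it in dry-run mode).
apply_rules() {
    dns_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        $IPTABLES $rule
    done
}

# list_args returns the listing options: -n prints addresses and ports as
# numbers, so iptables never does a reverse DNS lookup while listing. A
# plain "iptables -L" resolves every address and port in every rule, and
# each lookup that cannot complete waits for its timeout before the next
# line appears.
list_args() {
    echo "-L -n -v"
}

list_rules() {
    # shellcheck disable=SC2046  # word splitting of the options is intended
    $IPTABLES $(list_args)
}

# Usage: sh dns-rules.sh apply   (installs the rules, then lists them numerically)
#        sh dns-rules.sh         (just prints the rules that would be added)
case "${1:-}" in
    apply) apply_rules && list_rules ;;
    "")    dns_rules ;;
esac
```

Running it without arguments prints the three rules with the variables expanded, which is a cheap way to eyeball a generated ruleset before installing it; "apply" as root installs them and then lists the tables with -n so the listing never blocks on name resolution.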