Chris,

    My guess would be that the firewall is allowing responses to connections
that are already established, but it's impossible to say for sure without
seeing the script used to create the firewall.

Here is an example:

# Queries: clients on the private LAN may open (NEW) or continue (ESTABLISHED)
# UDP/53 flows to the DNS server
$IPTABLES -A FORWARD -o $INET_IFACE -d $DNS_SERV1 -s $PRIV_LAN -p udp \
    --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

# Replies: the DNS server may only answer flows the firewall is already
# tracking (ESTABLISHED); it cannot open a new flow into the LAN
$IPTABLES -A FORWARD -i $INET_IFACE -s $DNS_SERV1 -d $PRIV_LAN -p udp \
    --sport 53 -m state --state ESTABLISHED -j ACCEPT


The first rule allows the clients on the private LAN to query the DNS
server. These packets can be part of a new or established connection, so the
clients can create new connections to the DNS server.

The second rule allows the DNS server to respond to the clients' requests.
These packets can only be part of an established connection, so the DNS
server (or any other host) cannot create a new connection into the private
LAN unless there are other rules to allow it.


J.T.
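As an added illustration (not part of J.T.'s reply or Chris's original setup), the script below builds a complete default-deny FORWARD chain in the same style: everything from the private LAN outward is allowed, only new SSH sessions are allowed inward, and a single state rule lets the replies to tracked flows (DNS answers included) back in. The interface names, the addresses and the DRY_RUN switch are assumptions chosen for illustration; by default the script only prints the rules. The new_from_inet function is the check a reviewer of such a script wants: list every rule that lets a NEW connection in from the Internet side.

```shell
#!/bin/sh
# Added example, not the rules from the mailing-list thread.
# All interface names and addresses below are assumed values.

IPTABLES=${IPTABLES:-iptables}
INET_IFACE=${INET_IFACE:-eth0}          # assumed Internet-facing interface
LAN_IFACE=${LAN_IFACE:-eth1}            # assumed private LAN interface
PRIV_LAN=${PRIV_LAN:-192.168.1.0/24}    # assumed private LAN (RFC 1918 range)
DRY_RUN=${DRY_RUN:-1}                   # 1 = print the rules, 0 = apply them

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# forward_rules: the whole FORWARD policy, default deny plus three ACCEPT rules.
forward_rules() {
    run -P FORWARD DROP
    run -F FORWARD
    # Replies to flows the firewall already tracks may come back in from the
    # Internet side. This single rule is what lets DNS answers through even
    # though no rule mentions port 53.
    run -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Hosts on the private LAN may open anything towards the Internet.
    run -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$PRIV_LAN" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # The only NEW connections accepted from the Internet: SSH into the LAN.
    run -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -d "$PRIV_LAN" \
        -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

# new_from_inet: audit helper listing every rule that accepts a NEW
# connection arriving on the Internet interface. Anything beyond SSH here
# is a hole in the "only SSH inbound" policy.
new_from_inet() {
    forward_rules | grep -- "-i $INET_IFACE" | grep -- '--state NEW'
}

if [ "${1:-}" = "--audit" ]; then
    new_from_inet
else
    forward_rules
fi
```

Run it as is to see the generated commands, `DRY_RUN=0 sh script.sh` (as root) to apply them, and `sh script.sh --audit` to print only the inbound NEW rules.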




>Date: Sat, 22 Jun 2002 10:30:55 -0700
>From: Christian Seberino <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: how is this stuff getting thru default deny iptables firewall?....
>
>My firewall *only* forwards SSH stuff to private LAN.
>
>It forwards *everything* _from_ private LAN to Internet however.
>
>How can the private LAN use DNS which it does????
>
>How is DNS server returning the info thru firewall
>if it *only* allows SSH??!?!?!?
>
>Chris


Reply via email to