Dear Listies, I have an issue with a rule set on iptables. I am confident that my issue is with iptables and not some other app, as I have run tests to isolate the problem.
I have a mail server (Postfix) running on RH9 with iptables at the front. My mail fails because the server cannot resolve host names (lookups). Here is a snip from my firewall ruleset concerning DNS. My ruleset has some definitions, then DNS is the first 'real' ruleset after the obvious silly/devious packets. I have run netstat and the connection from my $IPADDR to $NAMESERVER is established with the ports as given in the rule. There is no response, i.e. host unknown. Any help??:-) TIA G

###############################################################
# DNS Name Server

# DNS Forwarding Name Server or client requests
if [ "$CONNECTION_TRACKING" = "1" ]; then
    /sbin/iptables -A OUTPUT -o $INTERNET -p udp \
        -s $IPADDR --sport $UNPRIVPORTS \
        -d $NAMESERVER --dport 53 \
        -m state --state NEW -j ACCEPT
fi

/sbin/iptables -A OUTPUT -o $INTERNET -p udp \
    -s $IPADDR --sport $UNPRIVPORTS \
    -d $NAMESERVER --dport 53 -j ACCEPT

/sbin/iptables -A INPUT -i $INTERNET -p udp \
    -s $NAMESERVER --sport 53 \
    -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT

#...............................................................
# TCP is used for large responses
if [ "$CONNECTION_TRACKING" = "1" ]; then
    /sbin/iptables -A OUTPUT -o $INTERNET -p tcp \
        -s $IPADDR --sport $UNPRIVPORTS \
        -d $NAMESERVER --dport 53 \
        -m state --state NEW -j ACCEPT
fi

/sbin/iptables -A OUTPUT -o $INTERNET -p tcp \
    -s $IPADDR --sport $UNPRIVPORTS \
    -d $NAMESERVER --dport 53 -j ACCEPT

/sbin/iptables -A INPUT -i $INTERNET -p tcp ! --syn \
    -s $NAMESERVER --sport 53 \
    -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT

#...............................................................
# DNS Caching Name Server (local server to primary server)
if [ "$CONNECTION_TRACKING" = "1" ]; then
    /sbin/iptables -A OUTPUT -o $INTERNET -p udp \
        -s $IPADDR --sport 53 \
        -d $NAMESERVER --dport 53 \
        -m state --state NEW -j ACCEPT
fi

/sbin/iptables -A OUTPUT -o $INTERNET -p udp \
    -s $IPADDR --sport 53 \
    -d $NAMESERVER --dport 53 -j ACCEPT

/sbin/iptables -A INPUT -i $INTERNET -p udp \
    -s $NAMESERVER --sport 53 \
    -d $IPADDR --dport 53 -j ACCEPT

--
Regards,
______________________________________________________________________
George Nicholls
+27 (0) 833 272 995
Fax +27(0) 11 462 5868
Pasco Risk Consultants (Pty) Ltd
P.O. Box 789 Douglasdale 2165 South Africa

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
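An added example, not from George's post or his ruleset: the quickest way to see which side of a DNS exchange the firewall is eating is to append LOG rules for port 53 after the ACCEPT rules (so only packets that missed every ACCEPT get logged) and then tally the kernel log by direction, protocol and ports. The variable names follow the post; the addresses and the sample log lines are constructed, and the script only echoes the iptables commands unless IPTABLES is set to the real binary.

```shell
#!/bin/sh
# Variable names follow the post; the values here are constructed placeholders.
INTERNET="${INTERNET:-eth0}"
IPADDR="${IPADDR:-192.0.2.10}"
NAMESERVER="${NAMESERVER:-192.0.2.53}"
IPTABLES="${IPTABLES:-echo /sbin/iptables}"   # dry-run by default

# Emit LOG rules for DNS packets that reached the end of the chain without
# matching an ACCEPT rule. Append these AFTER the DNS ACCEPT rules, so that
# anything they log is exactly what the policy is about to drop.
dns_drop_log_rules() {
    for proto in udp tcp; do
        $IPTABLES -A OUTPUT -o "$INTERNET" -p "$proto" -s "$IPADDR" \
            -d "$NAMESERVER" --dport 53 \
            -m limit --limit 5/min -j LOG --log-prefix "DNS-OUT-DROP: "
        $IPTABLES -A INPUT -i "$INTERNET" -p "$proto" -s "$NAMESERVER" --sport 53 \
            -d "$IPADDR" \
            -m limit --limit 5/min -j LOG --log-prefix "DNS-IN-DROP: "
    done
}

# Tally logged DNS drops read from stdin (e.g. /var/log/messages or dmesg):
# one line per (prefix, protocol, source port, destination port), most frequent first.
# A reply logged as DNS-IN-DROP with DPT outside $UNPRIVPORTS points at the INPUT
# rule; a query logged as DNS-OUT-DROP points at the OUTPUT rule or at $NAMESERVER.
summarize_dns_drops() {
    grep -E 'DNS-(IN|OUT)-DROP:' | awk '{
        prefix = ""; proto = ""; spt = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^DNS-(IN|OUT)-DROP:$/) prefix = $i
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^SPT=/)   spt = substr($i, 5)
            else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
        }
        count[prefix " " proto " sport=" spt " dport=" dpt]++
    } END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample of what the kernel log looks like with the rules above in place.
SAMPLE_LOG='Mar 10 12:00:01 mail kernel: DNS-IN-DROP: IN=eth0 OUT= SRC=192.0.2.53 DST=192.0.2.10 LEN=120 PROTO=UDP SPT=53 DPT=32768
Mar 10 12:00:02 mail kernel: DNS-IN-DROP: IN=eth0 OUT= SRC=192.0.2.53 DST=192.0.2.10 LEN=88 PROTO=UDP SPT=53 DPT=32768
Mar 10 12:00:03 mail kernel: DNS-OUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.53 LEN=60 PROTO=TCP SPT=1023 DPT=53
Mar 10 12:00:04 mail kernel: sshd[123]: unrelated line'
```

Run `IPTABLES=/sbin/iptables; dns_drop_log_rules` on the firewall after the DNS ACCEPT rules are loaded, retry a lookup with `host` or `dig`, then `summarize_dns_drops < /var/log/messages` shows which direction and which port range is being refused.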