Hi,

On Thu, Nov 29, 2012 at 03:59:49PM +0000, Ricardo Fraile wrote:
> I try to put iptables in the same server as unbound but I can't do a
> local resolve:
>
> dig terra.es @127.0.0.1
>
> ; <<>> DiG 9.7.3 <<>> terra.es @127.0.0.1
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> with these iptables rules:
>
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [2271:2106405]
> -A INPUT -s 30.0.0.0/8 -p tcp -j ACCEPT
> -A INPUT -s 30.0.0.0/8 -p udp -j ACCEPT
> -A INPUT -s 30.0.0.0/8 -p icmp -j ACCEPT
> -A INPUT -s 127.0.0.1/32 -p udp -j ACCEPT
> -A INPUT -s 127.0.0.1/32 -p tcp -j ACCEPT
> -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -j DROP
> COMMIT
>
> If I clean the firewall, all works, but why? Which ports does unbound use for the
> queries?
As far as I can see, you haven't enabled connection tracking for "established" UDP "connections" (because you only used tcp). Yeah, UDP is not a connection-oriented protocol, but netfilter's connection tracking still builds some kind of conntrack entries for UDP connections as well. Also, some answers can even be ICMP messages, which won't be enabled either if you restrict your netfilter rules to only do RELATED,ESTABLISHED states for TCP and not for other protocols.

Try:

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

So, without specifying "tcp", it will work for the other cases I mentioned as well.

Also, before DROP, you can have this:

-A INPUT -j LOG --log-prefix "netfilter-drop: "

Then use the dmesg command (or your kernel log) to look at the messages. Maybe you can use the ULOG target as well (with --ulog-prefix then, though), but in that case you should use something which can log using netlink sockets (if I remember correctly by heart), e.g. the ulogd daemon.

What I can guess: if you query your unbound on localhost it won't be restricted by your rules, but maybe your unbound wants to use UDP to query authoritative nameservers, and the answers for those could be blocked by your rules.

Just some hints, I can be wrong here ...

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
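As an added illustration, not part of the original thread: the questioner's ruleset rewritten as a complete iptables-restore file with the two changes the reply suggests (a protocol-agnostic state rule placed first, and a LOG rule before the final DROP). The 30.0.0.0/8 and 127.0.0.1 rules are kept exactly as in the question; the OUTPUT counter is simply reset to zero.

```conf
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Accept replies to anything this host initiated, for every protocol conntrack
# understands: UDP answers from upstream nameservers, TCP fallback for large
# or truncated answers, and RELATED ICMP errors (e.g. port-unreachable).
# The original rule carried "-p tcp", which is why UDP answers were dropped.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Internal client network and local queries, unchanged from the question.
-A INPUT -s 30.0.0.0/8 -p tcp -j ACCEPT
-A INPUT -s 30.0.0.0/8 -p udp -j ACCEPT
-A INPUT -s 30.0.0.0/8 -p icmp -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p udp -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -j ACCEPT
# Unbound's listening port, unchanged from the question.
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
# Log what is about to be dropped so the kernel log shows which packets
# (and from which upstream servers) the policy is still blocking.
-A INPUT -j LOG --log-prefix "netfilter-drop: "
-A INPUT -j DROP
COMMIT
```

Load it with `iptables-restore < rules.v4`, then repeat the `dig terra.es @127.0.0.1` test: the packet counter on the state rule (`iptables -L INPUT -v -n`) should grow and `dmesg | grep netfilter-drop` should no longer show UDP packets arriving on the resolver's source port.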
