LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-19-2005, 06:44 PM   #1
aqoliveira
Member
 
Registered: Dec 2001
Location: Portugal
Distribution: /Red Hat/Fedora/Solaris
Posts: 622
dns not working with iptables


Hi there

I have an internal DNS server which is working fine and can resolve all names for the internal network; forwarders are set to get DNS queries from my ISP, which also works fine, as I tried links as well as a dig to test this.

I then set up a FORWARD filter for the rest of the network to access the internet, which is also working fine. Able to resolve names and surf from all machines found on my internal network.

Here is the problem: I want to change my default policy for the OUTPUT filter to DROP, and when I do this my DNS stops working, which is what I want, but when the rule is added to allow DNS queries it does not work.

Below you will find the iptables rule file:

# Generated by iptables-save v1.2.8 on Wed Jan 19 23:24:18 2005
*nat
:PREROUTING ACCEPT [209:35146]
:POSTROUTING ACCEPT [3:203]
:OUTPUT ACCEPT [6:684]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Wed Jan 19 23:24:18 2005
# Generated by iptables-save v1.2.8 on Wed Jan 19 23:24:18 2005
*filter
:INPUT DROP [206:35080]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [43:4643]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i ! eth0 -p icmp -m icmp --icmp-type 255 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth0 -j DROP
-A FORWARD -s 192.168.0.0/255.255.0.0 -i eth0 -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT
COMMIT
# Completed on Wed Jan 19 23:24:18 2005

I have also tried to place the source/destination IP address with no luck whatsoever.

Running the following command: iptables -nL

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- 0.0.0.0/0 192.168.0.0/16
ACCEPT all -- 192.168.0.0/16 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.0.0/16
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53

Thanking everyone in advance for your input.
Antonio
 
Old 01-19-2005, 11:28 PM   #2
DaHammer
Member
 
Registered: Oct 2003
Location: Planet Earth
Distribution: Slackware, LFS
Posts: 561
Add a log rule to your chain, then tail the log file with a "tail -f /var/log/whatever" to see exactly what's being dropped.

Last edited by DaHammer; 01-19-2005 at 11:29 PM.
 
Old 01-20-2005, 12:56 AM   #3
DaHammer
Member
 
Registered: Oct 2003
Location: Planet Earth
Distribution: Slackware, LFS
Posts: 561
Just noticed something:
Code:
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT
That should be:
Code:
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
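To show why the swap from --sport to --dport matters, here is a small added example (not code from the thread) that evaluates packets against the OUTPUT chain the way iptables does, first matching rule wins, otherwise the chain policy. The "fixed" rule set is an assumption that goes one step beyond the reply above: it replaces --sport 53 with --dport 53 and adds a RELATED,ESTABLISHED rule, so the DNS server's own forwarded queries (ephemeral source port, destination port 53) pass and its replies to internal clients (source port 53) still pass too.

```python
"""Toy evaluator for the iptables OUTPUT chain from this thread. Added
example, not code from the thread; it understands only the options that
appear in the OUTPUT rules (-p, --dport, --sport, --state, -j)."""
import shlex

def parse_rule(line):
    """Turn one iptables-save line into a dict of match criteria plus target."""
    toks = shlex.split(line)
    rule = {"chain": toks[1]}          # "-A OUTPUT ..." -> chain name
    i = 2
    while i < len(toks):
        if toks[i] in ("-p", "--dport", "--sport", "-j"):
            rule[toks[i]] = toks[i + 1]
        elif toks[i] == "--state":
            rule["state"] = set(toks[i + 1].split(","))
        i += 2                          # every option used here takes one argument
    return rule

def evaluate(chain, rules, policy, pkt):
    """Walk the chain top to bottom; the first matching rule decides, else policy."""
    for r in map(parse_rule, rules):
        if r["chain"] != chain:
            continue
        if "-p" in r and r["-p"] != pkt["proto"]:
            continue
        if "--dport" in r and int(r["--dport"]) != pkt["dport"]:
            continue
        if "--sport" in r and int(r["--sport"]) != pkt["sport"]:
            continue
        if "state" in r and pkt["state"] not in r["state"]:
            continue
        return r["-j"]
    return policy

# Constructed packets. A query the server forwards to the ISP resolver leaves
# from an ephemeral port towards port 53, as a NEW conntrack entry.
FORWARDED_QUERY = {"proto": "udp", "sport": 41234, "dport": 53, "state": "NEW"}
# Its answer to an internal client leaves *from* port 53, inside the flow the
# INPUT rule for dport 53 already admitted, so conntrack sees ESTABLISHED.
REPLY_TO_CLIENT = {"proto": "udp", "sport": 53, "dport": 50000, "state": "ESTABLISHED"}

ORIGINAL_OUTPUT = ["-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT"]
FIXED_OUTPUT = ["-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT",
                "-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"]

def verdict(rules, pkt):
    """Verdict for pkt under the given OUTPUT rules with the thread's DROP policy."""
    return evaluate("OUTPUT", rules, "DROP", pkt)
```

With the original rule the forwarded query is dropped while the reply to a client is accepted; with the fixed set both are accepted, which is exactly the symptom Antonio reports (internal answers fine, upstream resolution dead).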
 
Old 01-20-2005, 08:39 AM   #4
aqoliveira
Member
 
Registered: Dec 2001
Location: Portugal
Distribution: /Red Hat/Fedora/Solaris
Posts: 622

Original Poster
Hi

I have tried the above with no success; I still have to try the logging to see what is happening.

Thanks