LinuxQuestions.org > Forums > Linux Forums > Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
11-17-2023, 07:51 AM   #1
clmsvie (LQ Newbie, registered Nov 2023, posts: 1)
iptable config - DNS not working anymore


Hello,

I configured firewall rules which work fine so far, with one exception: I cannot ping any website from my server, as DNS seems not to work once the rules are in place:

Code:
ping: google.com: Temporary failure in name resolution
Once I remove the rules, it works fine.
I even added outgoing rules to specifically allow Google's and Cloudflare's DNS servers (the ones my server uses):

Code:
# Existing INPUT chain rules
sudo iptables -P INPUT DROP
sudo ip6tables -P INPUT DROP
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -I INPUT -m set --match-set allowed_countries_ipv4 src -j ACCEPT
sudo ip6tables -I INPUT -m set --match-set allowed_countries_ipv6 src -j ACCEPT
sudo iptables -A INPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
sudo ip6tables -A INPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
sudo ip6tables -A INPUT -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Add OUTPUT chain rules for DNS
sudo iptables -A OUTPUT -d 8.8.8.8 -p udp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -d 8.8.8.8 -p tcp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -d 1.1.1.1 -p udp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -d 1.1.1.1 -p tcp --dport 53 -j ACCEPT
sudo ip6tables -A OUTPUT -d 2001:4860:4860::8888 -p udp --dport 53 -j ACCEPT
sudo ip6tables -A OUTPUT -d 2001:4860:4860::8888 -p tcp --dport 53 -j ACCEPT
sudo ip6tables -A OUTPUT -d 2606:4700:4700::1111 -p udp --dport 53 -j ACCEPT
sudo ip6tables -A OUTPUT -d 2606:4700:4700::1111 -p tcp --dport 53 -j ACCEPT
... any idea what I am overlooking? What else could I try?

Thanks,
Clemens
 
11-18-2023, 10:51 PM   #2
Ser Olmy (Senior Member, registered Jan 2012, Distribution: Slackware, posts: 3,345)
Do the contents of your resolv.conf match the IP addresses in the ruleset?
 
12-11-2023, 12:04 PM   #3
maddy0 (Member, registered May 2023, posts: 89)
This works for me
[Attached thumbnail: iptables.jpg]
12-12-2023, 07:09 AM   #4
zeebra (Senior Member, registered Dec 2011, Distribution: Slackware, posts: 1,834)
Quote (Originally Posted by clmsvie):
... any idea what I am overlooking? What else could I try?
Well, you can't use ping, because your firewall blocks it..

See icmp echo.. Port 7. Outgoing.

Last edited by zeebra; 12-12-2023 at 07:15 AM.
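The two checks suggested in replies #2 and #4 (do the resolvers in resolv.conf actually have OUTPUT rules, and is anything not explicitly listed being dropped?) can be scripted. This is an added example, not code from the thread; it runs against constructed sample resolv.conf and iptables-save text, where a real run would substitute `cat /etc/resolv.conf` and `sudo iptables-save`, and the OUTPUT DROP policy in the sample is an assumption, since post #1 never shows it.

```shell
#!/bin/sh
# Cross-check resolv.conf nameservers against iptables OUTPUT rules.
# Added example, not code from the thread; inputs are constructed sample text.

# Constructed resolv.conf: 9.9.9.9 is listed but has no rule in the sample below.
SAMPLE_RESOLV='# Generated by NetworkManager
nameserver 8.8.8.8
nameserver 1.1.1.1
nameserver 9.9.9.9
options edns0'

# Constructed iptables-save excerpt mirroring the OUTPUT rules from post #1
# (1.1.1.1/tcp deliberately left out; OUTPUT DROP policy is an assumption).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 1.1.1.1/32 -p udp -m udp --dport 53 -j ACCEPT
COMMIT'

# Print one IPv4 nameserver per line from resolv.conf text.
nameservers_from_resolv() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" && $2 ~ /^[0-9.]+$/ { print $2 }'
}

# Exit 0 if an OUTPUT ACCEPT rule to IP:53 over PROTO exists (dots in the IP
# act as regex wildcards, which is acceptable for a sanity check).
has_dns_rule() {
    printf '%s\n' "$1" | grep -E "^-A OUTPUT .*-d $2(/32)? .*-p $3 .*--dport 53 .*-j ACCEPT" >/dev/null
}

# Print "IP proto" for every nameserver/protocol pair with no matching rule.
missing_dns_rules() {
    nameservers_from_resolv "$1" | while read -r ns; do
        for proto in udp tcp; do
            has_dns_rule "$2" "$ns" "$proto" || printf '%s %s\n' "$ns" "$proto"
        done
    done
}

# Print the OUTPUT chain policy; with DROP, anything not listed (an unlisted
# resolver, or the outgoing ICMP echo-request that ping needs) is silently blocked.
output_policy() {
    printf '%s\n' "$1" | awk '$1 == ":OUTPUT" { print $2 }'
}

missing_dns_rules "$SAMPLE_RESOLV" "$SAMPLE_RULES"
```

The sample prints the three uncovered pairs (1.1.1.1 tcp, 9.9.9.9 udp, 9.9.9.9 tcp); an empty result with a DROP policy means DNS rules are complete and the remaining suspect is ICMP.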