Old 06-29-2010, 07:48 AM   #1
n03x3c
iptables: port 53 blocked but server resolves DNS query


My server setup is like this.


Server: example.org (192.168.1.102)
Client: client.example.org (192.168.1.101)

Server has a DNS server up and running which resolves domains to the given IP addresses. There's only one rule in the INPUT chain (default policy ACCEPT). No other rules. Here's how I added it:

Code:
# iptables -A INPUT -p tcp --dport ! 22 -j DROP
# service iptables save
But even then, the following works from client.example.org:

Code:
# dig example.org
Yes. And according to me, nothing other than ssh should work. Am I making some logical error? And named is not restarting after I saved the iptables settings, as it will try to start at example.org:53, which is blocked. It's already running and failing to stop.

PS: Nmap only shows port 22 open on example.org.

Last edited by n03x3c; 06-29-2010 at 07:50 AM.
 
Old 06-29-2010, 07:53 AM   #2
MensaWater
"example.org" is a real domain on the internet. You may be resolving that via whatever servers are in your client's resolv.conf.

dig example.org

Code:
; <<>> DiG 9.3.4-P1 <<>> example.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64088
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;example.org.                   IN      A

;; ANSWER SECTION:
example.org.            172800  IN      A       192.0.32.10

;; AUTHORITY SECTION:
example.org.            172800  IN      NS      a.iana-servers.net.
example.org.            172800  IN      NS      b.iana-servers.net.

;; ADDITIONAL SECTION:
a.iana-servers.net.     28502   IN      A       192.0.34.43
b.iana-servers.net.     28800   IN      AAAA    2001:610:240:2::c100:ec

;; Query time: 108 msec
;; SERVER: 10.0.4.51#53(10.0.4.51)
;; WHEN: Tue Jun 29 08:50:07 2010
;; MSG SIZE  rcvd: 137
Also what do you see if you run "iptables -L"?

Your command added a rule, but that doesn't mean there weren't some there already. Order is important.
 
Old 06-29-2010, 08:13 AM   #3
n03x3c
Original Poster
OK, here's a pic of the output. And FYI, both client and server are disconnected from the internet, and the client has its nameserver set to the server.

http://i47.tinypic.com/10nx0sm.png
 
Old 06-29-2010, 08:18 AM   #4
win32sux
You're only matching against TCP packets.

DNS is UDP port 53, so the packet doesn't match and runs into the policy, which is set to ACCEPT.
 
Old 06-29-2010, 08:19 AM   #5
MensaWater
Those 3 items are what you see when iptables is NOT running.

Try deleting the rule, running "service iptables start" then run iptables -L again and it will look somewhat different (assuming you're on Fedora/RHEL/CentOS).

By default there is a rule at the end of iptables that rejects all traffic.
Code:
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
You can then INSERT (not ADD) the rule above that final rule, so that it accepts only port 22 rather than attempting to reject all but 22.
 
Old 06-29-2010, 08:24 AM   #6
n03x3c
Original Poster
Thanks, you people. It's solved.
 
Old 06-29-2010, 08:39 AM   #7
MensaWater
Please post your resolution so future people with the same problem will know what you did.
 
Old 06-29-2010, 08:45 AM   #8
win32sux
Quote:
Originally Posted by MensaWater View Post
Please post your resolution so future people with the same problem will know what you did.
I second this request.

Hopefully he scrapped the default-allow approach and replaced it with a default-deny, like:
Code:
iptables -P INPUT DROP
iptables -A INPUT -p TCP --dport 22 -j ACCEPT
 
Old 06-29-2010, 10:09 AM   #9
n03x3c
Original Poster
Well, here's what I did. It can be done a different way, as win32sux (nice nickname) said.

Code:
iptables -A INPUT -p tcp --dport ! 22 -j REJECT
iptables -A INPUT -p udp --dport ! 22 -j REJECT
I guess what win32sux said is maybe the better way. I just didn't know that DNS works on UDP 53.
 
Old 06-29-2010, 10:19 AM   #10
MensaWater
In fact UDP 53 is the default for DNS - it switches to TCP only when the message is too long for UDP.
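The mechanism behind posts #4, #5, #8 and #10 is first-match chain traversal with the policy as the fallback. The following is an added example, not code from the thread and not a real iptables run: a small Python model of an INPUT chain that reproduces what happened to n03x3c (a TCP-only rule never sees UDP/53, so the ACCEPT policy applies), the default-deny ruleset win32sux suggested, and MensaWater's point that an ACCEPT appended after a distribution's trailing "REJECT all" is never reached while an inserted one is. The `Rule`/`Chain` classes, the `serve_dns` switch (which goes beyond the thread by also admitting DNS on both UDP 53 and TCP 53, as post #10 implies a DNS server needs) and the sample packets are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    """One INPUT-chain rule: a target plus optional protocol / destination-port match."""
    target: str                      # ACCEPT, DROP or REJECT
    proto: Optional[str] = None      # "tcp", "udp" or None (matches any protocol)
    dport: Optional[int] = None      # destination port to compare; None = no port match
    negate_dport: bool = False       # models the old "--dport ! 22" syntax used in the thread

    def matches(self, proto: str, dport: int) -> bool:
        # A protocol-specific rule never sees packets of another protocol:
        # this is why "-p tcp --dport ! 22" leaves a UDP/53 query untouched.
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None:
            hit = dport == self.dport
            if self.negate_dport:
                hit = not hit
            if not hit:
                return False
        return True


@dataclass
class Chain:
    """Minimal chain model: the first matching rule wins, otherwise the policy applies."""
    policy: str
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:                   # like "iptables -A INPUT ..."
        self.rules.append(rule)

    def insert(self, position: int, rule: Rule) -> None:    # like "iptables -I INPUT <n> ..."
        self.rules.insert(position - 1, rule)               # iptables positions are 1-based

    def verdict(self, proto: str, dport: int) -> str:
        for rule in self.rules:
            if rule.matches(proto, dport):
                return rule.target
        return self.policy


def original_poster_chain() -> Chain:
    """Post #1: policy ACCEPT plus 'iptables -A INPUT -p tcp --dport ! 22 -j DROP'."""
    chain = Chain(policy="ACCEPT")
    chain.append(Rule("DROP", proto="tcp", dport=22, negate_dport=True))
    return chain


def default_deny_chain(serve_dns: bool = False) -> Chain:
    """Post #8: policy DROP with explicit ACCEPTs. serve_dns=True (an extension
    constructed here, not in the thread) also admits DNS on UDP 53 and TCP 53,
    since post #10 notes DNS falls back to TCP when the message is too long for UDP."""
    chain = Chain(policy="DROP")
    chain.append(Rule("ACCEPT", proto="tcp", dport=22))
    if serve_dns:
        chain.append(Rule("ACCEPT", proto="udp", dport=53))
        chain.append(Rule("ACCEPT", proto="tcp", dport=53))
    return chain


def rhel_default_chain(insert_before_reject: bool) -> Chain:
    """Post #5: a distribution default ending in 'REJECT all -- anywhere anywhere'.
    An ACCEPT appended (-A) after that REJECT is never reached; it must be inserted (-I)."""
    chain = Chain(policy="ACCEPT", rules=[Rule("REJECT")])
    ssh = Rule("ACCEPT", proto="tcp", dport=22)
    if insert_before_reject:
        chain.insert(1, ssh)
    else:
        chain.append(ssh)
    return chain


if __name__ == "__main__":
    # Constructed sample packets: (protocol, destination port)
    packets = [("tcp", 22), ("udp", 53), ("tcp", 53), ("tcp", 80)]
    scenarios = [
        ("OP chain (post #1)", original_poster_chain()),
        ("default-deny, ssh only (post #8)", default_deny_chain()),
        ("default-deny + DNS", default_deny_chain(serve_dns=True)),
        ("RHEL default, -A after REJECT", rhel_default_chain(False)),
        ("RHEL default, -I before REJECT", rhel_default_chain(True)),
    ]
    for name, chain in scenarios:
        print(name, {f"{p}/{d}": chain.verdict(p, d) for p, d in packets})
```

Running the block prints one verdict map per scenario; the OP's chain shows `udp/53: ACCEPT` next to `tcp/53: DROP`, which is exactly the behaviour the thread observed. A real default-deny INPUT chain built this way also needs a rule accepting loopback traffic and a conntrack/state rule for ESTABLISHED,RELATED packets, or the server's own outbound connections will get no replies; those are outside what the model covers.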
 
  

