Bind Iptables can't access out of localhost
I have Fedora 8. Iptables is up and running, working correctly for http, imap, pop, ssh and ftp.
I need to get dns up and running so I opened 53 (tcp and udp). My dns is authoritative only, and if I access the dns server from localhost, it seems to work correctly (for a primary domain, I get appropriate answers from dig; for www_hp_com, I get pointers to the root servers). However, if I try to use dig @ipaddress, I get:

; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached

If I try to telnet into the box from within and use localhost, I get a connection; if I use the IP address or domain name, I get "connection refused". I've tried this also from another computer on my LAN and from outside my upstream ISP. Here's the kicker - I turn off iptables, and no change. I'm obviously stumped. Anyone have any ideas? Thank you (in advance) |
What addresses are you listening on in your bind config?
Perhaps post your config here. What distro are you using? |
Quote:
iptables -L

Chain INPUT (policy ACCEPT)
target               prot opt source     destination
RH-Firewall-1-INPUT  all  --  anywhere   anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source     destination
ACCEPT     icmp --  anywhere   anywhere      icmp any
ACCEPT     all  --  anywhere   anywhere
ACCEPT     all  --  anywhere   anywhere
ACCEPT     all  --  anywhere   anywhere
ACCEPT     all  --  anywhere   anywhere      state RELATED,ESTABLISHED
REJECT     all  --  anywhere   anywhere      reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source     destination

Chain RH-Firewall-1-INPUT (1 references)
target     prot opt source     destination
ACCEPT     all  --  anywhere   anywhere
ACCEPT     all  --  anywhere   anywhere
ACCEPT     icmp --  anywhere   anywhere      icmp any
ACCEPT     esp  --  anywhere   anywhere
ACCEPT     ah   --  anywhere   anywhere
ACCEPT     udp  --  anywhere   224.0.0.251   udp dpt:mdns
ACCEPT     all  --  anywhere   anywhere      state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere   anywhere      state NEW tcp dpt:domain
ACCEPT     udp  --  anywhere   anywhere      state NEW udp dpt:domain
ACCEPT     tcp  --  anywhere   anywhere      state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere   anywhere      state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere   anywhere      state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere   anywhere      state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere   anywhere      state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere   anywhere      state NEW tcp dpt:10025
ACCEPT     tcp  --  anywhere   anywhere      state NEW tcp dpt:pop3
ACCEPT     tcp  --  anywhere   anywhere      state NEW tcp dpt:imap
REJECT     all  --  anywhere   anywhere      reject-with icmp-host-prohibited

Top of named.conf:

key "rndc-key" {
    algorithm hmac-md5;
    secret "xxx";
};

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

logging {
    channel default_debug {
        file "/var/log/named.run";
        severity dynamic;
    };
};

options {
    query-source port 53;
    query-source-v6 port 53;
    listen-on port 53 { 127.0.0.1; };    #was 127.0.0.1
    listen-on-v6 port 53 { ::1; };       #was ::1
    directory "/var/named/";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };                #was localhost
    recursion no;                        #was yes
    allow-recursion { 127/8; 192.168/16; 10/8; 172.16/12; };
    query-source address * port 53;
    notify-source * port 53;
    transfer-source * port 53;
};

zone "." IN {
    type hint; |
Not what port, what address
Post netstat -np --listen | grep :53

I think you've restricted yourself to 127.0.0.1 (listen-on port 53 { 127.0.0.1; }; #was 127.0.0.1)

Edit - you may need a form more like "listen-on { 127.0.0.1; 192.168.1.1/24; };" replacing 192.168.1.1 with the relevant internal IP range |
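The listening-address check suggested in the reply above, written out as an added example that is not part of this thread: it classifies `netstat -np --listen | grep :53` output as loopback-only or not. The SAMPLE_* lines are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether named is reachable only
# via loopback, the symptom described above. The SAMPLE_* strings are
# constructed to resemble `netstat -np --listen | grep :53` output.

SAMPLE_LOOPBACK_ONLY='tcp   0 0 127.0.0.1:53     0.0.0.0:*   LISTEN  2345/named
udp   0 0 127.0.0.1:53     0.0.0.0:*           2345/named
tcp   0 0 ::1:53           :::*        LISTEN  2345/named'

SAMPLE_LAN_ALSO='tcp   0 0 127.0.0.1:53     0.0.0.0:*   LISTEN  2345/named
tcp   0 0 192.168.1.10:53  0.0.0.0:*   LISTEN  2345/named
udp   0 0 192.168.1.10:53  0.0.0.0:*           2345/named'

# Print each distinct local address (port stripped) that has a :53 listener.
# Field 4 of netstat's output is the local address:port column.
dns_listen_addrs() {
    printf '%s\n' "$1" | awk '$4 ~ /:53$/ { sub(/:53$/, "", $4); print $4 }' \
        | LC_ALL=C sort -u
}

# Exit status 0: every :53 listener is on loopback (127.x.x.x or ::1), so a
# remote dig or telnet gets refused; 1: at least one non-loopback listener;
# 2: nothing is listening on 53 at all (named not running, or bound elsewhere).
dns_loopback_only() {
    addrs=$(dns_listen_addrs "$1")
    [ -n "$addrs" ] || return 2
    for a in $addrs; do
        case "$a" in
            127.*|::1) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# On a live box: dns_loopback_only "$(netstat -np --listen | grep :53)"
# If it returns 0, widen listen-on in named.conf (add the LAN address
# alongside 127.0.0.1), restart named, and re-run the check.
```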
Thanks again!!!! Wayne |