• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 946
  • Last Modified:

iptables configuration for named

HI
i have setup nameserver for my network

now if I flush iptables, pc from internal network can resolv Ip from nameserver

here is the list of my iptables

[root@workshop log]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited


Only confussion is ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353

do you think this one is giving trouble ??

i dinot create any iptables for 224...
how can i delete that one ??
Or do you think something else is giving trouble ?? NOte : Selinux is enables, but i dotn think selinux is givng trouble
0
fosiul01
Asked:
fosiul01
  • 3
  • 3
1 Solution
 
omarfaridCommented:
I think 244 is multicast address
0
 
fosiul01Author Commented:
what shal i do ??
0
 
edster9999Commented:
You are missing the firewall hole to allow DNS.

You should have two lines like this :
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain

You will get it by adding something like this to your rules that build the iptables set :

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -j ACCEPT  --syn
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 0/0 -d 0/0 --sport 53 -j ACCEPT


0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
fosiul01Author Commented:
Hi after i typed  this one , do i need to save iptables for make this rule effecting ??

I know if i dont save this rule, when i will restart pc, all rule would be remove,

but without saving iptables rule can i not see if it works or not ??
0
 
edster9999Commented:
It depends on how your distribution handles these rules.   I think RedHat has a tool to put them into and I guess you are using that (lookingat the rule names)

On my box (which does not have a tool) but saves them on shutdown with iptables-save command you can put them in and test.  if it fails use iptables-restore to get back to where you were and when it works either save or restart
0
 
fosiul01Author Commented:
ok i will come back to you after this question


http://www.experts-exchange.com/OS/Linux/Q_23796832.html?cid=295

its samething but for port 80, i tryed what you said, but its didnto work

have a look at that question
0
 
edster9999Commented:
Look at the order of the rules at the bottom.  It has gone in after the 'REJECT' which should be the last one.  This means if you hit this point and still have not found a matching rule then reject everything else.

The easiest way to get round this is to go and edit the iptables backup file.
(first make a backup of this file in case you mess it up)

This varies between distros so do a quick search for it.
From memory redhat puts it in
/etc/sysconfig/iptables
Copy and paste the lines you have just added above the reject and then reload it.

0

Featured Post

Veeam and MySQL: How to Perform Backup & Recovery

MySQL and the MariaDB variant are among the most used databases in Linux environments, and many critical applications support their data on them. Watch this recorded webinar to find out how Veeam Backup & Replication allows you to get consistent backups of MySQL databases.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now