Solved

iptables configuration for named

Posted on 2008-10-07
Last Modified: 2012-05-05
Hi,
I have set up a nameserver for my network.

Now if I flush iptables, PCs from the internal network can resolve IPs from the nameserver.

Here is the list of my iptables:

[root@workshop log]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited


The only confusion is: ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353

Do you think this one is giving trouble?

I did not create any iptables rule for 224...
How can I delete that one?
Or do you think something else is giving trouble? Note: SELinux is enabled, but I don't think SELinux is giving trouble.
Question by:fosiul01
7 Comments
 
LVL 40

Expert Comment

by:omarfarid
ID: 22660889
I think 224 is a multicast address.
 
LVL 29

Author Comment

by:fosiul01
ID: 22660915
What shall I do?
 
LVL 20

Expert Comment

by:edster9999
ID: 22661622
You are missing the firewall hole to allow DNS.

You should have two lines like this:
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain

You will get them by adding something like this to the rules that build the iptables set:

-A RH-Firewall-1-INPUT -p tcp -m tcp --syn --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 0/0 -d 0/0 --sport 53 -j ACCEPT



 
LVL 29

Author Comment

by:fosiul01
ID: 22667781
Hi, after I typed this one, do I need to save iptables to make this rule effective?

I know that if I don't save this rule, all rules will be removed when I restart the PC,

but without saving the iptables rules, can I not see whether it works or not?
 
LVL 20

Expert Comment

by:edster9999
ID: 22667893
It depends on how your distribution handles these rules. I think RedHat has a tool to put them into, and I guess you are using that (looking at the rule names).

On my box (which does not have a tool, but saves them on shutdown with the iptables-save command) you can put them in and test. If it fails, use iptables-restore to get back to where you were, and when it works either save or restart.
 
LVL 29

Author Comment

by:fosiul01
ID: 22667908
OK, I will come back to you after this question:

http://www.experts-exchange.com/OS/Linux/Q_23796832.html?cid=295

It's the same thing but for port 80. I tried what you said, but it didn't work.

Have a look at that question.
 
LVL 20

Accepted Solution

by: edster9999 (earned 500 total points)
ID: 22668001
Look at the order of the rules at the bottom. It has gone in after the 'REJECT', which should be the last one. This means: if you hit this point and still have not found a matching rule, then reject everything else.

The easiest way to get round this is to go and edit the iptables backup file.
(First make a backup of this file in case you mess it up.)

This varies between distros, so do a quick search for it.
From memory, RedHat puts it in
/etc/sysconfig/iptables
Copy and paste the lines you have just added above the REJECT and then reload it.

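The two fixes above (open port 53 for named, and keep the new rules above the chain's catch-all REJECT) can be applied to the RedHat rules file without hand-editing, as in this added script, which is not from the thread. The file contents and the 192.168.1.0/24 LAN are constructed for the demo; restricting the source to the LAN also stops named from acting as an open resolver for the whole Internet.

```shell
#!/bin/sh
# Added example (not from the original thread): place DNS ACCEPT rules
# into a RedHat-style /etc/sysconfig/iptables file *above* the final REJECT
# of RH-Firewall-1-INPUT, so they are reached before the catch-all reject.
# The sample file contents and the 192.168.1.0/24 LAN are constructed.

# Constructed sample of /etc/sysconfig/iptables with no DNS rules yet.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Rules to add: DNS over UDP and TCP (TCP carries large answers and zone
# transfers). Restricting -s to the internal LAN keeps named from answering
# the whole Internet as an open resolver.
DNS_RULES='-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j ACCEPT'

# insert_before_reject FILE: print FILE with DNS_RULES inserted just before
# the chain's catch-all REJECT; anything appended after it is never reached.
insert_before_reject() {
    awk -v rules="$DNS_RULES" '
        /^-A RH-Firewall-1-INPUT .*-j REJECT/ && !done { print rules; done = 1 }
        { print }
    ' "$1"
}

# check_order FILE: succeed only if both DNS rules exist and precede the REJECT.
check_order() {
    awk '
        /^-A RH-Firewall-1-INPUT .*-j REJECT/ { rej = NR }
        /--dport 53/ { if (rej) bad = 1; seen++ }
        END { exit (bad || seen < 2) }
    ' "$1"
}

# Demo on a temporary copy; never edit the live file without a backup.
tmp=$(mktemp) && printf '%s\n' "$SAMPLE_RULES" > "$tmp"
insert_before_reject "$tmp" > "$tmp.new"
check_order "$tmp.new" && echo "DNS rules precede the REJECT; reload with: service iptables restart"
rm -f "$tmp" "$tmp.new"
```

Run check_order against the live file after a reload to confirm the ordering survived; a rule that lands below the REJECT passes `iptables -L` inspection but never matches a packet.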
