iptables configuration for named

Posted on 2008-10-07
Last Modified: 2012-05-05
Hi,
I have set up a nameserver for my network.

Now, if I flush iptables, PCs from the internal network can resolve IPs from the nameserver.

Here is the list of my iptables rules:

[root@workshop log]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited


The only confusion is ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353

Do you think this one is giving trouble?

I did not create any iptables rule for 224...
How can I delete that one?
Or do you think something else is giving trouble? Note: SELinux is enabled, but I don't think SELinux is giving trouble.
Question by: fosiul01
Expert Comment by omarfarid (ID: 22660889)

I think 224 is a multicast address.
 
Author Comment by fosiul01 (ID: 22660915)

What shall I do?
 
Expert Comment by edster9999 (ID: 22661622)

You are missing the firewall hole to allow DNS.

You should have two lines like this:
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain

You will get it by adding something like this to the rules that build the iptables set:

# TCP 53 (new connections only), UDP 53 queries, and UDP replies with source port 53
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 --syn -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 0/0 -d 0/0 --sport 53 -j ACCEPT
 
Author Comment by fosiul01 (ID: 22667781)

Hi, after I have typed this one in, do I need to save iptables to make this rule take effect?

I know that if I don't save this rule, all rules will be removed when I restart the PC,

but without saving the iptables rules, can I not see whether it works or not?
 
Expert Comment by edster9999 (ID: 22667893)

It depends on how your distribution handles these rules. I think RedHat has a tool to put them into, and I guess you are using that (looking at the rule names).

On my box (which does not have a tool, but saves them on shutdown with the iptables-save command) you can put them in and test. If it fails, use iptables-restore to get back to where you were, and when it works, either save or restart.
 
Author Comment by fosiul01 (ID: 22667908)

OK, I will come back to you after this question:

http://www.experts-exchange.com/OS/Linux/Q_23796832.html?cid=295

It's the same thing but for port 80. I tried what you said, but it didn't work.

Have a look at that question.
 
Accepted Solution by edster9999 (ID: 22668001, earned 500 total points)

Look at the order of the rules at the bottom. It has gone in after the 'REJECT', which should be the last one. This means: if you hit this point and still have not found a matching rule, then reject everything else.

The easiest way to get round this is to go and edit the iptables backup file.
(First make a backup of this file in case you mess it up.)

This varies between distros, so do a quick search for it.
From memory, RedHat puts it in
/etc/sysconfig/iptables
Copy and paste the lines you have just added above the REJECT and then reload it.
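Editor's worked example, added here and not code from the thread, covering both of edster9999's points: the DNS rules from the earlier comment, and the accepted answer's requirement that they sit above the chain's final REJECT. The script derives the right position for a live "iptables -I CHAIN N" test (no save needed, which answers the "can I test without saving" question) from the output of "iptables -L RH-Firewall-1-INPUT -n --line-numbers", and separately patches an iptables-save format file such as /etc/sysconfig/iptables by inserting the rules just above the REJECT line. The chain name and file path come from the thread; the LAN subnet 192.168.1.0/24 and both sample inputs are assumptions constructed for the example. The 224.0.0.251 udp/5353 rule the poster asks about is the stock Red Hat firewall's multicast DNS (mDNS/Avahi) allowance and has nothing to do with named.

```shell
#!/bin/sh
# Added example for this page (editor's code, not from the thread).
# Generates the iptables commands that open DNS to the LAN *in front of* the
# chain's final REJECT, and patches an iptables-save style file the same way.
# Assumptions not stated in the thread: LAN is 192.168.1.0/24; chain name and
# file path follow the listing above and the accepted answer.

LAN_NET="${LAN_NET:-192.168.1.0/24}"
CHAIN="${CHAIN:-RH-Firewall-1-INPUT}"

# Rules named needs: UDP/53 for ordinary queries, TCP/53 for zone transfers and
# answers too large for UDP. Replies to the server's own recursive lookups
# already match the chain's RELATED,ESTABLISHED rule, so no "--sport 53" hole.
dns_rule_specs() {
    printf '%s\n' \
        "-p udp -m udp -s $LAN_NET --dport 53 -j ACCEPT" \
        "-p tcp -m tcp -s $LAN_NET --dport 53 --syn -j ACCEPT"
}

# stdin: output of "iptables -L $CHAIN -n --line-numbers".
# stdout: rule number of the first REJECT (empty if the chain has none).
reject_position() {
    awk '$2 == "REJECT" { print $1; exit }'
}

# stdin: same listing. stdout: "iptables -I CHAIN N <spec>" commands.
# "-I CHAIN N" inserts at position N and pushes REJECT down. Emitting the specs
# in reverse order at the same N leaves them in the order dns_rule_specs lists.
live_insert_commands() {
    pos=$(reject_position)
    if [ -z "$pos" ]; then
        echo "no REJECT rule found in chain $CHAIN; refusing to guess a position" >&2
        return 1
    fi
    dns_rule_specs | awk -v chain="$CHAIN" -v pos="$pos" '
        { spec[NR] = $0 }
        END { for (i = NR; i >= 1; i--) print "iptables -I " chain " " pos " " spec[i] }'
}

# $1: iptables-save format file (e.g. /etc/sysconfig/iptables).
# stdout: the same file with the DNS rules inserted just above the chain's
# "-A CHAIN ... -j REJECT" line in the filter table. Nothing is written back;
# back the file up and redirect the output yourself.
patch_saved_rules() {
    dns_rule_specs | awk -v chain="$CHAIN" '
        NR == FNR { spec[++n] = $0; next }       # first input: the rule specs
        /^\*/     { table = substr($0, 2) }      # "*filter", "*nat", ...
        table == "filter" && !done && $1 == "-A" && $2 == chain && /-j REJECT/ {
            for (i = 1; i <= n; i++) print "-A " chain " " spec[i]
            done = 1
        }
        { print }' - "$1"
}

# Constructed sample data (not taken from the poster's machine).
SAMPLE_LISTING='Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

SAMPLE_SAVED='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Demo on the samples only; nothing here touches the running kernel.
printf '%s\n' "$SAMPLE_LISTING" | live_insert_commands
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_SAVED" > "$demo_file"
patch_saved_rules "$demo_file"
rm -f "$demo_file"
```

On the real box, as root, "iptables -L RH-Firewall-1-INPUT -n --line-numbers | live_insert_commands | sh" applies the rules to the running table without saving anything; a "dig @<server-ip> <name>" from a LAN client then shows whether they work, and "iptables -L RH-Firewall-1-INPUT -n --line-numbers" should show both ACCEPT rules numbered just below the REJECT's old position. Only once that passes is it worth persisting them (on Red Hat of that era, "service iptables save" rewrites /etc/sysconfig/iptables; the patch_saved_rules route is the manual equivalent the accepted answer describes). Two deliberate differences from the rules quoted in the thread: the source is restricted to the LAN, since nothing in the question asks for a public resolver, and the "--sport 53" line is dropped. With a RELATED,ESTABLISHED rule already in the chain, replies to the server's own outbound queries are matched by connection tracking, and a bare ACCEPT on source port 53 would let any remote host reach any UDP port on the box simply by sending from port 53.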
