Solved

iptables configuration for named

Posted on 2008-10-07
Last Modified: 2012-05-05
Hi,
I have set up a nameserver for my network.

Now, if I flush iptables, PCs from the internal network can resolve IPs from the nameserver.

Here is the list of my iptables:

[root@workshop log]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited


The only confusion is this line:
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353

Do you think this one is giving trouble?

I did not create any iptables rule for 224...
How can I delete that one?
Or do you think something else is giving trouble? Note: SELinux is enabled, but I don't think SELinux is giving trouble.
Question by:fosiul01

Expert Comment

by:omarfarid
ID: 22660889
I think 224 is a multicast address.

Author Comment

by:fosiul01
ID: 22660915
What shall I do?

Expert Comment

by:edster9999
ID: 22661622
You are missing the firewall hole to allow DNS.

You should have two lines like this:
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain

You will get it by adding something like this to your rules that build the iptables set:

# DNS over TCP: accept only the opening SYN of a new connection to port 53
-A RH-Firewall-1-INPUT -p tcp -m tcp --syn --dport 53 -j ACCEPT
# DNS over UDP: accept queries to port 53
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
# UDP replies coming back from port 53 (any source, any destination)
-A RH-Firewall-1-INPUT -p udp -m udp -s 0/0 -d 0/0 --sport 53 -j ACCEPT



Author Comment

by:fosiul01
ID: 22667781
Hi, after I typed this one, do I need to save iptables to make this rule effective?

I know that if I don't save this rule, all rules will be removed when I restart the PC,

but without saving the iptables rules, can I not see whether it works or not?

Expert Comment

by:edster9999
ID: 22667893
It depends on how your distribution handles these rules. I think RedHat has a tool to put them into, and I guess you are using that (looking at the rule names).

On my box (which does not have a tool) but saves them on shutdown with the iptables-save command, you can put them in and test. If it fails, use iptables-restore to get back to where you were, and when it works either save or restart.

Author Comment

by:fosiul01
ID: 22667908
OK, I will come back to you after this question:


http://www.experts-exchange.com/OS/Linux/Q_23796832.html?cid=295

It's the same thing but for port 80. I tried what you said, but it didn't work.

Have a look at that question.

Accepted Solution

by:edster9999 (earned 500 total points)
ID: 22668001
Look at the order of the rules at the bottom. It has gone in after the 'REJECT', which should be the last one. This means that if you hit this point and still have not found a matching rule, then everything else is rejected.

The easiest way to get round this is to go and edit the iptables backup file.
(First make a backup of this file in case you mess it up.)

This varies between distros, so do a quick search for it.
From memory, RedHat puts it in
/etc/sysconfig/iptables
Copy and paste the lines you have just added above the reject and then reload it.

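Added example, not code from this thread or from any distribution's tooling: a POSIX shell script that works on a saved rule set in the format iptables-save writes (the /etc/sysconfig/iptables file the accepted solution points at), places the DNS ACCEPT rules above the terminal REJECT in RH-Firewall-1-INPUT, and checks the ordering before anything is loaded into the kernel. That also covers the earlier point about testing rules without committing them: the edit is made on a copy, and nothing here needs root. The sample rule set, the LAN range 192.168.1.0/24 and the function names are assumptions made for the example. The added rules accept only queries to port 53 from the internal subnet and rely on the chain's existing ESTABLISHED,RELATED rule for the replies, rather than accepting every UDP packet with source port 53.

```shell
#!/bin/sh
# Added example, not from the thread. Edits a saved iptables rule file
# (iptables-save format, as in /etc/sysconfig/iptables); no root needed.

# Constructed sample modelled on the chain shown in the question (assumption).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# DNS rules to add. 192.168.1.0/24 is an assumed LAN range; replace it with
# yours. Replies are already covered by the ESTABLISHED,RELATED rule above.
DNS_RULES='-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT'

# insert_before_reject FILE: print FILE with DNS_RULES placed just above the
# first REJECT in RH-Firewall-1-INPUT, so the new rules are actually reached.
insert_before_reject() {
    inserted=0
    while IFS= read -r line; do
        case "$line" in
            "-A RH-Firewall-1-INPUT "*"-j REJECT"*)
                if [ "$inserted" -eq 0 ]; then
                    printf '%s\n' "$DNS_RULES"
                    inserted=1
                fi ;;
        esac
        printf '%s\n' "$line"
    done < "$1"
}

# check_order FILE: succeed only if FILE holds at least one port-53 ACCEPT in
# RH-Firewall-1-INPUT and none of them sits after the chain's REJECT.
check_order() {
    reject_seen=0; dns=0; bad=0
    while IFS= read -r line; do
        case "$line" in
            "-A RH-Firewall-1-INPUT "*"-j REJECT"*)
                reject_seen=1 ;;
            "-A RH-Firewall-1-INPUT "*"--dport 53 "*"-j ACCEPT"*)
                dns=$((dns + 1))
                if [ "$reject_seen" -eq 1 ]; then bad=$((bad + 1)); fi ;;
        esac
    done < "$1"
    [ "$dns" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Demonstration: appending (what -A does) leaves the rules behind the REJECT;
# inserting above it is what the accepted solution asks for.
work="${TMPDIR:-/tmp}/named-fw.$$"
printf '%s\n' "$SAMPLE_RULES" > "$work.orig"
{ cat "$work.orig"; printf '%s\n' "$DNS_RULES"; } > "$work.appended"
insert_before_reject "$work.orig" > "$work.fixed"
for f in "$work.appended" "$work.fixed"; do
    if check_order "$f"; then
        echo "$f: DNS rules reachable"
    else
        echo "$f: DNS rules shadowed by REJECT"
    fi
done
rm -f "$work.orig" "$work.appended" "$work.fixed"
```

Run insert_before_reject against a copy of the saved rule file, read the output, and only then load it with iptables-restore; the untouched copy is what you fall back to if the box stops answering.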
