fosiul01
asked on
iptables configuration for named
Hi
I have set up a nameserver for my network.
Now if I flush iptables, PCs from the internal network can resolve IPs from the nameserver.
Here is the list of my iptables:
[root@workshop log]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
The only confusion is ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
Do you think this one is giving trouble?
I did not create any iptables rule for 224...
How can I delete that one?
Or do you think something else is giving trouble? Note: SELinux is enabled, but I don't think SELinux is giving trouble.
I think 244 is a multicast address.
ASKER
What shall I do?
You are missing the firewall hole to allow DNS.
You should have two lines like this:
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp spt:domain
You will get it by adding something like this to your rules that build the iptables set:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 --syn -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 0/0 -d 0/0 --sport 53 -j ACCEPT
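An added example, not code from the thread: a small script that emits the DNS rules for the RH-Firewall-1-INPUT chain and checks an `iptables -L` listing for them. It restricts the hole to the internal subnet (INTERNAL_NET is an assumption), uses `-I` because on a live chain `-A` would land behind the final REJECT shown in the listing, and leaves out the `--sport 53` rule since the chain's RELATED,ESTABLISHED rule already admits replies to the nameserver's own queries.

```shell
#!/bin/sh
# Added example (not from the thread). INTERNAL_NET is an assumption:
# set it to the LAN the nameserver serves.
INTERNAL_NET="192.168.1.0/24"

# Print the iptables commands that open DNS to the internal subnet only.
# -I inserts at the top, ahead of the chain's closing REJECT; -A on a
# live chain would append after the REJECT and never match.
dns_open_rules() {
    net="$1"
    printf '%s\n' \
        "iptables -I RH-Firewall-1-INPUT -s $net -p udp -m udp --dport 53 -j ACCEPT" \
        "iptables -I RH-Firewall-1-INPUT -s $net -p tcp -m tcp --dport 53 --syn -j ACCEPT"
}

# Return 0 if an `iptables -L` listing (with or without -n) already ACCEPTs
# the given protocol to port 53, 1 otherwise.
has_dns_accept() {
    proto="$1"; listing="$2"
    printf '%s\n' "$listing" | grep -Eq "^ACCEPT +$proto .*dpt:(53|domain)( |\$)"
}

# Constructed listing mirroring the chain in the question: no DNS rule yet.
BEFORE='Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited'

# Constructed listing after the two rules above have been inserted.
AFTER='Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT tcp -- 192.168.1.0/24 anywhere tcp dpt:domain flags:FIN,SYN,RST,ACK/SYN
ACCEPT udp -- 192.168.1.0/24 anywhere udp dpt:domain
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited'

# Typical use: feed the real listing with $(iptables -L RH-Firewall-1-INPUT).
if has_dns_accept udp "$BEFORE"; then
    echo "udp/53 already accepted"
else
    echo "udp/53 missing; commands to run as root:"
    dns_open_rules "$INTERNAL_NET"
fi
```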
ASKER
Hi, after I typed this one, do I need to save iptables to make this rule take effect?
I know if I don't save this rule, when I restart the PC, all rules would be removed,
but without saving the iptables rules, can I not see if it works or not?
It depends on how your distribution handles these rules. I think RedHat has a tool to put them into, and I guess you are using that (looking at the rule names).
On my box (which does not have a tool, but saves them on shutdown with the iptables-save command) you can put them in and test. If it fails, use iptables-restore to get back to where you were, and when it works either save or restart.
ASKER
OK, I will come back to you after this question:
https://www.experts-exchange.com/questions/23796832/Selinux-and-port-80-openning-problem.html?cid=295
It's the same thing but for port 80; I tried what you said, but it didn't work.
Have a look at that question.