iptables blocking DNS


Solution 1

I think this would be solved if you added a -m state --state RELATED,ESTABLISHED -j ACCEPT rule to all the chains. It looks like you may be allowing DNS traffic in one direction only.

Alternately, try rules with --sport 53 too.
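As an added illustration (not part of either answer), here is a small Python model of the question's INPUT chain that shows why the reply to the host's own outgoing DNS query falls through to the DROP policy, and how either fix from Solution 1 lets it through; the Packet and Rule classes, the ephemeral port and the conntrack state labels are constructed for this example, not real iptables.

```python
"""Toy model of an iptables chain: first matching rule wins, else the policy.
Constructed for illustration; it is not iptables and models only the fields
the question's rules actually match on (proto, ports, interface, state)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Packet:
    proto: str          # "udp" or "tcp"
    sport: int
    dport: int
    iface: str = "eth0"

@dataclass(frozen=True)
class Rule:
    target: str
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    iface: Optional[str] = None
    states: FrozenSet[str] = frozenset()   # empty = no "-m state" match

    def matches(self, pkt: Packet, state: str) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.sport is None or self.sport == pkt.sport)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.iface is None or self.iface == pkt.iface)
                and (not self.states or state in self.states))

def walk_chain(rules, pkt: Packet, state: str, policy: str = "DROP") -> str:
    for rule in rules:
        if rule.matches(pkt, state):
            return rule.target
    return policy

# The two DNS rules from the question's INPUT chain (policy DROP).
ORIGINAL = [Rule("ACCEPT", proto="tcp", dport=53),
            Rule("ACCEPT", proto="udp", dport=53)]
# Solution 1: a conntrack rule at the top, so replies to our own queries pass.
STATEFUL = [Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"}))] + ORIGINAL
# Solution 1's alternative: a stateless --sport 53 rule.
SPORT53 = ORIGINAL + [Rule("ACCEPT", proto="udp", sport=53)]

# Constructed packets: a query arriving for a local resolver, and the reply
# to a query this host sent out (source port 53, our ephemeral port as dport).
INBOUND_QUERY = Packet("udp", sport=40000, dport=53)
DNS_REPLY = Packet("udp", sport=53, dport=40000)

def verdicts(rules):
    """(verdict for an inbound query, verdict for the reply to our own query).
    The reply is ESTABLISHED because conntrack saw our query leave via OUTPUT."""
    return (walk_chain(rules, INBOUND_QUERY, "NEW"),
            walk_chain(rules, DNS_REPLY, "ESTABLISHED"))

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("stateful", STATEFUL), ("sport53", SPORT53)):
        print(name, verdicts(rules))
```

The original rules only admit packets addressed to port 53, i.e. a DNS server role; the client role (replies arriving from port 53) needs the state rule or the --sport rule.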

Solution 2

So your DNS packets are being blocked by the INPUT chain's DROP policy, even though you clearly have iptables rules that should ACCEPT incoming UDP and TCP packets to port 53. That is strange. To get more clues about what is going wrong, add a LOG rule to the end of your iptables ruleset, as follows:

iptables -A INPUT -j LOG

Do some DNS queries and see what (if anything) shows up in the system log files (probably /var/log/syslog and/or /var/log/messages). If incoming DNS query packets are getting dropped, they will be logged by the above rule.

If nothing shows up in the logs, then something else is going wrong that is preventing your DNS server from responding. Not knowing anything about your system, I will not hazard many guesses, but I do note that you have not excluded the loopback adapter from INPUT filtering.

Try adding the following to the top of your ruleset:

-A INPUT -i lo -j ACCEPT

Even if this doesn't fix your problem, it's probably a good idea to include this rule anyway, since some programs depend on a functioning loopback adapter to work correctly.


Author: rush00121

Updated on September 17, 2022

Comments

  • rush00121
    rush00121 almost 2 years

    I have unblocked port 53 on my firewall config, but my firewall is still blocking my DNS lookup.

    I know the DNS lookup is working because if I change my default INPUT policy to ACCEPT, then the name resolution is done correctly.

    This is the iptables script:

    # Generated by iptables-save v1.3.5 on Fri Dec  3 12:23:49 2010
    *filter
    :INPUT DROP [41:3304]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [558:59294]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
    -A INPUT -s 172.16.0.134 -p tcp -m tcp --sport 1024:65535 --dport 80 -j ACCEPT
    -A INPUT -s 172.16.0.134 -p tcp -m tcp --sport 1024:65535 --dport 443 -j ACCEPT
    -A INPUT -s 172.16.0.134 -p tcp -m tcp --sport 1024:65535 --dport 20 -j ACCEPT
    -A INPUT -s 172.16.0.134 -p tcp -m tcp --sport 1024:65535 --dport 21 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
    -A INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    -A OUTPUT -s 172.16.0.4 -j DROP
    -A OUTPUT -s 172.16.0.136 -j DROP
    -A OUTPUT -s 172.16.0.135 -j DROP
    COMMIT
    # Completed on Fri Dec  3 12:23:49 2010

    iptables -L yields:

    [root@saas-dev-dcpc ~]# iptables -L
     Chain INPUT (policy DROP)
     target     prot opt source               destination
     ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:ssh
     ACCEPT     tcp  --  172.16.0.134         anywhere            tcp spts:1024:65535 dpt:http
     ACCEPT     tcp  --  172.16.0.134         anywhere            tcp spts:1024:65535 dpt:https
     ACCEPT     tcp  --  172.16.0.134         anywhere            tcp spts:1024:65535 dpt:ftp-data
     ACCEPT     tcp  --  172.16.0.134         anywhere            tcp spts:1024:65535 dpt:ftp
     ACCEPT     icmp --  anywhere             anywhere            icmp any
     ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
     ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
     ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
    
     Chain FORWARD (policy ACCEPT)
     target     prot opt source               destination
    
     Chain OUTPUT (policy ACCEPT)
     target     prot opt source               destination
     DROP       all  --  172.16.0.4           anywhere
     DROP       all  --  172.16.0.136         anywhere
     DROP       all  --  172.16.0.135         anywhere
    
     Chain RH-Firewall-1-INPUT (0 references)
     target     prot opt source               destination 
    
  • rush00121
    rush00121 over 13 years
    If I do not specify the -m state, does it not mean that it'll allow them all by default?
  • rush00121
    rush00121 over 13 years
    Yeah... I got it... I have to use --sport, not dport :) Thanks
  • rush00121
    rush00121 over 13 years
    I got the issue. I had to not open my dport, but sport 53.