iptables
Dmitry, 2013-12-06 14:21:26

Allow DNS queries in iptables

There are the following two lines:

iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT

Here is the list of current rules:
[email protected]:/home/testr# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  192.168.1.60         0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  192.168.1.67         0.0.0.0/0            tcp dpt:22
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  192.168.1.11         0.0.0.0/0            tcp dpt:443
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            192.168.1.60         tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Here is a ping from which I understand that DNS is not working, but I don't understand why.
[email protected]:/etc/network/if-up.d# ping ya.ru
ping: unknown host ya.ru

I need to find out why the rule is not applied even though it is syntactically correct, or to find a similar rule that works in your configurations. Thanks in advance.

3 answers
Dmitry, 2013-12-06
@imert

Sorry, I didn't understand right away.
I will leave here the solution and explanation, if for someone it is also not obvious.
It will be correct like this:

iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT

Because the DNS request from the client to the server goes to port 53, and the response from the server to the client comes from port 53 but returns to the client on one of the ports in the range 1024:65535.

CHEM_Eugene, 2015-02-18
@CHEM_Eugene

iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT

danteg41, 2013-12-06
@danteg41

iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
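The three answers above disagree on which chain and which port flags a resolver lookup needs. The following small stateless-rule evaluator is an added example (not from the thread or from iptables itself): it parses `iptables -A` lines as written on this page, applies first-match semantics with the DROP policy from the question's `iptables -nL` output, and walks the two packets of one lookup (query out through OUTPUT, answer back through INPUT) through a rule set. The client port 40000 and the rule-set names are assumptions chosen for the demonstration.

```python
import re


def parse_rule(cmd):
    """Parse 'iptables -A CHAIN -p PROTO [--sport A[:B]] [--dport C[:D]] -j TARGET'.
    Extra matches such as '-m udp' are ignored; an omitted port flag matches any port."""
    chain = re.search(r"-A (\S+)", cmd).group(1)
    proto = re.search(r"-p (\S+)", cmd).group(1)
    target = re.search(r"-j (\S+)", cmd).group(1)

    def port_range(flag):
        m = re.search(flag + r" (\d+)(?::(\d+))?", cmd)
        if not m:
            return (0, 65535)
        lo = int(m.group(1))
        return (lo, int(m.group(2) or lo))

    return chain, proto, port_range("--sport"), port_range("--dport"), target


def verdict(rules, chain, proto, sport, dport, policy="DROP"):
    """First matching rule decides; with no match the chain policy (DROP, as on the page) applies."""
    for rchain, rproto, (slo, shi), (dlo, dhi), target in map(parse_rule, rules):
        if (rchain, rproto) == (chain, proto) and slo <= sport <= shi and dlo <= dport <= dhi:
            return target
    return policy


def dns_lookup_allowed(rules, client_port=40000):
    """A resolver lookup is two packets: the query leaves via OUTPUT from an ephemeral
    port to 53, and the answer comes back via INPUT from 53 to that same port."""
    query = verdict(rules, "OUTPUT", "udp", client_port, 53)
    answer = verdict(rules, "INPUT", "udp", 53, client_port)
    return query == "ACCEPT" and answer == "ACCEPT"


# The two lines from the question. They describe a DNS *server* (queries arriving
# on 53, answers leaving from 53), not the host's own lookups as a client.
QUESTION_RULES = [
    "iptables -A INPUT -p udp --dport 53 -j ACCEPT",
    "iptables -A OUTPUT -p udp --sport 53 -j ACCEPT",
]

# Stateless client rules: the OUTPUT line from the third answer plus the INPUT line
# from the second answer, which together cover both halves of a lookup.
CLIENT_RULES = [
    "iptables -A OUTPUT -p udp --dport 53 -j ACCEPT",
    "iptables -A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT",
]

if __name__ == "__main__":
    for name, rules in (("question", QUESTION_RULES), ("client", CLIENT_RULES)):
        print(f"{name}: query={verdict(rules, 'OUTPUT', 'udp', 40000, 53)} "
              f"answer={verdict(rules, 'INPUT', 'udp', 53, 40000)} "
              f"lookup_ok={dns_lookup_allowed(rules)}")
```

On a real host the stateless INPUT line is usually replaced by a single `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule in INPUT next to the `OUTPUT --dport 53` rule, so that only answers to queries this host actually sent are accepted rather than any UDP packet that merely sets source port 53 and a high destination port.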
