
iptables blocking DNS server

I'm trying to configure my server to allow incoming DNS queries. The default server, as set up by the hosting company, permits traffic on ports 443, 80 and 22.

I have modified the iptables file to try to permit requests on port 53, but I am not getting any response from BIND. Turning off the firewall permits the DNS request to go through, so that suggests to me that the nameserver is working correctly. The setup is CentOS 5.5.

This is the iptables file; I'd appreciate it if someone could tell me what I'm missing here in order to get this working.

Thanks in advance.

==================

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 10000 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1024:65535 --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 443 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed

This line from your rules is completely wrong:

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1024:65535 --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT

You're saying: allow traffic from remote port 53 to local ports 1024 - 65535.
I believe DNS is listening on port 53. Try this instead (allow all TCP/UDP traffic to destination port 53):

-A RH-Firewall-1-INPUT -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 53 -j ACCEPT

These lines won't do anything: the following lines allow traffic with the protocol numbers 50 (ESP) and 51 (AH) (source: IANA Protocol Numbers)

-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
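An added example, not part of the question or of the answer above: a small shell script that reads an iptables-save dump and reports, for TCP and UDP, whether inbound DNS queries to destination port 53 would be accepted before the chain's catch-all REJECT, and how many ACCEPT rules only match replies coming *from* a remote port 53 (the mistake the answer points out: such rules admit answers to the server's own outgoing lookups, which ESTABLISHED,RELATED already covers, but never an incoming query). The two dumps are constructed from the rules in the question, with the "after" dump using the answer's two replacement rules; the function names are my own and the checker does not model chain jumps or ordering across chains.

```shell
#!/bin/sh
# Added example (not from the question or the answer): inspect an
# iptables-save dump and tell whether inbound DNS queries to port 53
# would be accepted, and how many rules only match *replies* from a
# remote port 53.  Function names and the sample dumps are constructed
# for this example.

# Constructed sample: the relevant lines of the asker's original filter table.
SAMPLE_BEFORE='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1024:65535 --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed sample: the same table with the answer's two rules in place
# of the misdirected ones, inserted before the catch-all REJECT.
SAMPLE_AFTER='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# dns_inbound_accepted PROTO   (dump on stdin)
# Exit 0 if the filter table has an ACCEPT rule for "-p PROTO ... --dport 53"
# that is not placed after a catch-all REJECT/DROP in the same chain.
# Simplification: chain jumps and rule order across chains are not modelled.
dns_inbound_accepted() {
  awk -v proto="$1" '
    /^\*/ { table = substr($0, 2); next }          # *filter, *nat, ...
    table != "filter" || !/^-A / { next }
    {
      chain = $2
      if (chain in dead) next                      # after a catch-all: unreachable
      if ($0 ~ ("(^| )-p " proto "( |$)") && $0 ~ /--dport 53( |$)/ && $0 ~ /-j ACCEPT( |$)/)
        found = 1
      # "-A CHAIN -j REJECT ..." with no match options terminates the chain
      if ($0 ~ /^-A [^ ]+ -j (REJECT|DROP)( |$)/) dead[chain] = 1
    }
    END { exit (found ? 0 : 1) }
  '
}

# reply_only_rules   (dump on stdin)
# Prints how many ACCEPT rules match a *source* port of 53 without matching
# destination port 53.  Such rules only admit answers to queries this host
# sent out (which ESTABLISHED,RELATED already covers); they never admit an
# incoming query, whose destination port is 53.
reply_only_rules() {
  awk '
    /^\*/ { table = substr($0, 2); next }
    table == "filter" && /^-A / && /--sport 53( |$)/ && !/--dport 53( |$)/ && /-j ACCEPT( |$)/ { n++ }
    END { print n + 0 }
  '
}

# report NAME DUMP: human-readable summary of both checks
report() {
  for proto in tcp udp; do
    if printf '%s\n' "$2" | dns_inbound_accepted "$proto"; then
      echo "$1: inbound $proto/53 queries are accepted"
    else
      echo "$1: inbound $proto/53 queries hit the catch-all REJECT"
    fi
  done
  echo "$1: rules that only match replies from remote port 53: $(printf '%s\n' "$2" | reply_only_rules)"
}

report before "$SAMPLE_BEFORE"
report after  "$SAMPLE_AFTER"
```

On a live host the same functions can be fed with `iptables-save | dns_inbound_accepted udp`; the "before" dump reports both protocols rejected and two reply-only rules, the "after" dump reports both accepted and none. A rule placed after the chain's catch-all REJECT is reported as not accepted, which is the other common way an otherwise correct `--dport 53` rule ends up ineffective.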
