[SLL] Good Netfilter/BIND stumper -- more details
Mark D. Foster
mark at foster.cc
Wed Jan 2 13:13:10 PST 2008
Brad Willson wrote:
> Neither fqdn nor dotted quad works for dig...both fail with
>
> ; <<>> DiG 9.4.2 <<>> @ns google.com
> ; (1 server found)
> ;; global options: printcmd
> ;; connection timed out; no servers could be reached
>
> As for ping -n 64.233.167.99
> PING 64.233.167.99 (64.233.167.99) 56(84) bytes of data.
> 64 bytes from 64.233.167.99: icmp_seq=1 ttl=239 time=50.7 ms
> 64 bytes from 64.233.167.99: icmp_seq=2 ttl=239 time=49.7 ms
> 64 bytes from 64.233.167.99: icmp_seq=3 ttl=239 time=49.7 ms
> 64 bytes from 64.233.167.99: icmp_seq=4 ttl=239 time=49.6 ms
>
> So...my nameserver is broken? (I'm running on 4h of sleep in the past
> many hours)
>
>
Not necessarily. I'll bet your DNS resolution works fine when you turn
iptables off.
Looking back at your iptables rules...
> -A INPUT -j REJECT --reject-with icmp-host-prohibited (at the end of the
> chain followed by COMMIT)
This rule essentially blocks anything not permitted above it, including your DNS replies.
It's a good security practice to use this "default deny" stance.
Anyway, try adding something like this above that last rule...
-A INPUT -p udp -m udp --source w.x.y.z/32 -j ACCEPT
where w.x.y.z is the IP address of your nameserver. Repeat for any nameservers listed in /etc/resolv.conf
Or higher above put
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
which I believe will track outgoing session state and allow inbound
replies to your DNS queries.
--
Said one park ranger, 'There is considerable overlap between the
intelligence of the smartest bears and the dumbest tourists.'
Mark D. Foster, CISSP <mark at foster.cc> http://mark.foster.cc/
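The following is an added example, not part of Mark's message or the original thread. It is a small POSIX sh lint that walks an iptables-save style INPUT chain top to bottom, the way the kernel evaluates it (first matching rule wins, chain policy otherwise), and reports whether a UDP reply from the resolver would be ACCEPTed before it reaches the trailing REJECT. The three rulesets are constructed to mirror the situation above: the original default-deny chain, the chain with the ESTABLISHED,RELATED rule near the top, and the per-nameserver variant. The address 192.0.2.53 (RFC 5737 documentation range) is an assumed stand-in for w.x.y.z, and the matcher only understands the handful of match options used in the thread; nothing here invokes iptables, so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the original thread): lint an iptables-save style
# INPUT chain for whether DNS replies from the resolver get through.

# Assumed nameserver address (documentation range), standing in for w.x.y.z.
NS=192.0.2.53

# Constructed ruleset: explicit default-deny REJECT at the end of INPUT and
# nothing above it that admits replies to outbound DNS queries.
BROKEN_RULES="*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT"

# Constructed ruleset: the same chain with the stateful rule inserted high up,
# so conntrack admits replies to our own queries before the REJECT is reached.
FIXED_RULES="*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT"

# Constructed ruleset: the narrower per-nameserver ACCEPT, one per resolver.
PER_NS_RULES="*filter
:INPUT DROP [0:0]
-A INPUT -p udp -m udp --source $NS/32 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT"

# rule_matches_dns_reply RULE NAMESERVER
# Returns 0 when RULE would match a UDP packet arriving from NAMESERVER in
# reply to a query this host sent (conntrack state ESTABLISHED).
rule_matches_dns_reply() {
    case "$1" in
        *"--state "*ESTABLISHED*) return 0 ;;                      # stateful rule
        *"-p udp"*"--source $2"*|*"-p udp"*"-s $2"*) return 0 ;;   # explicit resolver rule
        *"-p udp"*"--sport 53"*) return 0 ;;                       # any UDP from port 53
        "-A INPUT -j "*) return 0 ;;                               # no match options: hits everything
        *) return 1 ;;
    esac
}

# dns_replies_allowed RULESET NAMESERVER
# Walks the INPUT chain in order; returns 0 if a DNS reply from NAMESERVER is
# accepted, 1 if it is rejected/dropped or falls through to a non-ACCEPT policy.
dns_replies_allowed() {
    ruleset=$1 ns=$2 policy=DROP
    while IFS= read -r line; do
        case "$line" in
            ":INPUT "*)                       # chain policy, used when nothing matches
                policy=${line#:INPUT }; policy=${policy%% *} ;;
            "-A INPUT "*)
                if rule_matches_dns_reply "$line" "$ns"; then
                    case "$line" in
                        *"-j ACCEPT"*) return 0 ;;   # first match decides
                        *) return 1 ;;
                    esac
                fi ;;
        esac
    done <<EOF
$ruleset
EOF
    [ "$policy" = ACCEPT ]
}

# report RULESET LABEL: one human-readable verdict line.
report() {
    if dns_replies_allowed "$1" "$NS"; then
        echo "$2: DNS replies accepted"
    else
        echo "$2: DNS replies REJECTED"
    fi
}

report "$BROKEN_RULES"  "original chain"
report "$FIXED_RULES"   "with ESTABLISHED,RELATED rule"
report "$PER_NS_RULES"  "with per-nameserver rule"
```

Two points worth noting from the walk: rule order is what matters, since the REJECT at the end only bites because nothing above it matches the reply; and the per-nameserver rule as written is UDP-only, so a resolver falling back to TCP for a truncated answer would still be rejected, whereas the ESTABLISHED,RELATED rule covers both transports because it keys on connection tracking rather than on protocol or source address.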