iptables blocking DNS
I have unblocked port 53 on my firewall config , but still my firewall is blocking my dns lookup.
I know the dns lookup is working because if i change my default INPUT policy to ACCEPT, then the name resolution is done correctly .
This is the iptables script
Generated by iptables-save v1.3.5 on Fri Dec 3 12:23:49 2010
*filter
:INPUT DROP [41:3304]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [558:59294]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
-A INPUT -s 172.16.0.134 -p tcp -m tcp --sport 1024:65535 --dport 80 -j ACCEPT
-A INPUT -s 172.16.0.134 -p tcp -m tcp --sport 1024:65535 --dport 443 -j ACCEPT
-A INPUT -s 172.16.0.134 -p tcp -m tcp --sport 1024:65535 --dport 20 -j ACCEPT
-A INPUT -s 172.16.0.134 -p tcp -m tcp --sport 1024:65535 --dport 21 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -s 172.16.0.4 -j DROP
-A OUTPUT -s 172.16.0.136 -j DROP
-A OUTPUT -s 172.16.0.135 -j DROP
COMMIT
# Completed on Fri Dec 3 12:23:49 2010 <code>
iptables -L yields
[root@saas-dev-dcpc ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ssh
ACCEPT tcp -- 172.16.0.134 anywhere tcp spts:1024:65535 dpt:http
ACCEPT tcp -- 172.16.0.134 anywhere tcp spts:1024:65535 dpt:https
ACCEPT tcp -- 172.16.0.134 anywhere tcp spts:1024:65535 dpt:ftp-data
ACCEPT tcp -- 172.16.0.134 anywhere tcp spts:1024:65535 dpt:ftp
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 172.16.0.4 anywher
DROP all -- 172.16.0.136 anywhere
DROP all -- 172.16.0.135 anywhere
Chain RH-Firewall-1-INPUT (0 references)
target prot opt source destination
I think this would be solved if you added a -m state --state RELATED,ESTABLISHED -j ACCEPT rule to all the chains. It looks like you may be allowing DNS traffic in one direction only.
Alternately, try rules with --sport 53 too.
So your DNS packets are being blocked by the INPUT chain's DROP policy, even though you clearly have iptables rules that should ACCEPT incoming UDP and TCP packets to port 53. That is strange. To get more clues about what is going wrong, add a LOG rule to the end of your iptables ruleset, as follows:
iptables -A INPUT -j LOG
Do some DNS queries and see what (if anything) shows up in the system log files (probably /var/log/syslog and/or /var/log/messages). If incoming DNS query packets are getting dropped, they will be logged by the above rule.
If nothing shows up in the logs, then something else is going wrong that is preventing your DNS server from responding. Not knowing anything about your system, I will not hazard many guesses, but I do note that you have not excluded the loopback adapter from INPUT filtering.
Try adding the following to the top your ruleset:
-A INPUT -i lo -j ACCEPT
Even if this doesn't fix your problem, it's probably a good idea to include this rule anyway, since some programs depend on a functioning loopback adapter to work correctly.