RE: Iptables

From: Jenkinson, John P \(SAIC\) <John.Jenkinson@bp.com>
Date: Sun Jun 04 2006 - 10:33:21 AKDT

Here's a working example. No DNS in it, but the modification is easy. The specific source IPs are obviously now x.y.z but serve as examples.
# iptables-restore input: table header, chain policies, rules, then COMMIT.
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and all ICMP are unrestricted.
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
# Replies to connections this host opened on eth1.
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Services open to any source on eth1 (names resolved through /etc/services).
-A INPUT -i eth1 -p tcp -m tcp --dport ssh -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport ntp -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport ntp -j ACCEPT
# Allow portmapper from UNIX subnet
-A INPUT -i eth1 -s x.y.z.0/24 -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -i eth1 -s x.y.z.0/24 -p udp -m udp --dport 111 -j ACCEPT
# Default drop of privileged ports (the range is inclusive, so 1024 is dropped too).
# Anything not matched above falls through to the INPUT policy of ACCEPT: ports
# above 1024 on eth1, and every port on interfaces other than eth1, stay open.
-A INPUT -i eth1 -p tcp -m tcp --dport 0:1024 -j DROP
-A INPUT -i eth1 -p udp -m udp --dport 0:1024 -j DROP
COMMIT

-----Original Message-----
From: aklug-bounce@aklug.org [mailto:aklug-bounce@aklug.org] On Behalf Of Brian ThunderEagle
Sent: Sunday, June 04, 2006 10:14 AM
To: aklug@aklug.org
Subject: Iptables

Well, it all seemed straightforward to me and the how-tos made it seem simple too... Since iptables was blocking my DNS before and I didn't want to leave it turned completely off, I tried to add a rule to allow traffic on port 53. Here is the command I used:

iptables -A INPUT -p udp --dport 53 -j ACCEPT

Then an "iptables -L" comes out with:

ACCEPT udp -- anywhere anywhere udp dpt:domain

After saving and restarting iptables, though, my nslookup can't contact my DNS server. I also tried adding a rule to my output chain as well, but that didn't make a difference. There is also a set of rules that came with the OS, but all but one of the rules are ACCEPT rules; the one REJECT rule is:

REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

I don't know what this rule means exactly, but I figure it shouldn't affect DNS. Oh yes, and I have made sure that my DNS server is using specifically port 53 by uncommenting the "query-source" line in "named.conf".

     Brian ThunderEagle
     thundereagle@hotmail.com

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.

Received on Sun Jun 4 10:33:42 2006

This archive was generated by hypermail 2.1.8 : Sun Jun 04 2006 - 10:33:42 AKDT
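Added example (not part of either message above, and not code from either poster): a small Python model of first-match evaluation for an iptables INPUT chain, built from the rule syntax used in this thread. It loads a constructed stand-in for the distribution ruleset Brian describes (ACCEPT rules ending in a catch-all REJECT) and contrasts appending a port-53 rule with -A, which lands below the REJECT and is never reached, with inserting it at the top with -I. It then runs a few constructed packets through the subset of John's INPUT rules those packets can reach, with 192.0.2.0/24 standing in for his x.y.z.0/24, to show what an INPUT policy of ACCEPT still admits on ports above 1024 and on interfaces other than eth1. The SERVICES table, the probe addresses and the packets are all assumptions made for the example.

```python
"""First-match model of an iptables INPUT chain (added example, not from the
thread). Covers the selectors used above; options that add no selector are skipped."""
import ipaddress
import shlex

SERVICES = {"ssh": 22, "domain": 53, "ntp": 123}  # stand-in for /etc/services


def parse_port_spec(spec):
    """'53', 'ssh' or '0:1024' -> inclusive (low, high)."""
    lo, _, hi = spec.partition(":")
    lo = int(SERVICES.get(lo, lo))
    return lo, (int(SERVICES.get(hi, hi)) if hi else lo)


SELECTORS = {  # option -> (rule key, argument converter)
    "-i": ("iface", str), "-p": ("proto", str), "-j": ("target", str),
    "-s": ("src", lambda a: ipaddress.ip_network(a, strict=False)),
    "--dport": ("dport", parse_port_spec),
    "--state": ("state", lambda a: set(a.split(","))),
}
SKIP = {"-m", "--icmp-type", "--reject-with"}  # take an argument, add no selector


def parse_rule(command):
    """'[iptables] -A|-I CHAIN <options> -j TARGET' -> dict of selectors."""
    toks = shlex.split(command)
    toks = toks[1:] if toks[0] == "iptables" else toks
    rule = {"mode": toks[0], "chain": toks[1]}
    for opt, arg in zip(toks[2::2], toks[3::2]):  # every option here takes one argument
        if opt in SELECTORS:
            key, convert = SELECTORS[opt]
            rule[key] = convert(arg)
        elif opt not in SKIP:
            raise ValueError("unsupported option %r" % opt)
    return rule


def matches(rule, pkt):
    """True when every selector present in the rule matches the packet."""
    if rule.get("iface", pkt["iface"]) != pkt["iface"] or rule.get("proto", pkt["proto"]) != pkt["proto"]:
        return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if "dport" in rule and not rule["dport"][0] <= pkt.get("dport", -1) <= rule["dport"][1]:
        return False  # ICMP carries no port, so a --dport rule never matches it
    return "state" not in rule or pkt.get("state", "NEW") in rule["state"]


def build_chain(commands):
    """Apply commands in order as iptables does: -A appends, bare -I inserts at the top."""
    rules = []
    for rule in map(parse_rule, commands):
        rules.insert(0 if rule["mode"] == "-I" else len(rules), rule)
    return rules


def verdict(rules, pkt, policy="ACCEPT"):
    """The first matching rule decides; if nothing matches, the chain policy applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy


# Constructed stand-in for the distribution ruleset Brian describes: ACCEPTs, then one REJECT.
DISTRO_DEFAULT = [
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT",
    "-A INPUT -j REJECT --reject-with icmp-host-prohibited",
]
# Subset of John's INPUT rules the probes below can reach; 192.0.2.0/24 stands in for x.y.z.0/24.
JOHNS_INPUT = [
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -i eth1 -p tcp -m tcp --dport ssh -j ACCEPT",
    "-A INPUT -i eth1 -s 192.0.2.0/24 -p tcp -m tcp --dport 111 -j ACCEPT",
    "-A INPUT -i eth1 -p tcp -m tcp --dport 0:1024 -j DROP",
    "-A INPUT -i eth1 -p udp -m udp --dport 0:1024 -j DROP",
]


def dns_verdict_after(command):
    """Verdict on a fresh DNS query once `command` has been run on top of DISTRO_DEFAULT."""
    query = dict(iface="eth0", src="192.0.2.10", proto="udp", dport=53)  # constructed
    return verdict(build_chain(DISTRO_DEFAULT + [command]), query)


def johns_verdicts():
    """What John's chain (policy ACCEPT) does with a few constructed packets."""
    def pkt(iface, proto, dport, src="198.51.100.7"):
        return dict(iface=iface, src=src, proto=proto, dport=dport)
    rules = build_chain(JOHNS_INPUT)
    probes = {
        "portmapper from UNIX subnet": pkt("eth1", "tcp", 111, src="192.0.2.5"),
        "portmapper from elsewhere": pkt("eth1", "tcp", 111),
        "DNS on eth1": pkt("eth1", "udp", 53),
        "NFS 2049 on eth1, above the DROP range": pkt("eth1", "tcp", 2049),
        "SSH on eth0, which no rule mentions": pkt("eth0", "tcp", 22),
    }
    return {label: verdict(rules, packet) for label, packet in probes.items()}
```

dns_verdict_after("iptables -A INPUT -p udp --dport 53 -j ACCEPT") comes back REJECT because the appended rule sits below the catch-all, while the same rule given with -I comes back ACCEPT. In johns_verdicts(), the NFS and eth0 probes are ACCEPT not because any rule matched but because nothing did and the INPUT policy decided; a chain meant to be default-deny needs its policy set to DROP, or a final catch-all rule, rather than a port range.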