Of course, just accepting traffic arriving from a --sport of 53 does open a hole. A maliciously-intended person could make all their attack packets come from port 53, leaving you wide open. Instead, it's better to use the state-matching capabilities of iptables. You need the ip_conntrack module loaded or compiled into the kernel.

$IPT -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT

That would be sufficient in allowing the firewall box itself to make DNS requests and receive the corresponding response. If your firewall box is serving a subnet, you need the following as well...

$IPT -A FORWARD -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p udp --dport 53 -j ACCEPT

That will allow the machines behind the firewall box to make DNS requests. (Provided you have packet forwarding turned on, that your routing / NAT is set up properly, and there aren't any rules before those that drop the packets.)

Of course, there are ways to tweak the above rules to be even more robust (like permitting "--state NEW" outgoing DNS requests only to the known DNS servers for your ISP.) I leave discussion of such things to others.

Good luck,
Darrell Dieringer - Madison, WI

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Michael Ring
> Sent: Tuesday, March 19, 2002 6:58 AM
> To: Pierre B. Samson
> Cc: [EMAIL PROTECTED]
> Subject: Re: iptables blocks DNS!
>
>
> Pierre B. Samson wrote:
>
> > $IPT -A INPUT -p udp --source-port 53 -j ACCEPT
> > $IPT -A INPUT -p udp --destination-port 53 -j ACCEPT
> > $IPT -A INPUT -p tcp --source-port 113 -j ACCEPT
> > $IPT -A INPUT -p tcp --destination-port 113 -j ACCEPT
>
> hi
>
> I think you must add a dns rule for tcp traffic on port 53
> This is my configuration and for me it works fine.
> $IPT -A INPUT -p tcp --dport 53 -j ACCEPT
> $IPT -A INPUT -p udp --dport 53 -j ACCEPT
>
> regards
> michael
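The difference between the two approaches in the thread, as an added illustration that is not part of any message above: a small model of what ip_conntrack does for UDP, run against the same constructed packets under the plain "--sport 53" rule and under the stateful rules (with the "NEW only to known resolvers" tweak). The addresses are RFC 5737 documentation addresses chosen here, not anything from the thread, and the model covers only the ESTABLISHED state.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    direction: str  # "in" or "out", relative to the firewall box
    src: str
    sport: int
    dst: str
    dport: int

class Conntrack:
    """Tiny model of ip_conntrack for UDP: a flow is its 4-tuple; a packet whose
    4-tuple matches a confirmed flow, or the reverse of one, is ESTABLISHED."""
    def __init__(self):
        self.flows = set()
    def state(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if fwd in self.flows or rev in self.flows else "NEW"
    def confirm(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))

def naive_policy(p, ct):
    """The original rule: anything arriving with --sport 53 is let in."""
    if p.direction == "in" and p.sport == 53:
        return "ACCEPT"
    return "ACCEPT" if p.direction == "out" and p.dport == 53 else "DROP"

def make_stateful_policy(resolvers):
    """ESTABLISHED in; NEW queries out only to the resolvers we know about."""
    def policy(p, ct):
        if p.direction == "in":
            return "ACCEPT" if ct.state(p) == "ESTABLISHED" else "DROP"
        return "ACCEPT" if p.dport == 53 and p.dst in resolvers else "DROP"
    return policy

def run(policy, packets):
    ct, verdicts = Conntrack(), []
    for p in packets:
        v = policy(p, ct)
        if v == "ACCEPT":
            ct.confirm(p)  # conntrack only keeps entries for packets that were not dropped
        verdicts.append(v)
    return verdicts

# Constructed traffic: firewall box 192.0.2.1, ISP resolver 198.51.100.53 (assumed values).
RESOLVERS = {"198.51.100.53"}
TRAFFIC = [
    Pkt("out", "192.0.2.1", 33001, "198.51.100.53", 53),  # our query
    Pkt("in", "198.51.100.53", 53, "192.0.2.1", 33001),   # the matching reply
    Pkt("in", "203.0.113.9", 53, "192.0.2.1", 22),        # unsolicited packet dressed up with sport 53
    Pkt("out", "192.0.2.1", 33002, "203.0.113.9", 53),    # query to a resolver not on our list
]

if __name__ == "__main__":
    for name, pol in (("sport-53", naive_policy), ("stateful", make_stateful_policy(RESOLVERS))):
        print(name, run(pol, TRAFFIC))
```

The third packet is the hole Darrell describes: the port-based rule accepts it, the stateful rule drops it because no outbound flow ever matched it.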
