If the DNS server is running on your firewall (justifying your INPUT/OUTPUT rules) then remove "-i $IF" and "-o $IF" so that you also can query on that machine itself (iptables -L), which uses the loopback.

Anyway, here it is in case the DNS server is running on the firewall:

    $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
    $IPT -t filter -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
    $IPT -t filter -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
    $IPT -t filter -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT

It gives you the possibility to run the DNS on the firewall itself. All the hosts on your LAN are able to query that server, but they're not able to query the Internet themselves (but I think that's what you want).

If your DNS server is in your LAN (after making sure that your SNAT and DNAT work properly) you need to:

    $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A FORWARD -m state --state NEW -p tcp --dport 53 -j ACCEPT
    $IPT -t filter -A FORWARD -m state --state NEW -p udp --dport 53 -j ACCEPT

Ramin

On Fri, May 03, 2002 at 11:00:29AM -0700, Dan Crooks wrote:
> I recently started running my own DNS server since my ISP was charging me
> for my domain names to be listed on their DNS server. Since installing my
> DNS I have been unable to execute the command # iptables -L.
>
> I added the following to the allow-service-all section of my firewall:
> $IPT -A INPUT -p 6 -s 0/0 -d 0/0 --dport 53 -j ACCEPT
> and that didn't help anything.
>
> I then added the following to my firewall.sh file:
> $IPT -A INPUT -i $IF -p udp -s $DNS --sport 53 -m state --state ESTABLISHED -j ACCEPT
> $IPT -A OUTPUT -o $IF -p udp -d $DNS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
>
> $IF=eth1 (my internet connection)
> $DNS=my dns server ip (xxx.xxx.xxx.xxx/32)
>
> Neither of these solutions has helped with my problem. External connections
> "appear" to work as my secondary DNS server (on another network at another
> site) is able to send/receive updates. Also, internal machines on my network
> are able to use my server for DNS purposes. However, I do see hits in my
> firewall log from other ip's outside my network.
>
> What is the correct way to open up my DNS to all machines, both internal and
> external? I should mention that DNS queries are only accepted on port 53 at
> this time. Any help would be appreciated.
>
> Dan
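The two rule sets from the reply above, written up as a small script (an added example, not Ramin's or Dan's own firewall.sh). It assumes the placeholders IPT, WAN_IF and DNS, uses an explicit loopback ACCEPT instead of dropping "-i $IF" from every rule, and for the LAN case adds the DNAT the reply presupposes plus a FORWARD rule restricted to the DNS host's address.

```shell
#!/bin/sh
# Added example, not Ramin's or Dan's script: builds the port-53 rules for
# the two placements discussed in the reply. IPT, WAN_IF and DNS are
# assumptions with placeholder values; set IPT="echo iptables" for a dry run.
set -eu

IPT="${IPT:-iptables}"          # iptables binary, or "echo iptables"
WAN_IF="${WAN_IF:-eth1}"        # Internet-facing interface (Dan's $IF)
DNS="${DNS:-192.0.2.53}"        # placeholder address of the LAN DNS host

# Stateful return traffic for the firewall's own chains (both placements).
dns_state_rules() {
    for chain in INPUT OUTPUT; do
        $IPT -t filter -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
}

# Case 1: the DNS server runs on the firewall. Loopback gets an explicit
# ACCEPT so local lookups (e.g. the reverse lookups "iptables -L" does via
# 127.0.0.1) work without stripping "-i $IF" from every other rule.
dns_on_firewall() {
    $IPT -t filter -A INPUT -i lo -j ACCEPT
    $IPT -t filter -A OUTPUT -o lo -j ACCEPT
    dns_state_rules
    for proto in tcp udp; do
        # queries/transfers from LAN and Internet; the server's own outbound
        # lookups and NOTIFYs to other name servers
        $IPT -t filter -A INPUT -m state --state NEW -p "$proto" --dport 53 -j ACCEPT
        $IPT -t filter -A OUTPUT -m state --state NEW -p "$proto" --dport 53 -j ACCEPT
    done
}

# Case 2: the DNS server sits on the LAN. Port 53 arriving on the WAN side is
# DNATed to $DNS, and FORWARD admits new port-53 flows only to that one host.
dns_on_lan() {
    for proto in tcp udp; do
        $IPT -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport 53 \
            -j DNAT --to-destination "$DNS"
    done
    $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for proto in tcp udp; do
        $IPT -t filter -A FORWARD -m state --state NEW -p "$proto" \
            -d "$DNS" --dport 53 -j ACCEPT
    done
}

case "${1:-}" in
    firewall) dns_on_firewall ;;
    lan)      dns_on_lan ;;
esac
```

Run it as `IPT="echo iptables" sh dns-rules.sh firewall` (or `lan`) first to review the generated commands before applying them for real.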
