I'm trying to set up/configure BIND on RH73 ( 'rh73 dns server' )
in the message below, I'm talking about 3 dns hosts:
'rh73 dns server' - the one I'm trying to set up;
'test dns server' - what I'm using to test;
'old dns server' - my current dns server
BIND is running on 'rh73 dns server', but I cannot get any zones
transferred to my 'test dns server'
when I try to get zones from the 'rh73 dns server', my 'test dns server'
says: 'connection refused' (but does transfer from 'old dns' OK)
I suspect I might be blocking BIND with my IPCHAINS firewall rules.
do I need an explicit rule in ipchains for bind, or does bind have some
'automatic' right..?
am I looking in the right place..?
I have:
/etc/sysconfig/ipchains (this is the file to look at, yes ?)
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 ntp -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 443 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 110 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
#-A input -s 0/0 -d 0/0 23 -p tcp -y -j ACCEPT
-A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth0 -j ACCEPT
-A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth1 -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
----
# service ipchains status returns this:
Chain input (policy ACCEPT):
target     prot opt     source               destination          ports
ACCEPT     udp  ------  203.28.234.5         0.0.0.0/0            53 ->   1025:65535
ACCEPT     udp  ------  203.28.234.4         0.0.0.0/0            53 ->   1025:65535
ACCEPT     udp  ------  127.0.0.1            0.0.0.0/0            53 ->   1025:65535
ACCEPT     udp  ------  0.0.0.0/0            0.0.0.0/0            * ->   123
ACCEPT     tcp  -y----  0.0.0.0/0            0.0.0.0/0            * ->   443
ACCEPT     tcp  -y----  0.0.0.0/0            0.0.0.0/0            * ->   110
ACCEPT     tcp  -y----  0.0.0.0/0            0.0.0.0/0            * ->   25
ACCEPT     tcp  -y----  0.0.0.0/0            0.0.0.0/0            * ->   80
ACCEPT     tcp  -y----  0.0.0.0/0            0.0.0.0/0            * ->   21
ACCEPT     tcp  -y----  0.0.0.0/0            0.0.0.0/0            * ->   22
ACCEPT     udp  ------  0.0.0.0/0            0.0.0.0/0            67:68 ->   67:68
ACCEPT     udp  ------  0.0.0.0/0            0.0.0.0/0            67:68 ->   67:68
ACCEPT     all  ------  0.0.0.0/0            0.0.0.0/0            n/a
REJECT     tcp  -y----  0.0.0.0/0            0.0.0.0/0            * ->   0:1023
REJECT     tcp  -y----  0.0.0.0/0            0.0.0.0/0            * ->   2049
REJECT     udp  ------  0.0.0.0/0            0.0.0.0/0            * ->   0:1023
REJECT     udp  ------  0.0.0.0/0            0.0.0.0/0            * ->   2049
REJECT     tcp  -y----  0.0.0.0/0            0.0.0.0/0            * ->   6000:6009
REJECT     tcp  -y----  0.0.0.0/0            0.0.0.0/0            * ->   7100
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
----
what creates the 'port 53' entries at the top ? (resolver ?)
do I need anything in ipchains to allow port 53 connection ?
looking at syslog on 'rh73 dns server', it's timing out trying to reach
the master dns server:
net.au/IN: refresh: failure trying master 203.42.34.53#53: timed out
l.com.au/IN: refresh: failure trying master 203.42.34.53#53: timed out
nfo/IN: refresh: failure trying master 203.42.34.53#53: timed out
nfo/IN: refresh: retry limit for master 203.42.34.53#53 exceeded
ch.com.au/IN: refresh: failure trying master 203.42.34.53#53: timed out
ch.com.au/IN: refresh: retry limit for master 203.42.34.53#53 exceeded
so, do I need to add something like:
-A input -s 0/0 -d 0/0 53 -p tcp -y -j ACCEPT
in /etc/sysconfig/ipchains ??
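As an added example (not part of the original post), a Python first-match walk over the quoted `input` chain: it shows that an inbound TCP SYN to port 53 falls through to the `-p tcp ... 0:1023 -y -j REJECT` line (consistent with the 'connection refused' the test server reports), and that the rule asked about above only helps when it sits before that REJECT. Assumptions: addresses and source ports (all 0/0 in the quoted file) are not matched, and the `ntp` service name is resolved from a small inline table rather than /etc/services.

```python
"""First-match evaluator for an ipchains 'input' chain written in /etc/sysconfig/ipchains syntax."""
import shlex

# Constructed subset of the rules in the post, in the same order (the 443/110/25/80/21 lines elided).
CURRENT = """
-A input -s 0/0 -d 0/0 ntp -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth0 -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
"""
# The rule the post asks about, inserted ahead of the catch-all TCP REJECT; ipchains stops at the first match.
PROPOSED = CURRENT.replace("-A input -p tcp", "-A input -s 0/0 -d 0/0 53 -p tcp -y -j ACCEPT\n-A input -p tcp", 1)
SERVICES = {"ntp": 123, "domain": 53}  # assumed inline name table instead of reading /etc/services

def parse_port(spec):
    """'53' -> (53, 53); '0:1023' -> (0, 1023); 'ntp' -> (123, 123)."""
    lo, _, hi = spec.partition(":")
    lo = SERVICES.get(lo, lo)
    hi = SERVICES.get(hi, hi) if hi else lo
    return int(lo), int(hi)

def parse_rule(line):
    """Extract protocol, destination port range, SYN-only flag (-y), interface and target."""
    toks = shlex.split(line)
    rule = {"proto": None, "dport": None, "syn": False, "iface": None, "target": None}
    flags = {"-p": "proto", "-i": "iface", "-j": "target"}
    for i, t in enumerate(toks):
        if t in flags:
            rule[flags[t]] = toks[i + 1]
        elif t == "-y":
            rule["syn"] = True
        elif t == "-d" and i + 2 < len(toks) and not toks[i + 2].startswith("-"):
            rule["dport"] = parse_port(toks[i + 2])  # '-d 0/0 PORT' form; the 0/0 address itself is not matched (assumption)
    return rule

def verdict(ruleset, proto, dport, syn=False, iface="eth0", policy="ACCEPT"):
    """Walk the chain top to bottom; the first matching rule's target wins, else the chain policy."""
    for line in ruleset.strip().splitlines():
        if not line.strip() or line.lstrip().startswith((":", "#")):
            continue
        r = parse_rule(line)
        if (r["proto"] in (None, proto)
                and (r["dport"] is None or r["dport"][0] <= dport <= r["dport"][1])
                and (not r["syn"] or (proto == "tcp" and syn))
                and r["iface"] in (None, iface)):
            return r["target"]
    return policy
```

`verdict(CURRENT, "tcp", 53, syn=True)` returns REJECT while `verdict(PROPOSED, "tcp", 53, syn=True)` returns ACCEPT; a non-SYN TCP segment to 53 under CURRENT falls through to the policy because `-y` only matches connection-opening segments.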