
Currently my IPtables Input chain settings on the server are:

Chain INPUT (policy DROP 6 packets, 588 bytes)
 pkts bytes target     prot opt in     out     source               destination
  202 20660 ACCEPT     all  --  lo     any     anywhere             anywhere
    8   536 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh
   10  2345 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:https
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:8050
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:8123

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:webcache
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 222 packets, 23444 bytes)
 pkts bytes target     prot opt in     out     source               destination

If I try to ping, for example, port 8123 on this server with

ping 127.0.0.1 -p 8123 

it is working, but not with an FQDN, for example

ping foo.bar.de -p 8123

A ping from my laptop to the server with the FQDN is also working. The OUTPUT chain is completely open, and if I change the policy in the INPUT chain from DROP to ACCEPT, the ping from localhost with the FQDN is also working. So in my opinion something in the INPUT chain config is currently not correct.

I have already tried to allow some port 53 settings, but without any luck.

iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT

I have also logged the blocked things from the Input Chain with

iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4

The output in /var/log/messages is something like

Mar 16 12:22:05 bla kernel: IPTables-Dropped: IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=XX.XX.XX.XXX DST=XX.XX.XX.XX LEN=92 TOS=0x00 PREC=0x00 TTL=60 ID=25578 DF PROTO=UDP SPT=53 DPT=46139 LEN=72

Can you help me, so that the ping on the localhost with the fqdn is working?

  • What do you mean by "ping a port"?! -p is not a port, -p is a pattern: you may specify up to 16 "pad" bytes to fill out the packet you send. The ICMP protocol doesn't have a concept of ports. – ALex_hha Mar 16 '16 at 11:51
  • You are absolutely right! – andreasemer Mar 16 '16 at 12:11

1 Answer


This

iptables -A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

solves my problem. Now the udp port 53 is working and the ping to

ping foo.bar.de -p 8123

is correctly working :-)
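The log line in the question already shows the root cause: PROTO=UDP SPT=53 DPT=46139 is a DNS reply coming back to the resolver's ephemeral port, and with a DROP policy and no rule for return traffic it is discarded, so the FQDN never resolves. The following POSIX sh snippet is an added example (not code from the question or the answer) that pulls the fields out of such an "IPTables-Dropped:" line and classifies it, so you can tell from the log whether a dropped packet is a reply to traffic the host itself sent. The log line is a constructed sample modelled on the one above, with the addresses and MAC replaced by documentation values; the function names `log_field` and `classify_drop` are mine.

```shell
#!/bin/sh
# Added example: parse a kernel LOG line produced by
#   iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
# and say whether the dropped packet looks like a DNS reply that a
# conntrack ESTABLISHED rule would have accepted.

# Constructed sample line (addresses and MAC are placeholders, not real hosts).
SAMPLE_LINE='Mar 16 12:22:05 bla kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.53 DST=192.0.2.10 LEN=92 TOS=0x00 PREC=0x00 TTL=60 ID=25578 DF PROTO=UDP SPT=53 DPT=46139 LEN=72'

# log_field LINE KEY
# Print the value of the first KEY=value token in LINE (empty if absent).
# The line is split on spaces; tokens without "=" (timestamp, hostname) never match.
log_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# classify_drop LINE
# Prints one of:
#   dns-reply  UDP from source port 53 to an unprivileged port: the answer to a
#              query this host sent, which "-m state --state ESTABLISHED" accepts
#   dns-query  UDP or TCP to destination port 53: someone asking this host
#              (only relevant if it runs a resolver)
#   other      anything else
classify_drop() {
    proto=$(log_field "$1" PROTO)
    spt=$(log_field "$1" SPT)
    dpt=$(log_field "$1" DPT)
    if [ "$proto" = UDP ] && [ "$spt" = 53 ] \
        && [ "${dpt:-0}" -ge 1024 ] && [ "${dpt:-0}" -le 65535 ]; then
        echo dns-reply
    elif [ "$dpt" = 53 ]; then
        echo dns-query
    else
        echo other
    fi
}

# Stand-alone usage: classify the sample, or every line piped in on stdin.
if [ -t 0 ]; then
    printf '%s: %s\n' "$(classify_drop "$SAMPLE_LINE")" "$SAMPLE_LINE"
else
    while IFS= read -r line; do
        printf '%s: %s\n' "$(classify_drop "$line")" "$line"
    done
fi
```

Run it with `grep IPTables-Dropped /var/log/messages | sh classify.sh` to label the dropped packets. The rule in the answer accepts exactly the dns-reply case (UDP, source port 53, destination port 1024:65535, state ESTABLISHED). The more general form that most rulesets place first in INPUT is `iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, which admits return traffic for every connection the host initiates, not only DNS, while still leaving unsolicited inbound packets to the DROP policy; `-m conntrack --ctstate` is the current spelling of the older `-m state --state` match.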