iptables & port 53 (DNS)

Hi,

I have a newly built RHEL5 OS that is unable to talk to the DNS server. I am unable to telnet to the resolv.conf entry over port 53, but apparently this port has been opened.

# telnet 209.212.96.1 53

and.....

# dig www.google.com
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> www.google.com
;; global options: printcmd
;; connection timed out; no servers could be reached

I can only assume therefore that this is a server issue.

So, I have added the following entry to my iptables:

# iptables -A INPUT -s 41.181.59.124/29 -d 209.212.96.1 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
 
# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination 
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0 
ACCEPT tcp -- 41.181.59.120/29 0.0.0.0/0 state NEW tcp dpt:53 
ACCEPT tcp -- 41.181.59.120/29 209.212.96.1 state NEW tcp dpt:53 

But still unable to telnet to the nameserver over port 53.

Can anybody provide any pointers to what I can try next?

R,
D.

DNS is UDP... you need to allow the DNS server to talk back to the client on UDP 53

I have added the following:

# iptables -A INPUT -s 41.181.59.124/29 -d 209.212.96.1 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT

...but still unable to reach the internet.

Still hard to tell. This is iptables from the client, not the server, but you use dport 53... It would be sport at INPUT. Also you have an entire chain before these rules. Need the output of iptables -S.

No "-S" option on RHEL5. I've listed the tables instead:

# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  41.181.59.120/29     209.212.96.1        state NEW udp dpt:53 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255 
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53 

R,
D.

Couple of questions:

Without the firewall, do you have connectivity to the DNS server?

What do the logs show with iptables running when you attempt the connection?

-L isn't enough. Otherwise I'd assume everything is accepted due to the first rule in RH-Firewall-1-INPUT. -L -v -n would be better.

But those are rather restrictive rules. You would still want to add new ones at the top rather than the bottom; use -I instead of -A.

Hi,

# iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2005  148K RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
Chain OUTPUT (policy ACCEPT 1980 packets, 189K bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 1381 79928 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255 
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631 
  621 67768 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    1    40 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
    2   108 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53 

R,
D.
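The listing above shows the two port-53 ACCEPT rules appended (-A) below the catch-all REJECT in RH-Firewall-1-INPUT, where no packet can ever reach them. As an added example that is not from the thread, the script below reads `iptables -L -v -n` output and flags rules that sit after a terminal catch-all rule in their chain; the embedded listing is a constructed copy of the chain shown above, and the script assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not from the thread: flag rules that can never match because
# an earlier rule in the same chain already terminates evaluation for every
# packet. Input is `iptables -L -v -n` output on stdin.
shadowed_rules() {
    awk '
        /^Chain / { chain = $2; n = 0; dead = 0; next }
        $1 == "pkts" || NF == 0 { next }
        {
            n++
            # columns: pkts bytes target prot opt in out source destination [match/extra...]
            target = $3; proto = $4; in_if = $6; src = $8; dst = $9
            extra = ""
            for (i = 10; i <= NF; i++) extra = extra (i > 10 ? " " : "") $i
            if (dead) {
                printf "%s: rule %d (%s %s %s) is unreachable\n", chain, n, target, proto, extra
                next
            }
            # Terminal target with no interface/address/match restriction: nothing after it runs.
            terminal = (target == "ACCEPT" || target == "DROP" || target == "REJECT" || target == "RETURN")
            catch_all = (proto == "all" && in_if == "*" && src == "0.0.0.0/0" && dst == "0.0.0.0/0")
            if (terminal && catch_all && (extra == "" || extra ~ /^reject-with/)) dead = 1
        }'
}

# Constructed listing modelled on the RH-Firewall-1-INPUT chain from the thread,
# with the two port-53 rules appended (-A) after the catch-all REJECT.
sample_listing() {
    cat <<'EOF'
Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
 1381 79928 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  621 67768 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    1    40 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    2   108 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
EOF
}

# On a live box: iptables -L -v -n | shadowed_rules
sample_listing | shadowed_rules
```

The first rule (ACCEPT all on lo) is not treated as terminal for the chain because it is restricted to the loopback interface, which is exactly what -L without -v hides.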

I don't see it being restricted here. Are you sure you have working nameservers in /etc/resolv.conf?

This is an external virtual machine so I have no control over the network.

However, I think it may have to do with a restriction between the host that the VM sits on and the DNS server. Waiting on confirmation from the external hosting people to find out if they can connect to the name server over port 53 from the server that is hosting the VM.