iptables rule to allow DNS traffic on client
by gotaquestion from LinuxQuestions.org on (#5HBN1)
I'm struggling to come up with an iptables rule(s) to allow DNS traffic below from a client machine to my private DNS server on the same network. Any help is very much appreciated.
DNS server IP address: a.b.c.100
Client IP address: a.b.c.200
The message captured in the client's /var/log/messages after all the rules were processed:
Code:
IN= OUT=lo SRC=a.b.c.200 DST=a.b.c.200 LEN=106 TOS=0x00 PREC=0xC0 TTL=64 ID=57831 PROTO=ICMP TYPE=3 CODE=1 [SRC=a.b.c.200 DST=a.b.c.100 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=3110 DF PROTO=UDP SPT=47963 DPT=53 LEN=58 ]
My default chain policies:
Code:
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
Since the default for the OUTPUT chain is 'accept', I can't wrap my head around what's missing.
DNS server is not an issue, it works well with all other clients.
firewalld is disabled. I'm running iptables instead.
iptables -S output (after masking, and stripping down unrelated lines):
Code:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A INPUT -d 224.0.0.0/4 -p igmp -j DROP
-A INPUT -p tcp -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s a.b.c.100/32 -d a.b.c.200/32 -i enp1s0 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -s a.b.c.200/32 -d 224.0.0.251/32 -p udp -m udp --sport 5353 --dport 5353 -j ACCEPT
-A INPUT -d 224.0.0.251/32 -p udp -m udp --sport 5353 --dport 5353 -j DROP
-A INPUT -s a.b.c.100/32 -d a.b.c.200/32 -p udp -m udp --sport 5353 -j ACCEPT
-A INPUT -s a.b.c.100/32 -d a.b.c.200/32 -p icmp -m icmp --icmp-type 0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d a.b.c.200/32 -i enp1s0 -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -d a.b.c.200/32 -i enp1s0 -p udp -m udp --sport 123 -m comment --comment ntp -j ACCEPT
-A INPUT -j LOG --log-prefix "** iptables-INP ** "
-A FORWARD -p tcp -m conntrack --ctstate INVALID -j DROP
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j LOG --log-prefix "** iptables-FWD ** "
-A OUTPUT -d 224.0.0.0/4 -p igmp -j DROP
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -j ACCEPT
-A OUTPUT -s a.b.c.200/32 -d a.b.c.100/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -s a.b.c.200/32 -d 224.0.0.251/32 -p udp -m udp --sport 5353 --dport 5353 -j ACCEPT
-A OUTPUT -s a.b.c.200/32 -d a.b.c.100/32 -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s a.b.c.200/32 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -s a.b.c.200/32 -p udp -m udp --dport 123 -m conntrack --ctstate NEW -m comment --comment ntp -j ACCEPT
-A OUTPUT -j LOG --log-prefix "** iptables-OUT ** "
Thanks
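The log line quoted in the post is a netfilter LOG record of an ICMP packet, not of the DNS query itself: PROTO=ICMP TYPE=3 CODE=1 is a Destination Unreachable (host unreachable) error, and the bracketed part is the IP/UDP header of the original datagram that triggered it (a.b.c.200:47963 -> a.b.c.100:53). IN= empty with OUT=lo means the kernel generated the packet locally. The following decoder is an added example (not code from the post or from iptables) that splits such a line into the outer packet and the quoted inner packet so the fields can be compared against the rule set; the sample line is the one from the post, embedded as a constant, and the ICMP code table is the standard RFC 792/1122 one.

```python
"""Decode an iptables LOG line, including the original packet headers that an
ICMP error message quotes inside [ ... ].  Added example, not part of the post."""
import re

# Constructed sample: the single LOG line quoted in the post above.
SAMPLE_LOG = (
    "IN= OUT=lo SRC=a.b.c.200 DST=a.b.c.200 LEN=106 TOS=0x00 PREC=0xC0 TTL=64 "
    "ID=57831 PROTO=ICMP TYPE=3 CODE=1 [SRC=a.b.c.200 DST=a.b.c.100 LEN=78 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=3110 DF PROTO=UDP SPT=47963 DPT=53 LEN=58 ]"
)

# Codes for ICMP type 3 (destination unreachable), RFC 792 / RFC 1122.
ICMP_UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    5: "source route failed",
    13: "communication administratively prohibited",
}


def parse_fields(text):
    """Turn 'K=V K=V DF ...' into a dict; bare tokens (DF, SYN, ...) become flags.
    A repeated key is kept under 'KEY_2' instead of overwriting: in a UDP record
    the first LEN= is the IP total length, the second the UDP length."""
    fields = {"FLAGS": []}
    for tok in text.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            if key in fields:
                key = key + "_2"
            fields[key] = val
        else:
            fields["FLAGS"].append(tok)
    return fields


def parse_log_line(line):
    """Split a LOG line into the logged packet ('outer') and, for ICMP errors,
    the original packet's headers quoted in [ ... ] ('inner', else None).
    'direction' is derived from which of IN=/OUT= carry an interface name."""
    m = re.search(r"\[(.*?)\]", line)
    inner = parse_fields(m.group(1)) if m else None
    outer_text = line if not m else line[: m.start()] + line[m.end():]
    outer = parse_fields(outer_text)
    has_in = outer.get("IN", "") != ""
    has_out = outer.get("OUT", "") != ""
    if not has_in and has_out:
        direction = "locally generated (OUTPUT/POSTROUTING)"
    elif has_in and not has_out:
        direction = "destined to this host (PREROUTING/INPUT)"
    else:
        direction = "forwarded (FORWARD)"
    return {"outer": outer, "inner": inner, "direction": direction}


def describe(parsed):
    """One-line human summary; ICMP unreachable errors name the quoted flow."""
    outer, inner = parsed["outer"], parsed["inner"]
    if outer.get("PROTO") == "ICMP" and outer.get("TYPE") == "3":
        code = int(outer.get("CODE", "-1"))
        what = ICMP_UNREACHABLE_CODES.get(code, "code %d" % code)
        text = "ICMP destination unreachable (%s) from %s" % (what, outer["SRC"])
        if inner:
            text += " about %s %s:%s -> %s:%s" % (
                inner.get("PROTO"), inner["SRC"], inner.get("SPT", "?"),
                inner["DST"], inner.get("DPT", "?"))
        return text
    return "%s %s -> %s" % (outer.get("PROTO"), outer.get("SRC"), outer.get("DST"))


if __name__ == "__main__":
    parsed = parse_log_line(SAMPLE_LOG)
    print(parsed["direction"])
    print(describe(parsed))
```

Run against the posted line this reports a locally generated ICMP host-unreachable error about the UDP query to port 53. The outer packet is what the OUTPUT LOG rule saw (a.b.c.200 to a.b.c.200 on lo, which matches none of the earlier OUTPUT accepts and falls through to the LOG rule before the ACCEPT policy); the inner fields are the ones to hold against the `--dport 53` rule and against the host's route and ARP state for a.b.c.100.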