Article 6KXCP Help with iptables for a DNS server.

Help with iptables for a DNS server.

by
princessgentoo
from LinuxQuestions.org on (#6KXCP)
Hello everyone, I hope all of you are having a great day!
I have a dnsmasq server open to public internet in a VPS because I like to make custom domain modifications there. But many ips connected to my server is reducing my network speed. That is why I want' to limit the use of my dnsmasq server to specific Ips. Since i use many vpns, specifying ips will filter my traffic neatly.
So I added some rules to the INPUT openvpn ip rules I used for my VPN to block all traffic except SSH, VPN and port 53.

In the code I replaced some ips for privacy, IP1 is the ip of my other VPN (which is not the current server), IP2 is the Ip of a server. And SERVERIP is the current server IP. I'm using Ubuntu Jammy Jellyfish with the DNSMasq.

I used some code I found on internet, because by simple logic, if "/usr/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT" it just working for SSH, something similar must work for DNS just replacing the port. But then tried another code that also included sport and state. I added the 8.8.8.8 which is the Google DNS nameserver, i don't think it goes here but it won't harm the rule adding it.

Code:[Unit]
Before=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to SERVERIP
ExecStart=/usr/sbin/iptables -P INPUT DROP
ExecStart=/usr/sbin/iptables -A INPUT -p udp --dport 1194 -j ACCEPT
ExecStart=/usr/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
ExectStart=/usr/sbin/iptables -A INPUT -p udp --dport 53 -s IP1,IP2,8.8.8.8,8.8.4.4 --sport 1024:65535 -d SERVERIP -m state --state NEW,ESTABLISHED -j ACCEPT
ExectStart=/usr/sbin/iptables -A INPUT -p udp --dport 53 -s IP1,IP2,8.8.8.8,8.8.4.4 --sport 53 -d SERVERIP -m state --state NEW,ESTABLISHED -j ACCEPT

ExecStart=/usr/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStart=/usr/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/usr/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 212.227.145.229
ExecStop=/usr/sbin/iptables -D INPUT -p udp --dport 1194 -j ACCEPT
ExecStop=/usr/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStop=/usr/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
RemainAfterExit=yes
[Install]
WantedBy=multi-user.targetWhen I run dig in both the server and the computer connected to VPN IP1.
Code:dig @SERVERIP google.comI get:
Code:;; communications error to SERVERIP#53: timed out
;; communications error to SERVERIP#53: timed out
;; communications error to SERVERIP#53: timed outThe default policies on iptables is accepting except for INPUT which the default policy is Drop.

What I'm doing wrong?
External Content
Source RSS or Atom Feed
Feed Location https://feeds.feedburner.com/linuxquestions/latest
Feed Title LinuxQuestions.org
Feed Link https://www.linuxquestions.org/questions/
Reply 0 comments