iptables config - DNS not working anymore
by clmsvie from LinuxQuestions.org
Hello,
I configured firewall rules which work fine so far, with one exception: I cannot ping any website from my server, as DNS seems not to work once the rules are in place:
Code:
ping: google.com: Temporary failure in name resolution
Once I remove the rules, it works fine.
I even added outgoing rules to specifically allow Google's and Cloudflare's DNS servers (the ones my server uses):
Code:
# Existing INPUT chain rules
sudo iptables -P INPUT DROP
sudo ip6tables -P INPUT DROP
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -I INPUT -m set --match-set allowed_countries_ipv4 src -j ACCEPT
sudo ip6tables -I INPUT -m set --match-set allowed_countries_ipv6 src -j ACCEPT
sudo iptables -A INPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
sudo ip6tables -A INPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
sudo ip6tables -A INPUT -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Add OUTPUT chain rules for DNS
sudo iptables -A OUTPUT -d 8.8.8.8 -p udp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -d 8.8.8.8 -p tcp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -d 1.1.1.1 -p udp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -d 1.1.1.1 -p tcp --dport 53 -j ACCEPT
sudo ip6tables -A OUTPUT -d 2001:4860:4860::8888 -p udp --dport 53 -j ACCEPT
sudo ip6tables -A OUTPUT -d 2001:4860:4860::8888 -p tcp --dport 53 -j ACCEPT
sudo ip6tables -A OUTPUT -d 2606:4700:4700::1111 -p udp --dport 53 -j ACCEPT
sudo ip6tables -A OUTPUT -d 2606:4700:4700::1111 -p tcp --dport 53 -j ACCEPT
... any idea what I am overlooking? What else could I try?
Thanks,
Clemens
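A rule audit for the kind of ruleset shown above, added here as an editor's example and not part of clmsvie's post or the iptables project: it parses `iptables -S` output (a constructed sample modelled on the posted rules, plus a variant with a loopback accept) and reports the conditions that commonly break name resolution under a default-DROP INPUT chain. The sample lines, the function names and the mention of systemd-resolved's 127.0.0.53 stub are assumptions about a typical Linux host, not facts taken from the post.

```shell
#!/bin/sh
# Constructed sample of `iptables -S` output, shaped like the post's ruleset
# (not captured from the poster's server). iptables -S prints the conntrack
# states as RELATED,ESTABLISHED, so both spellings are matched below.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m set --match-set allowed_countries_ipv4 src -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -j ACCEPT'
# Same ruleset with a loopback accept in front, for comparison.
FIXED_RULES="-A INPUT -i lo -j ACCEPT
$SAMPLE_RULES"

# chain_policy RULES CHAIN -> prints the chain's default policy
chain_policy() {
    printf '%s\n' "$1" | sed -n "s/^-P $2 \(.*\)\$/\1/p"
}
# has_rule RULES REGEX -> succeeds if any rule line matches REGEX
has_rule() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# audit_dns RULES -> prints one line per finding and returns the finding count.
# The three things that usually break resolution under a default-DROP INPUT chain:
# loopback traffic to a local stub resolver (systemd-resolved's 127.0.0.53),
# conntrack-accepted replies, and outbound port 53 when OUTPUT is DROP too.
audit_dns() {
    rules=$1; n=0
    if [ "$(chain_policy "$rules" INPUT)" = DROP ] &&
       ! has_rule "$rules" '^-A INPUT .*-i lo .*-j ACCEPT'; then
        echo "INPUT DROP without '-i lo' ACCEPT: queries to a local stub resolver are dropped"
        n=$((n + 1))
    fi
    if ! has_rule "$rules" '^-A INPUT .*--ctstate (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT'; then
        echo "no ESTABLISHED,RELATED ACCEPT in INPUT: replies from remote resolvers are dropped"
        n=$((n + 1))
    fi
    if [ "$(chain_policy "$rules" OUTPUT)" = DROP ] &&
       ! has_rule "$rules" '^-A OUTPUT .*--dport 53 -j ACCEPT'; then
        echo "OUTPUT DROP without a port-53 ACCEPT: queries never leave the host"
        n=$((n + 1))
    fi
    return $n
}

# On a live host run: audit_dns "$(sudo iptables -S)". Here the samples are audited.
audit_dns "$SAMPLE_RULES" || echo "findings: $?"
audit_dns "$FIXED_RULES" && echo "fixed ruleset: no findings"
```

Run it against the live output of `iptables -S` and `ip6tables -S` separately, since the IPv6 chains in the post are configured independently.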