12-31-2009, 08:51 AM
(12-30-2009, 11:32 AM)lhffan Wrote: DNS queries rule:
Code:
$IPT -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
You have source port and destination port mixed up (or from other perspective you have INPUT and OUTPUT chains mixed up).
Your queries to DNS servers are targeted to port 53 and thus they're matched using the OUTPUT chain. That's why you need to have "-A OUTPUT --dport 53". The same thing in INPUT chain would mean that you'd be expecting the answer from the DNS server to port 53 (which is not happening).
Also you can match almost every "legal" incoming connection with these:
Code:
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
It might be even possible to write it in one line without the specific protocol definition:
Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
It's a safe rule because the state must be either ESTABLISHED (you've initialized the connection) or RELATED (e.g. passive FTP or some UDP connection which you've started). Then you don't have to specify all the incoming ports separately.
Then practically everywhere you now have "-m state --state NEW,ESTABLISHED,RELATED" you can remove all the options. The state is always one of the three, so if you specify them all, then it's the same as not having them specified at all. It makes it easier to read and understand.
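The corrected DNS rules from the reply above, written out as an added example (not code from either poster). It keeps the thread's `$IPT` variable; set `IPT="echo iptables"` to print the rules instead of applying them, since applying them needs root and the iptables binary.

```shell
#!/bin/sh
# Added example: DNS client rules with the chain directions fixed as
# described in the reply, plus the single stateful INPUT rule that
# replaces per-port ESTABLISHED,RELATED entries.
# IPT defaults to the real binary; override with IPT="echo iptables"
# for a dry run that only prints the commands.
IPT="${IPT:-iptables}"

dns_client_rules() {
    # Outbound queries: this host opens a NEW connection *to* port 53,
    # so the NEW state and --dport 53 belong in the OUTPUT chain.
    $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Answers come back *from* port 53 and are ESTABLISHED or RELATED,
    # never NEW: nobody should be opening connections to us on port 53.
    $IPT -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# The two INPUT rules above (and every other "reply traffic" rule) are
# covered by this single rule. Keep it near the top of INPUT so replies
# are accepted before any later DROP rule is reached.
stateful_input_rule() {
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Check the result: packet/byte counters per rule show whether replies
# are really hitting the stateful rule instead of a DROP.
show_input_rules() {
    $IPT -L INPUT -v -n --line-numbers
}
```

On current kernels `-m conntrack --ctstate` is the preferred spelling; `-m state --state` as used in the thread still works as an alias.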