我在防火墙配置上解锁了端口53,但我的防火墙仍在阻止我的dns查找.
我知道dns查找工作正常,因为如果我将默认的INPUT策略更改为ACCEPT,则名称解析正确完成.
这是iptables脚本
- Generated by iptables-save v1.3.5 on Fri Dec 3 12:23:49 2010
- *filter
- :INPUT DROP [41:3304]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [558:59294]
- :RH-Firewall-1-INPUT - [0:0]
- -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
- -A INPUT -s 172.16.0.134 -p tcp -m tcp --sport 1024:65535 --dport 80 -j ACCEPT
- -A INPUT -s 172.16.0.134 -p tcp -m tcp --sport 1024:65535 --dport 443 -j ACCEPT
- -A INPUT -s 172.16.0.134 -p tcp -m tcp --sport 1024:65535 --dport 20 -j ACCEPT
- -A INPUT -s 172.16.0.134 -p tcp -m tcp --sport 1024:65535 --dport 21 -j ACCEPT
- -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
- -A INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
- -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
- -A INPUT -p udp -m udp --dport 53 -j ACCEPT
- -A OUTPUT -s 172.16.0.4 -j DROP
- -A OUTPUT -s 172.16.0.136 -j DROP
- -A OUTPUT -s 172.16.0.135 -j DROP
- COMMIT
- # Completed on Fri Dec 3 12:23:49 2010 <code>
iptables -L收益率
- [root@saas-dev-dcpc ~]# iptables -L
- Chain INPUT (policy DROP)
- target prot opt source destination
- ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ssh
- ACCEPT tcp -- 172.16.0.134 anywhere tcp spts:1024:65535 dpt:http
- ACCEPT tcp -- 172.16.0.134 anywhere tcp spts:1024:65535 dpt:https
- ACCEPT tcp -- 172.16.0.134 anywhere tcp spts:1024:65535 dpt:ftp-data
- ACCEPT tcp -- 172.16.0.134 anywhere tcp spts:1024:65535 dpt:ftp
- ACCEPT icmp -- anywhere anywhere icmp any
- ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
- ACCEPT tcp -- anywhere anywhere tcp dpt:domain
- ACCEPT udp -- anywhere anywhere udp dpt:domain
- Chain FORWARD (policy ACCEPT)
- target prot opt source destination
- Chain OUTPUT (policy ACCEPT)
- target prot opt source destination
- DROP all -- 172.16.0.4 anywher
- DROP all -- 172.16.0.136 anywhere
- DROP all -- 172.16.0.135 anywhere
- Chain RH-Firewall-1-INPUT (0 references)
- target prot opt source destination
