linux – iptables阻止DNS

前端之家收集整理的这篇文章主要介绍了linux – iptables阻止DNS前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。
我在防火墙配置上解锁了端口53,但我的防火墙仍在阻止我的dns查找.

我知道dns查找工作正常,因为如果我将默认的INPUT策略更改为ACCEPT,则名称解析正确完成.

这是iptables脚本

  1. Generated by iptables-save v1.3.5 on Fri Dec 3 12:23:49 2010
  2. *filter
  3. :INPUT DROP [41:3304]
  4. :FORWARD ACCEPT [0:0]
  5. :OUTPUT ACCEPT [558:59294]
  6. :RH-Firewall-1-INPUT - [0:0]
  7. -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
  8. -A INPUT -s 172.16.0.134 -p tcp -m tcp --sport 1024:65535 --dport 80 -j ACCEPT
  9. -A INPUT -s 172.16.0.134 -p tcp -m tcp --sport 1024:65535 --dport 443 -j ACCEPT
  10. -A INPUT -s 172.16.0.134 -p tcp -m tcp --sport 1024:65535 --dport 20 -j ACCEPT
  11. -A INPUT -s 172.16.0.134 -p tcp -m tcp --sport 1024:65535 --dport 21 -j ACCEPT
  12. -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
  13. -A INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
  14. -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
  15. -A INPUT -p udp -m udp --dport 53 -j ACCEPT
  16. -A OUTPUT -s 172.16.0.4 -j DROP
  17. -A OUTPUT -s 172.16.0.136 -j DROP
  18. -A OUTPUT -s 172.16.0.135 -j DROP
  19. COMMIT
  20. # Completed on Fri Dec 3 12:23:49 2010 <code>

iptables -L收益率

  1. [root@saas-dev-dcpc ~]# iptables -L
  2. Chain INPUT (policy DROP)
  3. target prot opt source destination
  4. ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ssh
  5. ACCEPT tcp -- 172.16.0.134 anywhere tcp spts:1024:65535 dpt:http
  6. ACCEPT tcp -- 172.16.0.134 anywhere tcp spts:1024:65535 dpt:https
  7. ACCEPT tcp -- 172.16.0.134 anywhere tcp spts:1024:65535 dpt:ftp-data
  8. ACCEPT tcp -- 172.16.0.134 anywhere tcp spts:1024:65535 dpt:ftp
  9. ACCEPT icmp -- anywhere anywhere icmp any
  10. ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
  11. ACCEPT tcp -- anywhere anywhere tcp dpt:domain
  12. ACCEPT udp -- anywhere anywhere udp dpt:domain
  13.  
  14. Chain FORWARD (policy ACCEPT)
  15. target prot opt source destination
  16.  
  17. Chain OUTPUT (policy ACCEPT)
  18. target prot opt source destination
  19. DROP all -- 172.16.0.4 anywher
  20. DROP all -- 172.16.0.136 anywhere
  21. DROP all -- 172.16.0.135 anywhere
  22.  
  23. Chain RH-Firewall-1-INPUT (0 references)
  24. target prot opt source destination

解决方法

我认为如果你向所有链添加-m state –state RELATED,ESTABLISHED -j ACCEPT规则,这将得到解决.看起来您可能只允许一个方向的DNS流量.

或者,也可以尝试使用–sport 53的规则.

猜你在找的Linux相关文章