[H-GEN] Need a 2nd (3rd...) opinion.
Robert Brockway
robert at timetraveller.org
Mon Jul 23 19:40:18 EDT 2001
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Please observe the list's charter. ]
[ Worthwhile understanding: http://www.humbug.org.au/netiquette.html ]
Hi all. I'm doing up a firewall using iptables for a
squid proxycache/dns/mail server.
The proxycache is working fine, but the dns/mail isn't working as
expected.
I can't see what is wrong with the firewall rules below :)
The box is a slave dns server and won't accept zone transfers.
Dns queries fail either locally or from a remote client.
These things work with the firewall down of course :)
I expect it'll be the same problem with smtp.
Telnetting to port 25 & 53 works fine.
IPs have been changed to protect the guilty :)
I'm sure it is something simple but I just can't see it :)
Any help greatly appreciated :)
Rob
--
Robert Brockway B.Sc. email: robert at timetraveller.org ICQ: 104781119
Linux counter project ID #16440 (http://www.li.org)
blake: up 18 days, 6:15, 11 users, load average: 1.00, 1.00, 1.00
"The earth is but one country and mankind its citizens" -Baha'u'llah
---------- Forwarded message ----------
# Flush the rules
/sbin/iptables -F INPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F OUTPUT
# Drop all packets by default
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP
# Let the localhost have full access
/sbin/iptables -A INPUT -j ACCEPT -p all -s 127.0.0.1 -d 127.0.0.1
/sbin/iptables -A OUTPUT -j ACCEPT -p all -s 127.0.0.1 -d 127.0.0.1
# Let ernie have full access
/sbin/iptables -A INPUT -j ACCEPT -p all -s 192.168.219.65 -d 192.168.219.70
/sbin/iptables -A OUTPUT -j ACCEPT -p all -s 192.168.219.70 -d 192.168.219.65
# The world needs access to named as grover is an authoritative server
/sbin/iptables -A INPUT -j ACCEPT -p tcp -s 0.0.0.0/0 -d 192.168.219.70 --dport 53
/sbin/iptables -A OUTPUT -j ACCEPT -p tcp -s 192.168.219.70 -d 0.0.0.0/0 --sport 53
/sbin/iptables -A INPUT -j ACCEPT -p udp -s 0.0.0.0/0 -d 192.168.219.70 --dport 53
/sbin/iptables -A OUTPUT -j ACCEPT -p udp -s 192.168.219.70 -d 0.0.0.0/0 --sport 53
# The world needs access to smtp as grover is a secondary mail server
/sbin/iptables -A INPUT -j ACCEPT -p tcp -s 0.0.0.0/0 -d 192.168.219.70 --dport 25
/sbin/iptables -A OUTPUT -j ACCEPT -p tcp -s 192.168.219.70 -d 0.0.0.0/0 --sport 25
# Let anyone access a non privileged port
# NB: includes the proxy cache listener (8080)
/sbin/iptables -A INPUT -j ACCEPT -p tcp -s 0.0.0.0/0 -d 192.168.219.70 --dport 1024:65535
/sbin/iptables -A OUTPUT -j ACCEPT -p tcp -s 192.168.219.70 -d 0.0.0.0/0 --sport 1024:65535
# Print Firewall rules
clear
/sbin/iptables -L
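As an added example that is not part of the post, here is a small Python model of the forwarded chains that replays the flows the mail describes (a remote client's query, the slave's refresh and zone transfer to its master, a local query) and reports the verdict each one gets from the posted rules. It models only the matches the rules use (-p, -s, -d, --sport, --dport); the master and client addresses, the ephemeral source port for named's own queries, and a local resolver pointed at the interface address rather than 127.0.0.1 are assumptions.

```python
import ipaddress

# Constructed model of the forwarded chains: policy DROP, rules in posted order.
# Tuple: (chain, proto, src, dst, sport_range, dport_range); None means any.
RULES = [
    ("INPUT",  "all", "127.0.0.1/32",      "127.0.0.1/32",      None, None),
    ("OUTPUT", "all", "127.0.0.1/32",      "127.0.0.1/32",      None, None),
    ("INPUT",  "all", "192.168.219.65/32", "192.168.219.70/32", None, None),
    ("OUTPUT", "all", "192.168.219.70/32", "192.168.219.65/32", None, None),
    ("INPUT",  "tcp", "0.0.0.0/0",         "192.168.219.70/32", None, (53, 53)),
    ("OUTPUT", "tcp", "192.168.219.70/32", "0.0.0.0/0",         (53, 53), None),
    ("INPUT",  "udp", "0.0.0.0/0",         "192.168.219.70/32", None, (53, 53)),
    ("OUTPUT", "udp", "192.168.219.70/32", "0.0.0.0/0",         (53, 53), None),
    ("INPUT",  "tcp", "0.0.0.0/0",         "192.168.219.70/32", None, (25, 25)),
    ("OUTPUT", "tcp", "192.168.219.70/32", "0.0.0.0/0",         (25, 25), None),
    ("INPUT",  "tcp", "0.0.0.0/0",         "192.168.219.70/32", None, (1024, 65535)),
    ("OUTPUT", "tcp", "192.168.219.70/32", "0.0.0.0/0",         (1024, 65535), None),
]

def in_range(port, rng):
    return rng is None or rng[0] <= port <= rng[1]

def verdict(chain, proto, src, dst, sport, dport):
    """Walk a chain the way iptables does: first match wins, otherwise policy DROP."""
    for r_chain, r_proto, r_src, r_dst, r_sport, r_dport in RULES:
        if r_chain != chain or r_proto not in ("all", proto):
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(r_src):
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(r_dst):
            continue
        if in_range(sport, r_sport) and in_range(dport, r_dport):
            return "ACCEPT"
    return "DROP"

# Constructed flows. MASTER and CLIENT are placeholder addresses (not from the mail);
# an ephemeral source port for named's own queries is an assumption (BIND 9 behaviour).
ME, MASTER, CLIENT, EPH = "192.168.219.70", "192.0.2.10", "198.51.100.7", 32768

def check_flows():
    return {
        "client udp query in":     verdict("INPUT",  "udp", CLIENT, ME, EPH, 53),
        "client udp answer out":   verdict("OUTPUT", "udp", ME, CLIENT, 53, EPH),
        "soa refresh to master":   verdict("OUTPUT", "udp", ME, MASTER, EPH, 53),
        "axfr syn to master":      verdict("OUTPUT", "tcp", ME, MASTER, EPH, 53),
        "axfr reply from master":  verdict("INPUT",  "tcp", MASTER, ME, 53, EPH),
        "local query to own addr": verdict("OUTPUT", "udp", ME, ME, EPH, 53),
    }
```

Calling check_flows() shows that the authoritative answer path and the TCP transfer itself are admitted, while any UDP the box sends from a non-53 source port, including the query to its own interface address, falls through to the OUTPUT policy.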