I have 3 nodes with virtually the same iptables rules loaded from a bash script, but one particular node is blocking traffic on port 53 despite listing that it is accepting it:
$ iptables --list -v
Chain INPUT (policy DROP 8886 packets, 657K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    2   122 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
20738 5600K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth1   any     anywhere             node1.com            multiport dports http,smtp
    0     0 ACCEPT     udp  --  eth1   any     anywhere             ns.node1.com         udp dpt:domain
    0     0 ACCEPT     tcp  --  eth1   any     anywhere             ns.node1.com         tcp dpt:domain
    0     0 ACCEPT     all  --  eth0   any     node2.backend        anywhere
   21  1260 ACCEPT     all  --  eth0   any     node3.backend        anywhere
    0     0 ACCEPT     all  --  eth0   any     node4.backend        anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15804 packets, 26M bytes)
 pkts bytes target     prot opt in     out     source               destination
nmap -sV -p 53 ns.node1.com // From remote server

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-02-24 11:44 EST
Interesting ports on ns.node1.com (1.2.3.4):
PORT   STATE    SERVICE VERSION
53/tcp filtered domain

Nmap finished: 1 IP address (1 host up) scanned in 0.336 seconds
Any ideas?
Thanks
Likely the tcp port is blocked by another firewall. Use tcpdump/Wireshark to debug the problem.
From me:
I notice that zero packets have actually reached your iptables ACCEPT rules for DNS. I think it is likely that your iptables rules are specifying an inconsistent combination of conditions that never match incoming DNS queries. In your case, your DNS ACCEPT rules specify that the incoming interface must be eth1, and the destination IP address must resolve to ns.node1.com. You should check whether incoming DNS queries to ns.node1.com can ever arrive over the eth1 network interface.

Another possibility is that you have another packet filter somewhere between your test client and your server that is blocking DNS packets.
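The counter check described in this answer, as an added example that is not part of the question or either answer: it parses the `iptables --list -v` output posted above (copied into the script as sample input) and reports the DNS ACCEPT rules whose packet counter is still zero together with the in-interface and destination conditions they require, plus how many packets fell through to the chain's DROP policy.

```python
"""Added example: audit an `iptables -L -v` listing for ACCEPT rules whose
packet counter is still zero, the symptom the answer above points at."""
import re
from collections import namedtuple
# The INPUT chain as shown in the question (counters and hostnames copied from it).
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 8886 packets, 657K bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all  --  lo   any anywhere      anywhere
    2   122 ACCEPT icmp --  any  any anywhere      anywhere      icmp echo-request
20738 5600K ACCEPT all  --  any  any anywhere      anywhere      state RELATED,ESTABLISHED
    0     0 ACCEPT tcp  --  eth1 any anywhere      node1.com     multiport dports http,smtp
    0     0 ACCEPT udp  --  eth1 any anywhere      ns.node1.com  udp dpt:domain
    0     0 ACCEPT tcp  --  eth1 any anywhere      ns.node1.com  tcp dpt:domain
    0     0 ACCEPT all  --  eth0 any node2.backend anywhere
   21  1260 ACCEPT all  --  eth0 any node3.backend anywhere
    0     0 ACCEPT all  --  eth0 any node4.backend anywhere
"""

Rule = namedtuple("Rule", "chain pkts target proto in_if out_if src dst extra")

def parse_listing(text):
    """Turn each rule line of `iptables -L -v` output into a Rule; skip headers."""
    rules, chain = [], None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy", line)
        if m:
            chain = m.group(1)
            continue
        cols = line.split(None, 9)  # 9 fixed columns + optional match text
        if chain is None or len(cols) < 9 or not cols[0].isdigit():
            continue  # column header or blank line
        rules.append(Rule(chain, int(cols[0]), cols[2], cols[3], cols[5], cols[6],
                          cols[7], cols[8], cols[9] if len(cols) > 9 else ""))
    return rules

def policy_drops(text, chain="INPUT"):
    """Packets the chain's DROP policy discarded, i.e. traffic no rule matched."""
    m = re.search(r"Chain %s \(policy DROP (\d+) packets" % re.escape(chain), text)
    return int(m.group(1)) if m else 0

def unused_accepts(rules, chain="INPUT", port="domain"):
    """ACCEPT rules for `port` in `chain` that have never matched a packet."""
    return [r for r in rules
            if r.chain == chain and r.target == "ACCEPT" and r.pkts == 0
            and ("dpt:%s" % port) in r.extra]

if __name__ == "__main__":
    print("%d packets fell through to DROP" % policy_drops(SAMPLE_LISTING))
    for r in unused_accepts(parse_listing(SAMPLE_LISTING)):
        print("never matched: %s to %s, only if it arrives on %s" % (r.proto, r.dst, r.in_if))
```

Run it against live output with `iptables -L -v -n | python3 audit.py` after swapping `SAMPLE_LISTING` for `sys.stdin.read()`; any DNS rule it reports is one whose interface and destination conditions the real queries never satisfy.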