Before systemd-resolved, my iptables rules for DNS were:
DNS_SERVER="8.8.8.8 8.8.4.4"
IPT=/sbin/iptables   # not shown in the post; the script has to define this before the rules below
echo "Set default INPUT policy to 'DROP'"
$IPT -P INPUT DROP
# allow queries to each upstream resolver and the matching replies (udp and tcp, port 53)
for ip in $DNS_SERVER
do
    echo "Allowing DNS lookups (tcp, udp port 53) to server '$ip'"
    $IPT -A OUTPUT -p udp -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p udp -s $ip --sport 53 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -p tcp -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p tcp -s $ip --sport 53 -m state --state ESTABLISHED -j ACCEPT
done
This allows name resolution in subsequent rules, like these to reach GitHub:
# iptables resolves "github.com" once, when each rule is inserted, and adds one rule per returned address
$IPT -A OUTPUT -p tcp -d "github.com" --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp -s "github.com" --sport 443 -m state --state ESTABLISHED -j ACCEPT
But with systemd-resolved, /etc/resolv.conf now has the stub entry pointing at 127.0.0.53, and the iptables script hangs because it can't resolve hostnames anymore.
I tried using 127.0.0.53 as the DNS nameserver in those rules.
I tried allowing DNS to/from anywhere:
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
At the moment my solution is apt remove systemd-resolved.
How can an iptables script do name resolution when systemd-resolved is installed?
Panic over, I had typos. These rules work, and following https://serverfault.com/questions/948050/ubuntu-understanding-iptables-rules-to-allow-domain-name-lookup I'll try allowing port 53 on the loopback to tighten things up. Is that better for securing against random bot IP DDoS? Other answers are welcome.
These are what I have now:
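The rules the question refers to at this point are not reproduced on the page. The script below is an added example, not the poster's rules and not code from systemd or the linked answer. It shows the two things a firewall script needs once the 127.0.0.53 stub is in play: loopback traffic must be accepted before the first rule that names a host (with INPUT policy DROP and no lo rule, every lookup stalls, which is the hang), and the upstream servers that systemd-resolved itself forwards to still need 53/udp and 53/tcp egress. Assumptions: /sbin/iptables as the binary path, 8.8.8.8/8.8.4.4 as upstreams (copied from the question, not checked on any host; compare with what resolvectl status, or systemd-resolve --status on older releases, reports), a DRY_RUN switch and the function names, and 192.0.2.x addresses in the usage examples, which are documentation addresses, not GitHub's.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumptions: IPT is the
# iptables binary; UPSTREAM_DNS is the server list that `resolvectl status`
# reports as systemd-resolved's upstream (8.8.8.8/8.8.4.4 are copied from the
# question, not from any real host). DRY_RUN=1 prints the commands instead of
# running them, so the rule set can be inspected without root.

IPT="${IPT:-/sbin/iptables}"
UPSTREAM_DNS="${UPSTREAM_DNS:-8.8.8.8 8.8.4.4}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Rules that must be in place before any rule names a host.
dns_rules() {
    # The stub listener is 127.0.0.53:53 on lo. With INPUT policy DROP and no
    # loopback rule every lookup stalls until the resolver gives up, which is
    # what makes the script "hang" at the first hostname rule. Packets on lo
    # can only originate on this host, so accepting the whole interface does
    # not widen the network-facing attack surface.
    run -A INPUT -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT
    # systemd-resolved forwards queries to the upstream servers from this host,
    # so 53/udp and 53/tcp to those addresses must still be allowed. If these
    # are not the servers `resolvectl status` shows, lookups fail silently.
    for ip in $UPSTREAM_DNS; do
        run -A OUTPUT -p udp -d "$ip" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
        run -A INPUT -p udp -s "$ip" --sport 53 -m state --state ESTABLISHED -j ACCEPT
        run -A OUTPUT -p tcp -d "$ip" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
        run -A INPUT -p tcp -s "$ip" --sport 53 -m state --state ESTABLISHED -j ACCEPT
    done
}

# iptables resolves a hostname once, at insertion, and silently expands it to
# one rule per A record; if resolution is blocked the command blocks too.
# Doing the lookup here gives a bounded wait and an explicit error instead.
resolve_ipv4() {
    # getent goes through nsswitch, i.e. the same 127.0.0.53 stub that
    # applications use, so it fails the same way they would.
    timeout 5 getent ahostsv4 "$1" | awk '$2 == "STREAM" { print $1 }' | sort -u
}

# Emit HTTPS rules for a fixed list of addresses (usable without DNS at all).
https_rules_for_addrs() {
    for ip in "$@"; do
        run -A OUTPUT -p tcp -d "$ip" --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
        run -A INPUT -p tcp -s "$ip" --sport 443 -m state --state ESTABLISHED -j ACCEPT
    done
}

# Resolve $1 now, then emit one rule pair per address; fail loudly if DNS is broken.
https_rules_for_host() {
    addrs=$(resolve_ipv4 "$1")
    if [ -z "$addrs" ]; then
        echo "cannot resolve $1: fix the loopback/DNS rules first" >&2
        return 1
    fi
    # shellcheck disable=SC2086  # word-splitting on the address list is intended
    https_rules_for_addrs $addrs
}

main() {
    run -F
    run -P INPUT DROP
    run -P OUTPUT DROP
    dns_rules
    https_rules_for_host github.com
}

# Run the full sequence only when executed under this (assumed) file name,
# so the functions can also be sourced and inspected one at a time.
if [ "${0##*/}" = "resolved-fw.sh" ]; then
    main
fi
```

DRY_RUN=1 sh resolved-fw.sh prints the commands for review; DRY_RUN=0 applies them as root. Two caveats: rules built from a hostname are a snapshot of the addresses returned at that moment, so for a service like GitHub whose addresses change they need re-running (or an ipset that a job refreshes), and narrowing the loopback rules to 127.0.0.53:53 does not add protection against remote bots, because traffic on lo never comes from the network; what limits remote scanners is the INPUT policy DROP itself.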