On my VPS, when I run
ping 8.8.8.8
it works just fine, but when I do
ping google.com
it just hangs. The contents of /etc/resolv.conf
are:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 108.61.10.10
nameserver 208.67.222.222
nameserver 208.67.220.220
and I know OpenDNS works fine. I think the problem is with iptables, because it was working fine before I changed the iptables settings. The output of
iptables -S
is:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp -m multiport ! --dports 80,443,8080,2222,22,1194,993,25,995,143,110,4433 -j DROP
-A INPUT -p udp -m udp -m multiport ! --dports 53,1194,500,4500 -j DROP
-A INPUT -p tcp -m connlimit --connlimit-above 25 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 20/sec --limit-burst 20 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
You need to allow source port 53,
iptables -A INPUT -p udp --sport 53 -j ACCEPT
before
-A INPUT -p udp -m udp -m multiport ! --dports 53,1194,500,4500 -j DROP
, as the replies go from the resolver's source port 53.
For debugging purposes, attach a
-j LOG
target to the problematic rule, and you will get a cleaner picture. However, for a proper firewall I would recommend using
POLICY DROP
and allowing only desired traffic.
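To see why the ruleset in the question drops DNS replies while `ping 8.8.8.8` keeps working, here is an added example (written for this page, not the asker's or answerer's code, and not an iptables tool) that replays the `iptables -S` output above against a constructed DNS reply and an ICMP echo reply, first with the original rule order and then with the answer's `--sport 53` rule inserted before the UDP DROP. The simulator models only the matches that appear on the page (-p, multiport --dports with `!`, --dport/--sport, conntrack --ctstate, --tcp-flags); it assumes rate limits are within their burst and the connlimit threshold is not reached, i.e. an idle host. The packets and the port 41234 are constructed sample values.

```python
"""Replay an iptables INPUT chain against a single packet (offline, added example)."""
from dataclasses import dataclass, field
import shlex

# Rules copied from the question: policy ACCEPT, UDP to ports not listed is dropped.
ORIGINAL_RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp -m multiport ! --dports 80,443,8080,2222,22,1194,993,25,995,143,110,4433 -j DROP
-A INPUT -p udp -m udp -m multiport ! --dports 53,1194,500,4500 -j DROP
-A INPUT -p tcp -m connlimit --connlimit-above 25 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 20/sec --limit-burst 20 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
"""

# The answer's fix: accept replies from source port 53 *before* the UDP DROP rule.
FIXED_RULES = ORIGINAL_RULES.replace(
    "-A INPUT -p udp -m udp",
    "-A INPUT -p udp --sport 53 -j ACCEPT\n-A INPUT -p udp -m udp", 1)

# Constructed packets (not captured traffic): a DNS reply to a query this host
# sent (conntrack marks it ESTABLISHED), and an ICMP echo reply from 8.8.8.8.
DNS_REPLY = {"proto": "udp", "sport": 53, "dport": 41234, "ctstate": "ESTABLISHED", "flags": set()}
ICMP_REPLY = {"proto": "icmp", "sport": None, "dport": None, "ctstate": "ESTABLISHED", "flags": set()}


@dataclass
class Rule:
    raw: str
    proto: str = ""
    target: str = ""
    matches: list = field(default_factory=list)  # (option, negated, args)
    never: bool = False  # connlimit rule: assumed below threshold, so it never fires


ONE_ARG = {"--dports", "--dport", "--sport", "--ctstate"}
TWO_ARGS = {"--tcp-flags"}
# Options consumed without effect: rate limits assumed within burst, reject type irrelevant here.
IGNORED = {"--limit": 1, "--limit-burst": 1, "--reject-with": 1,
           "--connlimit-mask": 1, "--connlimit-saddr": 0}


def parse_chain(text, chain="INPUT"):
    """Return (policy, rules) for one chain of `iptables -S` output."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        toks = shlex.split(line)
        if len(toks) < 3 or toks[1] != chain:
            continue
        if toks[0] == "-P":
            policy = toks[2]
            continue
        if toks[0] != "-A":
            continue
        rule, i, neg = Rule(raw=line), 2, False
        while i < len(toks):
            t = toks[i]
            if t == "!":  # negates the next match option only
                neg, i = True, i + 1
                continue
            if t == "-p":
                rule.proto = toks[i + 1]
                i += 2
            elif t == "-j":
                rule.target = toks[i + 1]
                i += 2
            elif t == "-m":  # match module name; the options that follow carry the data
                i += 2
            elif t in ONE_ARG:
                rule.matches.append((t, neg, toks[i + 1:i + 2]))
                i += 2
            elif t in TWO_ARGS:
                rule.matches.append((t, neg, toks[i + 1:i + 3]))
                i += 3
            elif t == "--connlimit-above":
                rule.never = True
                i += 2
            elif t in IGNORED:
                i += 1 + IGNORED[t]
            else:
                raise ValueError(f"unsupported token {t!r} in rule: {line}")
            neg = False
        rules.append(rule)
    return policy, rules


def rule_matches(rule, pkt):
    """True when every match in the rule (with its negation) holds for the packet."""
    if rule.never or (rule.proto and rule.proto != pkt["proto"]):
        return False
    for opt, neg, args in rule.matches:
        if opt == "--dports":
            hit = pkt["dport"] in {int(p) for p in args[0].split(",")}
        elif opt == "--dport":
            hit = pkt["dport"] == int(args[0])
        elif opt == "--sport":
            hit = pkt["sport"] == int(args[0])
        elif opt == "--ctstate":
            hit = pkt["ctstate"] in args[0].split(",")
        else:  # --tcp-flags MASK COMP: the packet's flags within MASK must equal COMP
            mask, comp = (set(a.split(",")) for a in args)
            hit = (pkt["flags"] & mask) == comp
        if hit == neg:
            return False
    return True


def verdict(rules_text, pkt):
    """Walk the chain top to bottom; LOG is non-terminating, any other target ends the walk."""
    policy, rules = parse_chain(rules_text)
    for rule in rules:
        if rule_matches(rule, pkt) and rule.target != "LOG":
            return rule.target, rule.raw
    return policy, "chain policy"


if __name__ == "__main__":
    for name, rules in (("original order", ORIGINAL_RULES), ("with --sport 53 rule", FIXED_RULES)):
        for pkt_name, pkt in (("DNS reply", DNS_REPLY), ("ICMP echo reply", ICMP_REPLY)):
            target, by = verdict(rules, pkt)
            print(f"{name:22} {pkt_name:16} -> {target:6} ({by})")
```

Running it shows the DNS reply hitting the `! --dports 53,1194,500,4500 -j DROP` rule in the original order (its destination is the resolver client's ephemeral port, not 53) and the ICMP reply falling through to the ACCEPT policy, which is exactly the symptom in the question. With the answer's rule inserted the reply is accepted. One caveat worth knowing: a `--sport 53` accept trusts a field the sender chooses, so a stateful `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` placed at the top of the chain is the usual way to admit replies without opening a port; appending that line to FIXED_RULES in the simulator shows it accepts the same packet. On a live host the answer's `-j LOG` suggestion, or the per-rule counters from `iptables -L INPUT -v -n`, give the same trace from real traffic.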