Centos iptables open port 53

user1817081 asked:

I am having problem opening port 53 on my centos machine, for DNS configuration.

Here is my iptables config

-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT

When I ran a nmap scan of the machine only port 80 showed up as open on it. Am I missing anything?

EDIT:

Full iptable

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT -reject-with icmp-host-prohibited
-A FORWARD -j REJECT -reject-with icmp-host-prohibited
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT 

My answer:


Your semantics are reversed.

The rules you posted permit outgoing DNS connections to a remote DNS server, not incoming connections to a local DNS server.

To permit connections to your local DNS server, reverse the INPUT and OUTPUT rules:

-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT

(And please take a few minutes at some point to revise your firewall to be stateful.)


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.