Centos iptables open port 53

user1817081 asked:

I am having problem opening port 53 on my centos machine, for DNS configuration.

Here is my iptables config

-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT

When I ran a nmap scan of the machine only port 80 showed up as open on it. Am I missing anything?

EDIT:

Full iptable

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT -reject-with icmp-host-prohibited
-A FORWARD -j REJECT -reject-with icmp-host-prohibited
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT 

My answer:


Your semantics are reversed.

The rules you posted permit outgoing DNS connections to a remote DNS server, not incoming connections to a local DNS server.

To permit connections to your local DNS server, reverse the INPUT and OUTPUT rules:

-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT

(And please take a few minutes at some point to revise your firewall to be stateful.)


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.