From mboxrd@z Thu Jan 1 00:00:00 1970
From: Rick Malt
Subject: iptables blocks dns lookups
Date: Sat, 13 Sep 2003 14:15:23 +0307
Sender: netfilter-admin@lists.netfilter.org
Message-ID: <3F62FAA3.6010101@globesoft.net>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
Errors-To: netfilter-admin@lists.netfilter.org
List-Help:
List-Post:
List-Subscribe: ,
List-Id:
List-Unsubscribe: ,
List-Archive:
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: netfilter@lists.netfilter.org

When I use the High-Security option of redhat-config-securitylevel the clients have no response when they run nslookup -sil. Even fetchmail dies with nslookup errors, but local zone lookups are working properly. I can also ssh to this box. I tried to insert a few iptables rules to allow queries on port 53 with proto udp, but it is still not working. The clients are able to browse the net without any problems. How do I allow DNS to the clients? My internet device is ppp0 and the LAN device is eth0. The current rules are ....
--------------------
# Generated by iptables-save v1.2.7a on Thu Sep 11 12:36:22 2003
*mangle
:PREROUTING ACCEPT [374:40132]
:INPUT ACCEPT [370:39959]
:FORWARD ACCEPT [4:173]
:OUTPUT ACCEPT [293:45077]
:POSTROUTING ACCEPT [297:45250]
COMMIT
# Completed on Thu Sep 11 12:36:22 2003
# Generated by iptables-save v1.2.7a on Thu Sep 11 12:36:22 2003
*nat
:PREROUTING ACCEPT [8:611]
:POSTROUTING ACCEPT [19:1118]
:OUTPUT ACCEPT [19:1118]
COMMIT
# Completed on Thu Sep 11 12:36:22 2003
# Generated by iptables-save v1.2.7a on Thu Sep 11 12:36:22 2003
*filter
:INPUT ACCEPT [8:663]
:FORWARD ACCEPT [2:88]
:OUTPUT ACCEPT [293:45077]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 127.0.0.1 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 192.168.100.0/24 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Sep 11 12:36:22 2003
---------

Thanks in advance
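The ruleset above explains the symptom once you walk it the way the kernel does: both INPUT and FORWARD jump into RH-Lokkit-0-50-INPUT, which accepts anything arriving on lo or eth0 and UDP replies from source port 53 only when they come from 127.0.0.1 or 192.168.100.0/24. A DNS reply arriving on ppp0 from an outside nameserver matches neither of those, falls through to the final `-p udp -j REJECT` rule, and is refused, while a TCP web reply (ACK set, SYN clear) matches no rule and is accepted by the chain's ACCEPT policy. The script below is an added example, not code from the post or from Red Hat's lokkit: it parses the poster's *filter table verbatim, simulates the chain traversal for a few constructed packets (the outside addresses 198.51.100.53 and 203.0.113.9 are documentation-range samples, not from the post), and then shows that a single stateful `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule placed before the REJECTs lets the solicited replies in while still refusing unsolicited UDP from the Internet.

```python
"""Simulate iptables filter-chain traversal for the RH-Lokkit ruleset.

Added example (not from the list post). FILTER_TABLE is the poster's own
*filter table; the packets and the proposed fix are constructed here.
Only the matches the table uses are modelled: -i, -s, -p, --sport, --dport,
--tcp-flags, and --state for the proposed fix.
"""
import ipaddress
import shlex

FILTER_TABLE = """
:INPUT ACCEPT [8:663]
:FORWARD ACCEPT [2:88]
:OUTPUT ACCEPT [293:45077]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 127.0.0.1 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 192.168.100.0/24 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
"""

# Proposed fix (constructed): accept packets belonging to connections the box or
# its clients initiated, before the two REJECT rules get a chance to match.
STATE_RULE = "-A RH-Lokkit-0-50-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
FIXED_TABLE = FILTER_TABLE.replace(
    "-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT",
    "-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT\n" + STATE_RULE)


def parse_table(text):
    """Return (policies, chains) from iptables-save ':' and '-A' lines."""
    policies, chains = {}, {}
    for line in text.strip().splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif line.startswith("-A "):
            toks = shlex.split(line)[1:]
            rule, i = {"matches": {}, "target": None}, 1
            while i < len(toks):
                t = toks[i]
                if t == "-j":
                    rule["target"] = toks[i + 1]; i += 2
                elif t == "--tcp-flags":           # mask and comparison flag lists
                    rule["matches"][t] = (toks[i + 1], toks[i + 2]); i += 3
                elif t == "--state":
                    rule["matches"][t] = toks[i + 1].split(","); i += 2
                elif t in ("-i", "-s", "-p", "--sport", "--dport"):
                    rule["matches"][t] = toks[i + 1]; i += 2
                elif t in ("-m", "--reject-with"):  # module loaders / reject type: no match effect
                    i += 2
                else:
                    i += 1
            chains[toks[0]].append(rule)
    return policies, chains


def matches(rule, pkt):
    """True when every match in the rule holds for the packet dict."""
    m = rule["matches"]
    if "-i" in m and pkt["in"] != m["-i"]:
        return False
    if "-s" in m and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(m["-s"], strict=False):
        return False
    if "-p" in m and pkt["proto"] != m["-p"]:
        return False
    if "--sport" in m and pkt.get("sport") != int(m["--sport"]):
        return False
    if "--dport" in m and pkt.get("dport") != int(m["--dport"]):
        return False
    if "--tcp-flags" in m:  # of the flags in the mask, exactly those in comp must be set
        mask, comp = (set(x.split(",")) for x in m["--tcp-flags"])
        if set(pkt.get("flags", ())) & mask != comp:
            return False
    if "--state" in m and pkt.get("state") not in m["--state"]:
        return False
    return True


def walk(chains, chain, pkt):
    """First terminating verdict in the chain, or None if it falls through."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "REJECT", "DROP"):
            return target
        if target in chains:                       # user-defined chain; RETURN on fall-through
            sub = walk(chains, target, pkt)
            if sub is not None:
                return sub
    return None


def decide(table, hook, pkt):
    """Final verdict for a packet entering built-in chain `hook` (policy applies on fall-through)."""
    policies, chains = parse_table(table)
    return walk(chains, hook, pkt) or policies[hook]


# Constructed packets. 198.51.100.53 / 203.0.113.9 are documentation-range addresses.
DNS_REPLY = {"in": "ppp0", "src": "198.51.100.53", "proto": "udp", "sport": 53, "dport": 1025, "state": "ESTABLISHED"}
WEB_REPLY = {"in": "ppp0", "src": "198.51.100.53", "proto": "tcp", "sport": 80, "dport": 1026, "flags": ("ACK",), "state": "ESTABLISHED"}
LAN_QUERY = {"in": "eth0", "src": "192.168.100.10", "proto": "udp", "sport": 1027, "dport": 53, "state": "NEW"}
UNSOLICITED_UDP = {"in": "ppp0", "src": "203.0.113.9", "proto": "udp", "sport": 4444, "dport": 53, "state": "NEW"}

if __name__ == "__main__":
    for label, table in (("original", FILTER_TABLE), ("with state rule", FIXED_TABLE)):
        print(f"{label}: DNS reply to box={decide(table, 'INPUT', DNS_REPLY)}, "
              f"DNS reply to client={decide(table, 'FORWARD', DNS_REPLY)}, "
              f"web reply to client={decide(table, 'FORWARD', WEB_REPLY)}, "
              f"unsolicited UDP={decide(table, 'INPUT', UNSOLICITED_UDP)}")
```

Run stand-alone it prints the original table rejecting the DNS reply on both INPUT and FORWARD while accepting the web reply, and the table with the state rule accepting the reply but still rejecting the unsolicited UDP datagram from ppp0. The stateful rule is preferable to a bare `-i ppp0 -p udp --sport 53 -j ACCEPT`, which would admit any datagram that merely claims source port 53.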