I have a firewall which allows ESTABLISHED,RELATED packets on INPUT,
and port 53/udp on OUTPUT. Now, if I query for a DNS name, the
packet leaves the machine, but the reply is usually dropped:
[INPUT]: IN=ppp0 OUT= MAC= SRC=217.232.161.91 DST=62.159.154.42 LEN=68 TOS=0x00 PREC=0x00 TTL=58 ID=9949 PROTO=UDP SPT=53 DPT=16468 LEN=48
Here are the relevant rules:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[INPUT]: "
-P INPUT DROP
I always have to add specific udp sport rules for all nameservers,
which is a pain, and which should not be required.
What am I doing wrong?
(Note that I get the same results with '-m state' instead of '-m ctstate'.)
Thanks,
--
Please do not send copies of list mail to me; I read the list!
.''`. martin f. krafft <madduck@xxxxxxxxxx>
: :' : proud Debian developer, admin, user, and author
`. `'`
`- Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
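An added example (not from the post above, and not the poster's code): a small parser for iptables LOG-target lines like the one quoted, which picks out logged packets that look like answers to queries this host sent itself. With the posted rule order (ESTABLISHED,RELATED accepted, INVALID dropped, then LOG), a packet only reaches the LOG rule if conntrack classified it as NEW (or UNTRACKED), so every such "reply" in the log is a query whose outbound packet left no matching conntrack entry. The set of queried services (REPLY_SPORTS), the ephemeral-port threshold and the helper names are assumptions for the example; the first sample line is the poster's logged DNS reply re-joined onto one line, the other two are constructed here for contrast.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input. The first line is the logged DNS reply from the
# post, re-joined onto one line; the other two are made up here for contrast.
SAMPLE_LOG = """\
[INPUT]: IN=ppp0 OUT= MAC= SRC=217.232.161.91 DST=62.159.154.42 LEN=68 TOS=0x00 PREC=0x00 TTL=58 ID=9949 PROTO=UDP SPT=53 DPT=16468 LEN=48
[INPUT]: IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=62.159.154.42 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
[INPUT]: IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=62.159.154.42 LEN=76 TOS=0x00 PREC=0x00 TTL=49 ID=7 PROTO=UDP SPT=123 DPT=123 LEN=56
"""

_PREFIX_RE = re.compile(r"^\[(?P<prefix>[^\]]*)\]:?\s*(?P<rest>.*)$")

# Assumption for this example: the only UDP services this host queries are
# DNS (53) and NTP (123); adjust to match the host's actual OUTPUT rules.
REPLY_SPORTS = {53, 123}
EPHEMERAL_MIN = 1024   # answers to our own queries come back to a high port


@dataclass
class LogEntry:
    prefix: str
    fields: Dict[str, str]     # key=value tokens (IN, OUT, SRC, PROTO, SPT ...)
    flags: List[str]           # bare tokens such as DF, SYN, ACK
    ip_len: Optional[int]      # first LEN=  : IP total length
    l4_len: Optional[int]      # second LEN= : UDP/ICMP length, if present

    @property
    def proto(self) -> str:
        return self.fields.get("PROTO", "")

    @property
    def spt(self) -> int:
        return int(self.fields.get("SPT", -1))

    @property
    def dpt(self) -> int:
        return int(self.fields.get("DPT", -1))


def parse_log_line(line: str) -> LogEntry:
    """Parse one iptables LOG-target line into prefix, fields and flags."""
    m = _PREFIX_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an iptables LOG line: {line!r}")
    fields: Dict[str, str] = {}
    flags: List[str] = []
    ip_len = l4_len = None
    for tok in m.group("rest").split():
        if "=" not in tok:
            flags.append(tok)          # DF, SYN, ACK ... carry no value
            continue
        key, val = tok.split("=", 1)
        if key == "LEN":
            # LEN appears twice for UDP/ICMP: IP total length, then L4 length.
            # Keep both instead of letting the second overwrite the first.
            if ip_len is None:
                ip_len = int(val)
            else:
                l4_len = int(val)
        else:
            fields[key] = val          # empty values (OUT=, MAC=) stay ""
    return LogEntry(m.group("prefix"), fields, flags, ip_len, l4_len)


def classify(entry: LogEntry) -> str:
    """Label a logged packet by what it looks like on the wire."""
    if (entry.proto == "UDP" and entry.spt in REPLY_SPORTS
            and entry.dpt >= EPHEMERAL_MIN):
        return "reply-to-outbound-udp"
    if entry.proto == "TCP" and "SYN" in entry.flags and "ACK" not in entry.flags:
        return "inbound-syn"
    return "other"


def dropped_replies(log_text: str) -> List[Tuple[str, int, int]]:
    """(SRC, SPT, DPT) of every logged packet that looks like an answer to a
    query this host sent. Under the posted rule order such a packet reaches
    the LOG rule only if conntrack saw it as NEW (or UNTRACKED), i.e. no
    entry created by the outbound query matched it."""
    hits: List[Tuple[str, int, int]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_log_line(line)
        if classify(e) == "reply-to-outbound-udp":
            hits.append((e.fields["SRC"], e.spt, e.dpt))
    return hits


if __name__ == "__main__":
    for src, spt, dpt in dropped_replies(SAMPLE_LOG):
        print(f"untracked reply from {src}:{spt} to local port {dpt}")
```

Feed it `journalctl -k` or `/var/log/kern.log` output filtered on the log prefix; every line it reports is a candidate for checking against `conntrack -L -p udp` to see whether the outbound query ever created an entry, or whether it had already expired. Note the third sample line (NTP port 123 to port 123) is deliberately not reported: a symmetric low-port exchange is not an answer to an ephemeral-port query.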