This is a discussion on iptables and --dport 53 within the Linux Networking forums, part of the Linux Forums category.
Hi,
When I insert a --dport 53 accept rule in the OUTPUT chain my server becomes very slow. My iptables-save output is:

-A INPUT -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

When I remove this rule the server is back to normal.
Richard <emrebalci@yahoo.com> wrote:
> when I insert a --dport 53 accept rule in the OUTPUT chain my server becomes very
> slow

Could you explain a little bit more what you mean with "slow"?

> my iptables-save output is:
> -A INPUT -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
> -A OUTPUT -o eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
> When I remove this rule the server is back to normal

This isn't the entire output from iptables-save (at least the default policy of INPUT and OUTPUT is missing). If I assume the policy is DROP, then you can't resolve names, regardless of whether you have the rule or not, since you only allow outgoing DNS queries but not the related incoming response back. So you need to add at least the following:

-A INPUT -i eth0 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT

HTH
Ciao, Horst
--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn
Horst Knobloch <horschti2@gmx.de> said:
>Richard <emrebalci@yahoo.com> wrote:
>
>> when I insert a --dport 53 accept rule in the OUTPUT chain my server becomes very
>> slow
>> my iptables-save output is:
>> -A INPUT -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
>> -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
>> -A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
....
>If I assume the policy is DROP, then you can't resolve names,
>regardless of whether you have the rule or not, since you only
>allow outgoing DNS queries but not the related incoming
>response back. So you need to add at least the following:
>
>-A INPUT -i eth0 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT

Or rather, replace the original

-A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

with

-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

.... so, lose the protocol check completely. The above already will drop packets that are not somehow related to already established connections. Limiting protocols in this is just a way of breaking one's own networking functionality (as some information related to error conditions of TCP and UDP traffic is passed by various ICMP subtypes).
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
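The two replies above describe one ruleset defect from two angles: Horst's point that the UDP DNS reply is dropped because the only stateful INPUT rule is restricted to TCP, and Juha's point that any protocol restriction on the state rule also drops the RELATED ICMP errors belonging to the host's own flows. The following is an added example, not code from the thread: a small Python lint over iptables-save text that parses the rules and reports both problems. The three rulesets are constructed from the rules posted here, with the missing chain policies assumed to be DROP as Horst assumed; the function names (`parse_ruleset`, `return_path_gaps`, `icmp_errors_allowed`) and the `Rule` class are this example's own.

```python
"""Lint an iptables-save ruleset for a missing stateful return path.

Added example, not code from the forum thread. Rulesets below are constructed
from the rules posted there; the DROP chain policies are an assumption (the
original iptables-save excerpt did not include them).
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field
from typing import Optional

# Assumed policy lines: the poster's excerpt omitted them, DROP is assumed here.
HEADER = "*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT DROP [0:0]\n"
# Rules shared by all three variants (taken from the poster's iptables-save output).
COMMON = """\
-A INPUT -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
"""
# The poster's ruleset: replies are only let back in for TCP.
RULESET_ORIGINAL = HEADER + COMMON + (
    "-A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT\nCOMMIT\n")
# Horst's suggestion: a second, UDP-only state rule.
RULESET_HORST = HEADER + COMMON + (
    "-A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
    "-A INPUT -i eth0 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT\nCOMMIT\n")
# Juha's suggestion: one state rule with no protocol match at all.
RULESET_JUHA = HEADER + COMMON + (
    "-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT\nCOMMIT\n")


@dataclass
class Rule:
    chain: str
    target: Optional[str] = None
    proto: Optional[str] = None   # None: the rule matches any protocol
    iface: Optional[str] = None   # -i on INPUT, -o on OUTPUT
    dport: Optional[str] = None
    states: set = field(default_factory=set)


def parse_ruleset(text: str):
    """Parse iptables-save text into {chain: policy} and a flat list of Rules."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):                     # e.g. ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule = Rule(chain=toks[1])
            # Every option used in these rules takes exactly one argument,
            # so the token stream is consumed in (option, argument) pairs.
            for opt, arg in zip(toks[2::2], toks[3::2]):
                if opt == "-p":
                    rule.proto = arg
                elif opt in ("-i", "-o"):
                    rule.iface = arg
                elif opt == "--dport":
                    rule.dport = arg
                elif opt == "--state":
                    rule.states = set(arg.split(","))
                elif opt == "-j":
                    rule.target = arg
                # "-m tcp" / "-m udp" / "-m state" only load a match module.
            rules.append(rule)
    return policies, rules


def lets_replies_in(rules, proto: str, iface: str) -> bool:
    """True if INPUT accepts ESTABLISHED traffic of this protocol on this interface."""
    return any(r.chain == "INPUT" and r.target == "ACCEPT"
               and "ESTABLISHED" in r.states
               and r.proto in (None, proto) and r.iface in (None, iface)
               for r in rules)


def return_path_gaps(text: str) -> list[str]:
    """Outbound ACCEPT rules whose replies the INPUT chain would drop (Horst's point)."""
    policies, rules = parse_ruleset(text)
    if policies.get("INPUT", "ACCEPT") == "ACCEPT":
        return []                                     # replies accepted by policy anyway
    return [f"OUTPUT {r.proto}/{r.dport} via {r.iface}: no INPUT ESTABLISHED rule for {r.proto}"
            for r in rules
            if r.chain == "OUTPUT" and r.target == "ACCEPT" and r.dport
            and not lets_replies_in(rules, r.proto, r.iface)]


def icmp_errors_allowed(text: str, iface: str = "eth0") -> bool:
    """ICMP errors for our own flows are RELATED; a protocol-bound state rule drops them (Juha's point)."""
    _, rules = parse_ruleset(text)
    return any(r.chain == "INPUT" and r.target == "ACCEPT" and "RELATED" in r.states
               and r.proto in (None, "icmp") and r.iface in (None, iface)
               for r in rules)


if __name__ == "__main__":
    for name, rs in (("original", RULESET_ORIGINAL), ("horst", RULESET_HORST), ("juha", RULESET_JUHA)):
        print(name, return_path_gaps(rs) or "no return-path gaps",
              "| ICMP errors allowed:", icmp_errors_allowed(rs))
```

Run against the three variants, the original ruleset reports the dropped DNS replies, Horst's extra UDP rule closes that gap but still discards ICMP errors such as port-unreachable for the host's own flows, and Juha's protocol-free state rule passes both checks. The same lint can be pointed at a real `iptables-save` dump to catch the asymmetry before it shows up as timeouts.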
Juha Laiho <Juha.Laiho@iki.fi> wrote:
> Horst Knobloch <horschti2@gmx.de> said:
>>Richard <emrebalci@yahoo.com> wrote:
>> [...]
> Or rather, replace the original
> -A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
> with
> -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> ... so, lose the protocol check completely.

Yes, that's better of course.

Ciao, Horst
--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn