Chain RH-Firewall-1-INPUT (2 references)
Ugh. I absolutely detest the tool behind this.
This is what I do.
Trusted interfaces like lo and networks go first, and then packets
belonging to established connections are shorted, which leaves connection
requests to be branched out into tcp, udp and icmp chains. Further
branching can then be done as desired. E.g.: if you firewall a lot of spam
sources, you could test for smtp packets going to port 25 and branch
those out to another chain that deals solely with the spam sources, and
spare other connection requests from having to go through rules that they are
definitely not going to match.
iptables -L -n
Chain INPUT (policy DROP)
target        prot opt source          destination
ACCEPT        all  --  0.0.0.0/0       0.0.0.0/0
ACCEPT        all  --  0.0.0.0/0       0.0.0.0/0
ACCEPT        all  --  10.9.0.0/17     0.0.0.0/0
ACCEPT        all  --  0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
tcp_packets   tcp  --  0.0.0.0/0       0.0.0.0/0
udp_packets   udp  --  0.0.0.0/0       0.0.0.0/0
icmp_packets  icmp --  0.0.0.0/0       0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target        prot opt source          destination

Chain OUTPUT (policy ACCEPT)
target        prot opt source          destination

Chain icmp_packets (1 references)
target        prot opt source          destination
ACCEPT        icmp --  0.0.0.0/0       0.0.0.0/0       icmp type 3
ACCEPT        icmp --  0.0.0.0/0       0.0.0.0/0       icmp type 11
ACCEPT        icmp --  0.0.0.0/0       0.0.0.0/0       icmp type 8

Chain tcp_packets (1 references)
target        prot opt source          destination
REJECT        tcp  --  0.0.0.0/0       0.0.0.0/0       tcp dpt:113 reject-with tcp-reset
ACCEPT        tcp  --  0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:443
ACCEPT        tcp  --  0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:53
ACCEPT        tcp  --  0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:22
ACCEPT        tcp  --  0.0.0.0/0       0.0.0.0/0       tcp dpt:80 state NEW
ACCEPT        tcp  --  0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:25
ACCEPT        tcp  --  0.0.0.0/0       0.0.0.0/0       tcp dpt:993 state NEW
ACCEPT        tcp  --  0.0.0.0/0       0.0.0.0/0       tcp dpt:143 state NEW
ACCEPT        tcp  --  0.0.0.0/0       0.0.0.0/0       tcp dpt:587 state NEW
ACCEPT        tcp  --  0.0.0.0/0       0.0.0.0/0       tcp dpt:465 state NEW
ACCEPT        tcp  --  0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:1194
ACCEPT        tcp  --  0.0.0.0/0       0.0.0.0/0       tcp dpt:21 state NEW
ACCEPT        tcp  --  0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:110

Chain udp_packets (1 references)
target        prot opt source          destination
ACCEPT        udp  --  0.0.0.0/0       0.0.0.0/0       state NEW udp dpt:53
ACCEPT        udp  --  0.0.0.0/0       0.0.0.0/0       udp spt:123
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
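The layered layout the post describes (trusted interfaces and networks first, a RELATED,ESTABLISHED short-circuit, then per-protocol chains with a further SMTP-only branch for spam sources), written out as an added example in iptables-restore format so the whole ruleset loads atomically rather than rule by rule. This is not the poster's script; the interface name eth1, the spam-source list 192.0.2.0/24 and 198.51.100.7, and the function names build_ruleset and rule_count are assumptions for illustration. It also tightens the listing's bare "udp spt:123" rule, as noted in the comments.

```shell
#!/bin/sh
# Added example (not from the original post): emit the layered INPUT ruleset
# described above in iptables-restore format, so it loads atomically with
#   sh firewall.sh | iptables-restore
# Interface/network names and the spam-source list are constructed
# assumptions for illustration; substitute your own.

TRUSTED_IF="${TRUSTED_IF:-eth1}"                 # assumed internal interface
TRUSTED_NET="${TRUSTED_NET:-10.9.0.0/17}"        # network from the listing
SPAM_SOURCES="${SPAM_SOURCES:-192.0.2.0/24 198.51.100.7}"   # constructed sample
# every TCP service from the listing except 25, which is branched separately
TCP_SERVICES="22 53 80 110 143 443 465 587 993 1194"

build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:tcp_packets - [0:0]
:udp_packets - [0:0]
:icmp_packets - [0:0]
:smtp_sources - [0:0]
# 1. trusted interfaces and networks first
-A INPUT -i lo -j ACCEPT
-A INPUT -i $TRUSTED_IF -j ACCEPT
-A INPUT -s $TRUSTED_NET -j ACCEPT
# 2. short-circuit packets of connections already accepted
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# 3. what is left is connection attempts: branch by protocol
-A INPUT -p tcp -j tcp_packets
-A INPUT -p udp -j udp_packets
-A INPUT -p icmp -j icmp_packets
-A icmp_packets -p icmp --icmp-type 3 -j ACCEPT
-A icmp_packets -p icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp --icmp-type 8 -j ACCEPT
# reset ident probes outright so remote MTAs do not wait for a timeout
-A tcp_packets -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# 4. further branch: only SMTP walks the spam-source list
-A tcp_packets -p tcp --dport 25 -j smtp_sources
EOF
    for port in $TCP_SERVICES; do
        printf '%s\n' "-A tcp_packets -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    for src in $SPAM_SOURCES; do
        printf '%s\n' "-A smtp_sources -s $src -j DROP"
    done
    cat <<EOF
-A smtp_sources -p tcp -m state --state NEW -j ACCEPT
-A udp_packets -p udp --dport 53 -m state --state NEW -j ACCEPT
# the listing's "udp spt:123" rule has no dport or state match, so any host
# sending from source port 123 could reach any UDP service; pin it to NTP itself
-A udp_packets -p udp --sport 123 --dport 123 -j ACCEPT
COMMIT
EOF
}

# number of -A rules emitted; a quick sanity check before loading
rule_count() {
    build_ruleset | grep -c '^-A'
}

case "${1:-}" in
    --load) build_ruleset | iptables-restore ;;   # needs root and iptables
    *)      build_ruleset ;;
esac
```

When reviewing a box like the one in the listing, use `iptables -L -n -v` (or `iptables-save`) rather than plain `-L -n`: without `-v` the interface column is hidden, which is why the first two INPUT rules above read as "ACCEPT all from anywhere" even though they are presumably the lo and internal-interface rules. Because the RELATED,ESTABLISHED rule sits before the protocol branches, everything reaching tcp_packets and udp_packets is a new or invalid packet, so the `-m state --state NEW` matches there are what keep INVALID packets from being accepted.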