RE: first time set up

Thanks Ted for the pointers, I'll give it a shot.

Only really because Ziegler recommends it.  It's early days though, and at
the moment I'm almost bordering on setting default policies to ACCEPT just
to get the stupid DNS resolution working.

Just to clarify the status, it's the other way round --- I just want the box
to be able to look up DNS; it's not running DNS itself.  So by inference all
I should do is change INPUT to OUTPUT in your example?

Thanks to George in Edinburgh also for the advice re: resolving DNS via TCP;
I will allow that too.

Fingers crossed ...

steve


-----Original Message-----
From: Ted Kaczmarek [mailto:tedkaz@xxxxxxxxxxxxx] 
Sent: 30 October 2003 12.04
To: Knight, Steve
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: first time set up


Any particular reason you want default output drop?
That is a lot of overhead unless the box is only a DNS server;
then your train of thought is OK.

Also you need

iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT

You could specify the interface as well, like so:

iptables -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT

Ted



On Thu, 2003-10-30 at 06:50, Knight, Steve wrote:
> Hi there ---
> 
> Once I've got the normal stuff in place on a test standalone box [default
> drop, accept related + established on tcp, loopback enabled]
> 
> iptables -A OUTPUT -p udp -s $LOCALIP -d $DNS1 --dport 53 -j ACCEPT
> 
> Shouldn't this be enough to allow standard dns resolution to take place?
> According to Ziegler, it should?
> 
> Or am I a complete plum?
> 
> Any pointers as to my plumness gratefully received.  Thanks :)
> 
> steve
> 
> 
> 
> -----------------------------------------------------------------------
> Information in this email may be privileged, confidential and is 
> intended exclusively for the addressee.  The views expressed may
> not be official policy, but the personal views of the originator.
> If you have received it in error, please notify the sender by return
> e-mail and delete it from your system.  You should not reproduce, 
> distribute, store, retransmit, use or disclose its contents to anyone.
>  
> Please note we reserve the right to monitor all e-mail
> communication through our internal and external networks.
> -----------------------------------------------------------------------
-- 
Ted Kaczmarek<tedkaz@xxxxxxxxxxxxx>
18 Packanack Lake Road
Wayne, NJ, 07470
973-633-6892

AIM-tedhurrah
Yahoo-oasysted
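The rule set the thread is circling around, written out as an added example (not from either poster): a default-DROP host that only needs to resolve names against one resolver. It assumes the `-m state` match of the 2003-era kernels, constructed placeholder addresses for LOCALIP and DNS1, and an IPT variable so the rules can be previewed with `IPT=echo` before touching the live tables. Replies to UDP and TCP queries are let back in by the ESTABLISHED,RELATED rule on INPUT, so a resolver-only box needs no INPUT --dport 53 rule; the matching ESTABLISHED rule on OUTPUT is what keeps TCP lookups (truncated answers, zone transfers) from stalling after the SYN.

```shell
#!/bin/sh
# DNS-client-only rule set for a default-DROP host.
# IPT may be overridden (IPT=echo) to print the rules instead of applying them.
IPT="${IPT:-iptables}"
LOCALIP="${LOCALIP:-192.0.2.10}"   # constructed example: this host's address
DNS1="${DNS1:-192.0.2.53}"         # constructed example: the upstream resolver

dns_client_rules() {
    # Default policies: drop everything not explicitly allowed.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback is needed for local programs talking to each other.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Conntrack handles the replies, UDP as well as TCP, so no INPUT
    # --dport 53 rule is needed on a box that merely looks names up.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Without this, TCP lookups send the SYN and then lose the rest of the
    # handshake, because only the first packet of a flow is NEW.
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New queries from this host to the configured resolver only.
    # UDP is the common case; TCP is used for truncated (large) answers.
    $IPT -A OUTPUT -p udp -s "$LOCALIP" -d "$DNS1" --dport 53 \
        -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp -s "$LOCALIP" -d "$DNS1" --dport 53 \
        -m state --state NEW -j ACCEPT
}

# Only apply when explicitly asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "apply" ]; then
    dns_client_rules
fi
```

Run `IPT=echo sh dns-client.sh apply` to review the generated rules, then the same command without `IPT=echo` as root to load them.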




