Firewall [SOLVED]: added dns port to iptables but it's not open CentOS 7


    Anonymous

    Question

    I added the DNS server ports to iptables, and the named service is even listening on them when I check with netstat, but when I check the port from outside it's closed.

    iptables -n -L => output:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED
    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53
    

    netstat -lnp => output:

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
    tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      11222/named         
    tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      652/master          
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1357/nginx: master  
    tcp        0      0 123.123.123.123:53       0.0.0.0:*               LISTEN      11222/named         
    tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      11222/named         
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      585/sshd            
    tcp6       0      0 ::1:953                 :::*                    LISTEN      11222/named         
    tcp6       0      0 ::1:25                  :::*                    LISTEN      652/master          
    tcp6       0      0 :::3306                 :::*                    LISTEN      10529/mysqld        
    tcp6       0      0 :::80                   :::*                    LISTEN      1357/nginx: master  
    tcp6       0      0 :::53                   :::*                    LISTEN      11222/named         
    tcp6       0      0 :::22                   :::*                    LISTEN      585/sshd            
    udp        0      0 123.123.123.123:53       0.0.0.0:*                           11222/named         
    udp        0      0 127.0.0.1:53            0.0.0.0:*                           11222/named         
    udp6       0      0 :::53                   :::*                                11222/named         
    Active UNIX domain sockets (only servers)
    Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
    unix  2      [ ACC ]     STREAM     LISTENING     11177    652/master           private/verify
    unix  2      [ ACC ]     STREAM     LISTENING     11180    652/master           public/flush
    unix  2      [ ACC ]     STREAM     LISTENING     11183    652/master           private/proxymap
    unix  2      [ ACC ]     STREAM     LISTENING     11186    652/master           private/proxywrite
    unix  2      [ ACC ]     STREAM     LISTENING     27726    10529/mysqld         /var/lib/mysql/mysql.sock
    unix  2      [ ACC ]     STREAM     LISTENING     11189    652/master           private/smtp
    unix  2      [ ACC ]     STREAM     LISTENING     11192    652/master           private/relay
    unix  2      [ ACC ]     STREAM     LISTENING     11195    652/master           public/showq
    unix  2      [ ACC ]     STREAM     LISTENING     11198    652/master           private/error
    unix  2      [ ACC ]     STREAM     LISTENING     11201    652/master           private/retry
    unix  2      [ ACC ]     STREAM     LISTENING     11204    652/master           private/discard
    unix  2      [ ACC ]     STREAM     LISTENING     11272    325/acpid            /var/run/acpid.socket
    unix  2      [ ACC ]     STREAM     LISTENING     11207    652/master           private/local
    unix  2      [ ACC ]     STREAM     LISTENING     11210    652/master           private/virtual
    unix  2      [ ACC ]     STREAM     LISTENING     11213    652/master           private/lmtp
    unix  2      [ ACC ]     STREAM     LISTENING     11216    652/master           private/anvil
    unix  2      [ ACC ]     STREAM     LISTENING     11219    652/master           private/scache
    unix  2      [ ACC ]     STREAM     LISTENING     14096    1082/php-fpm: maste  /run/php-fpm/php-fpm.sock
    unix  2      [ ACC ]     STREAM     LISTENING     11151    652/master           public/pickup
    unix  2      [ ACC ]     STREAM     LISTENING     9051     1/systemd            /var/run/dbus/system_bus_socket
    unix  2      [ ACC ]     SEQPACKET  LISTENING     13690    1/systemd            /run/udev/control
    unix  2      [ ACC ]     STREAM     LISTENING     13253    1/systemd            /run/systemd/private
    unix  2      [ ACC ]     STREAM     LISTENING     7127     1/systemd            /run/systemd/journal/stdout
    unix  2      [ ACC ]     STREAM     LISTENING     11155    652/master           public/cleanup
    unix  2      [ ACC ]     STREAM     LISTENING     11158    652/master           public/qmgr
    unix  2      [ ACC ]     STREAM     LISTENING     11162    652/master           private/tlsmgr
    unix  2      [ ACC ]     STREAM     LISTENING     11165    652/master           private/rewrite
    unix  2      [ ACC ]     STREAM     LISTENING     11168    652/master           private/bounce
    unix  2      [ ACC ]     STREAM     LISTENING     11171    652/master           private/defer
    unix  2      [ ACC ]     STREAM     LISTENING     11174    652/master           private/trace
    

    Any idea how to fix this?


    Anonymous

    Accepted Answer

    To fix it you have to do the following:

    iptables-save > temp.ruleset
    
    vi temp.ruleset
    

    Find the line with -j REJECT; there's only one.

    Move it two lines down, below the two udp rules.

    Save with :wq.

    Reload the edited ruleset with iptables-restore < temp.ruleset.

    Please, in the future, add rules with iptables -I (rule position number) rather than with iptables -A: because you're blocking with this INPUT REJECT rule, anything below it will be blocked.

    Source: https://serverfault.com/questions/882093/added-dns-port-to-iptables-but-its-not-open-centos-7
    Author: Marco
    Creative Commons License
    This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
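The procedure above, carried through as a script. This is an added example, not code from the original thread or from the answer's author. It works on the text format that iptables-save emits (the file the answer tells you to edit), so it runs without root and without iptables installed: it lists the INPUT rules hidden behind the catch-all REJECT, writes a corrected dump with that REJECT moved to the end of the chain, and prints the `iptables -I INPUT N` command that would have avoided the problem on the live system. The ruleset is constructed from the question's `iptables -L` output; the third rule is assumed to be the usual CentOS loopback rule (`-i lo`), which `iptables -L` hides unless you pass -v, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original thread. Operates on iptables-save text.
# Constructed from the question's rules; the "-i lo" rule is an assumption
# (iptables -L without -v does not show interfaces).
RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT
COMMIT'

# A catch-all REJECT is an INPUT rule with no match options, i.e. a line that
# starts exactly "-A INPUT -j REJECT". Rules appended after it in the same
# chain are never evaluated, which is exactly the question's symptom.

# Print every INPUT rule that sits below the catch-all REJECT on stdin.
# Exit status 1 when at least one rule is shadowed, 0 when none is.
shadowed_input_rules() {
    awk '
        /^-A INPUT -j REJECT/   { seen = 1; next }
        /^-A INPUT / && seen    { print; n++ }
        END                     { exit (n > 0) }
    '
}

# Rewrite the dump so the catch-all REJECT is the last rule of INPUT.
# Every other line (chain headers, FORWARD, OUTPUT, COMMIT) passes through
# unchanged, so the result still loads with iptables-restore.
fix_input_order() {
    awk '
        function flush() { if (held != "") { printf "%s", held; held = "" } }
        /^-A INPUT -j REJECT/ { held = held $0 "\n"; next }  # hold it back
        /^-A INPUT /          { print; next }                 # keep order
        { flush(); print }                                    # INPUT chain ended
        END { flush() }
    '
}

# 1-based position of the catch-all REJECT inside INPUT. This is the N to use
# with "iptables -I INPUT N ..." so a new ACCEPT lands just above the REJECT.
reject_position() {
    awk '/^-A INPUT /{ n++ } /^-A INPUT -j REJECT/ { print n; exit }'
}

# Live-system equivalent of the answer's edit for one proto/port, printed
# rather than executed so this script stays side-effect free.
# usage: printf '%s\n' "$RULESET" | insert_command udp 53
insert_command() {
    pos=$(reject_position)
    printf 'iptables -I INPUT %s -p %s -m %s --dport %s -j ACCEPT\n' "$pos" "$1" "$1" "$2"
}

echo "== INPUT rules hidden behind the catch-all REJECT =="
printf '%s\n' "$RULESET" | shadowed_input_rules || true
echo "== corrected dump (feed this to iptables-restore) =="
printf '%s\n' "$RULESET" | fix_input_order
echo "== what to run instead of iptables -A (tcp/53 too: named listens on it) =="
printf '%s\n' "$RULESET" | insert_command udp 53
printf '%s\n' "$RULESET" | insert_command tcp 53
```

Two things the thread does not mention: the restored ruleset lives only in the running kernel until you save it (on CentOS 7 with iptables-services that is `service iptables save`, which writes /etc/sysconfig/iptables), and the netstat output shows named listening on tcp/53 as well, which DNS needs for truncated responses and zone transfers, so the tcp rule printed above belongs next to the udp one. The second udp/53 rule in the original dump is redundant and can be dropped.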
