Skip to main content

Allow tinydns service through iptables firewall

If you use iptables and want to allow tinydns service answer iterative requests:

Note: Tinydns serves from 192.168.1.10 change yours accordingly, and INPUT number may vary for your list of rules.

# iptables -I INPUT 7 -p udp -s 0/0 --sport 1024:65535 -d 192.168.1.10 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

# iptables -A OUTPUT -p udp -s 192.168.1.10 --sport 53 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# iptables -I INPUT 8 -p udp -s 0/0 --sport 53 -d 192.168.1.10 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

# iptables -A OUTPUT -p udp -s 192.168.1.10 --sport 53 -d 0/0 --dport 53 -m state --state ESTABLISHED -j ACCEPT

# service iptables save

After saving rules, iptables --list command should give a list of rules like this:

# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:vnc-server
ACCEPT udp -- anywhere anywhere state NEW udp dpt:vnc-server
ACCEPT udp -- anywhere 192.168.1.10 udp spts:1024:65535 dpt:domain state NEW,ESTABLISHED
ACCEPT udp -- anywhere 192.168.1.10 udp spt:domain dpt:domain state NEW,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 192.168.1.10 anywhere udp spt:domain dpts:1024:65535 state ESTABLISHED
ACCEPT udp -- 192.168.1.10 anywhere udp spt:domain dpt:domain state ESTABLISHED


Comments

Popular posts from this blog

Find and replace with sed command in Linux

Find and replace feature is always handy. It can turn into a torture when it comes to change or delete a simple constant string in a text file. There is a handy tool in linux for doing these kind of tihngs. Actually sed is not a text editor but it is used outside of the text file to make changes.

Sending Jboss Server Logs to Logstash Using Filebeat with Multiline Support

In addition to sending system logs to logstash, it is possible to add a prospector section to the filebeat.yml for jboss server logs. Sometimes jboss server.log has single events made up from several lines of messages. In such cases Filebeat should be configured for a multiline prospector.
Filebeat takes lines do not start with a date pattern (look at pattern in the multiline section "^[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}" and negate section is set to true) and combines them with the previous line that starts with a date pattern.

server.log file excerpt where DatePattern: yyyy-MM-dd-HH and ConversionPattern: %d %-5p [%c] %m%n
Logstash filter: