Help with iptables for a DNS server.
Hello everyone, I hope all of you are having a great day!
I have a dnsmasq server open to the public internet on a VPS because I like to make custom domain modifications there. But many IPs connecting to my server are reducing my network speed. That is why I want to limit the use of my dnsmasq server to specific IPs. Since I use many VPNs, specifying IPs will filter my traffic neatly. So I added some rules to the INPUT OpenVPN IP rules I used for my VPN to block all traffic except SSH, VPN and port 53. In the code I replaced some IPs for privacy: IP1 is the IP of my other VPN (which is not the current server), IP2 is the IP of a server, and SERVERIP is the current server IP. I'm using Ubuntu Jammy Jellyfish with dnsmasq. I used some code I found on the internet, because by simple logic, if "/usr/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT" is working for SSH, something similar must work for DNS by just replacing the port. But then I tried another snippet that also included sport and state. I added 8.8.8.8, which is the Google DNS nameserver; I don't think it goes here, but adding it won't harm the rule.

Code:
[Unit]

Code:
dig @SERVERIP google.com

Code:
;; communications error to SERVERIP#53: timed out

What am I doing wrong? |
Not exactly sure what's wrong with your setup (other than the misspelling of "ExecStart" in two places), as you seem to have gotten the port numbers correct. But your ruleset is very strangely ordered and lacks at least one vital component, which may or may not affect the operations of the DNS server:
My suggestions:

Code:
[Unit]

Also, bear in mind that the server will return an error if the DNS reply doesn't fit inside a single UDP packet, and the client will then switch to TCP/53, which your current ruleset doesn't allow. |
The first thing I did was to correct the ExecStart entries I had wrong, moved the lines as in your suggested code, and added the rule for the lo interface as well; the ACCEPT policy in OUTPUT was very important. Everything is well with your code, but then I had issues and solved them by adding this additional line before the INPUT drop:

Code:
ExecStart=/usr/sbin/iptables -I INPUT -i ens6 -m state --state RELATED,ESTABLISHED -j ACCEPT |
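Pulling the thread's advice together, here is an added example (not code from either poster) of the ordered INPUT ruleset the replies converge on: loopback and RELATED,ESTABLISHED first, then SSH and the VPN port, then DNS on both UDP/53 and TCP/53 restricted to the allowed client IPs, and a DROP last. The interface name ens6, the OpenVPN port 1194 and the two TEST-NET client addresses are placeholders standing in for the poster's ens6, VPN and IP1/IP2, not values from the thread. By default the script only prints the iptables commands; run it as root with IPT=/usr/sbin/iptables to apply them.

```shell
#!/bin/sh
# Added example: ordered iptables rules for a public dnsmasq VPS that answers
# DNS only for chosen client IPs. Placeholders (assumptions, not the thread's
# real values): WAN interface ens6, OpenVPN on udp/1194, clients in ALLOWED_DNS.
# IPT defaults to a dry run that echoes the commands; set IPT=/usr/sbin/iptables
# to apply them for real.
: "${IPT:=echo /usr/sbin/iptables}"
WAN_IF="${WAN_IF:-ens6}"
VPN_PORT="${VPN_PORT:-1194}"
# Documentation addresses (RFC 5737) standing in for IP1 and IP2.
ALLOWED_DNS="${ALLOWED_DNS:-203.0.113.10 198.51.100.20}"

dns_firewall() {
    # OUTPUT stays ACCEPT so DNS replies and dnsmasq's own upstream queries
    # (e.g. to 8.8.8.8) leave unhindered; INPUT is rebuilt from scratch.
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    # 1. Loopback first: dnsmasq, resolvers and local tools talk over 127.0.0.1.
    $IPT -A INPUT -i lo -j ACCEPT
    # 2. Conntrack early: answers to the server's upstream queries and packets
    #    of already-established SSH/VPN sessions never reach the DROP below.
    $IPT -A INPUT -i "$WAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # 3. Management and VPN.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p udp --dport "$VPN_PORT" -j ACCEPT
    # 4. DNS only from the allowed clients, on BOTH transports: a reply that does
    #    not fit in one UDP packet comes back truncated and the client retries
    #    over TCP/53, which a UDP-only rule would silently drop.
    for ip in $ALLOWED_DNS; do
        $IPT -A INPUT -i "$WAN_IF" -s "$ip" -p udp --dport 53 -j ACCEPT
        $IPT -A INPUT -i "$WAN_IF" -s "$ip" -p tcp --dport 53 -j ACCEPT
    done
    # 5. Everything else arriving on the WAN interface is dropped, and this
    #    rule must stay last (appending with -A keeps that ordering).
    $IPT -A INPUT -i "$WAN_IF" -j DROP
}

# Sanity check for the dry run: how many rules mention a given destination port.
count_port_rules() {
    dns_firewall | grep -c -- "--dport $1"
}

dns_firewall
```

After applying, test from an allowed client with `dig @SERVERIP google.com` and again with `dig +tcp @SERVERIP google.com`; the second query exercises the TCP/53 rule that the original ruleset lacked. From a non-allowed address both should time out, which is the intended behaviour.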