There is a great article on "Linux iptables block or open DNS/bind service port 53", except it's more complicated than it needs to be.
Like all of you out there I run my own Domain Name Service (DNS) on the home network, because I can.
After putting it off for over a decade, I finally decided it was time to master iptables. In previous articles I've dealt with how to configure iptables for simple services and how to redirect ports.
Setting up the necessary iptables rules for a DNS server (in my case the ubiquitous bind from the Internet Software Consortium) isn’t rocket science, but does require a bit of care.
Here are the commands to open the required ports:
iptables -I INPUT -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -p udp --dport 53 -j ACCEPT
Note: DNS clients use udp, while communications between servers (e.g. zone transfers) are done over tcp.
The "-I" or "--insert" option will cause these rules to be inserted at the top of the INPUT chain, before any other directives (including any REJECTs), which is exactly where they need to be.
After saving to /etc/sysconfig/iptables (using "iptables-save > /etc/sysconfig/iptables"), you may want to go in and tidy things up a bit so the "*filter" section of the file looks something like this:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [907:110531]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
The most important thing is to make sure your ACCEPTs come before any REJECTs, otherwise you may find clients can’t get through to the service.
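That ordering rule can be checked mechanically rather than by eye. The script below is an added example, not part of the original post: it reads a ruleset in iptables-save format from stdin and reports whether the tcp and udp port 53 ACCEPTs in the INPUT chain come before the first REJECT or DROP. The two sample rulesets embedded in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the post): check that a ruleset in iptables-save
# format (read from stdin) accepts tcp and udp port 53 in the filter INPUT
# chain before the first REJECT/DROP. Both protocols are needed: udp for
# normal queries, tcp for zone transfers and for answers too large for udp.
# Jumps to user-defined chains are not followed.
check_dns_rules() {
    awk '
        /^\*/ { table = substr($0, 2) }   # table header line, e.g. *filter
        table == "filter" && $1 == "-A" && $2 == "INPUT" {
            n++                            # rule position within INPUT
            if ($0 ~ /-j (REJECT|DROP)/ && !first_deny) first_deny = n
            if ($0 ~ /--dport 53 / && $0 ~ /-j ACCEPT/) {
                if ($0 ~ /-p tcp/) tcp = n
                if ($0 ~ /-p udp/) udp = n
            }
        }
        END {
            if (!tcp || !udp) {
                print "missing port 53 ACCEPT (tcp=" (tcp+0) ", udp=" (udp+0) ")"; exit 1
            }
            if (first_deny && (tcp > first_deny || udp > first_deny)) {
                print "port 53 ACCEPT comes after REJECT/DROP at INPUT rule " first_deny; exit 1
            }
            print "ok: tcp/53 is INPUT rule " tcp ", udp/53 is INPUT rule " udp
        }
    '
}
# Constructed sample: rules added with -I, so the ACCEPTs precede the REJECT.
GOOD_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'
# Constructed sample: same rules appended with -A, so they sit after the REJECT.
BAD_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT'
# On a live host: iptables-save | check_dns_rules
printf '%s\n' "$GOOD_RULES" | check_dns_rules
printf '%s\n' "$BAD_RULES" | check_dns_rules || echo "fix: re-add the rules with -I"
```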