DNS server local firewall rules

Great article, “Linux iptables block or open DNS/bind service port 53”, except it’s more complicated than it needs to be.

Like all of you out there I run my own Domain Name Service (DNS) on the home network, because I can.

After putting it off for over a decade, I finally decided it was time to master iptables. In previous articles I’ve dealt with how to configure for simple services and to redirect ports.

Setting up the necessary iptables rules for a DNS server (in my case the ubiquitous bind from the Internet Software Consortium) isn’t rocket science, but does require a bit of care.

Here are the commands to open the required ports:

iptables -I INPUT -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -p udp --dport 53 -j ACCEPT

Note: DNS clients normally query over UDP, while communications between servers (e.g. zone transfers) are done over TCP; clients also retry over TCP when a UDP answer comes back truncated, so both rules are needed.

The “-I” or “--insert” option will cause these rules to be inserted at the top of the INPUT chain, before any other directives — including any REJECTs — which is exactly where they need to be.

After saving to /etc/sysconfig/iptables (using “iptables-save >/etc/sysconfig/iptables”), you may want to go in and tidy things up a bit so the “*filter” section of the file looks something like this:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [907:110531]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

The most important thing is to make sure your ACCEPTs come before any REJECTs, otherwise you may find clients can’t get through to the service.
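As an added example (not from the original post), here is a small script that generates the same kind of “*filter” section, with the port 53 ACCEPTs limited to the home subnet so the resolver isn’t reachable from the Internet, and a check that every port 53 ACCEPT sits above the first REJECT or DROP in the INPUT chain. The subnet in LAN is an assumption; change it to match your network.

```shell
#!/bin/sh
# Added example: emit a home DNS server rule set and verify its ordering.
LAN=192.168.1.0/24   # assumption: the home network allowed to query this server

# Print the rules in iptables-restore format. The ACCEPTs for port 53 come
# before the final REJECT, which is what the post says matters most.
dns_rules() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s $LAN -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s $LAN -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Read a rule set on stdin. Succeed (exit 0) only if both port 53 ACCEPT
# rules exist in INPUT and none of them appears after a REJECT or DROP.
check_order() {
  awk '
    /^-A INPUT/ && /-j (REJECT|DROP)/ && !seen_reject { seen_reject = NR }
    /^-A INPUT/ && /--dport 53/ && /-j ACCEPT/ {
      if (seen_reject) bad = 1
      n++
    }
    END { if (bad || n < 2) exit 1; exit 0 }'
}
```

Load the result with “dns_rules | iptables-restore” (or write it to /etc/sysconfig/iptables) only after check_order passes.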


About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).