topic Re: iptables is blocking rndc in Operating System - Linux

iptables is blocking rndc

tpfraz — Sat, 26 Jul 2003 03:33:09 GMT

Hi,
I'm having some problems configuring iptables on my name server.
I have bind 9.2.1 on RedHat 8 with iptables 1.2.6a.

I recently tried to configure iptables to allow only ssh and bind to come through on the INPUT. I have destination port 22 and 53 open on both tcp and udp. I also have tcp port 953 open for rndc.
I then have the default policy for INPUT set to DROP.
I have no rules set in either OUTPUT or FORWARD and they both have a default policy of ACCEPT.

When I try to use rndc, it tries to connect but then times out after a while.
If I change the default policy of INPUT to ACCEPT then everything works fine.

Is there something I am missing? Is there another port I need to open.
rndc and bind is of course on the same machine.

Also, when I have these settings in iptables and I try to ssh to the machine. It takes about 10 seconds before the login banner appears on screen.
But again if I set default policy for INPUT to ACCEPT, then all is well again...

Any ideas?
Thanks in advance...

-Travis

Re: iptables is blocking rndc

Khalid A. Al-Tayaran — Sat, 26 Jul 2003 05:12:43 GMT

Hi,

did you try: ntsysv ??

Re: iptables is blocking rndc

U.SivaKumar_2 — Sat, 26 Jul 2003 05:52:59 GMT

Hi,

It seems that you have given the iptables -A INPUT accept rule for rndc after you gave iptables default DROP rule.

Order is important.

Flush iptables input rules and give all the accept rules one by one ( iptables -A INPUT ) and atlast the default DROP rule.

Also check whether rndc is running or not and if running confirm the exact port.

#lsof -i | grep rndc

regards,
U.SivaKumar

Re: iptables is blocking rndc

tpfraz — Sat, 26 Jul 2003 06:51:24 GMT

I added the default DROP policy last,
and I added it as a policy and not a normal rule.

iptables -P INPUT DROP

I don't think order matter as far as policies are concerned.

-Travis

Re: iptables is blocking rndc

Avinoam — Sun, 27 Jul 2003 05:08:06 GMT

you should also add a rule to your INPUT chain the enable established sessions back to you:
add the folowing rule as your first rule in the INPUT chain

iptables -A INPUT -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p UDP -m state --state ESTABLISHED,RELATED -j ACCEPT

this one should do the trick ,all the already established and realted session will be eblae to continue the communication with your pc.

Re: iptables is blocking rndc

tpfraz — Sun, 27 Jul 2003 06:31:57 GMT

Avinoam,
Thank you, a perfect fix...
Those rules fixed both the rndc not working and the ssh login taking a long time.
Thanks again.

-Travis

Re: iptables is blocking rndc

Avinoam — Sun, 27 Jul 2003 06:57:13 GMT

happy to hear that it helped :-)