I was trying to block all udp first, then allow dns but it does not work. It works when I put allow dns rules first, then block all udp rules after. Is there any way to block all udp first?
@Floris said:
Before you do that; make damn sure you allow SSH.
As long as the walk to the data center is on a sunny day
@namhuy said:
but isn't it more secure to drop all first then allow what you need?
This depends on how the list is processed. Usually the first applicable entry stops it. So first you list all items you want to allow and then have a default deny entry.
@namhuy said:
but isn't it more secure to drop all first then allow what you need?
You're saying it, if you drop all of it first, how can you decide which was allowed and which wasn't? I'm not really familiar with iptables rules order but allow-drop makes more sense.
@introducial depends on your need and what app you are running. generally for a web server, it only needs 80, 21. The more you develop your server, the more you know what you need to open.
@namhuy said:
I always have input/output/forward chains drop on the top, then start to allow tcp ports. What I'm trying to do is to put
iptables -A INPUT -p udp -j DROP
iptables -A OUTPUT -p udp -j DROP
before allow dns udp port which does not work unless I put allow dns udp before drop all udp.
That's how iptables/netfilter works. It matches the first rule it finds, and in this case, it will find the "drop udp packets" rule before the one allowing a specific kind of traffic.
The "-A" switch appends the rule to the bottom of the chain, while the "-I" one will add the rule to the top of the chain. Try adding your "allow udp port" rule with "-I" and see if it works for you.
@namhuy said:
@qrwteyrutiyoup if I use -I, it's not really different than if I manually put allow udp dns rules before block all udp rules.
Exactly, and that's the point. If the rule allowing it isn't before the one denying it, it will be denied, since that will be the rule iptables will match against.
@qrwteyrutiyoup I think I got this now. I misunderstood iptables chains and iptables rules. Normally I have all chains drop, and allow rules under the chain.
iptables -A INPUT -p udp -j DROP
iptables -A OUTPUT -p udp -j DROP
Comments
What about hosting your DNS on cloudflare for free. more radical but would offload your server ;-)
You should allow what you want first and block the rest.
Yep iptables order is key for any rules.
just keep the default policy rules
add these:
iptables -A OUTPUT -p udp --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp --dport 53 --sport 1024:65535 -j ACCEPT
hope it could help
@namhuy: Maybe you can accomplish what you want by changing the chain policy to drop and then allowing the traffic you want (tcp + udp53)?
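Putting the thread's advice together as an added example (this is not a ruleset anyone in the thread posted): the chain policy is set to DROP, every ACCEPT is appended above any broad DROP, and the SSH rule sits first so a mistake further down does not lock you out. It assumes the host is a DNS client (it sends queries out on udp/53 and gets the replies back through conntrack) rather than a DNS server, and it assumes a dry-run convention where `IPT` defaults to `echo iptables` so the command order can be inspected without root; set `IPT=iptables` to apply for real.

```bash
#!/bin/sh
# Added example, not from the thread. Netfilter stops at the first matching
# rule in a chain, so every ACCEPT must come before a broad DROP. Using the
# chain *policy* for the default deny keeps the DROP at the very end.
# IPT defaults to a dry run that only prints the commands (assumption).
IPT="${IPT:-echo iptables}"

apply_rules() {
    $IPT -F INPUT
    $IPT -F OUTPUT
    # Default policy: a packet that matches no rule below is dropped.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    # Loopback and already-established flows first; they match most traffic.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # SSH before anything that drops, so a bad rule lower down cannot lock you out.
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # Outbound DNS queries; the replies are accepted by the ESTABLISHED rule above.
    $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
    # Explicit catch-all UDP drop, appended LAST. With the DROP policy above it
    # is redundant, but if you want it, this is the only place it can go.
    $IPT -A INPUT  -p udp -j DROP
    $IPT -A OUTPUT -p udp -j DROP
}

# If the DROP rule is already in place and an ACCEPT was appended below it,
# -I (insert, position 1 by default) puts the ACCEPT at the top of the chain
# instead of the bottom, which is why -I "fixes" the ordering problem.
insert_dns_allow_on_top() {
    $IPT -I OUTPUT 1 -p udp --dport 53 -j ACCEPT
}

# 1-based position of the first emitted command matching PATTERN (dry-run only).
rule_index() {
    apply_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Sanity check you can run before applying: the DNS ACCEPT must sit above the UDP DROP.
check_order() {
    allow=$(rule_index 'OUTPUT -p udp --dport 53')
    drop=$(rule_index 'OUTPUT -p udp -j DROP')
    [ -n "$allow" ] && [ -n "$drop" ] && [ "$allow" -lt "$drop" ]
}

apply_rules
check_order && echo "order ok: DNS accept precedes UDP drop"
```

With the defaults the script only prints the iptables commands in the order they would be applied; `check_order` reads that listing back and fails if the DNS ACCEPT ever ends up below the catch-all UDP DROP, which is exactly the situation the original post ran into.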
those are rules so yeah it follows rules order
BIG thanks from me