Peter Horst wrote:
Sorry, kind of a dumb question. I'm trying to open a port to allow
DNS traffic (port 53, UDP and TCP). I tried a quick nmap from outside
my network, and though the tcp port shows up open, there's no reading
from the udp port. How can I tell if I've opened the port correctly?
Here's what I think is the relevant output from 'service iptables
status' - does this look right? Thanks much...
Did you do a UDP nmap scan?
nmap -sU -p53 <target_host>
Chain RH-Firewall-1-INPUT (2 references)
num  target  prot  opt  source     destination
1    ACCEPT  all   --   0.0.0.0/0  0.0.0.0/0
2    ACCEPT  icmp  --   0.0.0.0/0  0.0.0.0/0    icmp type 255
3    ACCEPT  esp   --   0.0.0.0/0  0.0.0.0/0
4    ACCEPT  ah    --   0.0.0.0/0  0.0.0.0/0
5    ACCEPT  udp   --   0.0.0.0/0  224.0.0.251  udp dpt:5353
6    ACCEPT  udp   --   0.0.0.0/0  0.0.0.0/0    udp dpt:53
7    ACCEPT  tcp   --   0.0.0.0/0  0.0.0.0/0    tcp dpt:53
Both TCP and UDP port 53 open - not state dependent.
8    ACCEPT  udp   --   0.0.0.0/0  0.0.0.0/0    udp dpt:631
9    ACCEPT  tcp   --   0.0.0.0/0  0.0.0.0/0    tcp dpt:631
10   ACCEPT  all   --   0.0.0.0/0  0.0.0.0/0    state RELATED,ESTABLISHED
11   ACCEPT  tcp   --   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:22
12   ACCEPT  tcp   --   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:25
13   ACCEPT  tcp   --   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:80
14   ACCEPT  tcp   --   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:443
15   ACCEPT  tcp   --   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:53
16   ACCEPT  udp   --   0.0.0.0/0  0.0.0.0/0    state NEW udp dpt:53
Again port 53 TCP/UDP opened - here just for state NEW.
17   REJECT  all   --   0.0.0.0/0  0.0.0.0/0    reject-with icmp-host-prohibited
One of the two settings isn't necessary. Given the rule that allows everything in
state RELATED,ESTABLISHED, you would only need to explicitly allow state
NEW for port 53, since you run a public nameservice.
Alexander
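The two checks Alexander's reply suggests, as an added example that is not part of the original thread: a transport-by-transport probe of port 53, and a scan of the posted chain for the stateless rules that the RELATED,ESTABLISHED rule plus a "state NEW" rule already cover. The probe uses dig rather than nmap alone, because a UDP scan can only report "open|filtered" when nothing answers the probe, while a real DNS answer over UDP is conclusive. The rule check generalizes beyond port 53 to any stateless ACCEPT with a dpt: match; it assumes (my choice, not something the thread states) that the stateless rule is the one you drop and the stateful pair is the one you keep. The sample ruleset is the chain from the thread, re-typed in the layout `iptables -L RH-Firewall-1-INPUT -n --line-numbers` prints; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original thread.
#
# verify_dns53 HOST [NAME]: ask HOST for the NS records of NAME over UDP and
# then over TCP. dig exits non-zero (9) when no reply arrives, so "answered"
# means the port is reachable and something is listening; a REFUSED reply
# still counts as answered, which is what a firewall check needs.
# Needs network access; not exercised by the offline test below.
verify_dns53() {
    host=$1
    name=${2:-.}      # assumed default: query for the root zone's NS set
    for transport in udp tcp; do
        if [ "$transport" = tcp ]; then opt=+tcp; else opt=+notcp; fi
        if dig "$opt" +time=2 +tries=1 +short "@$host" "$name" NS >/dev/null 2>&1; then
            echo "53/$transport: answered"
        else
            echo "53/$transport: no answer (filtered, closed, or nothing listening)"
        fi
    done
}

# redundant_stateless_rules: read `iptables -L CHAIN -n --line-numbers`
# output on stdin and print every stateless ACCEPT rule with a dpt: match
# that a RELATED,ESTABLISHED rule plus a "state NEW" rule for the same
# protocol and port already cover. Output: "<rule> <proto> dpt:<port> (covered by rule <n>)".
redundant_stateless_rules() {
    awk '
        $1 ~ /^[0-9]+$/ && $2 == "ACCEPT" {
            if ($0 ~ /RELATED,ESTABLISHED/) established = 1
            port = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^dpt:/) port = $i
            if (port == "") next
            key = $3 " " port                 # e.g. "udp dpt:53"
            if ($0 ~ /state NEW/) stateful[key] = $1
            else stateless[key] = $1
        }
        END {
            if (!established) exit            # without the stateful rule nothing is redundant
            for (k in stateless)
                if (k in stateful)
                    printf "%s %s (covered by rule %s)\n", stateless[k], k, stateful[k]
        }' | sort -n
}

# Constructed sample: the chain posted in the thread, in iptables -L layout.
SAMPLE_RULES='Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
8    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
10   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
13   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
14   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
15   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
16   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
17   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Run the rule check against the sample when executed directly.
printf '%s\n' "$SAMPLE_RULES" | redundant_stateless_rules
```

On a live box, pipe the real chain in with `iptables -L RH-Firewall-1-INPUT -n --line-numbers | redundant_stateless_rules`; on the posted chain it names rules 6 and 7, the stateless port 53 pair, and stays silent about 631 and 5353, which have no stateful counterpart and so are not redundant by this reasoning.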