Hi, It's just past 3am and for the past 6 hours I've been configuring a secondary name server to replace one that just crashed. My problem appears to be that port 53 is not open for some reason on my server even though I have this:
[root@tribe etc]# netstat -an | grep ":53 "
tcp        0      0 205.211.154.3:53        0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
udp        0      0 205.211.154.3:53        0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 205.211.154.3:53        0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 205.211.154.3:53        0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 205.211.154.3:53        0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 205.211.154.3:53        0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 205.211.154.3:53        0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 205.211.154.3:53        0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
But with a test from http://www.yougetsignal.com/tools/open-ports/ it says port 53 is closed.
I'm using CentOS 6.0 and BIND 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2
I'm not using iptables (well I didn't configure any)
[root@tribe log]# iptables --line-numbers -n -L
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Currently this server is not behind any type of firewall.
Can someone suggest something I have forgotten?
TIA, Shane
Shane Bywater wrote:
Hi, It's just past 3am and for the past 6 hours I've been configuring a secondary name server to replace one that just crashed. My problem appears to be that port 53 is not open for some reason on my server even though I have this:
[root@tribe etc]# netstat -an | grep ":53 "
tcp        0      0 205.211.154.3:53        0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
udp        0      0 205.211.154.3:53        0.0.0.0:*
{snip}
But with a test from http://www.yougetsignal.com/tools/open-ports/ it says port 53 is closed.
I'm using CentOS 6.0 and BIND 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2
I'm not using iptables (well I didn't configure any)
{snip}
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
{snip}
Can someone suggest something I have forgotten?
TIA, Shane
I think iptables rule 5 is stopping DNS.
I can 'see' your ICMP (ping) and SSH are open from here.
I've not used CentOS 6 in production yet but try entering:-
iptables -I INPUT 4 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 4 -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
hopefully that will fix it
YMMV
Ken
Ken Smith wrote:
Shane Bywater wrote:
Hi, It's just past 3am and for the past 6 hours I've been
iptables -I INPUT 4 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 4 -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Ken
Obviously those commands are all on one line, so the '--state' is followed by 'NEW,' and not line wrapped as in this e-mail
:-) Ken
On 02/01/2012 10:01 AM, Ken Smith wrote:
I think iptables rule 5 is stopping DNS.
I can 'see' your ICMP (ping) and SSH are open from here.
I've not used CentOS 6 in production yet but try entering:-
iptables -I INPUT 4 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 4 -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
You only want "--state NEW". The related/established bit is handled by rule 1 in the INPUT chain.
Regards, Dennis
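An added example, not code from anyone in this thread: a small audit that reads an `iptables -S INPUT` dump, reports whether 53/udp and 53/tcp are accepted before the catch-all REJECT that Ken identified as rule 5, and prints the corrective inserts with only `--state NEW` as Dennis recommends. The chain dump is constructed to mirror Shane's listing; rule 3 ("ACCEPT all") is assumed to be the loopback rule, and the insert position (the REJECT rule's own index) is an assumption too.

```shell
#!/bin/sh
# Added example: audit an INPUT chain for "catch-all REJECT before DNS ACCEPT"
# and emit the fix. Input is the text `iptables -S INPUT` prints, one rule per
# line in chain order, so rule N here equals the N in `iptables --line-numbers -L`.

# Constructed sample reproducing the original post's chain; rule 3 is assumed
# to be the usual loopback rule, whose interface `-n -L` does not display.
SHANE_INPUT='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# dns_rule_status DUMP PROTO -> open:N | open:policy | blocked-by-rule:N | blocked-by-policy
dns_rule_status() {
    printf '%s\n' "$1" | awk -v proto="$2" '
        /^-P INPUT / { policy = $3; next }
        /^-A INPUT / {
            n++
            if ($0 ~ ("-p " proto " ") && $0 ~ /--dport 53( |$)/ && $0 ~ /-j ACCEPT$/) {
                res = "open:" n; exit             # accepted before any catch-all
            }
            if ($0 !~ /-p / && $0 !~ /--dport/ && $0 ~ /-j (REJECT|DROP)/) {
                res = "blocked-by-rule:" n; exit  # catch-all reached first
            }
        }
        END { if (res == "") res = (policy == "ACCEPT") ? "open:policy" : "blocked-by-policy"; print res }'
}

# dns_fix_commands DUMP: inserts that open 53/udp and 53/tcp ahead of the
# catch-all, matching only NEW because rule 1 already covers RELATED,ESTABLISHED.
# Assumption: insert at the REJECT rule's index so the ACCEPT lands right before it.
dns_fix_commands() {
    for proto in udp tcp; do
        status=$(dns_rule_status "$1" "$proto")
        case "$status" in
            blocked-by-rule:*)
                echo "iptables -I INPUT ${status#blocked-by-rule:} -p $proto --dport 53 -m state --state NEW -j ACCEPT" ;;
            blocked-by-policy)
                echo "iptables -A INPUT -p $proto --dport 53 -m state --state NEW -j ACCEPT" ;;
            *)
                echo "# $proto/53 already accepted ($status)" ;;
        esac
    done
}

echo "udp: $(dns_rule_status "$SHANE_INPUT" udp)"   # blocked-by-rule:5
echo "tcp: $(dns_rule_status "$SHANE_INPUT" tcp)"   # blocked-by-rule:5
dns_fix_commands "$SHANE_INPUT"
```

Re-run the status check after applying the inserts; an ACCEPT that was appended after the REJECT rule still reports as blocked, which is the ordering mistake the audit exists to catch.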
On 02/01/2012 12:14 AM, Shane Bywater wrote:
I'm not using iptables (well I didn't configure any)
[root@tribe log]# iptables --line-numbers -n -L
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
You should figure out who/what did, then. Those rules don't look like they were created by Red Hat's tools (where you'd see RH-Firewall...), and won't be present by default. Something created rules and the rules don't allow access to TCP or UDP 53 (you need both).
For now, just flush the rules: iptables -F INPUT