Iptables – Firewall still blocking port 53 despite listing otherwise

domain-name-system, firewall, iptables

I have 3 nodes with virtually the same iptables rules loaded from a bash script, but one particular node is blocking traffic on port 53 despite listing it's accepting it:

$ iptables --list -v

Chain INPUT (policy DROP 8886 packets, 657K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
    2   122 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-request 
20738 5600K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  eth1   any     anywhere             node1.com multiport dports http,smtp 
    0     0 ACCEPT     udp  --  eth1   any     anywhere             ns.node1.com udp dpt:domain 
    0     0 ACCEPT     tcp  --  eth1   any     anywhere             ns.node1.com tcp dpt:domain 
    0     0 ACCEPT     all  --  eth0   any     node2.backend        anywhere            
   21  1260 ACCEPT     all  --  eth0   any     node3.backend        anywhere            
    0     0 ACCEPT     all  --  eth0   any     node4.backend        anywhere            

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 15804 packets, 26M bytes)
 pkts bytes target     prot opt in     out     source               destination

nmap -sV -p 53 ns.node1.com // From remote server

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-02-24 11:44 EST
Interesting ports on ns.node1.com (1.2.3.4):
PORT   STATE    SERVICE VERSION
53/tcp filtered domain

Nmap finished: 1 IP address (1 host up) scanned in 0.336 seconds

Any ideas?

Thanks

Best Answer

I notice that zero packets have actually reached your iptables ACCEPT rules for DNS. I think it is likely that your iptables rules are specifying an inconsistent combination of conditions that never match incoming DNS queries.

In your case, your DNS ACCEPT rules specify that the incoming interface must be eth1, and the destination IP address must resolve to ns.node1.com. You should check whether incoming DNS queries to ns.node1.com can ever arrive over the eth1 network interface.

Another possibility is that you have another packet filter somewhere between your test client and your server that is blocking DNS packets.
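The answer's diagnosis rests on two observations that can be checked mechanically: the DNS ACCEPT rules have zero packet counters, and they combine `-i eth1` with a destination address that may not live on eth1. The script below is an added example, not part of the question or the answer, that correlates `iptables -nvL INPUT` output with `ip -o -4 addr show` output and reports every rule whose input-interface restriction does not match the interface that actually holds the rule's destination address. Both inputs are constructed samples embedded in the script so it runs offline: the rule lines mirror the listing above in numeric form (`-n`, so destinations appear as IPs rather than hostnames), 1.2.3.4 is the address nmap printed for ns.node1.com, and the assumption that 1.2.3.4 is configured on eth0 rather than eth1 is made up here to illustrate the mismatch the answer describes.

```shell
#!/bin/sh
# Added diagnostic: flag INPUT rules whose "-i <iface>" restriction names an
# interface that does not carry the rule's destination address.
# On a live host, replace the two samples with:
#   RULES=$(iptables -nvL INPUT)
#   ADDRS=$(ip -o -4 addr show)

# Constructed sample of `iptables -nvL INPUT` (numeric, so destinations are IPs).
RULES='Chain INPUT (policy DROP 8886 packets, 657K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
20738 5600K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            1.2.3.4              udp dpt:53
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            1.2.3.4              tcp dpt:53
   21  1260 ACCEPT     all  --  eth0   *       10.0.0.3             0.0.0.0/0'

# Constructed sample of `ip -o -4 addr show`; the assumption here is that the
# public address 1.2.3.4 sits on eth0 while eth1 carries the backend network.
ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 1.2.3.4/24 brd 1.2.3.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth1\       valid_lft forever preferred_lft forever'

# check_rules RULES ADDRS
# Prints one line per rule that (a) has a specific destination address,
# (b) restricts the input interface, and (c) names an interface other than
# the one holding that address. The packet counter is included so a zero
# hit count is visible next to the mismatch.
check_rules() {
    rules=$1
    addrs=$2
    # Build "ADDR IFACE;" pairs from the ip output: field 2 is the interface,
    # field 4 is address/prefix.
    map=$(printf '%s\n' "$addrs" | awk '{ split($4, a, "/"); printf "%s %s;", a[1], $2 }')
    printf '%s\n' "$rules" | awk -v map="$map" '
        BEGIN {
            n = split(map, pairs, ";")
            for (i = 1; i <= n; i++) {
                if (pairs[i] == "") continue
                split(pairs[i], f, " ")
                owner[f[1]] = f[2]
            }
        }
        /^Chain / || $1 == "pkts" { next }   # chain header and column header
        NF < 9 { next }                      # not a rule line
        {
            pkts = $1; target = $3; in_if = $6; dst = $9
            if (dst != "0.0.0.0/0" && in_if != "*" && (dst in owner) && owner[dst] != in_if)
                printf "rule %s to %s requires -i %s but %s is on %s; matched %s packets\n",
                       target, dst, in_if, dst, owner[dst], pkts
        }'
}

# Stand-alone run: report mismatches for the embedded samples.
check_rules "$RULES" "$ADDRS"
```

With the samples above the script reports both port-53 rules: they require `-i eth1`, but 1.2.3.4 is configured on eth0, so no packet can ever satisfy all three conditions and the counters stay at zero while the INPUT policy DROPs the queries (which is exactly what nmap sees as `filtered`). Once the real interface is known, the rule either names that interface or drops the `-i` match entirely; destination hostnames in a rule script are also worth replacing with literal IPs, since `iptables` resolves them once at load time and a name that resolves to an address the host does not own produces the same silent mismatch.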