Sorry, kind of a dumb question. I'm trying to open a port to allow DNS traffic (port 53, UDP and TCP). I tried a quick nmap from outside my network, and though the TCP port shows up open, there's no reading from the UDP port. How can I tell if I've opened the port correctly? Here's what I think is the relevant output from 'service iptables status' - does this look right? Thanks much...
Chain RH-Firewall-1-INPUT (2 references)
num  target  prot opt source     destination
1    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0
2    ACCEPT  icmp --  0.0.0.0/0  0.0.0.0/0   icmp type 255
3    ACCEPT  esp  --  0.0.0.0/0  0.0.0.0/0
4    ACCEPT  ah   --  0.0.0.0/0  0.0.0.0/0
5    ACCEPT  udp  --  0.0.0.0/0  224.0.0.251 udp dpt:5353
6    ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0   udp dpt:53
7    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0   tcp dpt:53
8    ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0   udp dpt:631
9    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0   tcp dpt:631
10   ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
11   ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:22
12   ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:25
13   ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:80
14   ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:443
15   ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:53
16   ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0   state NEW udp dpt:53
17   REJECT  all  --  0.0.0.0/0  0.0.0.0/0   reject-with icmp-host-prohibited
Hi Peter,
I'm no expert, but as far as I know UDP is stateless, so inspection of flags like NEW would be meaningless.
Let's see what others say.
maybe you can try using telnet to the specific port e.g $telnet server_ip 53
--jo--
Johannes Christian wrote:
maybe you can try using telnet to the specific port e.g $telnet server_ip 53
telnet uses TCP so that won't help for checking UDP.
The reason for opening port 53 is presumably because you have a DNS server running that you want to be able to access from outside?
If so, just try doing a DNS lookup on one of the zones served by your server from outside your network:
$ dig @your.server some.hostname
Paul.
Peter Horst wrote:
Sorry, kind of a dumb question. I'm trying to open a port to allow DNS traffic (port 53, UDP and TCP). I tried a quick nmap from outside my network, and though the tcp port shows up open, there's no reading from the udp port. How can I tell if I've opened the port correctly? Here's what I think is the relevant output from 'service iptables status' - does this look right? Thanks much...
Did you do a UDP nmap scan?
nmap -sU -p53 <target_host>
Chain RH-Firewall-1-INPUT (2 references)
num  target  prot opt source     destination
1    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0
2    ACCEPT  icmp --  0.0.0.0/0  0.0.0.0/0   icmp type 255
3    ACCEPT  esp  --  0.0.0.0/0  0.0.0.0/0
4    ACCEPT  ah   --  0.0.0.0/0  0.0.0.0/0
5    ACCEPT  udp  --  0.0.0.0/0  224.0.0.251 udp dpt:5353
6    ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0   udp dpt:53
7    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0   tcp dpt:53
Both TCP and UDP port 53 open - not state dependent.
8    ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0   udp dpt:631
9    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0   tcp dpt:631
10   ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
11   ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:22
12   ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:25
13   ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:80
14   ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:443
15   ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:53
16   ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0   state NEW udp dpt:53
Again opened port 53 TCP/UDP - here just for state NEW.
17   REJECT  all  --  0.0.0.0/0  0.0.0.0/0   reject-with icmp-host-prohibited
One of the settings isn't necessary. Given the rule that allows everything in state RELATED,ESTABLISHED, you would only need to explicitly allow state NEW for port 53, assuming you run a public nameservice.
Alexander
Alexander Dalloz wrote:
Did you do a UDP nmap scan?
nmap -sU -p53 <target_host>
Thank you for the assistance, all. I did this UDP scan as indicated and it came back "open|filtered." Sounds right?
Peter
Peter Horst wrote:
Thank you for the assistance, all. I did this UDP scan as indicated and it came back "open|filtered." Sounds right?
Peter
Yes. You could improve the nmap scan by using "-sU -sV" as parameters. And if you do as advised by Paul,
dig <domain_in_your_zones> @<public_IP_of_your_DNS>
you can make sure the nameserver responds properly.
Alexander
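The thread's advice comes down to two checks: nmap -sU can only say "open|filtered" for UDP 53 (a silent drop and a listening server that got no valid query look the same to a scanner), while a real DNS query, as dig sends, is the definitive test. The script below is an added example, not code from the thread or from any of the posters. It builds a minimal DNS query, sends it over UDP and over TCP the way dig does, and classifies the outcome with nmap's vocabulary: "answered" (a DNS response came back), "closed" (ICMP port unreachable or TCP connection refused), "filtered" (some other ICMP error, which is what the REJECT ... icmp-host-prohibited rule in the listing produces), or "no-response" (the UDP case nmap reports as open|filtered). So it can run offline, it also includes a constructed stub nameserver on 127.0.0.1 and a demo() that probes it; the stub, the ports it picks, the name example.com. and the helper names are assumptions for the demonstration only.

```python
# Added example (not from the thread): probe a DNS server on UDP and TCP the
# way dig does, and classify the result with the same categories nmap uses.
# The stub nameserver, 127.0.0.1, example.com. and all names here are assumed.
import errno
import socket
import struct
import sys
import threading

TXID = 0x2A2A  # fixed transaction id so replies can be matched to our query


def build_query(name, qtype=1, txid=TXID):
    """Build a minimal DNS query: RFC 1035 header plus one IN-class question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def classify_response(data, txid=TXID):
    """'answered' if data is a DNS response (QR=1) to our txid, else 'garbage'."""
    if len(data) < 12:
        return "garbage"
    rid, flags = struct.unpack("!HH", data[:4])
    return "answered" if rid == txid and flags & 0x8000 else "garbage"


def recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket (DNS over TCP is length-prefixed)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the full DNS message arrived")
        buf += chunk
    return buf


def probe_udp(host, port, name, timeout=2.0):
    """One UDP query. 'no-response' is what nmap shows as open|filtered: a DROP
    rule and a host that simply is not listening on UDP look identical."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket: Linux reports ICMP errors on recv
        s.send(build_query(name))
        try:
            data = s.recv(512)
        except socket.timeout:
            return "no-response"
        except OSError as e:
            if e.errno == errno.ECONNREFUSED:
                return "closed"  # ICMP port unreachable: nothing listening there
            return "filtered"    # e.g. ICMP host-prohibited from an iptables REJECT
    return classify_response(data)


def probe_tcp(host, port, name, timeout=2.0):
    """Same query over TCP with the two-byte length prefix (RFC 1035 4.2.2)."""
    query = build_query(name)
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", recv_exact(s, 2))
            data = recv_exact(s, length)
    except ConnectionRefusedError:
        return "closed"
    except ConnectionError:
        return "garbage"
    except OSError:          # timeout or ICMP error: the packets were filtered
        return "filtered"
    return classify_response(data)


def start_stub_nameserver(host="127.0.0.1"):
    """Constructed stand-in for a real nameserver so the probes can run offline.
    Answers any query with QR=1, RCODE=0 and an empty answer section.
    Returns (udp_port, tcp_port); a real server would use 53 for both."""
    def reply(query):  # keep txid and question, set QR|RD|RA, clear other counts
        return query[:2] + b"\x81\x80" + query[4:6] + b"\x00" * 6 + query[12:]

    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind((host, 0))
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind((host, 0))
    tcp.listen(5)

    def serve_udp():
        while True:
            data, peer = udp.recvfrom(512)
            udp.sendto(reply(data), peer)

    def serve_tcp():
        while True:
            conn, _ = tcp.accept()
            with conn:
                (n,) = struct.unpack("!H", recv_exact(conn, 2))
                answer = reply(recv_exact(conn, n))
                conn.sendall(struct.pack("!H", len(answer)) + answer)

    threading.Thread(target=serve_udp, daemon=True).start()
    threading.Thread(target=serve_tcp, daemon=True).start()
    return udp.getsockname()[1], tcp.getsockname()[1]


def demo():
    """Probe the stub (and a TCP port nobody listens on) and return the verdicts."""
    udp_port, tcp_port = start_stub_nameserver()
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    unused_port = spare.getsockname()[1]
    spare.close()
    return {
        "udp_answered": probe_udp("127.0.0.1", udp_port, "example.com."),
        "tcp_answered": probe_tcp("127.0.0.1", tcp_port, "example.com."),
        "tcp_unused": probe_tcp("127.0.0.1", unused_port, "example.com.", timeout=1.0),
    }


if __name__ == "__main__":
    # usage: python dnsprobe.py <server_ip> <name_in_your_zone> [port]
    server, name = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 53
    print("udp/%d: %s" % (port, probe_udp(server, port, name)))
    print("tcp/%d: %s" % (port, probe_tcp(server, port, name)))
```

Run from outside the network against the public IP and a name in one of your zones; "answered" on both transports is the result the thread is after. A "no-response" on UDP while TCP answers is exactly Peter's original symptom and usually means UDP 53 is dropped somewhere on the path or the server is not bound to UDP, while "filtered" on either transport points at a REJECT with an ICMP error such as rule 17 in the listing.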