[Unbound-users] Unbound and firewall

Gábor Lénárt lgb at lgb.hu
Thu Nov 29 16:29:41 UTC 2012


On Thu, Nov 29, 2012 at 03:59:49PM +0000, Ricardo Fraile wrote:
>    I try to put iptables in the same server that unbound but I can't do a local resolv:
> dig terra.es @
> ; <<>> DiG 9.7.3 <<>> terra.es @
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> whit this iptables rules:
> :OUTPUT ACCEPT [2271:2106405]
> -A INPUT -s -p tcp -j ACCEPT 
> -A INPUT -s -p udp -j ACCEPT 
> -A INPUT -s -p icmp -j ACCEPT 
> -A INPUT -s -p udp -j ACCEPT 
> -A INPUT -s -p tcp -j ACCEPT 
> -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
> -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT 
> -A INPUT -p udp -m udp --dport 53 -j ACCEPT 
> If I clean the firewall, all works, but why? Which ports use unbound for the queries?

As far as I can see, you haven't enabled the connection tracking about
"established" UDP "connections" (because you only used tcp).  Yeah,
UDP is not a connection oriented protocol, but still connection tracking of
netfilter builds some kind of conntrack entries on UDP connections as well. 
Also, some kind of answers can be even icmp messages, which won't be enabled
either if you restrict your netfilter rules do only do RELATED,ESTABLISHED
states for TCP and not for other protocols.



So, without specifying "tcp", then it will work for the other cases as well,
what I mentioned.

Also, before DROP, you can have this:

-A INPUT -j LOG --log-prefix "netfilter-drop: "

Then use command dmesg (or your kernel log) about messages. Maybe you can
use ULOG target as well (with --ulog-prefix then, though) but in that case
you should use something which can log using netlink sockets (if I remember
correctly by heart) eg ulogd daemon.

What can I guess: if you query your unbound on localhost it won't be
restirected by your rules, but maybe your unbound want to use UDP to query
authoritative nameservers using UDP, and the answers for those could be
blocked by your rules.

Just some hints, I can be wrong here ...

More information about the Unbound-users mailing list