kaze on Wed, 6 Aug 2003 21:52:08 -0400
Resolved!

<snip>
--> kaze wrote:
--> > Is it possible IPtables on the machines is somehow to blame?
--> >
--> > What can I do next to troubleshoot?
<snip>
--> seem sure, so I mentioned it again for clarity. From your trace in the previous
--> message it looks to me like you have something blocked. It is hard to tell for
--> sure without sniffing the packets with tcpdump or something. You do not have
--> iptables turned on, on the nameservers do you??
-->
--> --
--> ......Tom Registered Linux User #14522
<snip>

Yes, I did have iptables on and locked down too tight, among other configuration errors. When I did these installs, during the Red Hat setup on the firewall configuration screens I chose the high security level, opened ports for ssh, and in the "other ports" field put in some entries for DNS. At the time I found the syntax for opening tcp 53 _and_ udp 53, but I just searched for 15 min and can't find it again; I vaguely remember something like "tcp:53 udp:53". I think the reloads and updates are working now that I went back into lokkit and chose no firewall. Here is the log after rndc reload gh-systems.com.
[root@IMDMZDNS2 root]# tail /var/log/messages -n 8
Aug 6 18:40:56 IMDMZDNS2 sshd(pam_unix)[7670]: session opened for user root by (uid=0)
Aug 6 18:41:15 IMDMZDNS2 named[6230]: loading configuration from '/etc/named.conf'
Aug 6 18:41:15 IMDMZDNS2 named[6230]: no IPv6 interfaces found
Aug 6 18:41:15 IMDMZDNS2 named[6230]: zone 0.0.127.in-addr.arpa/IN: transfered serial 1
Aug 6 18:41:15 IMDMZDNS2 named[6230]: transfer of '0.0.127.in-addr.arpa/IN' from 10.10.10.213#53: end of transfer
Aug 6 18:42:18 IMDMZDNS2 named[6230]: zone gh-systems.com/IN: transfered serial 2003080501
Aug 6 18:42:18 IMDMZDNS2 named[6230]: transfer of 'gh-systems.com/IN' from 10.10.10.213#53: end of transfer
Aug 6 18:42:18 IMDMZDNS2 named[6230]: zone gh-systems.com/IN: sending notifies (serial 2003080501)
[root@IMDMZDNS2 root]#

Kewl. This is the iptables lokkit setup with my setting which allowed a dig axfr but blocked named from doing it itself:

[root@IMDMZDNS1 root]# cat /etc/sysconfig/iptables
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 53 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 10.1.1.42 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 10.1.1.53 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 146.145.64.2 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT
[root@IMDMZDNS1 root]#

I would like to have iptables up and on, open for only all this DNS stuff, and ssh; but as the Ciscos there...

- Zake
_________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion -- http://lists.netisland.net/mailman/listinfo/plug
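The lokkit ruleset above is stateless, and that is what separates the two observations in the post (a manual dig axfr got through, named's own transfer did not). A slave's transfer starts with a UDP SOA query to the master; the answer comes back from the master's port 53 to an ephemeral port, which none of the "--sport 53" rules cover (those were punched for the resolvers in /etc/resolv.conf, not for the master 10.10.10.213 seen in the log), so the final "-p udp -j REJECT" drops it. The TCP side of an AXFR survives because the SYN/ACK reply is not a bare SYN and so never hits the "--syn -j REJECT" rule. The script below is an added example, not part of the post or of lokkit: it models the page's own rule lines as a tiny first-match filter, checks the packets a slave nameserver needs to receive, and shows one fix written in lokkit's own style (a hypothetical extra ACCEPT for replies from the master). The master address and packet values are taken from or constructed around the post.

```python
"""Evaluate the post's lokkit INPUT chain as a stateless first-match filter.

Only the matches the page's rules actually use are modelled (-p, -i, -s, -d,
--sport, --dport, --syn); there is no connection tracking, which is the point.
"""
import ipaddress
import shlex

# Rule lines copied from the post (the RH-Lokkit-0-50-INPUT chain).
LOKKIT_RULES = """\
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 53 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 10.1.1.42 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 10.1.1.53 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 146.145.64.2 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
"""

# Master address as it appears in the post's named log.
MASTER = "10.10.10.213"

# Hypothetical fix in lokkit's own style: let the master's UDP answers
# (source port 53) back in, placed before the catch-all UDP REJECT.
FIX_RULE = f"-A RH-Lokkit-0-50-INPUT -p udp -m udp -s {MASTER} --sport 53 -d 0/0 -j ACCEPT"
FIXED_RULES = LOKKIT_RULES.replace(
    "-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT",
    FIX_RULE + "\n-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT",
)


def parse_rules(text):
    """Turn iptables-save style '-A chain ...' lines into match dicts."""
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line)
        if not toks or toks[0] != "-A":
            continue
        rule, i = {}, 2  # skip '-A <chain>'
        while i < len(toks):
            if toks[i] == "--syn":
                rule["syn"] = True
                i += 1
            elif toks[i] == "-m":
                i += 2  # match-extension name; no effect on this evaluator
            else:
                rule[toks[i]] = toks[i + 1]
                i += 2
        rules.append(rule)
    return rules


def _addr_match(spec, addr):
    if spec in ("0/0", "0.0.0.0/0"):
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt):
    """True when every match in the rule applies to the packet."""
    if "-p" in rule and rule["-p"] != pkt["proto"]:
        return False
    if "-i" in rule and rule["-i"] != pkt.get("iface", "eth0"):
        return False
    if "-s" in rule and not _addr_match(rule["-s"], pkt["src"]):
        return False
    if "-d" in rule and not _addr_match(rule["-d"], pkt["dst"]):
        return False
    if "--sport" in rule and int(rule["--sport"]) != pkt["sport"]:
        return False
    if "--dport" in rule and int(rule["--dport"]) != pkt["dport"]:
        return False
    if rule.get("syn") and not pkt.get("syn", False):
        return False  # --syn only matches a bare SYN, never the SYN/ACK reply
    return True


def verdict(rules, pkt, policy="ACCEPT"):
    """First matching rule wins; otherwise the chain's policy (ACCEPT in the post)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["-j"]
    return policy


def slave_dns_report(rules_text, slave="10.10.10.214"):
    """Verdicts for the inbound packets a slave needs (slave IP is constructed)."""
    rules = parse_rules(rules_text)
    packets = {
        # master's NOTIFY lands on our port 53: covered by the --dport 53 rule
        "notify_from_master": dict(proto="udp", src=MASTER, dst=slave, sport=53, dport=53),
        # master's answer to our SOA query: sport 53 -> our ephemeral port
        "soa_answer_from_master": dict(proto="udp", src=MASTER, dst=slave, sport=53, dport=32768),
        # SYN/ACK for our AXFR connection: TCP, not a bare SYN
        "axfr_synack_from_master": dict(proto="tcp", src=MASTER, dst=slave, sport=53, dport=32769, syn=False),
        # an unsolicited inbound connection attempt must still be refused
        "unsolicited_tcp_syn": dict(proto="tcp", src="192.0.2.9", dst=slave, sport=40000, dport=25, syn=True),
    }
    return {name: verdict(rules, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for label, text in (("lokkit as posted", LOKKIT_RULES), ("with master reply rule", FIXED_RULES)):
        print(label)
        for name, v in slave_dns_report(text).items():
            print(f"  {name:26s} {v}")
```

Running it shows the SOA answer rejected under the posted rules and accepted once the master's port-53 replies are allowed, while the unsolicited SYN stays rejected in both. On a kernel with connection tracking the cleaner fix is a single `-m state --state ESTABLISHED,RELATED -j ACCEPT` near the top of the chain, which admits replies to the server's own queries regardless of which master or resolver sent them, rather than enumerating source addresses the way lokkit's ifup-post entries do.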