DNS server firewall configuration problem
This post was last edited by ld1978 on 2012-11-16 16:21
I set up my firewall as shown below, but while the firewall is enabled, client machines cannot resolve public (Internet) names; when I turn the firewall off, they can. Could everyone take a look and tell me what else needs to be configured in the firewall?
# iptables -L -n
Chain INPUT (policy ACCEPT)
target               prot opt source       destination
fail2ban-smtp        tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:25
fail2ban-SSH         tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:22
fail2ban-httpd       tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:80
fail2ban-pop3        tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:110
RH-Firewall-1-INPUT  all  --  0.0.0.0/0    0.0.0.0/0
ACCEPT               tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:53
ACCEPT               icmp --  0.0.0.0/0    0.0.0.0/0
ACCEPT               all  --  0.0.0.0/0    0.0.0.0/0
ACCEPT               tcp  --  0.0.0.0/0    0.0.0.0/0    tcp spt:53
ACCEPT               udp  --  0.0.0.0/0    0.0.0.0/0    udp dpt:53
ACCEPT               udp  --  0.0.0.0/0    0.0.0.0/0    udp spt:53

Chain FORWARD (policy ACCEPT)
target               prot opt source       destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0    0.0.0.0/0
ACCEPT               tcp  --  0.0.0.0/0    172.16.1.9   tcp dpt:80
ACCEPT               tcp  --  172.16.1.9   0.0.0.0/0    tcp spt:80
ACCEPT               tcp  --  0.0.0.0/0    172.16.1.9   tcp dpt:22
ACCEPT               tcp  --  172.16.1.9   0.0.0.0/0    tcp spt:22
ACCEPT               icmp --  0.0.0.0/0    172.16.1.9

Chain OUTPUT (policy ACCEPT)
target               prot opt source       destination
ACCEPT               icmp --  0.0.0.0/0    0.0.0.0/0
ACCEPT               all  --  0.0.0.0/0    0.0.0.0/0
ACCEPT               tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:53
ACCEPT               tcp  --  0.0.0.0/0    0.0.0.0/0    tcp spt:53
ACCEPT               udp  --  0.0.0.0/0    0.0.0.0/0    udp spt:53
ACCEPT               udp  --  0.0.0.0/0    0.0.0.0/0    udp dpt:53

Chain RH-Firewall-1-INPUT (2 references)
target               prot opt source       destination
ACCEPT               all  --  0.0.0.0/0    0.0.0.0/0
ACCEPT               icmp --  0.0.0.0/0    0.0.0.0/0    icmp type 255
ACCEPT               esp  --  0.0.0.0/0    0.0.0.0/0
ACCEPT               ah   --  0.0.0.0/0    0.0.0.0/0
ACCEPT               udp  --  0.0.0.0/0    224.0.0.251  udp dpt:5353
ACCEPT               udp  --  0.0.0.0/0    0.0.0.0/0    udp dpt:631
ACCEPT               all  --  0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
ACCEPT               tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:22
ACCEPT               tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:25
ACCEPT               tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:80
ACCEPT               tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:110
ACCEPT               tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:143
ACCEPT               tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:443
ACCEPT               tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:993
ACCEPT               tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:995
REJECT               all  --  0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited
# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 1480/amavisd (maste
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 1603/master
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1456/mysqld
tcp 0 0 0.0.0.0:10028 0.0.0.0:* LISTEN 1493/dspamd
tcp 0 0 127.0.0.1:10030 0.0.0.0:* LISTEN 1690/slockd (master
tcp 0 0 127.0.0.1:10800 0.0.0.0:* LISTEN 1674/mini_httpd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1613/httpd
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 1603/master
tcp 0 0 172.16.1.9:53 0.0.0.0:* LISTEN 1252/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1252/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1291/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 1603/master
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1252/named
tcp 0 0 :::110 :::* LISTEN 1520/couriertcpd
tcp 0 0 :::143 :::* LISTEN 1507/couriertcpd
tcp 0 0 ::1:10800 :::* LISTEN 1674/mini_httpd
tcp 0 0 ::1:53 :::* LISTEN 1252/named
tcp 0 0 :::22 :::* LISTEN 1291/sshd
tcp 0 0 ::1:953 :::* LISTEN 1252/named
tcp 0 0 :::993 :::* LISTEN 1514/couriertcpd
tcp 0 0 :::995 :::* LISTEN 1526/couriertcpd
udp 0 0 172.16.1.9:53 0.0.0.0:* 1252/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 1252/named
udp 0 0 ::1:53 :::* 1252/named
Reply:
ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  tcp spt:53
ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0  udp dpt:53
Put these two rules inside the RH-Firewall-1-INPUT chain, in front of the "REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited" rule. Otherwise, the way you have it, they never take effect: everything is already dropped by that "REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited" rule.

Reply:
Just open UDP/TCP port 53 in the firewall on the DNS server and you are done.

Reply (original poster):
It works now, thanks to the second poster....

Reply (original poster):
Opened destination port 53 for both tcp and udp. That was all it took.
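The fix in the reply depends on rule order: RH-Firewall-1-INPUT ends with a terminating REJECT, so the ACCEPT rules that sit after the jump in INPUT are never reached. The helper below is an added example (not posted in the thread): it reads the output of `iptables -L RH-Firewall-1-INPUT -n --line-numbers`, finds the position of the terminating rule, and prints the insert commands that place the port-53 rules in front of it. The listing is a constructed, trimmed sample in the format iptables prints; the chain name is taken from the thread.

```shell
#!/bin/sh
# Added example: locate the terminating REJECT/DROP rule in a chain listing and
# emit the iptables commands that insert DNS ACCEPT rules ahead of it.
# Nothing here changes the live firewall; the commands are only printed.

# Constructed sample (trimmed) in the format of
# `iptables -L RH-Firewall-1-INPUT -n --line-numbers`.
SAMPLE_LISTING='Chain RH-Firewall-1-INPUT (2 references)
num  target  prot opt source     destination
1    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0
2    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
3    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:22
4    REJECT  all  --  0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited'

# Print the rule number of the first REJECT or DROP rule in the listing.
# Column 1 is the rule number, column 2 the target. Prints nothing if the
# chain has no terminating rule (then appending would be fine).
reject_rule_index() {
    printf '%s\n' "$1" | awk '$2 == "REJECT" || $2 == "DROP" { print $1; exit }'
}

# Print the commands that insert ACCEPT rules for TCP and UDP destination
# port 53 at position $2 of chain $1, i.e. in front of the terminating rule.
# Inserting both at the same index leaves UDP before TCP; their mutual
# order does not matter, only that both precede the REJECT.
dns_accept_commands() {
    chain=$1
    idx=$2
    if [ -z "$idx" ]; then
        echo "no terminating rule found in $chain; append with -A instead" >&2
        return 1
    fi
    printf 'iptables -I %s %s -p tcp --dport 53 -j ACCEPT\n' "$chain" "$idx"
    printf 'iptables -I %s %s -p udp --dport 53 -j ACCEPT\n' "$chain" "$idx"
}

# On a real host replace SAMPLE_LISTING with:
#   iptables -L RH-Firewall-1-INPUT -n --line-numbers
idx=$(reject_rule_index "$SAMPLE_LISTING")
dns_accept_commands RH-Firewall-1-INPUT "$idx"
```

After inserting, re-run the listing and confirm the two port-53 rules carry a lower number than the REJECT rule.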