Tested and working. If you only want to set up a DNS server and need to open the firewall for it but do not know how to configure it, you can follow the steps below or use the script given at the end directly.
When a server is used as a DNS server, in the vast majority of cases the firewall can be opened for the relevant services with the following settings:
"1" Step one: clear the default firewall rules
iptables -F
iptables -X
iptables -Z
• Parameter description:
-F: flushes (deletes) all rules in every chain
-X: deletes all user-defined chains (chains, not tables; tables cannot be deleted)
(Extension: tables: the Linux iptables firewall has three tables by default, filter, nat and mangle (newer kernels add raw and security); filter is the default table. Chains: each table holds chains, e.g. the filter table has the three built-in chains INPUT, OUTPUT and FORWARD, plus any user-defined ones.)
-Z: zeroes the packet and byte counters of all chains
Note that without -t <table> these three commands act only on the filter table; anything in nat or mangle is left untouched.
• Reason for this setting:
The default policy of all three filter chains is ACCEPT. For INPUT this is clearly dangerous: everything that no rule explicitly drops gets in. Check the current state with iptables -L -n, or with iptables-save, which lists the complete firewall configuration in more detail.
"2" Step two: set the default policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
• Reason for this setting:
DROP silently discards the packet. As explained in step 1, the INPUT chain is far safer with a DROP policy: anything the rules in step 3 do not explicitly accept is discarded. Mind the ordering, though: from the moment INPUT becomes DROP until the SSH rule in step 3 is added, a remote session receives nothing. In the script below the gap is brief and TCP retransmission covers it, but if you type the commands by hand, add the ACCEPT rules first and set the policy last. FORWARD ACCEPT is harmless only because a plain DNS server does not route packets; on a host with IP forwarding enabled set it to DROP as well.
"3" Step three: write the rules for the required services
(1) Trust this machine itself
iptables -A INPUT -i lo -j ACCEPT
Anything that talks to the host over the loopback interface (a resolver querying its own listener on 127.0.0.1, for example) needs this.
(2) Rule for SSH remote connections
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
(-A: append a rule to a chain; INPUT: the chain; -p tcp: match the TCP protocol; --dport 22: match destination port 22; -j ACCEPT: the target, here accept the packet)
(3) Rules for the DNS service
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
Description
The two --dport rules admit new DNS queries: UDP for ordinary lookups, TCP for answers too large for UDP and for zone transfers. The two --sport rules admit replies from other DNS servers (source port 53), so that nslookup or dig run on this machine, or the resolver itself when it recurses, can query them. (The original listed the TCP --sport rule twice; the second one has to be UDP, which is what most replies use.) Caveat: a source-port rule trusts whatever the remote side puts in the port field. Anyone can send from port 53, so these two lines let arbitrary packets carrying that source port reach any local port, sidestepping the DROP policy. The safer replacement is a connection-tracking rule (-m conntrack --ctstate ESTABLISHED,RELATED) that admits only replies to traffic this host initiated.
(4) Other rules
iptables -A INPUT -p icmp -j ACCEPT
Description
Not required for DNS, but added so that the server's reachability can be checked conveniently with ping.
"4" Write the rules to the firewall configuration file
/etc/init.d/iptables save
Description
Without saving, the configuration above is lost when the server reboots. This command is the CentOS/RHEL 6 init script, which writes the running rules to /etc/sysconfig/iptables. On other distributions use iptables-save to write the rules to the file the boot scripts reload (on Debian/Ubuntu the iptables-persistent package provides netfilter-persistent save).
The complete script is as follows (the duplicated TCP --sport line of the original is corrected to UDP):
#!/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin; export PATH
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
/etc/init.d/iptables save
Save it as a .sh file and execute it with root privileges.
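As an added example (not the original post's script, and not taken from any project), here is the same DNS-server policy written as an iptables-restore file with a small apply function around it. It goes beyond the post in three ways: the policies and rules are committed in one atomic transaction, so there is no window in which INPUT is DROP but the SSH rule is missing; connection tracking replaces the bypassable source-port-53 rules and FORWARD is DROP; and a timed background revert protects a remote admin from locking themselves out. Assumptions of mine, not from the post: the SSH port and admin network are parameters (defaults 22 and any), iptables-restore --test is used as a parse-only dry run, and /etc/sysconfig/iptables is the save path (the CentOS location matching the post's /etc/init.d/iptables save).

```shell
#!/bin/sh
# Added example: DNS-server firewall as an iptables-restore rule set.
# Assumed parameters: SSH port (default 22) and admin CIDR (default any).
set -eu

# build_ruleset [SSH_PORT] [ADMIN_CIDR]: print the filter table in
# iptables-restore format. Nothing is applied here; the caller decides.
build_ruleset() {
    ssh_port="${1:-22}"
    admin_cidr="${2:-0.0.0.0/0}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# traffic on the loopback interface
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened (upstream DNS, package updates);
# this replaces the source-port-53 rules, which anyone can satisfy by
# choosing 53 as their source port
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH, only from the admin network
-A INPUT -p tcp -s ${admin_cidr} --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
# DNS: UDP for ordinary queries, TCP for large answers and zone transfers
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# allow ping for reachability checks
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# count_accept_rules RULESET: number of "-j ACCEPT" rules, a cheap sanity
# check before committing (policy lines do not match the pattern)
count_accept_rules() {
    printf '%s\n' "$1" | grep -c -- '-j ACCEPT'
}

# apply_ruleset [SSH_PORT] [ADMIN_CIDR]: parse-only dry run, atomic commit,
# then ask the operator to confirm the session survived. If nobody confirms
# within 120 seconds, INPUT is reopened so a remote admin is not locked out.
apply_ruleset() {
    ruleset="$(build_ruleset "$@")"
    printf '%s\n' "$ruleset" | iptables-restore --test   # parse only, changes nothing
    ( sleep 120; iptables -P INPUT ACCEPT; iptables -F INPUT ) &
    guard=$!
    printf '%s\n' "$ruleset" | iptables-restore          # one atomic commit
    printf 'Rules applied. Type yes within 120s to keep them: '
    if read -r answer && [ "$answer" = "yes" ] && kill "$guard" 2>/dev/null; then
        # assumed CentOS/RHEL save path; adjust for your distribution
        iptables-save > /etc/sysconfig/iptables
        echo "rules kept and saved"
    else
        echo "not confirmed in time; the guard job reverts INPUT to ACCEPT" >&2
    fi
}

# Usage: sudo ./dns-fw.sh apply [SSH_PORT] [ADMIN_CIDR]
#        ./dns-fw.sh show  [SSH_PORT] [ADMIN_CIDR]   (print only, for review)
if [ "${1:-}" = "apply" ]; then
    shift
    apply_ruleset "$@"
elif [ "${1:-}" = "show" ]; then
    shift
    build_ruleset "$@"
fi
```

Run it with show first and read the rule set; then apply over the console or over a session from the admin network. If the SSH session dies, do nothing: two minutes later the guard sets INPUT back to ACCEPT and flushes it, and you can log in and fix the parameters.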
Other common commands:
View the firewall configuration in brief
iptables -L -n
View the full firewall configuration
iptables-save
Important notes:
Firewall configuration must be done with great care, especially when configuring a server remotely. If you accidentally clear the defined rules while the INPUT default policy is DROP, there is no way to connect remotely any more; pay particular attention to this. A common safety net when working remotely is to schedule a revert before applying the rules, for instance a background job that sets the INPUT policy back to ACCEPT after a few minutes, and to cancel it only once you have confirmed that a new session still works.
This article is from the "Fragrant Fluttering Leaves" (xpleaf) blog; please keep this source: http://xpleaf.blog.51cto.com/9315560/1707025
Linux firewall settings: DNS server chapter