I wanted to allow outgoing DNS traffic while OUTPUT is on DROP

Zak A

6/20/23, 7:14 PM

I currently have a dns server running on my pi , and I am using that as my dns I wanted to ping google.ca while my output chain / input being on drop here are my firewall rules would love to hear some feedback on how to fix this still cant ping google.ca

#!/bin/bash
iptables -F
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
#ssh
#http traffic
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -i lo  -j ACCEPT
iptables -A OUTPUT -o lo  -j ACCEPT
#loopback
#outgoing dns
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -j ACCEPT
#incoming dns 
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT

0 + 0

iptables

bash

firewall

networking

dns

Thomas Ward

6/20/23, 7:15 PM

Can you include the full current iptables rules? `sudo iptables -L -n -v --line-numbers` and add it as an edit to the question?

Zak A

6/20/23, 7:24 PM

I do flush the iptables in the script

Doug Smythies

6/20/23, 7:40 PM

Please do as @ThomasWard asked. We need to see your default policies and the overall context. If you want to allow ping, then you need rules to do so if your default policy is DROP.

Thomas Ward

6/20/23, 7:41 PM

There's also a few things that I would add anyways, such as a state matching on RELATED,ESTABLISHED in INPUT and OUTPUT and allow it, that way you don't have to explicitly allow all connections to a port and instead only permit the traffic that's related to the NEW traffic you're establishing outboud. BUt yes, we still want to see the current layout *after* your script runs.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: I wanted to allow outgoing DNS traffic while OUTPUT is on DROP

TH: ฉันต้องการอนุญาตการรับส่งข้อมูล DNS ขาออกในขณะที่ OUTPUT อยู่ใน DROP

RO: Am vrut să permit traficul DNS de ieșire în timp ce OUTPUT este pe DROP

RU: Я хотел разрешить исходящий DNS-трафик, пока OUTPUT находится в состоянии DROP

VI: Tôi muốn cho phép lưu lượng DNS gửi đi trong khi OUTPUT đang ở chế độ DROP

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.