I'm locking down both inbound and outbound ports with
iptables -P INPUT DROP
iptables -P OUTPUT DROP
Then, I allow certain traffic to certain servers
- SSH from my network to the server (inbound)
- HTTP requests on port 8080 from the server to another server (outbound)
iptables -A INPUT -p tcp -s <my_ip> --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -d <server_ip> --dport 8080 -j ACCEPT
I noticed some problems with the above rules and doing HTTP requests, so I added
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
For DNS, I then added:
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
However, nslookup would not work:
nslookup google.com
What ended up working is also allowing port 53 inbound traffic:
iptables -A INPUT -p udp --dport 53 -j ACCEPT
In total, these are my commands:
1. iptables -A INPUT -p tcp -s <my_ip> --dport 22 -j ACCEPT
2. iptables -A OUTPUT -p tcp -d <my_server> --dport 8080 -j ACCEPT
3. iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
4. iptables -A INPUT -p udp --dport 53 -j ACCEPT
5. iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
6. iptables -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
7. iptables -P INPUT DROP
8. iptables -P OUTPUT DROP
My question is: I wanted to lock down the server as much as possible. I didn't think I'd need to open UDP inbound. I know UDP is stateless etc. but I've generally never needed to open anything inbound to make DNS work, whether on firewalls or my Windows machines.
Am I doing something wrong that I need port 53 inbound?
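Added example, not from the post: a small Python model of the final chains above with a conntrack-style table, to show which rule each DNS packet actually hits, with and without the inbound port 53 rule. The addresses and the ephemeral port 40000 are constructed, and it assumes conntrack is tracking UDP replies as it normally does.

```python
from collections import namedtuple
Pkt = namedtuple("Pkt", "proto src sport dst dport")
# None means "not matched on", like leaving the iptables option out.
Rule = namedtuple("Rule", "chain target proto src dst dport state",
                  defaults=(None, None, None, None, ()))

# Constructed addresses (RFC 5737 documentation ranges), not from the post.
MY_IP, SERVER, PEER = "203.0.113.10", "198.51.100.5", "198.51.100.9"
RESOLVER, STRANGER = "198.51.100.53", "192.0.2.77"
# The poster's final chains in evaluation order: -I put the state rules
# first, -A appended the rest; both chains default to DROP.
RULES = [
    Rule("INPUT", "ACCEPT", state=("ESTABLISHED", "RELATED")),
    Rule("OUTPUT", "ACCEPT", state=("ESTABLISHED", "RELATED")),
    Rule("INPUT", "ACCEPT", proto="tcp", src=MY_IP, dport=22),
    Rule("OUTPUT", "ACCEPT", proto="tcp", dst=PEER, dport=8080),
    Rule("OUTPUT", "ACCEPT", proto="udp", dport=53),
    Rule("INPUT", "ACCEPT", proto="udp", dport=53),  # the rule being asked about
]
WITHOUT_INBOUND_53 = [r for r in RULES if (r.chain, r.dport) != ("INPUT", 53)]
POLICY = {"INPUT": "DROP", "OUTPUT": "DROP"}

class Firewall:
    def __init__(self, rules):
        self.rules, self.seen = rules, set()  # 'seen' stands in for conntrack

    def state(self, p):
        # A reply to a flow already let through is ESTABLISHED (conntrack does this for UDP too).
        return "ESTABLISHED" if (p.proto, p.dst, p.dport, p.src, p.sport) in self.seen else "NEW"

    def filter(self, chain, p):
        st, verdict = self.state(p), POLICY[chain]
        for r in self.rules:
            fields = ((r.proto, p.proto), (r.src, p.src), (r.dst, p.dst), (r.dport, p.dport))
            if (r.chain == chain and all(w is None or w == h for w, h in fields)
                    and (not r.state or st in r.state)):
                verdict = r.target  # first match wins, as in iptables
                break
        if verdict == "ACCEPT":
            self.seen.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return verdict, st

def dns_exchange(rules):  # outbound query from an ephemeral port, then the reply
    fw = Firewall(rules)
    return (fw.filter("OUTPUT", Pkt("udp", SERVER, 40000, RESOLVER, 53)),
            fw.filter("INPUT", Pkt("udp", RESOLVER, 53, SERVER, 40000)))

def unsolicited_query(rules):  # a stranger's query aimed at the server's own port 53
    return Firewall(rules).filter("INPUT", Pkt("udp", STRANGER, 5555, SERVER, 53))
```

The reply arrives on the ephemeral port, so the INPUT --dport 53 rule never sees it; what that rule does admit is any unsolicited packet to port 53, which is the exposure to weigh.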