Linux Fedora 8 IPTABLE設定值:
主機:
1. 外網 只要開放 20,21,22,53,953,(ftp,ssh,mail)
2.內網 只開放 445,139(smb)
3.沒有架設 NAT
問題:
1./var/log/messages 內一直出上百條以下的訊設,以下略取10條,
2.如果設了以下 IPTABLES規則,DNS 會無法運作,
請教iptables 熟手,是什麼問題,還是有更好設定的方法呢? 感恩也 謝謝~
有去爬了一些文,是說要加以下的資料到 named.conf,試了之後,反而DNS 起不來
logging {
category lame-servers {null; };
category edns-disabled { null; };
};
IPTables 的設定值:
#=======================InSiteNet eth1(192.168.0.5)=====================
#------------------------------SMB ACCEPT-----------------------
-A INPUT -p tcp -i eth1 -m state --state RELATED -d 192.168.0.5 -m multiport --dports 445,139 -j ACCEPT
-A INPUT -p udp -i eth1 -m state --state RELATED -d 192.168.0.5 -m multiport --dports 445,137:138 -j ACCEPT
#=======================OutSiteNet eth0(220.128.122.86)=====================
#-----------------------SSH--------------------------------------
-A INPUT -i eth0 -p tcp -s 222.222.222.22-m multiport --dports 22 -j ACCEPT
-A INPUT -i eth0 -p udp -s 222.222.222.22 -m multiport --dports 22 -j ACCEPT
#--------------------------------------------------------------
-A OUTPUT -o eth0 -p tcp -j ACCEPT
-A OUTPUT -o eth0 -p udp -j ACCEPT
#------------------------------DNS ACCEPT
-A INPUT -p udp -m multiport --sports 53,953 -m multiport --dports 53,953 -j ACCEPT
-A INPUT -p tcp -m multiport --sports 53,953 -m multiport --dports 53,953 -j ACCEPT
#------------------------------Mail ACCEPT
-A INPUT -p tcp -i eth0 -d 222.222.222.22-m multiport --dports 110,25 -j ACCEPT
-A INPUT -p udp -i eth0 -d 222.222.222.22 -m multiport --dports 110,25 -j ACCEPT
#-----------------------------Vsftpd accept
-A INPUT -p tcp -i $EXTIF -s 220.128.122.85 --dport 21 -j ACCEPT
-A INPUT -p tcp -i $EXTIF -s 220.128.122.85 --dport 60000:60010 -j ACCEPT
#______________________Server Port 1:1023 LOG
#-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 1:1023 --sport 1:65535 -j LOG
#-A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED --dport 1:1023 --sport 1:65535 -j LOG
#---------------------------OutPut Port------------------------
-A OUTPUT -o eth0 -p tcp --sport 80 -j DROP
-A INPUT -i eth0 -p tcp -d 222.222.222.22 --dport 1024:65535 -j DROP
-A INPUT -i eth0 -p udp -d 222.222.222.22 --dport 1024:65535 -j DROP
/var/log/messages 內y 24 21:07:23 fortune-s named[6999]: too many timeouts resolving 'H.GTLD-SERVERS.NET/AAAA' (in '.'?): disabling EDNS
May 24 21:07:23 fortune-s named[6999]: too many timeouts resolving 'I.GTLD-SERVERS.NET/AAAA' (in '.'?): disabling EDNS
May 24 21:07:23 fortune-s named[6999]: too many timeouts resolving 'J.GTLD-SERVERS.NET/AAAA' (in '.'?): disabling EDNS
May 24 21:07:23 fortune-s named[6999]: too many timeouts resolving 'K.GTLD-SERVERS.NET/AAAA' (in '.'?): disabling EDNS
May 24 21:07:23 fortune-s named[6999]: too many timeouts resolving 'B.DNS.tw/AAAA' (in '.'?): disabling EDNS
May 24 21:07:23 fortune-s named[6999]: too many timeouts resolving 'E.DNS.tw/AAAA' (in '.'?): disabling EDNS
May 24 21:07:23 fortune-s named[6999]: too many timeouts resolving 'F.DNS.tw/AAAA' (in '.'?): disabling EDNS
May 24 21:07:23 fortune-s named[6999]: too many timeouts resolving 'G.DNS.tw/AAAA' (in '.'?): disabling EDNS
May 24 21:07:23 fortune-s named[6999]: too many timeouts resolving 'H.DNS.tw/AAAA' (in '.'?): disabling EDNS
May 24 21:07:23 fortune-s named[6999]: too many timeouts resolving 'fedora.mirrors.firstnetcom.com.tw.tw/A' (in 'tw'?): disabling EDNS
May 24 21:07:23 fortune-s named[6999]: too many timeouts resolving 'NS.TWNIC.NET/AAAA' (in 'NET'?): disabling EDNS
May 24 21:07:24 fortune-s named[6999]: too many timeouts resolvin
 |
回覆時引用此文章
書籤