    iptables configuration for BIND


    I am running a BIND 9.3.2 nameserver to host my own domain. It is running smoothly and queries requests like a champ. This machine has a public IP and I would like to use iptables to lock it down. When I run my iptables script, I think the nameserver is still resolving for people outside my network and zone transfers to secondary servers (outside my network) seem to be working, but when I try to run a dig or nslookup locally on the nameserver, it times out. If I flush my iptables rules, then the local commands work fine. Can someone point out to me what might be wrong? Here are the commands I am running in my script:

    # allow outside dns requests
    iptables -A INPUT -s 0/0 -p tcp --dport 53 -j ACCEPT
    iptables -A INPUT -s 0/0 -p udp --dport 53 -j ACCEPT

    # allow ssh connection from local network
    # (the source network is missing from the post as published; <local-network-cidr> is a placeholder)
    iptables -A INPUT -s <local-network-cidr> -p tcp --dport 22 -j ACCEPT

    # allow icmp traffic
    iptables -A INPUT -s 0/0 -p icmp -j ACCEPT

    # block all other traffic
    iptables -A INPUT -s 0/0 -p all -j DROP

    girlygeek
    You should also have a rule that allows all queries to localhost (

    You also probably need an OUTPUT statement somewhere that allows replies on established TCP connections (with the ACK bit set) and regular UDP stuff.

    Try logging that final drop and see what it outputs to /var/log/messages.

    Senior Member
    Dear bkesting,

    If you are not very sure about iptables, then you can use APF Firewall.


    If you have any difficulties in installation and configuration, let me know.

    Best Regards.
    Frrkh hmd

    I added the following commands to fix my problem:

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT

    and added the following to my named.conf file:

    query-source address * port 53;

    All seems to be working fine now.
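The ruleset the thread converges on, written out as an added example (not code from any of the posters): loopback and stateful accepts placed before the catch-all drop, loaded atomically with iptables-restore, plus a check that the ordering is right. The admin network in LOCAL_NET is an assumption.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset for a public BIND server.
# Order matters: the loopback and conntrack ACCEPTs must come before the
# catch-all DROP, otherwise a local dig/nslookup (whose packets travel over lo)
# and replies to queries this host sent are dropped, the symptom in the post.

LOCAL_NET="${LOCAL_NET:-192.168.1.0/24}"   # assumption: network allowed to ssh in

gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first: local resolver queries to 127.0.0.1 never leave the box
-A INPUT -i lo -j ACCEPT
# replies to traffic this host initiated (recursion, outbound AXFR, ssh);
# equivalent to the thread's "-m state --state ESTABLISHED,RELATED"
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# DNS from anywhere: UDP for ordinary queries, TCP for large answers and zone transfers
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
# ssh only from the admin network
-A INPUT -s $LOCAL_NET -p tcp --dport 22 -j ACCEPT
# icmp (echo, path-MTU, unreachables)
-A INPUT -p icmp -j ACCEPT
# log what falls through, rate-limited, before the chain policy drops it
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# Returns 0 when the loopback and ESTABLISHED,RELATED accepts precede every DROP/LOG rule.
check_order() {
  gen_rules | awk '
    /-i lo -j ACCEPT/                  { lo = NR }
    /ESTABLISHED,RELATED/              { est = NR }
    /-j (DROP|LOG)/ && !first_drop     { first_drop = NR }
    END { exit !(lo && est && lo < first_drop && est < first_drop) }'
}

# "apply" as root loads the ruleset atomically; anything else is a dry run that prints it.
if [ "$(id -u)" -eq 0 ] && [ "${1:-}" = "apply" ]; then
  gen_rules | iptables-restore
else
  gen_rules
fi
```

With the ESTABLISHED,RELATED rule in place the `query-source ... port 53` pin in named.conf is unnecessary, and pinning the source port removes the randomisation that protects a resolver against spoofed answers, so it is better left at the default.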

