iptables configuration for BIND

[bkesting]

Hello,

I am running a BIND 9.3.2 nameserver to host my own domain. It is running smoothly and queries requests like a champ. This machine has a public IP and I would like to use iptables to lock it down. When I run my iptables script, I think the nameserver is still resolving for people outside my network and zone transfers to secondary servers (outside my network) seem to be working, but when I try to run a dig or nslookup locally on the nameserer, it times out. If I flush my iptables rules, then the local commands work fine. Can someone point out to me what might be wrong? Here are the commands I am running in my script:

# allow outside dns requests
iptables -A INPUT -s 0/0 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -s 0/0 -p udp --dport 53 -j ACCEPT

# allow ssh connection from local network
iptables -A INPUT -s 192.168.0.0/16 -p tcp --dport 22 -j ACCEPT

# allow icmp traffic
iptables -A INPUT -s 0/0 -p icmp -j ACCEPT

# block all other traffic
iptables -A INPUT -s 0/0 -p all -j DROP

[girlygeek]

You should also have a rule that allows all queries to localhost (127.0.0.1).

You also probably need an OUTPUT statement somewhere that allows replies on established TCP connections (with the ACK bit set) and regular UDP stuff.

Try logging that final drop and see what it outputs to /var/log/messages.

[LinuxFreak]

Dear bkesting,
Hello,

If you are not much sure about iptables then you can use APF Firewall.

FYI, http://www.rfxnetworks.com

If you have any difficulties in installation and configuration let me know

Best Regards.

[bkesting]

I added the following commands to fix my problem........

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

and added the following to my named.conf file:

query-source address * port 53;

All seems to be working fine now