I have been using CentOS 6, and recently outgoing connections that use hostnames stopped working. This is probably because iptables is blocking all DNS queries, since the problem disappears as soon as the firewall is disabled.
# Generated by iptables-save v1.4.7 on Thu Jul 20 17:40:16 2017
*mangle
:PREROUTING ACCEPT [672953:127627705]
:INPUT ACCEPT [6652:691635]
:FORWARD ACCEPT [661443:126705426]
:OUTPUT ACCEPT [7875:3320683]
:POSTROUTING ACCEPT [598139:125758733]
COMMIT
# Completed on Thu Jul 20 17:40:16 2017
# Generated by iptables-save v1.4.7 on Thu Jul 20 17:40:16 2017
Could the rules above be the cause of this problem?
Output of iptables -L -n -v:
Chain INPUT (policy DROP 2493 packets, 403K bytes)
pkts bytes target prot opt in out source destination
416 34155 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
697 64133 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,22,25,80,443,4082,4083,4084,4085,587
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:123
1228 42752 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 8443,2087,2086,10000
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:5901:7000
0 0 ACCEPT all -- * * <some_IP> 0.0.0.0/0
0 0 tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW recent: SET name: DEFAULT side: source
0 0 DROP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW recent: UPDATE seconds: 60 hit_count: 6 name: DEFAULT side: source
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
1 140 ACCEPT all -- * * <some_IP> 0.0.0.0/0
0 0 ACCEPT all -- * * <some_IP> 0.0.0.0/0
0 0 ACCEPT all -- * * <some_IP> 0.0.0.0/0
0 0 ACCEPT all -- * * <some_IP> 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
Chain FORWARD (policy ACCEPT 745K packets, 370M bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * <some_IP> 0.0.0.0/0 tcp dpt:25
0 0 DROP tcp -- * * 0.0.0.0/0 <some_IP> 2 tcp dpt:25
0 0 DROP tcp -- * * <some_IP> 0.0.0.0/0 tcp dpt:25
0 0 DROP tcp -- * * 0.0.0.0/0 <some_IP> 0 tcp dpt:25
0 0 DROP tcp -- * * <some_IP> 0.0.0.0/0 tcp dpt:25
7554 450K DROP tcp -- * * 0.0.0.0/0 <some_IP> tcp dpt:25
0 0 DROP tcp -- * * <some_IP> 0.0.0.0/0 tcp dpt:25
4 240 DROP tcp -- * * 0.0.0.0/0 <some_IP> 48 tcp dpt:25
0 0 DROP tcp -- * * <some_IP> 0.0.0.0/0 tcp dpt:25
0 0 DROP tcp -- * * 0.0.0.0/0 <some_IP> 4 tcp dpt:25
0 0 DROP tcp -- * * <some_IP> 0.0.0.0/0 tcp dpt:25
0 0 DROP tcp -- * * 0.0.0.0/0 <some_IP> 33 tcp dpt:25
0 0 DROP tcp -- * * <some_IP> 0.0.0.0/0 tcp dpt:25
1 40 DROP tcp -- * * 0.0.0.0/0 <some_IP> tcp dpt:25
0 0 DROP tcp -- * * <some_IP> 0.0.0.0/0 tcp dpt:25
1 40 DROP tcp -- * * 0.0.0.0/0 <some_IP> tcp dpt:25
0 0 DROP tcp -- * * <some_IP> 0.0.0.0/0 tcp dpt:25
2 120 DROP tcp -- * * 0.0.0.0/0 <some_IP> 54 tcp dpt:25
4 240 DROP tcp -- * * 0.0.0.0/0 <some_IP> 53 tcp dpt:25
0 0 DROP tcp -- * * <some_IP> 0.0.0.0/0 tcp dpt:25
0 0 DROP tcp -- * * <some_IP> 0.0.0.0/0 tcp dpt:25
0 0 DROP tcp -- * * 0.0.0.0/0 <some_IP> 52 tcp dpt:25
0 0 DROP tcp -- * * <some_IP> 0.0.0.0/0 tcp dpt:25
0 0 DROP tcp -- * * 0.0.0.0/0 <some_IP> 49 tcp dpt:25
4 240 DROP tcp -- * * 0.0.0.0/0 <some_IP> 51 tcp dpt:25
0 0 DROP tcp -- * * <some_IP> 0.0.0.0/0 tcp dpt:25
0 0 DROP tcp -- * * 0.0.0.0/0 <some_IP> tcp dpt:25
0 0 DROP tcp -- * * <some_IP> 0.0.0.0/0 tcp dpt:25
Chain OUTPUT (policy ACCEPT 4522 packets, 880K bytes)
pkts bytes target prot opt in out source destination
3 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 25,587
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
1228 42752 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
Answer 1
The title should probably be changed to:
iptables blocks all DNS responses
because I believe your existing rules are blocking the DNS responses, not the queries.
These rules only allow UDP on the INPUT chain to destination port 123 on the server. You also need a similar rule for UDP traffic, but this time allowing DNS responses from source port 53, coming from the DNS servers your server sends its queries to.
Like this:
iptables -A INPUT -p udp --sport 53 -j ACCEPT
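To see concretely why the reply is dropped and what the proposed rule changes, here is an added example (not code from the question or the answer) that parses `iptables -L -n -v` style output and simulates the INPUT chain's verdict for a DNS reply. The chain text is constructed to mirror the question's ruleset, the addresses 192.0.2.53 (resolver) and 198.51.100.10 (this host) are placeholders, and only the match options that appear in the question's output (state, dpt/dpts/spt, multiport) are understood. It shows that a reply conntrack recognises as ESTABLISHED is accepted by the existing RELATED,ESTABLISHED rule, that a reply it does not recognise falls through to the DROP policy, and that the answer's `--sport 53` rule admits any UDP datagram with source port 53 regardless of the destination port, which is why narrowing it to the resolvers' addresses, as the answer's prose suggests, is worthwhile.

```python
"""Simulate the INPUT chain of `iptables -L -n -v` output for a DNS reply.
Added example, not the original page's code: the sample chain is constructed
to mirror the question's ruleset with placeholder addresses (192.0.2.53 is the
resolver, 198.51.100.10 is this host)."""
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass

TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}
Rule = namedtuple("Rule", "target proto in_iface src dst extra")

@dataclass
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    state: str = "NEW"   # what conntrack says about the packet: NEW/ESTABLISHED/RELATED
    in_iface: str = "eth0"

def parse_chain(text):
    """Return (policy, [Rule]) for one chain of `iptables -L -n -v` output."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    policy = re.match(r"Chain \S+ \(policy (\w+)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:                 # skip the Chain and column-header lines
        tok = line.split()
        # columns: pkts bytes [target] prot opt in out source destination [matches]
        # the target column is empty for rules without a jump (e.g. a 'recent' SET)
        if tok[2] in TARGETS:
            target, rest = tok[2], tok[3:]
        else:
            target, rest = None, tok[2:]
        proto, _opt, in_if, _out, src, dst = rest[:6]
        rules.append(Rule(target, proto, in_if, src, dst, " ".join(rest[6:])))
    return policy, rules

def _addr_match(spec, addr):
    if spec == "0.0.0.0/0":
        return True
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False                       # placeholders such as <some_IP> never match

def _ports(spec):
    """Expand '53', '21,22,25' or '5901:7000' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def _matches(rule, pkt):
    if rule.proto not in ("all", pkt.proto) or rule.in_iface not in ("*", pkt.in_iface):
        return False
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    m = re.search(r"state (\S+)", rule.extra)
    if m and pkt.state not in m.group(1).split(","):
        return False
    m = re.search(r"(?:dpts?:|multiport dports )(\S+)", rule.extra)
    if m and pkt.dport not in _ports(m.group(1)):
        return False
    m = re.search(r"(?:spts?:|multiport sports )(\S+)", rule.extra)
    if m and pkt.sport not in _ports(m.group(1)):
        return False
    return True

def verdict(chain_text, pkt):
    """The first terminating rule that matches decides; otherwise the chain policy."""
    policy, rules = parse_chain(chain_text)
    for rule in rules:
        if rule.target in ("ACCEPT", "DROP", "REJECT") and _matches(rule, pkt):
            return rule.target
    return policy

# Constructed INPUT chain, trimmed to the rules that matter for DNS replies.
INPUT_CHAIN = """\
Chain INPUT (policy DROP 2493 packets, 403K bytes)
 pkts bytes target prot opt in out source destination
  416 34155 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
  697 64133 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,22,25,80,443,587
    0     0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:123
    0     0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
"""
# The answer's `iptables -A INPUT -p udp --sport 53 -j ACCEPT`, as iptables lists it.
SPORT53_RULE = "    0     0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53\n"

def dns_reply(state, dport=40000):
    """A resolver's answer to a query this host sent from ephemeral port `dport`."""
    return Packet("udp", "192.0.2.53", "198.51.100.10", sport=53, dport=dport, state=state)

if __name__ == "__main__":
    print("reply seen as ESTABLISHED:", verdict(INPUT_CHAIN, dns_reply("ESTABLISHED")))
    print("reply seen as NEW        :", verdict(INPUT_CHAIN, dns_reply("NEW")))
    print("NEW + sport-53 rule      :", verdict(INPUT_CHAIN + SPORT53_RULE, dns_reply("NEW")))
    print("sport 53 to port 111     :", verdict(INPUT_CHAIN + SPORT53_RULE, dns_reply("NEW", 111)))
```

Run it with `python3`; the four lines print ACCEPT, DROP, ACCEPT, ACCEPT. The second result is the situation in the question: with a DROP policy, a reply that the RELATED,ESTABLISHED rule does not catch has nowhere else to go. That rule's packet counter is 0 in the question's listing, even though established TCP traffic should normally hit it, so confirming that connection tracking is actually working on that host is a sensible check before widening the INPUT chain.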