Thread: iptables causing slow ssh and name lookup errors
Hi,
Why does iptables cause a mail delivery error? I think it's DNS lookups not being routed properly... If I remove the last rule, mail works fine.
SSH is slow to connect when the last rule is enabled.
Postfix mail error:
Code:
    Jan 24 11:32:18 xxxx postfix/smtp[15065]: 9F2162C519: to=<xxxxx@hotmail.com>, relay=none, delay=1005, delays=965/0.01/40/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=hotmail.com type=MX: Host not found, try again)

iptables:
Code:
    Chain INPUT (policy ACCEPT 1510 packets, 283K bytes)
     pkts bytes target  prot opt in  out  source     destination
        0     0 ACCEPT       --  lo       anywhere   anywhere
     3384  264K ACCEPT  tcp  --           anywhere   anywhere     tcp dpt:1976
      522 46669 ACCEPT  tcp  --           anywhere   anywhere     tcp dpt:www
       12   648 ACCEPT  tcp  --           anywhere   anywhere     tcp dpt:domain
      291 19722 ACCEPT  udp  --           anywhere   anywhere     udp dpt:domain
     1269 72208 ACCEPT  tcp  --           anywhere   anywhere     tcp dpt:pop3
      414  179K ACCEPT  tcp  --           anywhere   anywhere     tcp dpt:smtp
      759 63756 ACCEPT  icmp --           anywhere   anywhere
        0     0 DROP         --           anywhere   anywhere

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target  prot opt in  out  source     destination

    Chain OUTPUT (policy ACCEPT 6632 packets, 2968K bytes)
     pkts bytes target  prot opt in  out  source     destination
OK, here's the answer.
Because lookups are sent to the nameserver on port 53, but the reply comes back on a higher-numbered port (which is blocked), you need to allow access from your ISP's nameservers on the higher-numbered ports.
If you wanted to allow the reply on that port [only if you trust your ISP's nameserver]:
Code:
    iptables -A INPUT -p udp -s <isp dns server ip>/32 --source-port 53 -d 0/0 --destination-port 1024:65535 -j ACCEPT
Code:
    iptables -A INPUT -p udp -s <isp dns server ip>/32 --source-port 53 -d 0/0 -j ACCEPT

This is a great resource:
http://oceanpark.com/notes/firewall_example.html
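To make the answer concrete, here is an added illustration (not code from the thread or from any of its posters) that models the INPUT chain posted in the question as a first-match rule list, then walks a DNS reply through it. The ISP nameserver address 198.51.100.53 and the resolver's ephemeral port 40123 are constructed values; the rule list mirrors the posted chain (www=80, domain=53, pop3=110, smtp=25). It also asks the local kernel which source port it would pick for an outgoing UDP query, which is the port the reply has to come back to.

```python
"""Toy packet-filter model of the posted INPUT chain: shows why a DNS reply
hits the final DROP rule and how the suggested rule lets it through.
Added example, not code from the thread; addresses and ports are constructed."""
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str              # source IP address
    sport: Optional[int]  # source port (None for icmp)
    dport: Optional[int]  # destination port (None for icmp)
    iface: str = "eth0"   # input interface


@dataclass
class Rule:
    target: str                              # "ACCEPT" or "DROP"
    proto: Optional[str] = None              # -p; None matches any protocol
    iface: Optional[str] = None              # -i
    src: Optional[str] = None                # -s host/32
    sport: Optional[int] = None              # --source-port
    dport: Optional[Tuple[int, int]] = None  # --destination-port lo:hi

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.src is not None and p.src != self.src:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None:
            lo, hi = self.dport
            if p.dport is None or not (lo <= p.dport <= hi):
                return False
        return True


def verdict(chain: List[Rule], packet: Packet, policy: str = "ACCEPT") -> str:
    """iptables semantics: rules are tried in order, first match decides."""
    for rule in chain:
        if rule.matches(packet):
            return rule.target
    return policy


def port(n: int) -> Tuple[int, int]:
    return (n, n)


# The INPUT chain from the question, in the order it was listed.
ORIGINAL_INPUT = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", proto="tcp", dport=port(1976)),
    Rule("ACCEPT", proto="tcp", dport=port(80)),    # www
    Rule("ACCEPT", proto="tcp", dport=port(53)),    # domain
    Rule("ACCEPT", proto="udp", dport=port(53)),    # domain
    Rule("ACCEPT", proto="tcp", dport=port(110)),   # pop3
    Rule("ACCEPT", proto="tcp", dport=port(25)),    # smtp
    Rule("ACCEPT", proto="icmp"),
    Rule("DROP"),                                   # the "last rule"
]

ISP_DNS = "198.51.100.53"  # constructed placeholder for <isp dns server ip>

# The rule from the answer: UDP from the ISP resolver, source port 53,
# to any ephemeral destination port 1024:65535.
DNS_REPLY_RULE = Rule("ACCEPT", proto="udp", src=ISP_DNS, sport=53, dport=(1024, 65535))

# Placed *before* the DROP so it can ever match (see usage note).
FIXED_INPUT = ORIGINAL_INPUT[:-1] + [DNS_REPLY_RULE] + ORIGINAL_INPUT[-1:]


def dns_reply(src: str = ISP_DNS, sport: int = 53, dport: int = 40123) -> Packet:
    """A reply to a query the local resolver sent from ephemeral port 40123 (constructed)."""
    return Packet("udp", src, sport, dport)


def ephemeral_source_port() -> int:
    """Ask the kernel which local port an outgoing UDP query would use.
    connect() on a UDP socket sends no packet; it only picks the local port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect(("127.0.0.1", 53))
        return s.getsockname()[1]
    finally:
        s.close()


if __name__ == "__main__":
    print("reply under original chain:", verdict(ORIGINAL_INPUT, dns_reply()))
    print("reply under fixed chain:   ", verdict(FIXED_INPUT, dns_reply()))
    print("kernel-chosen query source port:", ephemeral_source_port())
```

Two things the model makes visible. First, the ordering caveat: `iptables -A INPUT` appends, so typed as given against the chain above the new ACCEPT would land after the unconditional DROP and never be reached; insert it before the DROP (`iptables -I INPUT <n> ...`) or re-add the DROP afterwards. Second, the trust caveat the answer already flags: the rule keys only on source address and source port 53, both of which a sender controls, which is why the usual replacement on a modern kernel is a stateful rule such as `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` that admits replies to queries this host actually sent.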
Source: The Ubuntu Forum Community, Ubuntu Specialised Support > Ubuntu Servers, Cloud and Juju > Server Platforms. Thread marked [SOLVED].