PROBLEM
Unable to do external recursive lookups from a BIND9 DNS server running on the
firewall machine.
Recursive lookups worked fine from a BIND9 DNS server running on a machine on
the local network.
CAUSE
SuSEfirewall2 was dropping the DNS UDP reply packets coming back from the external
nameservers on port 53. This was visible in firewall TEST mode in the syslog as
SuSE-FW-DROP IN= OUT= MAC=... SRC= DST=<firewall>
LEN=... TOS=0x10 PREC=0x00 TTL=... ID=... DF PROTO=UDP SPT=53 DPT=53 LEN=...
SOLUTION
1. In /etc/sysconfig/scripts/SuSEfirewall2-custom add the following rule in
fw_custom_after_antispoofing().
iptables -A input_ext -j ACCEPT -p udp --sport 53 --dport 53 -m state --state ESTABLISHED,RELATED
(This puts the rule at the start of the input_ext chain. It might be better
somewhere else but I haven't experimented.)
2. In the /etc/sysconfig/SuSEfirewall2 configuration file, enable the custom script by
setting the following variable, as shown in the commented-out example already in the file.
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
3. Change the nameserver in /etc/resolv.conf to point to the firewall server.
nameserver <local nameserver ip address>
4. Run /sbin/SuSEfirewall2.
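As an added example (not part of the original note, and not SuSE's own code), here is the step 1 hook written out as it would sit in the custom script, together with a small filter that picks the DNS reply drops quoted under CAUSE out of the syslog so you can confirm they stop after the reload. The firewall address 192.0.2.1, the interface name and the sample log lines are constructed for the example; IPTABLES is overridable so the hook can be dry-run as an unprivileged user.

```shell
#!/bin/sh
# Added example: SuSEfirewall2 custom hook plus a syslog filter for the
# SuSE-FW-DROP lines described in the note.  Not SuSE's own code.

IPTABLES="${IPTABLES:-iptables}"
# Assumed address of the firewall's external interface (documentation range).
FIREWALL_IP="${FIREWALL_IP:-192.0.2.1}"

# The rule from step 1.  The state match is what keeps port 53 closed from
# the outside: only replies to queries the firewall itself sent are accepted,
# not arbitrary unsolicited packets that merely carry source port 53.
fw_custom_after_antispoofing() {
    "$IPTABLES" -A input_ext -j ACCEPT -p udp --sport 53 --dport 53 \
        -m state --state ESTABLISHED,RELATED
}

# Print 1 if the syslog line is a SuSE-FW-DROP of a UDP packet from source
# port 53 addressed to the firewall (the pattern quoted under CAUSE), else 0.
is_dropped_dns_reply() {
    line=$1
    case $line in
        *SuSE-FW-DROP*) ;;
        *) echo 0; return ;;
    esac
    proto=$(printf '%s\n' "$line" | sed -n 's/.*PROTO=\([A-Za-z0-9]*\).*/\1/p')
    spt=$(printf '%s\n' "$line" | sed -n 's/.*SPT=\([0-9]*\).*/\1/p')
    dst=$(printf '%s\n' "$line" | sed -n 's/.*DST=\([0-9.]*\).*/\1/p')
    if [ "$proto" = "UDP" ] && [ "$spt" = "53" ] && [ "$dst" = "$FIREWALL_IP" ]; then
        echo 1
    else
        echo 0
    fi
}

# Count such drops on stdin, e.g.
#   grep SuSE-FW-DROP /var/log/messages | count_dropped_dns_replies
count_dropped_dns_replies() {
    n=0
    while IFS= read -r l; do
        if [ "$(is_dropped_dns_reply "$l")" = 1 ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Dry run of the hook without touching the live firewall:
#   IPTABLES=echo fw_custom_after_antispoofing
```

Two things worth checking with this. First, run `IPTABLES=echo` once to see the exact rule the hook will append before letting the real SuSEfirewall2 reload install it. Second, the SPT=53 DPT=53 pattern in the log means the local BIND is sending its queries from source port 53; if it is ever configured to query from other ports, replies will no longer match `--dport 53` and the drops will reappear, so the filter above is also a quick way to spot that.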
CAVEAT
This works for me, and appears secure (port scan from www.grs.com shows port
53 as stealthed) but this is my first "dip" into IPTABLES!
If anyone has a more secure (or just plain better) solution please let me
know!