On Mon, 20 Mar 2000, Stephen Smith wrote:

> I want to accept DNS server use from a range of IP addresses. How do I do that?
>
> I tried using IPChains - accepting from certain subnets and denying everyone else.
> But that blocked the lookups from the other servers.

#!/bin/sh
# Undefine LOCALNET if there is no network card
LOCALNET=10.1.1.0
INTIP=10.1.1.96
EXTIP=192.168.1.90

# Find out what nameservers we use
NAMESERVERS=`awk '($1 ~ "nameserver") {print $2}' < /etc/resolv.conf`

if [ -z "$NAMESERVERS" ]
then
    # No nameservers configured: accept DNS to port 53 from anywhere on the external side
    ipchains -A ext-in -j ACCEPT -p TCP -d 0/0 53
    ipchains -A ext-in -j ACCEPT -p UDP -d 0/0 53
else
    # Only the configured nameservers may talk to port 53 on the external address
    for NAMESERVER in ${NAMESERVERS} ; do
        ipchains -A ext-in -j ACCEPT -p TCP -s $NAMESERVER -d $EXTIP 53
        ipchains -A ext-in -j ACCEPT -p UDP -s $NAMESERVER -d $EXTIP 53
    done
fi

# for internal use of dns services
ipchains -A int-in -j ACCEPT -p TCP -s $LOCALNET/24 -d $INTIP 53
ipchains -A int-in -j ACCEPT -p UDP -s $LOCALNET/24 -d $INTIP 53

# ext-in is the input chain for the external interface
# int-in is the input chain for the internal interface

Don't forget the dns stuff that Mike suggested as well.

If you throw a "-l" on the end of all of the above ipchains commands you should see ACCEPTs in the logs when queries are made.

Also don't forget that dns queries to port 53 in both TCP and UDP come from either above 1023 or from port 53.

ciao,

der.hans
--
# +++++++++++=================================+++++++++++ #
# der.hans@LuftHans.com www.excelco.com #
# http://home.pages.de/~lufthans/ #
# I'm not anti-social, I'm pro-individual. - der.hans #
# ===========+++++++++++++++++++++++++++++++++=========== #
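As an added illustration of the "-l" suggestion above (not part of the original mail), this script reads ipchains kernel log lines and checks the two properties der.hans describes: that port-53 traffic comes from source port 53 or a port above 1023, and that ACCEPTs on ext-in only come from the nameservers the rules were built for. The log lines and the nameserver list are constructed here, and the "Packet log:" field layout is assumed from ipchains logging.

```shell
#!/bin/sh
# Constructed sample of ipchains "-l" log lines; field layout assumed as:
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ...
SAMPLE_LOG='Mar 20 10:01:02 fw kernel: Packet log: ext-in ACCEPT eth0 PROTO=17 192.168.1.5:1029 192.168.1.90:53 L=60 S=0x00 I=1234 F=0x0000 T=64
Mar 20 10:01:03 fw kernel: Packet log: ext-in ACCEPT eth0 PROTO=17 192.168.1.5:53 192.168.1.90:53 L=60 S=0x00 I=1235 F=0x0000 T=64
Mar 20 10:01:05 fw kernel: Packet log: ext-in DENY eth0 PROTO=17 192.168.1.77:1040 192.168.1.90:53 L=60 S=0x00 I=1236 F=0x0000 T=64
Mar 20 10:01:06 fw kernel: Packet log: ext-in ACCEPT eth0 PROTO=6 192.168.1.6:1031 192.168.1.90:53 L=60 S=0x00 I=1237 F=0x0000 T=64
Mar 20 10:01:07 fw kernel: Packet log: int-in ACCEPT eth1 PROTO=17 10.1.1.20:1033 10.1.1.96:53 L=60 S=0x00 I=1238 F=0x0000 T=64
Mar 20 10:01:08 fw kernel: Packet log: ext-in ACCEPT eth0 PROTO=17 192.168.1.5:80 192.168.1.90:53 L=60 S=0x00 I=1239 F=0x0000 T=64
Mar 20 10:01:09 fw kernel: Packet log: ext-in ACCEPT eth0 PROTO=17 192.168.1.77:1050 192.168.1.90:53 L=60 S=0x00 I=1240 F=0x0000 T=64'

# Nameservers the ext-in rules were generated for (constructed; the script
# in the mail derives this list from /etc/resolv.conf).
ALLOWED_NS="192.168.1.5 192.168.1.6"

# dns_log_report: log lines on stdin -> one line per port-53 entry:
#   <chain> <target> <proto> <src> <sport> <flag>
# flag: OK, ODD-SPORT (source port neither 53 nor >1023), or UNLISTED
# (an ACCEPT on ext-in from an address that is not a listed nameserver).
dns_log_report() {
    awk -v allowed="$ALLOWED_NS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /Packet log:/ {
        # Find the "log:" token so the syslog prefix length does not matter
        for (i = 1; i <= NF; i++) if ($i == "log:") break
        chain = $(i+1); target = $(i+2); proto = $(i+4); src = $(i+5); dst = $(i+6)
        split(src, s, ":"); split(dst, d, ":")
        if (d[2] + 0 != 53) next
        p = (proto == "PROTO=17") ? "UDP" : ((proto == "PROTO=6") ? "TCP" : proto)
        flag = "OK"
        if (s[2] + 0 != 53 && s[2] + 0 <= 1023) flag = "ODD-SPORT"
        else if (chain == "ext-in" && target == "ACCEPT" && !(s[1] in ok)) flag = "UNLISTED"
        print chain, target, p, s[1], s[2], flag
    }'
}

# count_flag <flag>: number of report lines carrying that flag
count_flag() {
    printf '%s\n' "$SAMPLE_LOG" | dns_log_report | awk -v f="$1" '$6 == f { c++ } END { print c + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | dns_log_report
```

An UNLISTED line means a rule accepted port-53 traffic from an address the resolv.conf-derived list never contained, which points at a stale or wrongly ordered rule rather than at the client.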