Ok, why would I want to block using both IP Chains and at the DNS query level? What I have is a server that has a public IP address that I don't want to serve the general public.

Stephen

> On Mon, 20 Mar 2000, Stephen Smith wrote:
>
> > I want to accept DNS server use from a range of IP addresses. How do I do that?
> >
> > I tried using IPChains - accepting from certain subnets and denying everyone else.
> > But that blocked the lookups from the other servers.
>
> # Undefine LOCALNET if there is no network card
> LOCALNET=10.1.1.0
> INTIP=10.1.1.96
> EXTIP=192.168.1.90
>
> # Find out what nameservers we use
> NAMESERVERS=`awk '($1 ~ "nameserver") {print $2}' < /etc/resolv.conf`
>
> if [ -z "$NAMESERVERS" ]
> then
>   ipchains -A ext-in -j ACCEPT -p TCP -d 0/0 53
>   ipchains -A ext-in -j ACCEPT -p UDP -d 0/0 53
> else
>   for NAMESERVER in ${NAMESERVERS} ; do
>     ipchains -A ext-in -j ACCEPT -p TCP -s $NAMESERVER -d $EXTIP 53
>     ipchains -A ext-in -j ACCEPT -p UDP -s $NAMESERVER -d $EXTIP 53
>   done
> fi
>
> # for internal use of dns services
> ipchains -A int-in -j ACCEPT -p TCP -s $LOCALNET/24 -d $INTIP 53
> ipchains -A int-in -j ACCEPT -p UDP -s $LOCALNET/24 -d $INTIP 53
>
> # ext-in is the input chain for the external interface
> # int-in is the input chain for the internal interface
>
> Don't forget the dns stuff that Mike suggested as well.
>
> If you throw a "-l" on the end of all of the above ipchains commands you
> should see ACCEPTs in the logs when queries are made. Also don't forget
> that dns queries to port 53 in both TCP and UDP come either from above 1023 or
> from port 53.
>
> ciao,
>
> der.hans
> --
> # +++++++++++=================================+++++++++++ #
> # der.hans@LuftHans.com www.excelco.com #
> # http://home.pages.de/~lufthans/ #
> # I'm not anti-social, I'm pro-individual.
> - der.hans #
> # ===========+++++++++++++++++++++++++++++++++=========== #
>
> _______________________________________________
> Plug-discuss mailing list - Plug-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
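As an added example (not code from the thread or from der.hans), the following POSIX shell script turns the rule set quoted above into a dry run: it reads the nameserver lines from resolv.conf text, prints the ipchains commands for accepting port 53 from those upstream servers and from the local subnet, and finishes with a logged catch-all DENY on the external chain so "denying everyone else" is explicit rather than implied. Where the quoted script opens port 53 to 0/0 when resolv.conf lists no nameserver, this version prints a comment and keeps the deny instead. The chain names ext-in and int-in, the addresses, and the resolv.conf content are constructed values; nothing is executed, so the output can be reviewed before being fed to a real firewall.

```shell
#!/bin/sh
# Added example: generate (do not run) an ipchains rule set that restricts DNS
# on the external interface to the host's upstream nameservers plus a local
# subnet, with everything else on ext-in denied and logged.
# All addresses and chain names below are constructed for the example.

# Constructed resolv.conf content standing in for /etc/resolv.conf.
SAMPLE_RESOLV_CONF='# constructed sample resolv.conf
nameserver 192.0.2.10
nameserver 192.0.2.11
search example.test
'

# Read resolv.conf text on stdin, print one nameserver address per line.
nameservers_from_resolv() {
    awk '$1 == "nameserver" { print $2 }'
}

# Read nameserver addresses on stdin and print the ipchains commands.
# Arguments: external IP, internal IP, local network in CIDR form.
# ext-in / int-in are assumed user-defined input chains for the external and
# internal interfaces, so the final DENY rule (not a chain policy, which only
# built-in chains have) is what rejects unmatched traffic.
dns_rules() {
    extip=$1
    intip=$2
    localnet=$3
    count=0
    while read -r ns; do
        [ -n "$ns" ] || continue
        count=$((count + 1))
        # Replies/queries from an upstream nameserver to our port 53, TCP and UDP.
        # -l logs each match so accepted queries show up in the kernel log.
        echo "ipchains -A ext-in -j ACCEPT -l -p TCP -s $ns -d $extip 53"
        echo "ipchains -A ext-in -j ACCEPT -l -p UDP -s $ns -d $extip 53"
    done
    if [ "$count" -eq 0 ]; then
        echo "# no nameserver entries found; port 53 stays closed on ext-in"
    fi
    # Internal subnet may query the internal address, TCP and UDP.
    echo "ipchains -A int-in -j ACCEPT -l -p TCP -s $localnet -d $intip 53"
    echo "ipchains -A int-in -j ACCEPT -l -p UDP -s $localnet -d $intip 53"
    # Anything else arriving on the external chain is dropped and logged.
    echo "ipchains -A ext-in -j DENY -l"
}

# Convenience wrapper used by the stand-alone run below: full pipeline on the
# constructed sample with constructed addresses.
generate_sample_rules() {
    printf '%s' "$SAMPLE_RESOLV_CONF" | nameservers_from_resolv |
        dns_rules 192.168.1.90 10.1.1.96 10.1.1.0/24
}

generate_sample_rules
```

The script only prints commands; piping its output to `sh` on a host that still runs ipchains would apply them, but reviewing the printed lines first (and checking that both TCP and UDP rules exist for every upstream server) is the point of the dry run.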