silwerspawn (Apprentice)
Joined: 01 Feb 2007, Posts: 183
Posted: Sun May 11, 2008 8:21 pm
Post subject: axfr transfer connection problem
Hey everyone,
I have some problem getting a connection from an AXFR transfer (gratisdns.dk) to my server.
I get connection refused. I know it's my server that makes trouble, and I'm almost sure it's my iptables configuration that makes trouble.
Code:
# Generated by iptables-save v1.3.8 on Sun May 11 20:13:12 2008
*nat
:PREROUTING ACCEPT [5666520:506750747]
:POSTROUTING ACCEPT [4158:394990]
:OUTPUT ACCEPT [2148795:181460447]
-A POSTROUTING -o WAN -j MASQUERADE
COMMIT
# Completed on Sun May 11 20:13:12 2008
# Generated by iptables-save v1.3.8 on Sun May 11 20:13:12 2008
*mangle
:PREROUTING ACCEPT [72308373:5137856559]
:INPUT ACCEPT [70462435:3982746207]
:FORWARD ACCEPT [1839946:1154764886]
:OUTPUT ACCEPT [113297478:148494596726]
:POSTROUTING ACCEPT [115219548:149663618279]
COMMIT
# Completed on Sun May 11 20:13:12 2008
# Generated by iptables-save v1.3.8 on Sun May 11 20:13:12 2008
*filter
:INPUT ACCEPT [65932197:3724894975]
:FORWARD DROP [6846:1748257]
:OUTPUT ACCEPT [113297478:148494596726]
-A INPUT -i lo -j ACCEPT
-A INPUT -i LAN -j ACCEPT
-A INPUT -i ! LAN -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i WAN -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i WAN -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49152:65534 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i ! LAN -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT -i ! LAN -p udp -m udp --dport 0:1023 -j DROP
-A FORWARD -d 192.168.0.0/255.255.0.0 -i LAN -j DROP
-A FORWARD -s 192.168.0.0/255.255.0.0 -i LAN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i WAN -j ACCEPT
COMMIT
# Completed on Sun May 11 20:13:12 2008
Is there anything wrong with it?
alex.blackbit (Advocate)
Joined: 26 Jul 2005, Posts: 2397
Posted: Sun May 11, 2008 8:43 pm
Without completely parsing your config: does your DNS server work normally on your WAN interface?
You can try that from outside your network.
Whether the AXFR stuff works can be tested e.g. with
silwerspawn (Apprentice)
Joined: 01 Feb 2007, Posts: 183
Posted: Sun May 11, 2008 8:54 pm
Sorry, I should have told you: gratisdns.dk is a free service for secondary DNS servers.
You add your hostname and IP, and it runs.
So there is nothing wrong with GratisDNS.
This is what I get when running the test from their site:
Code:
;; Connection to 80.162.69.178#53(80.162.69.178) for frostdrake.tk failed: connection refused.
alex.blackbit (Advocate)
Joined: 26 Jul 2005, Posts: 2397
Posted: Sun May 11, 2008 10:14 pm
What exactly are you trying to do?
Which command did you use?
silwerspawn (Apprentice)
Joined: 01 Feb 2007, Posts: 183
Posted: Mon May 12, 2008 2:28 pm
I don't know what command it runs at gratisdns.dk,
and I can't see anything else than that.
But what I was asking is: have I messed up the iptables?
alex.blackbit (Advocate)
Joined: 26 Jul 2005, Posts: 2397
Posted: Mon May 12, 2008 6:34 pm
Quote: But what I was asking is: have I messed up the iptables?
That's why I asked you to try the connection to port 53 from outside the network. I don't like parsing such scripts in my head if there is a very easy way to try it out.
silwerspawn (Apprentice)
Joined: 01 Feb 2007, Posts: 183
Posted: Mon May 12, 2008 6:53 pm
Ahh okay, sorry.
I don't have a machine on the outside right now.
So maybe you could try on 80.162.69.178, if it's not too much trouble.
The domain is frostdrake.tk, but that does not work.
silwerspawn (Apprentice)
Joined: 01 Feb 2007, Posts: 183
Posted: Thu Jun 05, 2008 4:14 pm
I think I found what was troubling me now.
I get this now in my log:
Code:
05-Jun-2008 17:07:59.855 no longer listening on 127.0.0.1#53
05-Jun-2008 17:07:59.855 no longer listening on 192.168.0.1#53
05-Jun-2008 17:07:59.855 no longer listening on 80.162.69.178#53
Why is it doing this?
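The check alex.blackbit was pointing at, written out as an added example that is not from the thread: a first-match walk over the INPUT chain from the first post (rules and the WAN/LAN interface names are the poster's; the evaluator is mine and models only -i, -p, --dport and -j) shows a TCP SYN to port 53 on WAN is ACCEPTed. Since these rules only DROP (which looks like a timeout from outside) and REJECT nothing but udp/67, a "connection refused" is a TCP RST from the host itself, i.e. nothing bound to port 53, which the "no longer listening" log in the last post is consistent with.

```python
"""Added example: first-match evaluation of the thread's INPUT chain.
Only -i / -i ! / -p / --dport / -j are modelled; the chain policy covers the rest."""
import re

# Constructed from the first post's filter table (old "-i ! LAN" syntax).
RULES = """
-A INPUT -i lo -j ACCEPT
-A INPUT -i LAN -j ACCEPT
-A INPUT -i ! LAN -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i WAN -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i WAN -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49152:65534 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i ! LAN -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT -i ! LAN -p udp -m udp --dport 0:1023 -j DROP
"""

RULE_RE = re.compile(
    r"-A INPUT(?: -i (?P<neg>! )?(?P<iface>\S+))?(?: -p (?P<proto>\S+))?"
    r"(?:.*? --dport (?P<lo>\d+)(?::(?P<hi>\d+))?)?.*? -j (?P<target>\S+)")

def parse(rules=RULES):
    """Yield (iface, negated, proto, (lo, hi) or None, target) for each rule."""
    for line in rules.strip().splitlines():
        d = RULE_RE.match(line).groupdict()      # raises on a shape we don't model
        ports = (int(d["lo"]), int(d["hi"] or d["lo"])) if d["lo"] else None
        yield d["iface"], d["neg"] is not None, d["proto"], ports, d["target"]

def verdict(iface, proto, dport, rules=RULES, policy="ACCEPT"):
    """Target of the first rule the packet matches, else the chain policy."""
    for r_iface, neg, r_proto, ports, target in parse(rules):
        if r_iface and (r_iface == iface) == neg:          # -i X or -i ! X
            continue
        if (r_proto and r_proto != proto) or (ports and not ports[0] <= dport <= ports[1]):
            continue
        return target
    return policy

def diagnose(iface, proto, dport, symptom):
    """Combine the chain verdict with the symptom seen from outside (refused/timeout)."""
    v = verdict(iface, proto, dport)
    if symptom == "refused" and v == "ACCEPT":
        return "chain ACCEPTs; the RST came from the host: nothing listening on the port"
    if symptom == "timeout" and v == "DROP":
        return "silently dropped by the firewall"
    return "verdict %s does not by itself explain '%s'" % (v, symptom)
```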