Web Host Chat - The UK's host forum since 2001!
Thread: IPtables

  1. #1
    Registered User

    IPtables

    I seem to have random issues with iptables.

    There is an allow rule for port 53 TCP/UDP (DNS).

    Randomly, like once a month, DNS lookups keep failing and the only way to resolve it is to do a restart of iptables, and then it works fine again.

    Anyone else had this issue?

  2. #2
    Quote Originally Posted by uk26:
    I seem to have random issues with iptables.

    There is an allow rule for port 53 TCP/UDP (DNS).

    Randomly, like once a month, DNS lookups keep failing and the only way to resolve it is to do a restart of iptables, and then it works fine again.

    Anyone else had this issue?
    Nope, not had anything like that.

    Have you done any troubleshooting to see whereabouts in the rules the packets are being dropped when you run into the problem?

    Is there any kind of pattern for when this occurs?
    Freethought Internet

  3. #3
    Registered User
    A simple TCP/UDP allow shouldn't cause any issues.

    Which OS are you running?
    Anything of interest in the logs around the time DNS fails?
    Can you provide a copy of the rules?

  4. #4
    Dear Sir / Madam,

    We have investigated your issue and we believe that the problem most likely lies in the connection tracking feature of iptables.

    By default each new flow passing through iptables creates a connection tracking entry. Unfortunately, due to the nature of UDP DNS, this can create an excessively large number of flows very quickly and fill the connection tracking table. This can usually be confirmed by looking in the kernel log while the issue is occurring and observing "connection tracking table full" errors.

    The solution to this, and something that we would recommend in every iptables installation, is to disable the connection tracking feature for UDP DNS packets, with rules such as the following:

    Code:
    # raw table is evaluated before conntrack; NOTRACK exempts matching packets from tracking
    iptables -t raw -A PREROUTING -p udp -m udp --dport 53 -j NOTRACK
    iptables -t raw -A OUTPUT -p udp -m udp --sport 53 -j NOTRACK
    This configuration will prevent tracking entries being created for UDP DNS packets. Since these will presumably always be allowed in both directions, the connection tracking serves no purpose.

    We hope this will resolve the problem, but if not, please do let us know, and we will shrug our shoulders and stare back blankly.

    Charlie
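As an added example (not part of the thread), a small POSIX shell script for the diagnosis Charlie describes: it reads the standard nf_conntrack_count / nf_conntrack_max sysctls and counts the kernel's "table full, dropping packet" messages, so the conntrack explanation can be confirmed or ruled out before any NOTRACK rules are added. The sample log lines are constructed, and the 80% warning threshold is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks for the failure mode
# described in post #4: how full the conntrack table is (from the standard
# nf_conntrack sysctls) and whether the kernel has logged the
# "table full, dropping packet" message. The sample log lines are constructed.

# Percent of the conntrack table in use; prints 0 and fails if max is invalid.
conntrack_usage_pct() {
    count="$1"; max="$2"
    [ "$max" -gt 0 ] 2>/dev/null || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# Number of "table full, dropping packet" lines in a kernel log (file or stdin).
count_table_full() {
    grep -c 'table full, dropping packet' "${1:--}" || :
}

# Rate a count/max pair: FULL at the limit, WARN at or above 80% (assumed), else OK.
conntrack_status() {
    pct=$(conntrack_usage_pct "$1" "$2") || { echo UNKNOWN; return 0; }
    if [ "$1" -ge "$2" ]; then echo FULL
    elif [ "$pct" -ge 80 ]; then echo WARN
    else echo OK; fi
}

# Live check on a host; the sysctls exist once the nf_conntrack module is loaded.
live_check() {
    cnt=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
    echo "conntrack: $cnt/$max entries, status $(conntrack_status "$cnt" "$max")"
    echo "table-full events in kernel log: $(dmesg | count_table_full)"
}

# Constructed sample kernel log standing in for dmesg output during an outage.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[1234.001] nf_conntrack: table full, dropping packet
[1234.002] nf_conntrack: table full, dropping packet
[1234.500] eth0: link is up
EOF
echo "sample log table-full events: $(count_table_full "$SAMPLE_LOG")"
echo "sample status 65000/65536: $(conntrack_status 65000 65536)"
```

Untracked packets never match ESTABLISHED/RELATED rules, so once NOTRACK is in place the filter chains need explicit ACCEPT rules for UDP 53 in both directions. The rules quoted above match a host that serves DNS (inbound queries, outbound replies); a host that only performs lookups would match --dport 53 on OUTPUT and --sport 53 on PREROUTING instead.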

  5. #5
    Registered User
    Got it. I also want to know about it in detail.
