bind9, rndc and iptables

Recently (well, a couple of months ago) I finally decided to rent a server at a large co-location server farm (serverpronto.com) and picked Debian as the Linux distro of choice.

After a while I wanted to set up the new server as a DNS slave, which wasn't as hard as I had expected. But when it came to stopping or restarting the bind daemon on that box, I always got

rndc: connect failed: connection refused

even though I was sure that I had configured my named.conf and rndc.conf files correctly, and the file permissions were correct as well.

No matter what I did, rndc could not connect to a running named instance. Checking in /var/log/messages I saw that the bind daemon opened the control channel on port 953, and rndc was configured to connect to that socket on localhost.

Finally I decided to ping localhost and got

# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
From 127.0.0.1 icmp_seq=2 Destination Port Unreachable
From 127.0.0.1 icmp_seq=3 Destination Port Unreachable

WTF!?

So there was something fun-key with my setup. Turns out that the system comes with iptables set up by default, and ICMP was disabled

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:10000
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

After some quick googling of what to do, I decided to simply delete the offending INPUT rule with

iptables -D INPUT 11

and not only can I ping localhost now, but rndc works as well.
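An added check, my own example and not code from the post: it parses an `iptables -L` listing, counts to the catch-all REJECT the way the author counted to rule 11, and suggests an alternative. Because the chain policy printed above is ACCEPT, deleting rule 11 leaves every port not explicitly listed reachable from the network; inserting an `-i lo -j ACCEPT` rule ahead of the catch-all lets localhost (ping, rndc on 953) through while keeping the default deny. The sample listing is the one printed above; the function names are mine.

```python
# Constructed sample: the INPUT chain exactly as printed in the post above.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:10000
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
"""

def parse_chain(listing, chain="INPUT"):
    """Return (policy, rules); rule numbers are the ones `iptables -D CHAIN n` counts."""
    policy, rules, in_chain = None, [], False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            parts = line.split()              # ["Chain", "INPUT", "(policy", "ACCEPT)"]
            in_chain = parts[1] == chain
            if in_chain:
                policy = parts[-1].rstrip(")")
            continue
        if not in_chain or not line.strip() or line.startswith("target "):
            continue
        f = line.split(None, 5)  # target prot opt source destination [match/extra]
        rules.append({"num": len(rules) + 1, "target": f[0], "prot": f[1],
                      "src": f[3], "dst": f[4], "extra": f[5] if len(f) > 5 else ""})
    return policy, rules

def catchall_reject(rules):
    """Rule number of the first REJECT/DROP that matches every packet, or None."""
    return next((r["num"] for r in rules
                 if r["target"] in ("REJECT", "DROP") and r["prot"] == "all"
                 and r["src"] == r["dst"] == "anywhere"
                 and (not r["extra"] or r["extra"].startswith("reject-with"))), None)

def loopback_fix(listing, chain="INPUT"):
    """Keep the catch-all and let loopback traffic in ahead of it; deleting the
    catch-all instead hands every unmatched packet to the chain policy."""
    policy, rules = parse_chain(listing, chain)
    n = catchall_reject(rules)
    return None if n is None else {
        "reject_rule": n, "policy_after_delete": policy,
        "insert": f"iptables -I {chain} 1 -i lo -j ACCEPT"}
```

Run `iptables -L INPUT -n | python3 -c '...'` style against a live box only after checking with `iptables -L -v` that no loopback accept already exists, since plain `-L` does not show the interface column.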

Hazzah!
