FIX DNS Rules: allow protocol tcp for requesting large records.
This commit is contained in:
parent
8ed62f8377
commit
355086a2a4
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,4 +1,4 @@
|
||||
*.swp
|
||||
.*.swp
|
||||
conf/interfaces_ipv4.conf
|
||||
conf/interfaces_ipv6.conf
|
||||
conf/main_ipv4.conf
|
||||
|
||||
@ -1228,11 +1228,19 @@ echononl "\t\tDNS Service Gateway"
|
||||
# -
|
||||
if $local_dns_service ; then
|
||||
|
||||
# dns requests
|
||||
#
|
||||
# Note:
|
||||
# If the total size of the DNS record is larger than 512 bytes,
|
||||
# it will be sent over TCP, not UDP.
|
||||
#
|
||||
|
||||
# - Allow requests from local networks
|
||||
# -
|
||||
for _dev in ${local_if_arr[@]} ; do
|
||||
# - in
|
||||
$ip6t -A INPUT -i $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A INPUT -i $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||||
done
|
||||
|
||||
# - Zonetransfere (uses tcp/53)
|
||||
@ -1264,11 +1272,21 @@ echononl "\t\tDNS Service local Network"
|
||||
# - Make nameservers at the local network area rechable for all
|
||||
# -
|
||||
if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
|
||||
|
||||
# dns requests
|
||||
#
|
||||
# Note:
|
||||
# If the total size of the DNS record is larger than 512 bytes,
|
||||
# it will be sent over TCP, not UDP.
|
||||
#
|
||||
|
||||
for _ip in ${dns_server_ip_arr[@]} ; do
|
||||
$ip6t -A OUTPUT -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A OUTPUT -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||||
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
|
||||
for _dev in ${local_if_arr[@]} ; do
|
||||
$ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||||
done
|
||||
fi
|
||||
done
|
||||
|
||||
@ -1699,11 +1699,19 @@ echononl "\t\tDNS Service Gateway"
|
||||
# -
|
||||
if $local_dns_service ; then
|
||||
|
||||
# dns requests
|
||||
#
|
||||
# Note:
|
||||
# If the total size of the DNS record is larger than 512 bytes,
|
||||
# it will be sent over TCP, not UDP.
|
||||
#
|
||||
|
||||
# - Allow requests from local networks
|
||||
# -
|
||||
for _dev in ${local_if_arr[@]} ; do
|
||||
# - in
|
||||
$ipt -A INPUT -i $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ipt -A INPUT -i $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||||
done
|
||||
|
||||
# - Zonetransfere (uses tcp/53)
|
||||
@ -1735,11 +1743,21 @@ echononl "\t\tDNS Service local Network"
|
||||
# - Make nameservers at the local network area rechable for all
|
||||
# -
|
||||
if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
|
||||
|
||||
# dns requests
|
||||
#
|
||||
# Note:
|
||||
# If the total size of the DNS record is larger than 512 bytes,
|
||||
# it will be sent over TCP, not UDP.
|
||||
#
|
||||
|
||||
for _ip in ${dns_server_ip_arr[@]} ; do
|
||||
$ipt -A OUTPUT -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ipt -A OUTPUT -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||||
if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
|
||||
for _dev in ${local_if_arr[@]} ; do
|
||||
$ipt -A FORWARD -i $_dev -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||||
done
|
||||
fi
|
||||
done
|
||||
|
||||
Loading…
Reference in New Issue
Block a user