I ran `iptables -P INPUT DROP` to block all incoming packets.
Then I allowed packets belonging to related or already established connections with `iptables -A INPUT --match conntrack --ctstate RELATED,ESTABLISHED --jump ACCEPT`.

Opening the browser and navigating around made me realize that DNS was not working. Only after `sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT` did it work.

So I wonder: "Why do I have to allow the destination port to be reachable on input? I'm connecting outwards to a DNS server and the answer should come back to a high port."

Greg Askew
Agyss

1 Answer
Note: I'm on Kubuntu 25.04; this answer may strongly depend on your environment.

The reason is that DNS caching and forwarding on recent (K)Ubuntu versions uses localhost (127.0.0.53) for running systemd-resolved (details about systemd-resolved and why it runs on .53, and details on the 127.0.0.0/8 network).

So, as pointed out in the question, I actually am running a DNS server on localhost.

To prevent all issues with services running locally, it is best to allow your localhost to access all localhost services in iptables with: `iptables -A INPUT -i lo -j ACCEPT`

tsc_chazz
Agyss
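To make the answer's point concrete, here is an added example (not from the original post or its author): a small Python model of first-match evaluation in the INPUT chain, run against constructed packets for the question's rule set, the question's `--dport 53` workaround, and the answer's `-i lo` rule. The interface name `eth0` and the packet states are assumptions for the model.

```python
# Model of an iptables INPUT chain: rules are checked in order, the first
# matching rule decides, and the chain policy applies when nothing matches.
# This is an added illustration, not iptables itself; all packets are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str     # interface the packet arrives on ("lo" for loopback)
    proto: str     # "udp" or "tcp"
    dport: int     # destination port
    ctstate: str   # conntrack state as seen in INPUT: NEW, ESTABLISHED, RELATED


def matches(rule, pkt):
    """A rule matches when every field it names agrees with the packet."""
    for field, wanted in rule["match"].items():
        value = getattr(pkt, field)
        if value not in (wanted if isinstance(wanted, set) else {wanted}):
            return False
    return True


def input_chain(rules, pkt, policy="DROP"):
    """Return the verdict for pkt under the given rules and chain policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy


# Rules from the question: -P INPUT DROP plus the conntrack ACCEPT rule.
QUESTION_RULES = [{"match": {"ctstate": {"RELATED", "ESTABLISHED"}}, "target": "ACCEPT"}]
# The question's workaround: accept udp/53 on every interface.
WORKAROUND_RULES = QUESTION_RULES + [{"match": {"proto": "udp", "dport": 53}, "target": "ACCEPT"}]
# The answer's fix: accept everything arriving on the loopback interface.
ANSWER_RULES = [{"match": {"iface": "lo"}, "target": "ACCEPT"}] + QUESTION_RULES

# Constructed packets (assumed interface name eth0):
PACKETS = {
    # the browser's query to the stub resolver on 127.0.0.53:53 is a NEW flow on lo
    "local_query": Packet("lo", "udp", 53, "NEW"),
    # the upstream server's reply to systemd-resolved's own query; conntrack saw
    # the outbound query, so the reply is ESTABLISHED and lands on a high port
    "upstream_reply": Packet("eth0", "udp", 40000, "ESTABLISHED"),
    # an unsolicited query from outside aimed at port 53 on the real interface
    "unsolicited": Packet("eth0", "udp", 53, "NEW"),
}


def verdicts(rules):
    """Evaluate every constructed packet against one rule set."""
    return {name: input_chain(rules, pkt) for name, pkt in PACKETS.items()}
```

The conntrack rule alone drops the local query because it is the first packet of its flow; the answer's `-i lo` rule admits it without also exposing port 53 on the real interface, which the `--dport 53` workaround does.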