Ubuntu Firewall blocking DNS requests to VMWARE guest with outbound traffic rules added and stateful matching done

Question

This is a unique problem related to DNS queries(tcp/udp 53) even with correct UFW/iptables rules and does not relate to /etc/resolv.conf

I can ping google DNS 8.8.8.8 but cannot resolve google.com after turning on the host ufw. Tried searching everywhere and updated ufw and iptables accordingly to allow DNS queries and allow established connection.

My numbered ufw status related to DNS is

Screenshot UFW rules

Stateful matching iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Note: vmnet 1/192.168.191.1/24, 192.168.191.130(guest), eno4 Host public interface.

The strange thing is when I turn off the host ufw, everything works perfectly on guests side. However, I am able to ping any IP addresses even after turning on the firewall.

sudo ufw status numbered | grep 53

FAILED TCPDUMP on UDP/TCP 53 only after pinging google.com via 8.8.8.8

Screenshot (UFW on host)

Note: UFW disabled on guest

This question appears to be off topic. Home and end user computing questions can be asked on [su]. — Michael Hampton, Jun 10 '21 at 11:52

Rabinpro · Answer 1 · 2021-06-11T05:18:46.773

After a lot of help from serverfault.com :P and an encouragement boost from Michael Hampton, I finally solved the missed ack flags for DNS queries while everything else worked perfectly.

The real problem was: -systemd-resolved somehow did not allow DNS queries from any other IPs except 127.0.0.1 after turning on UFW

The solution is to mangle every output from the guest VM by setting mark to 2

iptables -t mangle -A OUTPUT ! -s 192.168.191.130-j MARK --set-mark 2

where 192.168.191.130 is the cluster where you would not want to block UDP from.

CHEERS!!

Ubuntu Firewall blocking DNS requests to VMWARE guest with outbound traffic rules added and stateful matching done

1 Answers1