LinuxQuestions.org
Old 01-19-2004, 03:12 PM   #1
palmercabel
Member
 
Registered: Oct 2003
Posts: 64

Rep: Reputation: 15
DNS newbie can't get dig to work - part II


See this posting
On a hunch I turned the firewall off and the problem went away. So what's the problem with the firewall? Here is the iptables file:

:INPUT ACCEPT [11:2940]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5577:292136]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 192.168.0.1 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 192.168.0.111 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 127.0.0.1 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
 
Old 01-19-2004, 03:19 PM   #2
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 64
So I may have been right then. I think you want "--dport" not "--sport". You should also open it up to tcp connections.
 
Old 01-19-2004, 04:04 PM   #3
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
That output is really difficult to read (not your fault, iptables just has horrible syntax), but what I don't see is a rule that allows all RELATED traffic back in. What you should do is allow either a) all outbound traffic (from your host, to the Internet) and keep track of state, or b) if denying outbound by default, allow outbound to tcp, udp to dport 53 and keep track of state. The rule to allow RELATED traffic back in should allow the responses.

I hope someone rewrites iptables to be readable one of these days. It should at least be as good as PIX or ipfw, and preferably natural language like pf. How they could mangle up the syntax and output so badly with several good examples of useful syntax available, I don't know.

OK, I'll stop my "iptables is messy" rant now.
 
Old 01-19-2004, 04:23 PM   #4
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 64
chort, I quite agree with you on this. The daft thing about the redhat lokkit tool is that it has a default INPUT rule of ACCEPT then it blocks all other ports.
 
Old 01-20-2004, 10:56 AM   #5
palmercabel
Member
 
Registered: Oct 2003
Posts: 64

Original Poster
Rep: Reputation: 15
Thanks for the replies david and chort. This dns and firewall stuff is fascinating (in its better moments) to an old DBA like Me.
Thanks again
 
Old 01-20-2004, 04:10 PM   #6
palmercabel
Member
 
Registered: Oct 2003
Posts: 64

Original Poster
Rep: Reputation: 15
guys, I am not having any luck with modifying iptables. Here's the current iptables file in /etc/sysconfig (chort, if there is a way to produce a format that is easier to read, let Me know and I'll gladly use that way):

:INPUT ACCEPT [11:2940]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5577:292136]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
* --------------------
* this is the line I added to allow related traffic back in
* --------------------
-A RH-Lokkit-0-50-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 192.168.0.1 -p udp -m udp --sport 53 -j ACCEPT
* ---------------------
* these 2 lines are supposed to allow DNS traffic from the ethernet port
* ----------------------
-A RH-Lokkit-0-50-INPUT -s 192.168.0.111 -p udp -m udp --dport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 192.168.0.111 -p tcp -m tcp --dport 53 -j ACCEPT
* ---------------------
* these 2 lines are supposed to allow DNS traffic from internal procs (i.e. dig)
* ----------------------
-A RH-Lokkit-0-50-INPUT -s 127.0.0.1 -p udp -m udp --dport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 127.0.0.1 -p tcp -m tcp --dport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
COMMIT

in addition to correcting My obvious lack of understanding, I would appreciate any recommendations where an obviously clueless DBA can learn something about iptables

Thanks again
 
Old 01-20-2004, 10:29 PM   #7
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Well it *looks* right--you're allowing ESTABLISHED,RELATED, and also allowing outbound packets to port 53. Obviously there is some subtle iptables quirk that I'm missing.

Just from a correctness standpoint, I would recommend ditching Lokkit and either rolling your own script from scratch, or using one of the GUI tools (such as Guarddog, fwbuilder, or Firestarter). Lokkit just has a very dumb way of setting up rules that is completely the opposite of how firewalls are supposed to be constructed.

I recommend you check out the netfilter/iptables references in the stickied post over on the Security forum. I think it's called Security References (or maybe Resources). There's a gigantic list of HOW-TOs, etc.
 
Old 01-21-2004, 07:52 AM   #8
palmercabel
Member
 
Registered: Oct 2003
Posts: 64

Original Poster
Rep: Reputation: 15
Chort, thanks for the info. I guess I'm trying to stay as close to the "out of the box" condition of Red Hat as I can until I am confident in MY understanding, but it would probably pay in the long run to venture out a bit on this one.
BTW, do you know any way to "trace" a packet through the firewall rules so you can see how each rule affects the way netfilter deals with it ?
Thanks again.
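The two rule listings in posts #1 and #6, walked through by a small rule-tracer as an added example (not code from the thread or from Red Hat's lokkit). It models only the matches those rules actually use (-i, an exact -s address, -p, --sport, --dport, -m state and --tcp-flags) and has no connection tracker, so the conntrack state of each packet is supplied by hand; the packets below are constructed. It shows the point david_ross made: under the post #1 rules a DNS query from 192.168.0.111 (source port random, destination port 53) falls through to the UDP REJECT, while any packet that merely claims source port 53 is accepted; the post #6 rules invert both outcomes. It also shows why the default ACCEPT policy matters: a TCP packet that is not a SYN falls off the end of the Lokkit chain and is accepted by the INPUT policy.

```python
"""Trace a packet through iptables-save style rules (added example, not from the thread).
Only the matches used by the Lokkit rules in posts #1 and #6 are modelled; conntrack
state is given by hand on the Packet."""
import shlex
from dataclasses import dataclass

# INPUT-relevant lines of the ruleset in post #1 (replies matched by --sport 53).
ORIGINAL_RULES = """
:INPUT ACCEPT [11:2940]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 192.168.0.1 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 192.168.0.111 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 127.0.0.1 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
"""

# Same lines as revised in post #6 (state match first, queries matched by --dport 53).
REVISED_RULES = """
:INPUT ACCEPT [11:2940]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 192.168.0.1 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 192.168.0.111 -p udp -m udp --dport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 192.168.0.111 -p tcp -m tcp --dport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 127.0.0.1 -p udp -m udp --dport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 127.0.0.1 -p tcp -m tcp --dport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
"""

@dataclass
class Packet:
    src: str
    proto: str                       # "tcp" or "udp"
    sport: int
    dport: int
    iface: str = "eth0"
    state: str = "NEW"               # what conntrack would report: NEW / ESTABLISHED / RELATED
    flags: frozenset = frozenset()   # TCP flags set on the packet, e.g. {"SYN"}

def parse_rules(text):
    """Return ({chain: [rule dicts]}, {chain: policy}) from iptables-save lines."""
    chains, policies = {}, {}
    for line in text.strip().splitlines():
        if line.startswith(":"):                 # chain declaration: name, policy, counters
            name, policy = line[1:].split()[:2]
            chains[name], policies[name] = [], (None if policy == "-" else policy)
        elif line.startswith("-A "):
            toks, rule, i = shlex.split(line), {}, 2
            while i < len(toks):
                opt, arg = toks[i], toks[i + 1]
                if opt == "--tcp-flags":         # mask list, then the flags that must be set
                    rule["tcp_flags"] = (arg.split(","), toks[i + 2].split(","))
                    i += 3
                    continue
                if opt not in ("-m", "--reject-with"):   # these do not select packets
                    rule[opt.lstrip("-")] = arg
                i += 2
            chains[toks[1]].append(rule)
    return chains, policies

def matches(rule, pkt):
    """True if every match clause of the rule applies to the packet."""
    if rule.get("i", pkt.iface) != pkt.iface or rule.get("s", pkt.src) != pkt.src:
        return False
    if rule.get("p", pkt.proto) != pkt.proto:
        return False
    if int(rule.get("sport", pkt.sport)) != pkt.sport or int(rule.get("dport", pkt.dport)) != pkt.dport:
        return False
    if "state" in rule and pkt.state not in rule["state"].split(","):
        return False
    if "tcp_flags" in rule:                      # of the masked flags, exactly those listed must be set
        mask, want = rule["tcp_flags"]
        if any((f in pkt.flags) != (f in want) for f in mask):
            return False
    return True

def trace(rules_text, pkt, chain="INPUT", _parsed=None):
    """Walk the packet through a chain the way netfilter does; return (verdict, trail)."""
    chains, policies = _parsed or parse_rules(rules_text)
    trail = []
    for n, rule in enumerate(chains[chain], 1):
        if not matches(rule, pkt):
            continue
        target = rule["j"]
        trail.append(f"{chain}[{n}] -> {target}")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, trail
        if target in chains:                     # jump into a user-defined chain
            verdict, sub = trace(rules_text, pkt, target, (chains, policies))
            trail += sub
            if verdict:                          # no verdict means we fell off the end; carry on
                return verdict, trail
    if policies[chain]:                          # built-in chain: the policy decides
        trail.append(f"{chain} policy -> {policies[chain]}")
    return policies[chain], trail

if __name__ == "__main__":
    # Constructed packets: a DNS query from a LAN host, and an unsolicited UDP packet
    # from the same host that merely uses source port 53.
    cases = (("DNS query", Packet("192.168.0.111", "udp", 40000, 53)),
             ("unsolicited sport 53", Packet("192.168.0.111", "udp", 53, 40000)))
    for name, rules in (("post #1", ORIGINAL_RULES), ("post #6", REVISED_RULES)):
        for label, pkt in cases:
            verdict, trail = trace(rules, pkt)
            print(f"{name}  {label:22} {verdict:7} via {' ; '.join(trail)}")
```

The trail printed for each packet is the "trace" asked for in post #8: which rule in which chain matched, and whether the decision came from a rule or from the chain policy. A real ruleset would also need CIDR matching on -s and the kernel's conntrack to classify packets, which this toy deliberately leaves out.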
 
Old 01-21-2004, 04:42 PM   #9
palmercabel
Member
 
Registered: Oct 2003
Posts: 64

Original Poster
Rep: Reputation: 15
Surely the DBA gods are visiting their wrath upon Me for My many sins...

Today I simply tried it all over again, and everything is working. There was one behavioral difference that probably explains it.

Prior to today, /etc/init.d/iptables restart produced only one line of response:
Flushing all current rules and user defined chains: [OK]

Today, after the response above, 2 additional lines appeared:
Clearing all current rules and user defined chains: [OK]
Applying iptables firewall rules: [OK]

so..it appears that iptables was not cleanly restarting and was not in a predictable state. I am unable to account for this change in behavior without references to continental drift, phases of the moon, undocumented alterations in the speed of light, or unexplained perturbations in entropy.

Now dig seems perfectly happy talking to My DNS server, the sun is shining, the air is brisk and cool, and this DBA is, as usual, confused and clueless but nodding His head pretending He is completely aware of and in control of all things. That must be My cue to brew some more Chai Tea.
 