LinuxQuestions.org


DrNeil 09-02-2004 11:51 AM

Console OUTPUT Strange rc.firewall
 
Hi I am kinda meddling around with the rc.firewall script
http://www.linuxguruz.com/iptables/s...rewall_023.txt

2 things

1.) We have our own nameservice running

# DNS
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 53 -j TCPACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 53 -j ACCEPT
# DNS
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 53 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 53 -j ACCEPT

I hoped that this would be covered by the above lines,

but with the firewall up nslookup doesn't work anymore and ssh becomes very slow (assuming having no nameservice, falling back to IP). I have the usual hosts.allow deny thingies in. I also have IP address range filtering in, so I assume that's why it still lets me in even if the DNS goes AWOL.

If I have understood this right anyway, since I am new to firewalls.

How do I get DNS named working in iptables :/ besides the above lines?


2.) Next thing. Our ISP offers console login via ssh; funnily enough, this is now linked to /etc/log/warn like on a desktop system.

I.e. the output generated via firewall 23 as documented in the file is now on the console. Fine for normal desktop systems, but I don't want it there.
fp=TCP:1 a=DROP IN=eth0 OUT= MAC=x SRC=x DST=xLEN=64 TOS=0x00 PREC=0x00 TTL=125 ID=22108 DF PROTO=TCP SPT=3984 DPT=135 WINDOW=16960 RES=0x00 SYN URGP=0

I run on a non-desktop service. I have no idea how the ISP does this; I assume I have to ask. Or, and HOW can I allow ttyS0 access for ssh in the firewall and switch the warnings off? The access is twofold: first with an ISP-determined login that is then channeled to ttyS0.

Hope my comments weren't too newbie :( and if they are please teach me :)
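
As an added example (not the thread's code nor the linuxguruz rc.firewall script), here is the rule pair the first post is missing: its rules cover the nameserver answering queries, but not the host's own resolver sending them, which is why nslookup times out and sshd, which does a reverse lookup on each login, stalls. It assumes EXTIF is the external interface, an iptables with the state match, and a default DROP policy on INPUT and OUTPUT; DRY_RUN=1 prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the thread or the linuxguruz rc.firewall script).
# Assumptions: EXTIF is the external interface and iptables has the "state" match.
# DRY_RUN=1 prints the rules instead of loading them, so they can be reviewed first.
EXTIF="${EXTIF:-eth0}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Run one rule, or echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Server side, the pair the first post already has: queries arrive at dport 53,
# answers leave from sport 53 (the answer is ESTABLISHED in conntrack terms).
dns_server_rules() {
    run -A INPUT  -i "$EXTIF" -p udp --dport 53 -j ACCEPT
    run -A INPUT  -i "$EXTIF" -p tcp --dport 53 -j ACCEPT
    run -A OUTPUT -o "$EXTIF" -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    run -A OUTPUT -o "$EXTIF" -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
}

# Client side, the pair the first post lacks: the host's own resolver (nslookup, dig,
# sshd's reverse lookups) sends from an unprivileged port TO dport 53 and the reply
# comes back FROM sport 53. Without these, lookups time out and ssh logins stall.
dns_client_rules() {
    run -A OUTPUT -o "$EXTIF" -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    run -A OUTPUT -o "$EXTIF" -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    run -A INPUT  -i "$EXTIF" -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    run -A INPUT  -i "$EXTIF" -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
}

# Check a rule listing (iptables-save style text) for the resolver-side UDP rule.
# Returns 0 if present, 1 if the host's own lookups fall through to the default policy.
has_resolver_rule() {
    printf '%s\n' "$1" | grep -q -- '-A OUTPUT .*-p udp .*--dport 53 '
}

# Constructed sample mirroring the thread's original rules: server side only.
SAMPLE_ORIGINAL='-A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp --sport 53 -j ACCEPT'
```

Note that iptables only matches network interfaces, so a rule with `-i ttyS0` never sees a serial console login; that access is governed by the getty/login setup, not the packet filter.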

DrNeil 09-02-2004 11:53 AM

guess for ttyS0:

# SSH serial
$IPTABLES -A INPUT -i ttyS0 -p tcp --dport 22 -j TCPACCEPT
$IPTABLES -A INPUT -i ttyS0 -p udp --dport 22 -j ACCEPT
# SSH serial
$IPTABLES -A OUTPUT -o ttyS0 -p tcp --sport 22 -j ACCEPT
$IPTABLES -A OUTPUT -o ttyS0 -p udp --sport 22 -j ACCEPT


am I correct? :confused:

DrNeil 09-02-2004 12:06 PM

another thing,

when the firewall is up I did an NMAP scan

and it says domain is up

53/TCP open domain ISC BIND 8.3.4-REL

:confused:

I have to say another guy on our system did the whole named and zone load and I am not so sure if he did it OK.


Next thing would anyway be to make the version scanning ineffective. At least the OS version scanning goes AWOL with that rule set :) Still, any way to kill version scanning on ports? The nmap docs didn't offer much, or I overread :(

DrNeil 09-02-2004 12:22 PM

OK, dig @ourserver tells me named is up for the outside :) and gives the right answers,

but nslookup asking a *rz-ip.net non-authoritative goes AWOL if the firewall is up.

On which port does that go out, or what do I have to do to get that working?

DrNeil 09-02-2004 01:16 PM

Tried port forwarding on 53 for that external nameserver to no avail :(

Entered the unauth DNS of host in /etc/hosts

no effect.

##Allow all other forwarding (from Ports > 1024) from Internal Net to External Net
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p tcp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p udp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p icmp -j ACCEPT

there from the beginning

No effect
:cry:

DrNeil 09-02-2004 01:25 PM

Rechecked with dig internal: nothing goes out to DNS server default

res_nsend

Which port and how does that go out?

NB: have checked google :study:

DrNeil 09-02-2004 01:45 PM

extended port forwarding to udp

I get:

nslookup: Can't find server name for adress xx.xx.xx.xx: no response from server

dig: res_nsend to server default -- xx.xx.xx.xx: Connection timed out


I thought if xx.xx.xx.xx is in /etc/hosts that would be enough in this case :\

DrNeil 09-02-2004 02:32 PM

Now it suddenly works with firewall up :confused:

ssh still taking ages though ...

Me not trusting this AT ALL :rolleyes: :scratch:

DrNeil 09-02-2004 08:37 PM

Quote:

Originally posted by DrNeil
guess for ttyS0:

# SSH serial
$IPTABLES -A INPUT -i ttyS0 -p tcp --dport 22 -j TCPACCEPT
# SSH serial
$IPTABLES -A OUTPUT -o ttyS0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT


Just for completeness, for posterity on my monologue:

This seems to work.

The nameserver issue has cleared up after a named reload.

