LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 04-24-2010, 07:57 PM   #1
jbbenni
LQ Newbie
 
Registered: Apr 2010
Posts: 4

Rep: Reputation: 0
Question iptables blocking port 53 unexpectedly on a dual NIC Fedora install


On a Fedora 12 box with two NICs, I am trying to achieve this behavior:
All ports should be open on eth0 (which is on the LAN side)
Only ports 80 and 22 should be open on eth1 (which is the WAN side - although there's some port forwarding magic elsewhere).

Here's my /var/sysconfig/iptables:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

The symptom is that when I run BIND on this box, LAN clients attempting to access through eth0 (using port 53) get timeouts. However, if I stop iptables, clients succeed as expected.

I thought the line "-A INPUT -i eth0 -j ACCEPT" would accept any an all traffic through eth0. Any ideas what I'm doing wrong, or how to troubleshoot?
 
Old 04-24-2010, 09:10 PM   #2
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 50
You should not use REJECT for all traffic that does not match, as it opens you up for DOS. At least rate-limit it using the rate module.

Try removing the INPUT -j REJECT rule, so iptables should be allowing everything through everywhere and see if you still get the timeouts.

If that doesn't work help enable the rule again and run 'tcpdump -i eth0 port 53' and post the output.

One trick I use when debugging iptables is to make a specific rule what what I think the traffic should match, and then run 'watch' on 'iptables -vnL'. This will give you a realtime update on what rules are matching.
Set up some rules to match for our BIND traffic:
Code:
iptables -I INPUT -p udp --dport 53 -j ACCEPT
iptables -I OUTPUT -p udp --sport 53 -j ACCEPT
Watch the counters on the left.
watch --interval 0 'iptables -vnL | grep -v "0 0"'
('grep -v' removes any lines that match '0 0' which is an iptables rule with no matches yet. You might not need that unless you have lots of rules)

Last edited by SuperJediWombat!; 04-24-2010 at 09:18 PM.
 
1 members found this post helpful.
Old 04-25-2010, 10:19 AM   #3
jbbenni
LQ Newbie
 
Registered: Apr 2010
Posts: 4

Original Poster
Rep: Reputation: 0
Thumbs up

Thanks, SJW, particularly for the technique to watch which rules are triggering in real time. That's a very slick trick!

I added the rule you suggested to accept udp on port 53 and it triggers correctly. I still have no idea why the rule to accept all input on interface eth0 almost never triggers (I have seen it trigger once, but not in response to anything I did). Any ideas on what's wrong with that rule would be appreciated. I understood the rules are evaluated in order, and the interface check precedes the upd/port-53 check, so why doesn't the interface rule fire?
 
Old 04-26-2010, 02:56 AM   #4
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 50
It will only trigger for new traffic because you have a rule at the top accepting all established/related traffic. So the first packet in a stream from eth0 should match the rule, then all other packets will match established/related.

With the rule accepting port 53 in place, does the DNS still timeout?
 
Old 04-26-2010, 10:01 AM   #5
jbbenni
LQ Newbie
 
Registered: Apr 2010
Posts: 4

Original Poster
Rep: Reputation: 0
Very helpful, again. With the rule for port 53 in place, the client timeouts are eliminated. Thank you!
 
Old 04-26-2010, 08:16 PM   #6
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 50
That rule was mostly for debugging, at the moment it is allowing 53 in from your external interface as well.

Can you post this from some of your clients:
Code:
cat /etc/resolve.conf
 
Old 04-27-2010, 08:21 AM   #7
jbbenni
LQ Newbie
 
Registered: Apr 2010
Posts: 4

Original Poster
Rep: Reputation: 0
cat /etc/resolv.conf shows this:

nameserver 192.168.1.203 # the LAN address of my BIND server
nameserver 208.67.222.222 # OpenDNS primary DNS
nameserver 208.67.220.220 # OpenDNS secondary DNS

or, on another group of machines, this:
nameserer 192.168.1.254 # The LAN address of my router, also a DHCP server

The DHCP server has the local address (...203) as the primary DNS and has OpenDNS as a secondary.

In order to close 53 to the public, I changed the rule for port 53 to specify the LAN interface (eth0):
-A INPUT -p udp -i eth0 --dport 53 -j ACCEPT

Make sense?
 
  


Reply

Tags
bind, fedora, interface, iptables


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables -- Transparent Proxy with port blocking. rahuljethwa Linux - Networking 1 12-17-2008 01:38 AM
iptables blocking 7327 port santhosh.linux Linux - Security 2 10-09-2006 09:09 AM
Question about port blocking with Iptables GUIPenguin Linux - Networking 2 10-11-2004 07:25 PM
Iptables blocking all traffic on other NIC spede Linux - Security 3 05-05-2004 06:37 PM
iptables - advanced port blocking/stealth mode siymann Linux - Security 1 10-26-2001 06:21 AM


All times are GMT -5. The time now is 10:16 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration