Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 03-31-2006, 10:58 PM   #1
furrymaho
LQ Newbie
 
Registered: Nov 2004
Posts: 9

Rep: Reputation: 0
iptables screwing up BIND - Gentoo box


I'm attempting to lock down my server so any ports I don't want available are closed. A reasonable thing to do. However, like many people, I'm running into an issue with BIND and iptables. I've reviewed what other people have posted and, to be honest, I don't understand what they are saying.

First off, I'm running a Gentoo-based system, latest release and packages for everything.

I'm planning on running this server primarily for local samba, ftp, apache and ssh access. I want to have apache and ssh access outside of the local network. (Server will be set on our DMZ for our router so it can be accessed outside of our network.)

Now that that has been said, let me get you guys some details.

My server's name is littleone. So without iptables I can type http://littleone/ and it'll bring up my webpage. With iptables on, I get redirected to http://www.littleone.ru/.

Here's BIND's named.conf:
Code:
options {
	directory "/var/bind";

	// uncomment the following lines to turn on DNS forwarding,
	// and change the forwarding ip address(es) :
	//forward first;
	//forwarders {
	//	123.123.123.123;
	//	123.123.123.123;
	//};

	listen-on-v6 { none; };
	listen-on { 127.0.0.1; };

	// to allow only specific hosts to use the DNS server:
	//allow-query {
	//	127.0.0.1;
	//};


	// if you have problems and are behind a firewall:
	query-source address * port 53;
	pid-file "/var/run/named/named.pid";
};

// Briefly, a zone which has been declared delegation-only will be effectively
// limited to containing NS RRs for subdomains, but no actual data beyond its
// own apex (for example, its SOA RR and apex NS RRset). This can be used to
// filter out "wildcard" or "synthesized" data from NAT boxes or from
// authoritative name servers whose undelegated (in-zone) data is of no
// interest.
// See http://www.isc.org/products/BIND/delegation-only.html for more info

//zone "COM" { type delegation-only; };
//zone "NET" { type delegation-only; };

zone "." IN {
	type hint;
	file "named.ca";
};

zone "localhost" IN {
	type master;
	file "pri/localhost.zone";
	allow-update { none; };
	notify no;
};

zone "littleone" IN {
	type master;
	file "pri/littleone.zone";
	allow-update { none; };
	notify no;
};

zone "127.in-addr.arpa" IN {
	type master;
	file "pri/127.zone";
	allow-update { none; };
	notify no;
};
And here's my iptables config file:
Code:
# Generated by iptables-save v1.2.11 on Tue May 10 08:06:58 2005
*filter
:INPUT ACCEPT [5:952]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1192099:595387635]
# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT

# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

# webmin
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT

# ftp / webserver related
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1020:1030 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1020:1030 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

# Windows / Samba
-A INPUT -p tcp -m state --state NEW -m tcp --dport 137:139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 426 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT

# up to 5 Bit-torrent connections
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6881:6886 -j ACCEPT

# reject everything else
-A INPUT -j REJECT --reject-with icmp-port-unreachable

# Bind DNS Shit
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i lo -j ACCEPT

COMMIT
# Completed on Tue May 10 08:06:58 2005
I got this from the gentoo-wiki site for setting up iptables and modified it with some stuff I found on various forums.

I'm not sure what's going on with this and I probably have the configs wrong... If you guys need more info, let me know and I'll get it to you.

Last edited by furrymaho; 03-31-2006 at 10:59 PM.
 
Old 04-01-2006, 03:15 AM   #2
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Rep: Reputation: 62
Quote:
Originally Posted by furrymaho
I'm planning on running this server primarily for local samba, ftp, apache and ssh access. I want to have apache and ssh access outside of the local network. (Server will be set on our DMZ for our router so it can be accessed outside of our network.)

You don't mention that you want to run a DNS server. For the servers you have listed you don't need to run BIND unless you need a DNS server.
 
Old 04-01-2006, 11:29 AM   #3
furrymaho
LQ Newbie
 
Registered: Nov 2004
Posts: 9

Original Poster
Rep: Reputation: 0
The only reason I want to run BIND is ease of use for the household. It's easier for someone to type littleone into their browser than it is for someone to go 192.*.*.*

It's not required, but I want it for ease of use. Now outside of that, I think of it as a learning experience for myself.
 
Old 04-01-2006, 08:22 PM   #4
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Rep: Reputation: 62
Quote:
Originally Posted by furrymaho
The only reason I want to run BIND is ease of use for the household. It's easier for someone to type littleone into their browser than it is for someone to go 192.*.*.*

It's not required, but I want it for ease of use. Now outside of that, I think of it as a learning experience for myself.
OK, for the learning part I can understand that; nothing better than setting something up to get an understanding of it.

But rather than going to all the trouble of setting up a DNS server for a few machines, there is an easier way: on each one of your machines on the network just put an entry in the /etc/hosts file. Say littleone has an IP address of 192.168.1.100; you would have an entry like this:

192.168.1.100 littleone


Web browsers always check the /etc/hosts file for entries every time they have a request for an address. An even better idea, if you run a Linux gateway, is to just add the entry to the /etc/hosts file of this machine and it will resolve the name to an IP address and redirect to the littleone server.

That is all I have done for my home network. I run a mail and web server, and for all the mail clients during setup, when they ask for the mail server address, I just put in 'mail' and don't need to put the actual IP address.
 
Old 04-02-2006, 05:48 AM   #5
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 234
Quote:
Originally Posted by fotoguy
...
But rather than going to all the trouble of setting up a DNS server for a few machines there is an easier way, each one of your machines on the network just put an entry in the /etc/hosts file, ...
Substitute "DHCP" for "DNS" & something appropriate for "/etc/hosts", & you have an argument for not running a DHCP server.

Even though I have "fixed" IP addresses on my LAN, I do it through DHCP reservations, rather than machine by machine configuration. Why? -- centralized administration. Basic principle of data administration: Duplicated data diverges.

I have tried maintaining separate hosts files & it's a PITA. I too am trying to figure out bind (or dnsmasq) to save the trouble.
 
Old 04-02-2006, 01:18 PM   #6
furrymaho
LQ Newbie
 
Registered: Nov 2004
Posts: 9

Original Poster
Rep: Reputation: 0
I added an entry into my /etc/hosts to set the machine's local IP to littleone, rebooted the server, and I was experiencing the same problem. So I thought that BIND may have been interfering with the name resolution. I then changed it to little just to test it out, rebooted, and I still get browser redirects.

The only thing that I can think of is that maybe it's due to the network topology. We've got 4 computers running on a wireless network to our router and then my server is set up via a hard link to the router.

I would like to get BIND working so that iptables doesn't filter out the ports required by BIND. But from what I understand BIND works on port 53 using TCP and UDP for lower bit connections, and for higher ones it uses something in the 10xx range. I'm not sure about this however.
 
Old 04-02-2006, 05:00 PM   #7
furrymaho
LQ Newbie
 
Registered: Nov 2004
Posts: 9

Original Poster
Rep: Reputation: 0
If it helps, here are a few updates that I've made along with a netstat and reading from iptables. I looked around at other people's configs and modified my own.

iptables config:
Code:
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
COMMIT
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A OUTPUT -s 127.0.0.1 -o lo  -j ACCEPT
-A INPUT -s 192.168.0.132 -i eth0 -j ACCEPT
# Gentoo Rsync for the "emerge --sync" command.
-A INPUT -s 62.197.40.130 -p tcp --dport 873 -i eth0 -j ACCEPT
-A INPUT -s 134.184.49.5 -p tcp --dport 873 -i eth0 -j ACCEPT
-A INPUT -s 82.129.5.25 -p tcp --dport 873 -i eth0 -j ACCEPT
# Bind DNS server - port 53.
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

# webmin
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT


# ftp / webserver related
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

# Windows / Samba
-A INPUT -p tcp -m state --state NEW -m tcp --dport 137:139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 426 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT

# up to 5 Bit-torrent connections
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6881:6886 -j ACCEPT


# Loopback interface
-A OUTPUT -o lo -s 127.0.0.1 -j ACCEPT
-A INPUT -i lo -s 127.0.0.1 -j ACCEPT

# LOG
-A INPUT -j LOG --log-prefix "[IPTABLES INPUT] : " --log-tcp-options --log-ip-options
-A OUTPUT -j LOG --log-prefix "[IPTABLES OUTPUT] : " --log-tcp-options --log-ip-options

# reject everything else
#-A INPUT -j REJECT --reject-with icmp-port-unreachable

COMMIT
named.conf: just changed the listen-on option to include my IP.

netstat:
Code:
littleone ~ # netstat -apv --numeric-ports
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 littleone.l1nd:3306     *:*                     LISTEN      7147/mysqld
tcp        0      0 *:139                   *:*                     LISTEN      7600/smbd
tcp        0      0 *:10000                 *:*                     LISTEN      7685/perl
tcp        0      0 *:80                    *:*                     LISTEN      7266/apache2
tcp        0      0 littleone:53            *:*                     LISTEN      8147/named
tcp        0      0 littleone.l1nd:53       *:*                     LISTEN      8147/named
tcp        0      0 *:21                    *:*                     LISTEN      7559/proftpd: (acce
tcp        0      0 *:22                    *:*                     LISTEN      7244/sshd
tcp        0      0 littleone.l1nd:953      *:*                     LISTEN      8147/named
tcp        0      0 *:445                   *:*                     LISTEN      7600/smbd
tcp        0      0 littleone:22            192.168.0.170:3838      ESTABLISHED 8377/0
udp        0      0 littleone:137           *:*                                 7604/nmbd
udp        0      0 *:137                   *:*                                 7604/nmbd
udp        0      0 littleone:138           *:*                                 7604/nmbd
udp        0      0 *:138                   *:*                                 7604/nmbd
udp        0      0 *:10000                 *:*                                 7685/perl
udp        0      0 *:53                    *:*                                 8147/named
udp        0      0 littleone:53            *:*                                 8147/named
udp        0      0 littleone.l1nd:53       *:*                                 8147/named
udp        0      0 *:68                    *:*                                 6975/dhcpcd
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     12897  7559/proftpd: (acce /var/run/proftpd/proftpd.sock
unix  2      [ ACC ]     STREAM     LISTENING     11834  6597/syslog-ng      /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     12428  7147/mysqld         /var/run/mysqld/mysqld.sock
unix  2      [ ]         DGRAM                    5923   517/udevd           @/org/kernel/udev/udevd
unix  2      [ ACC ]     STREAM     LISTENING     12967  7603/apache2        /var/run/cgisock
unix  3      [ ]         STREAM     CONNECTED     14315  6597/syslog-ng      /dev/log
unix  3      [ ]         STREAM     CONNECTED     14314  8147/named
unix  3      [ ]         STREAM     CONNECTED     13095  6597/syslog-ng      /dev/log
unix  3      [ ]         STREAM     CONNECTED     13094  7685/perl
unix  3      [ ]         STREAM     CONNECTED     13030  6597/syslog-ng      /dev/log
unix  3      [ ]         STREAM     CONNECTED     13029  7645/cron
netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.
iptables readout:
Code:
littleone ~ # iptables -L -n -v
Chain INPUT (policy DROP 169 packets, 20901 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       127.0.0.1            0.0.0.0/0
    4   958 ACCEPT     all  --  eth0   *       192.168.0.132        0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   *       62.197.40.130        0.0.0.0/0           tcp dpt:873
    0     0 ACCEPT     tcp  --  eth0   *       134.184.49.5         0.0.0.0/0           tcp dpt:873
    0     0 ACCEPT     tcp  --  eth0   *       82.129.5.25          0.0.0.0/0           tcp dpt:873
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
 1701  158K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    1    48 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
   17   816 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10000
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:20
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:137:139
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:426
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:445
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:6881:6886
    0     0 ACCEPT     all  --  lo     *       127.0.0.1            0.0.0.0/0
  169 20901 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 6 level 4 prefix `[IPTABLES INPUT] : '

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2240 packets, 1491K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      127.0.0.1            0.0.0.0/0
    0     0 ACCEPT     all  --  *      lo      127.0.0.1            0.0.0.0/0
 2240 1491K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 6 level 4 prefix `[IPTABLES OUTPUT] : '
Hopefully this helps some.
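A static check for the two mistakes visible in the iptables configs posted in #1 and #7 above: a rule placed after a catch-all REJECT (the loopback ACCEPT at the end of the first config can never fire) and the same rule listed twice (the RELATED,ESTABLISHED and lo rules in the second). This is an added example, not code from the thread; the SAMPLE dump is constructed to resemble the first config, and only standard iptables-save syntax is assumed.

```python
import shlex

# Added example: static check of an iptables-save dump for rules that can never match.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# Options that belong to the target, not to the packet match criteria.
NON_MATCH = {"-j", "--reject-with", "--log-prefix", "--log-tcp-options", "--log-ip-options"}

# Constructed sample resembling the first posted config (not the real file).
SAMPLE = """\
*filter
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -i lo -s 127.0.0.1 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
"""

def parse_filter_rules(dump):
    """Return [(chain, rule_text)] for every -A line in the *filter table."""
    rules, in_filter = [], False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header: *filter, *nat, ...
            in_filter = line == "*filter"
        elif in_filter and line.startswith("-A "):
            toks = shlex.split(line)        # shlex keeps quoted --log-prefix intact
            rules.append((toks[1], " ".join(toks[2:])))
    return rules

def _options(rule_text):
    """Group a rule into (option, values) pairs, e.g. ('--dport', ('53',))."""
    opts = []
    for tok in shlex.split(rule_text):
        if tok.startswith("-"):
            opts.append((tok, []))
        elif opts:
            opts[-1][1].append(tok)
    return [(o, tuple(v)) for o, v in opts]

def find_unreachable(dump):
    """Return [(chain, rule_text, reason)] for rules that cannot fire."""
    problems, seen, blocked = [], {}, {}
    for chain, rule in parse_filter_rules(dump):
        opts = _options(rule)
        target = next((v[0] for o, v in opts if o == "-j" and v), None)
        has_match = any(o not in NON_MATCH for o, _ in opts)
        canon = tuple(sorted(opts))         # "-s X -i lo" and "-i lo -s X" are the same rule
        if chain in blocked:
            problems.append((chain, rule, "unreachable: after unconditional " + blocked[chain]))
        elif canon in seen.setdefault(chain, set()):
            problems.append((chain, rule, "duplicate of an earlier rule"))
        else:
            seen[chain].add(canon)
            if target in TERMINAL and not has_match:
                blocked[chain] = target     # nothing after this point in the chain can match
    return problems
```

Feed it the output of iptables-save (or the saved file the thread's script restores from) and anything it reports is a rule that is either dead or redundant; the LOG rules in post #7 are not terminal, so they do not block what follows.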
 
Old 04-02-2006, 08:37 PM   #8
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Rep: Reputation: 62
Have you made an iptables script? If so, can you post the whole thing? If you are just adding them via the command line I would suggest making a script. Since you are using NEW, ESTABLISHED, RELATED in your rules, you also need to make sure you are loading the ipt_state module; unless it's compiled into the kernel (most are compiled as modules) you need to load them.
 
Old 04-02-2006, 09:08 PM   #9
furrymaho
LQ Newbie
 
Registered: Nov 2004
Posts: 9

Original Poster
Rep: Reputation: 0
I'm not sure what you mean by making a script. The iptables config that I have listed in my previous posts is a separate file. I do have ipt_state and it starts with iptables.

I change my iptables config and then run a custom script:
Code:
#! /bin/sh
/etc/init.d/iptables stop
iptables --flush
iptables-restore /etc/iptables.bak
/etc/init.d/iptables save
/etc/init.d/iptables start
When I have everything set up right I plan on setting up cron to save the iptables config on a daily basis... but until that happens, I'm going to keep asking questions.
 