LinuxQuestions.org
Old 09-11-2004, 07:50 PM   #1
scottman
Trying to read named.conf forwarders info in bash script.


I am trying to read forwarders from my named.conf file
for use in an iptables script. I was wondering if anyone
knows an easier way to get this information. This is what I
am using now:
# grep -A 10 forwarders /etc/named.conf | grep -m 1 -B 10 '}' | tr -d '[:alpha:];{}'

It outputs the IPs with two blank lines. I don't know how to trim off
the blank lines and the whitespace without calling yet another
program.

It seems there should be an easier way to get them since they are
between {} brackets in a structure:
Code:
     forwarders{
              ipaddress
              ipaddress
              ipaddress
       };          

Following is the function I am trying to use it in. The if construct helps me by
weeding out the blank lines, and making sure I don't try to
enter a rule if I don't have any forwarders in the /etc/named.conf
file, or use only the local interface in /etc/resolv.conf.

Any advice on how I could do this more efficiently (anything in there actually)
would be appreciated.

IPT=${IPT:-/sbin/iptables}   # path to iptables; the original snippet left $IPT undefined
LANFACE=eth1
INTFACE=eth0

function dns_allow()
{
    for i in tcp udp; do
        # Clients on the LAN may talk to BIND on this host. Note that every rule
        # below also requires --sport 53, so it only matches peers that send from
        # port 53 as well.
        $IPT -A INPUT  -i $LANFACE -p $i --dport 53 --sport 53 -j ACCEPT
        $IPT -A OUTPUT -o $LANFACE -p $i --dport 53 --sport 53 -j ACCEPT

        # Nameservers listed in resolv.conf, other than loopback. Matching on the
        # first field skips lines commented out with "#", which the original
        # /nameserver/ pattern would still have matched.
        awk '$1 == "nameserver" && $2 != "127.0.0.1" {print $2}' /etc/resolv.conf | \
        while read j; do
            if [[ -n "$j" ]]; then
                $IPT -A INPUT   -i $INTFACE -s $j -p $i --dport 53 --sport 53 -j ACCEPT
                $IPT -A OUTPUT  -o $INTFACE -d $j -p $i --dport 53 --sport 53 -j ACCEPT
                $IPT -A FORWARD -d $j -p $i --dport 53 --sport 53 -j ACCEPT
                $IPT -A FORWARD -s $j -p $i --dport 53 --sport 53 -j ACCEPT
            fi
        done

        # Forwarders from named.conf: up to 10 lines after "forwarders", cut at
        # the first "}", with letters, ";", "{" and "}" stripped. Blank lines
        # remain, so the -n test below drops them.
        grep -A 10 forwarders /etc/named.conf | grep -m 1 -B 10 '}' | \
            tr -d '[:alpha:];{}' | \
        while read j; do
            if [[ -n "$j" ]]; then
                $IPT -A INPUT  -i $INTFACE -s $j -p $i --dport 53 --sport 53 -j ACCEPT
                $IPT -A OUTPUT -o $INTFACE -d $j -p $i --dport 53 --sport 53 -j ACCEPT
            fi
        done
    done
}

Last edited by scottman; 09-11-2004 at 08:01 PM.
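A more robust way to pull the two address lists and turn them into rules, added here as an example and not the poster's script: the forwarders parser tolerates one-line and multi-line blocks and comments, the resolv.conf parser ignores commented-out nameservers, and the rules are printed rather than applied so they can be reviewed first. The file contents, interface name and addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the poster's script): extract DNS peers from named.conf
# and resolv.conf, then emit the iptables rules as text for review.

# Forwarders from a named.conf-style file ($1): one-line or multi-line
# "forwarders { a; b; };" blocks, with // and # comments stripped. Only
# dotted-quad IPv4 tokens survive the grep, so a typo yields no rule.
named_forwarders() {
    sed -e 's|//.*||' -e 's|#.*||' "$1" | tr '\n' ' ' |
    sed -n 's/.*forwarders[[:space:]]*{\([^}]*\)}.*/\1/p' |
    tr ';' '\n' | tr -d ' \t' |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || true
}

# Active nameservers from resolv.conf ($1), excluding the loopback resolver.
# Matching the first field means a commented-out "#nameserver 10.0.0.1" is
# ignored; the thread's /nameserver/ regex would have matched it.
resolv_nameservers() {
    awk '$1 == "nameserver" && $2 != "127.0.0.1" { print $2 }' "$1"
}

# Rules letting this host query resolver $1 via interface $2. Replies are
# admitted by connection state, not by trusting a source port of 53 alone.
dns_rules_for() {
    for proto in tcp udp; do
        printf 'iptables -A OUTPUT -o %s -d %s -p %s --dport 53 -j ACCEPT\n' "$2" "$1" "$proto"
        printf 'iptables -A INPUT -i %s -s %s -p %s --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT\n' "$2" "$1" "$proto"
    done
}

# Constructed sample configs (RFC 5737 documentation addresses).
SAMPLE_NAMED=$(mktemp); SAMPLE_RESOLV=$(mktemp)
trap 'rm -f "$SAMPLE_NAMED" "$SAMPLE_RESOLV"' EXIT
cat > "$SAMPLE_NAMED" <<'EOF'
options {
    forwarders {           // upstream ISP resolvers
        192.0.2.53;
        198.51.100.53;     # secondary
        not-an-address;
    };
};
EOF
cat > "$SAMPLE_RESOLV" <<'EOF'
nameserver 127.0.0.1
#nameserver 203.0.113.9
nameserver 203.0.113.10
EOF
named_forwarders "$SAMPLE_NAMED" | while read -r peer; do
    dns_rules_for "$peer" eth0
done
```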
 
Old 09-11-2004, 08:31 PM   #2
odious1
Are your forwarders going to change so often that you need a script for your firewall? Couldn't you open that port for outgoing packets that originate locally anyway?
 
Old 09-11-2004, 08:52 PM   #3
scottman
Well, my aims are to:

When running BIND:
1.) Allow my network to query BIND (my 127.0.0.1
rules are loaded elsewhere)
2.) Allow my BIND to query only forwarders

To do this my resolv.conf reads only 127.0.0.1,
nameservers can be commented out with #.
I pull forwarders from named.conf.

When not running BIND:
1) Allow forwarding of traffic directly to nameservers.
2) Allow server to query nameserver directly, instead of
through bind.

To do this I uncomment or add nameservers to resolv.conf.
Rename my named.conf or delete forwarders from it.

This makes my firewall reconfigure itself when I mess with
BIND configuration. It also allows for very specific rules on port 53.
 
Old 09-11-2004, 09:14 PM   #4
odious1
Alright, it makes more sense to me now but it still seems like the long way around. I see no reason to restrict any traffic destined for port 53 that originates locally or on your internal network. Why can't you open up 53 to all outgoing traffic and set resolv.conf with your bind server listed first and your forwarders 2nd and 3rd? If you are running bind your clients will check your machine first whether you are answering queries or forwarding. If bind is not running they will simply look to your alternate servers.

I am always a little leery of scripts that change firewall rules, as if you can't tell :-)
 
Old 09-11-2004, 09:38 PM   #5
scottman
I want my firewall to allow only very specific dns traffic.
The only dns traffic I allow is queries from
the local network to the server running the firewall,
and queries from the server to the external ISP forwarders.
This keeps me from leaving 53 open to outside issues,
and allows me to drop and log queries attempting to go
to dns servers not in my named.conf or resolv.conf.
Basically it helps keep me from being queried, and me from
querying unknown nameservers unless I specifically
decide to.
I'm still learning the ins and outs of BIND, and think a strong dns
ruleset may provide some protection against a misconfiguration.
 
  

