LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
#1 wolfbeast71, 02-22-2012, 06:19 AM
Question Combined iptables filtering+redirecting question for DNS


Hi everyone.

I'm running my own authoritative DNS server for my own domains, and I've been dealing with an ongoing problem of DNS amplification attacks using the ANY query type. Considering the world should never have to do ANY queries against my server, I want to filter this out.

However: BIND doesn't have a mechanism for that. (I'm running BIND on Windows for this, on a multi-purpose server - the number of queries doesn't require a fine-tuned O.S.)

I've now set up the following to work around this: a local installation of Linux in a VM to have access to iptables (which seems to be the only thing able to filter on strings in any packet), running Debian (console) using a bridged eth0 interface in the same subnet as the host server.

My question: How do I set up this Linux VM to use iptables to filter the incoming UDP packets by string ("ANY") and redirect the allowed packets to the IP address of the host server? i.e.:
1) accept UDP packets on port 53
2) filter out (drop) packets including the string "ANY"
3) redirect the allowed packets to the host OS at a different LAN ip
4) process the answers (allow all) to go back out to the internet (is this needed?)

I still need to have the original IP addresses arriving at my DNS server; they should not be translated to the Linux LAN IP, since I need to be able to monitor the queries and see the originating IPs - the Linux VM should be transparent.

If it can't be done with a bridged interface in the LAN subnet, I could possibly make it a 2 NIC router setup, as well, with the public IP in the LAN and a private IP shared only with the host (and my DNS server listening on that subnet) - but I have no clue how to set that up in Linux; the related man pages are unintelligible for me as well.

Help, please? Thanks in advance!
#2 wolfbeast71 (Original Poster), 02-23-2012, 07:04 AM
Ah, apparently I'd have to filter on "*" and not "ANY" to begin with. Would that be too generic?
#3 wolfbeast71 (Original Poster), 02-24-2012, 06:28 AM
Simpler

I just realized I can make things simpler and use BIND in the Linux VM instead - although I'd need a way to monitor system messages and queries from named in that case (preferably redirected to the host so I can use my fav event viewer for that, or a way to use debugview to monitor what happens in the VM - I want my colors).

I should just be able to filter the incoming packets on UDP 53 for query type=* requests in that case. How would I do that in iptables on the VM?
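The thread never settles what to match on. On the wire a DNS question ends in a 16-bit QTYPE field, and ANY is the value 255; neither the text "ANY" nor "*" appears in the packet, and the field's offset depends on the length of the queried name, so a fixed string or offset match cannot identify it reliably. The following parser is an added example, not code from the thread or from BIND: it decodes the question section of a raw UDP payload and reports whether the query asks for ANY, which is the check a filter or a detection rule would need. The sample packets are constructed inside the block.

```python
"""Decode the question section of a raw DNS query and flag QTYPE ANY (255).

Added example for the thread above; the packets built here are constructed
test data, not captured traffic.
"""
import struct

QTYPE_ANY = 255
DNS_HEADER_LEN = 12
QTYPE_NAMES = {1: "A", 2: "NS", 15: "MX", 16: "TXT", 28: "AAAA", 255: "ANY"}


def parse_question(payload: bytes):
    """Return (qname, qtype, qclass) for the first question of a DNS query.

    Raises ValueError for responses, truncated data or malformed names, so a
    caller can treat anything unparseable as "not a valid query".
    """
    if len(payload) < DNS_HEADER_LEN:
        raise ValueError("shorter than a DNS header")
    _txid, flags, qdcount = struct.unpack_from("!HHH", payload, 0)
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount == 0:
        raise ValueError("no question section")

    pos = DNS_HEADER_LEN
    labels = []
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        length = payload[pos]
        pos += 1
        if length == 0:                      # root label terminates the name
            break
        if length & 0xC0:                    # RFC 1035 compression pointer
            raise ValueError("compression pointer in question name")
        if length > 63 or pos + length > len(payload):
            raise ValueError("bad label length")
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length

    if pos + 4 > len(payload):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack_from("!HH", payload, pos)
    return ".".join(labels) + ".", qtype, qclass


def is_any_query(payload: bytes) -> bool:
    """True only for a well-formed query whose first question has QTYPE 255."""
    try:
        _name, qtype, _qclass = parse_question(payload)
    except ValueError:
        return False
    return qtype == QTYPE_ANY


def build_query(name: str, qtype: int, txid: int = 0x1234, flags: int = 0x0100) -> bytes:
    """Construct a minimal one-question DNS message (QCLASS IN) for testing."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    # Constructed samples: a real ANY query carries no ASCII "ANY", while an
    # A query for a name that happens to contain "ANY" does.
    samples = {
        "ANY for example.com": build_query("example.com", QTYPE_ANY),
        "A for ANY.example.com": build_query("ANY.example.com", 1),
        "response with QTYPE 255": build_query("example.com", QTYPE_ANY, flags=0x8180),
    }
    for label, pkt in samples.items():
        print(f"{label:26} contains b'ANY': {b'ANY' in pkt!s:5} "
              f"is_any_query: {is_any_query(pkt)}")
```

Run directly, the script prints the three constructed cases side by side: the string test and the decoded QTYPE disagree in both directions, which is the point the OP was circling around in posts #1 and #2.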
#4 wolfbeast71 (Original Poster), 02-26-2012, 07:34 PM
I've gone for a different solution, so marking this solved.
All times are GMT -5. The time now is 06:40 AM.