LinuxQuestions.org


mikeyt_3333 11-19-2001 02:19 PM

Ipchains and UDP
 
K, I know that ipchains with the -y flag combined with a TCP port will say that only those TCP packets with the SYN flag are affected, or in other words only those TCP packets looking to make an initial connection will be affected. Doesn't UDP have something like that? I need to find a way to block UDP connections above 1024, but I need to block only new connections coming in, cause BIND uses a random port above 1024 for dealing with DNS, and if I simply block all incoming connections via UDP to ports above 1024 my DNS no longer works. Any ideas?

Thanks.
Mike.

sancho5 11-19-2001 03:49 PM

I think you may be on the wrong path with this one. DNS doesn't use incoming connections above port 1024 in its communication. The binding to the unprivileged port you are seeing is more likely an outbound connection to the client on that port. You may want to check this one out more fully.
Or, I may be mistaken.

mikeyt_3333 11-19-2001 04:07 PM

I have had problems with others understanding this also, if I do a netstat -alnp this is what I get for named or my DNS daemon:

tcp 0 0 XX.XX.XX.XX:53 0.0.0.0:* LISTEN 7213/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 7213/named

udp 0 0 0.0.0.0:1043 0.0.0.0:* 7213/named
udp 0 0 XX.XX.XX.XX:53 0.0.0.0:* 7213/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 7213/named

So as you can see named is running on UDP port 1043, and if I block incoming traffic on this port then DNS doesn't work at all. But you will also notice that named is also bound to port 53 TCP and UDP. I have yet to find an explanation for this except that if I do a service named restart it will bind to this port again. This is not my server connecting out to the world using this port, I know this cause when I use the following ipchains line:

ipchains -A input -p UDP -d XX.XX.XX.XX 1024: -l -j REJECT

All of the logged packets resulting from this rule say that a computer is connecting INTO my computer from their server using a source port of 53. So what it looks like is my DNS sends the query and they respond from their port 53 into this reserved random port. Now what I want to do is block any un-requested traffic from accessing this port, and the only way to do this is by using a flag that would only work if the UDP connection was being initiated and not in response to a request, similar to a TCP "-y" option in ipchains.

Hope this clarifies a bit, and thank you for the response.

Mike.

mikeyt_3333 11-20-2001 10:11 AM

anybody else?

xanthium 11-22-2001 12:51 AM

Will this help?
 
Hi,

Unlike TCP, UDP doesn't have a connection state with it.
So there is no way you can verify the establishment of a connection as far as UDP is concerned!!!

Basically DNS lookups are done over UDP. The exception occurs when a client queries a server and the response is too big to fit in a UDP packet, in which case a flag is set and the retry is done over TCP.

Supposing you want only your machine to do DNS lookups to the external world, you can allow for

output chain :
-s : < ur_ip 1024:5535>
-d : < dns_serv_ip 53>
-p : udp

(Similarly for -p : tcp )

input chain :
-d : < ur_ip 1024:5535>
-s : < dns_serv_ip 53>
-p : udp

(Similarly for -p : tcp )


Supposing you want to allow remote DNS lookups to your server you would allow on :

Input chain 1
-s : 0.0.0.0/0 1024:65535
-d :<ur_ip_addr > 53
-p : udp

Input chain 2
-s : 0.0.0.0/0 53
-d :<ur_ip_addr > 53
-p : udp

(Similarly for -p : tcp )


Output chain 1
-s : <Ur_Ip_Addr> 53
-d :0.0.0.0 1024:65535
-p : udp


Output chain 2
-s : <Ur_Ip_Addr> 53
-d :0.0.0.0 53
-p : udp

(Similarly for -p : tcp )


I am not sure this will help because I think you must be well versed in the working of DNS, but I have included the info just for the sake of it.

Alternatively you can try migrating to IPTables .... although I haven't used it, it offers much more flexibility than ipchains.



Regards,
Xanthium.

raz 11-23-2001 04:54 AM

Xanthium is right, no SYN flag will show on an inbound UDP packet as it's an unreliable, datagram-centric transport protocol, i.e. no circuit is made.

However all is not lost, you need a stateful firewall to do what you're looking for.

iptables will do this by keeping an outgoing connection map and only allowing responses to the UDP DNS requests your resolver made in the first place. Anyone who fakes one inbound will have it rejected.

/Raz
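The "outgoing connection map" raz describes, as an added toy model that is not code from the thread or from iptables: an outbound DNS query from the resolver's random high port records its 4-tuple, an inbound datagram to a port above 1024 is accepted only if it is the reverse of a live entry, and anything else (including a forged packet with source port 53) is logged and rejected. The addresses, port 1043 and timestamps are constructed sample values; the 30-second idle timeout is an assumption of this example.

```python
# Added example (not from the thread): toy model of the stateful UDP tracking raz
# describes. An outbound query records its 4-tuple; an inbound datagram to a high port
# is accepted only if it reverses a live entry. Addresses/times are constructed samples.
from dataclasses import dataclass

UDP_TIMEOUT = 30.0          # seconds an idle entry stays valid (assumed value)
LOCAL_IP = "10.0.0.2"       # placeholder for the resolver's own address


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ts: float               # arrival time in seconds


class UdpStateFilter:
    def __init__(self):
        self.table = {}     # (src_ip, sport, dst_ip, dport) -> expiry time
        self.log = []
    def _expire(self, now):
        self.table = {k: exp for k, exp in self.table.items() if exp > now}
    def outbound(self, d):
        """Locally generated datagram: allowed, and remembered so its reply can come back."""
        self._expire(d.ts)
        self.table[(d.src_ip, d.src_port, d.dst_ip, d.dst_port)] = d.ts + UDP_TIMEOUT
        return "ACCEPT"
    def inbound(self, d):
        """Datagram from the network; only ports 1024 and up are policed here."""
        self._expire(d.ts)
        if d.dst_port < 1024:
            return "ACCEPT"  # service ports such as 53 are covered by other rules
        reverse = (d.dst_ip, d.dst_port, d.src_ip, d.src_port)
        if reverse in self.table:
            self.table[reverse] = d.ts + UDP_TIMEOUT   # refresh, like an ESTABLISHED match
            return "ACCEPT"
        self.log.append(f"unsolicited udp {d.src_ip}:{d.src_port} -> {d.dst_ip}:{d.dst_port}")
        return "REJECT"


def demo():
    """Replay the thread: named queries from 1043, a real reply and a forged one arrive from port 53."""
    fw = UdpStateFilter()
    query = Datagram(LOCAL_IP, 1043, "192.0.2.10", 53, 0.0)
    reply = Datagram("192.0.2.10", 53, LOCAL_IP, 1043, 0.2)
    forged = Datagram("198.51.100.7", 53, LOCAL_IP, 1043, 0.3)
    late = Datagram("192.0.2.10", 53, LOCAL_IP, 1043, 45.0)  # arrives past UDP_TIMEOUT
    verdicts = [fw.outbound(query), fw.inbound(reply), fw.inbound(forged), fw.inbound(late)]
    return verdicts, fw.log
```

The same matching is what an iptables rule with the ESTABLISHED state does for UDP: the reply to the query passes, the forged datagram and the stale one do not.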

