LinuxQuestions.org
Old 11-19-2001, 03:19 PM   #1
mikeyt_3333
Member
 
Registered: Aug 2001
Distribution: Red Hat
Posts: 61

Rep: Reputation: 15
Ipchains and UDP


K, I know that ipchains with the -y flag combined with a TCP port will say that only those TCP packets with the SYN flag are affected, or in other words only those TCP packets looking to make an initial connection will be affected. Doesn't UDP have something like that? I need to find a way to block UDP connections above 1024, but I need to block only new connections coming in, because BIND uses a random port above 1024 for dealing with DNS, and if I simply block all incoming connections via UDP to ports above 1024 my DNS no longer works. Any ideas?

Thanks.
Mike.
 
Old 11-19-2001, 04:49 PM   #2
sancho5
Member
 
Registered: Jul 2001
Location: Utah
Distribution: RedHat v7.3, OpenBSD 3.3, FreeBSD 5.0
Posts: 327

Rep: Reputation: 30
I think you may be on the wrong path with this one. DNS doesn't use incoming connections above port 1024 in its communication. The binding to the unprivileged port you are seeing is more likely an outbound connection to the client on that port. You may want to check this one out more fully.
Or, I may be mistaken.
 
Old 11-19-2001, 05:07 PM   #3
mikeyt_3333
Member
 
Registered: Aug 2001
Distribution: Red Hat
Posts: 61

Original Poster
Rep: Reputation: 15
I have had problems with others understanding this also. If I do a netstat -alnp this is what I get for named, my DNS daemon:

tcp 0 0 XX.XX.XX.XX:53 0.0.0.0:* LISTEN 7213/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 7213/named

udp 0 0 0.0.0.0:1043 0.0.0.0:* 7213/named
udp 0 0 XX.XX.XX.XX:53 0.0.0.0:* 7213/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 7213/named

So as you can see named is running on UDP port 1043, and if I block incoming traffic on this port then DNS doesn't work at all. But you will also notice that named is also bound to port 53 TCP and UDP. I have yet to find an explanation for this except that if I do a service named restart it will bind to this port again. This is not my server connecting out to the world using this port; I know this because when I use the following ipchains line:

ipchains -A input -p UDP -d XX.XX.XX.XX 1024: -l -j REJECT

All of the logged packets resulting from this rule say that a computer is connecting INTO my computer from their server using a source port of 53. So what it looks like is my DNS sends the query and they respond from their port 53 into this reserved random port. Now what I want to do is block any unrequested traffic from accessing this port, and the only way to do this is by using a flag that would only work if the UDP connection was being initiated and not in response to a request, similar to the TCP "-y" option in ipchains.

Hope this clarifies a bit, and thank you for the response.

Mike.
 
Old 11-20-2001, 11:11 AM   #4
mikeyt_3333
Member
 
Registered: Aug 2001
Distribution: Red Hat
Posts: 61

Original Poster
Rep: Reputation: 15
anybody else?
 
Old 11-22-2001, 01:51 AM   #5
xanthium
Member
 
Registered: Apr 2001
Location: Bombay ( INDIA )
Distribution: RedHat 7.x
Posts: 218

Rep: Reputation: 30
Will this help ?

Hi ,

Unlike TCP, UDP doesn't have a connection state with it.
So there is no way you can verify the establishment of a connection as far as UDP is concerned!!!

Basically DNS lookups are done over UDP. The exception occurs when a client queries a server and the response is too big to fit in a UDP packet, in which case a flag is set and a retry is done over TCP.

Supposing you want only your machine to do DNS lookups to the external world, you can allow for:

output chain :
-s : < ur_ip 1024:65535>
-d : < dns_serv_ip 53>
-p : udp

(Similarly for -p : tcp )

input chain :
-d : < ur_ip 1024:65535>
-s : < dns_serv_ip 53>
-p : udp

(Similarly for -p : tcp )


Supposing you want to allow remote DNS lookups to your server you would allow on :

Input chain 1
-s : 0.0.0.0/0 1024:65535
-d :<ur_ip_addr > 53
-p : udp

Input chain 2
-s : 0.0.0.0/0 53
-d :<ur_ip_addr > 53
-p : udp

(Similarly for -p : tcp )


Output chain 1
-s : <Ur_Ip_Addr> 53
-d : 0.0.0.0/0 1024:65535
-p : udp


Output chain 2
-s : <Ur_Ip_Addr> 53
-d : 0.0.0.0/0 53
-p : udp

(Similarly for -p : tcp )


I am not sure this will help because I think you must be well versed with the working of DNS, but I have included the info just for the sake of it.

Alternatively you can try migrating to iptables.... Although I haven't used it, it offers much more flexibility than ipchains.



Regards ,
Xanthium.
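The rule table in xanthium's post above, written out as ipchains commands. This is an added example, not code from xanthium or from the ipchains project; MY_IP (this host) and DNS_SERVER (the resolver this host queries) are constructed placeholder addresses, and the script only prints the rules unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not xanthium's own code: his rule table written out as
# ipchains commands. MY_IP (this host) and DNS_SERVER (the resolver this
# host queries) are constructed placeholder addresses, not from the thread.
MY_IP="${MY_IP:-192.0.2.10}"
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"

# Dry run by default: print each rule instead of applying it. APPLY=1 (as
# root, on a kernel that still has ipchains) applies them for real.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        ipchains "$@"
    else
        printf 'ipchains %s\n' "$*"
    fi
}

ipchains_dns_rules() {
    # This host's own lookups: a query from an unprivileged port to the
    # resolver's port 53, and the answer back to that port.
    for proto in udp tcp; do
        run -A output -p "$proto" -s "$MY_IP" 1024:65535 -d "$DNS_SERVER" 53 -j ACCEPT
        run -A input -p "$proto" -s "$DNS_SERVER" 53 -d "$MY_IP" 1024:65535 -j ACCEPT
    done
    # Serving DNS to others: queries to our port 53 from client ports or,
    # for other name servers, from port 53, plus our replies to both.
    for proto in udp tcp; do
        run -A input -p "$proto" -s 0.0.0.0/0 1024:65535 -d "$MY_IP" 53 -j ACCEPT
        run -A input -p "$proto" -s 0.0.0.0/0 53 -d "$MY_IP" 53 -j ACCEPT
        run -A output -p "$proto" -s "$MY_IP" 53 -d 0.0.0.0/0 1024:65535 -j ACCEPT
        run -A output -p "$proto" -s "$MY_IP" 53 -d 0.0.0.0/0 53 -j ACCEPT
    done
    # Everything else aimed at an unprivileged UDP port is logged and
    # rejected: Mike's rule from post #3, placed after the accepts so the
    # resolver's answers are matched first.
    run -A input -p udp -d "$MY_IP" 1024:65535 -l -j REJECT
}

ipchains_dns_rules
```

Run it as `sh dns-chains.sh` to review the rules, or with `APPLY=1` to load them. Note what the second input rule cannot do: ipchains has no way to tie it to a query this host actually sent, so any UDP packet with source port 53 and a destination port above 1023 is accepted. That is exactly the gap Mike describes, and it is why the rule order matters: the reject rule only sees what the accepts let through.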
 
Old 11-23-2001, 05:54 AM   #6
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Xanthium is right, no SYN flag will show on an inbound UDP packet as it's an unreliable, datagram-centric transport protocol, i.e. no circuit is made.

However, all is not lost; you need a stateful firewall to do what you're looking for.

iptables will do this by keeping an outgoing connection map and only allowing responses to the UDP DNS requests that your resolver made in the first place. Anyone who fakes one inbound will have it rejected.

/Raz
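The stateful iptables rules raz is describing, which answer Mike's question from post #3 (only admit UDP packets on the random port that are replies to a query this host sent). This is an added example, not raz's code or anything from the netfilter project; MY_IP is a constructed placeholder, the rules assume the kernel's connection tracking module and the `state` match are loaded, and the script only prints the rules unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not raz's own code: stateful iptables rules for Mike's
# problem in post #3. MY_IP is a constructed placeholder for this host's
# address; connection tracking (ip_conntrack) and the state match are assumed.
MY_IP="${MY_IP:-192.0.2.10}"

# Dry run by default: print each rule. APPLY=1 (as root) applies it.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

iptables_dns_rules() {
    # Queries from this host's resolver (named on its random port >1023)
    # may go out to port 53 anywhere; conntrack records each one.
    run -A OUTPUT -p udp --dport 53 -j ACCEPT
    # Inbound UDP to the random port is accepted only as ESTABLISHED. UDP
    # has no SYN, so conntrack calls a datagram established when it is the
    # reverse (addresses and ports swapped) of an outgoing one it has seen
    # recently. An unsolicited packet from source port 53 is NEW instead.
    run -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
    # Serving DNS: anyone may start a query to our port 53, UDP or TCP, and
    # our answers leave as the established half of that exchange.
    run -A INPUT -p udp -d "$MY_IP" --dport 53 -j ACCEPT
    run -A INPUT -p tcp -d "$MY_IP" --dport 53 -j ACCEPT
    run -A OUTPUT -p udp -s "$MY_IP" --sport 53 -m state --state ESTABLISHED -j ACCEPT
    # NEW UDP aimed at an unprivileged port is the unrequested traffic from
    # post #3: log it, then drop it.
    run -A INPUT -p udp -d "$MY_IP" --dport 1024:65535 -m state --state NEW -j LOG --log-prefix "UDP-unsolicited: "
    run -A INPUT -p udp -d "$MY_IP" --dport 1024:65535 -m state --state NEW -j DROP
}

iptables_dns_rules
```

Two things worth knowing when you run this for real. The conntrack entry for a UDP query expires after a short timeout, so a very late answer comes back as NEW and hits the LOG rule; the "UDP-unsolicited:" prefix in the kernel log is how you tell that apart from genuinely unrequested traffic. And the state match checks only addresses and ports, not the DNS transaction itself, so it stops unsolicited packets to the random port rather than validating the answers to queries that are in flight.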
 
  

