LinuxQuestions.org

Which iptables chain controls access to DNS (port 53) (https://www.linuxquestions.org/questions/linux-networking-3/which-iptables-chain-controls-access-to-dns-port-53-a-4175626268/)

taylorkh 03-24-2018 10:04 PM

Which iptables chain controls access to DNS (port 53)
 
I am running a CentOS 7 box with two NICs as a router/firewall/DHCP etc. By examining the firewall with iptables -L I have observed that firewalld has taken the three basic chains INPUT, FORWARD and OUTPUT and spawned off additional chains for the various zones.

For example, I guess that the chain IN_public_deny would contain a list of addresses of packets accessing the public zone which should be dropped. I created a rich rule
Quote:

firewall-cmd --add-rich-rule="rule family='ipv4' source address='10.42.0.217' drop" --zone=public
and now see this
Code:

Chain IN_public_deny (1 references)
target    prot opt source              destination       
DROP      all  --  10.42.0.217          anywhere

This prevents the computer at 10.42.0.217 from connecting to the firewall box with ssh or pinging the firewall box. However, the node computer can connect to the Internet.

I inserted a rule in the main FORWARD chain using iptables (should have used firewall-cmd --direct ... but have not figured that out yet.) The rule is here
Code:

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination       
DROP      all  --  10.42.0.217          anywhere           
ACCEPT    all  --  anywhere            10.42.0.0/24        state RELATED,ESTABLISHED
ACCEPT    all  --  10.42.0.0/24        anywhere           
ACCEPT    all  --  anywhere            anywhere           
REJECT    all  --  anywhere            anywhere            reject-with icmp-port-unreachable
REJECT    all  --  anywhere            anywhere            reject-with icmp-port-unreachable
ACCEPT    all  --  anywhere            anywhere            ctstate RELATED,ESTABLISHED
ACCEPT    all  --  anywhere            anywhere           
FORWARD_direct  all  --  anywhere            anywhere           
FORWARD_IN_ZONES_SOURCE  all  --  anywhere            anywhere           
FORWARD_IN_ZONES  all  --  anywhere            anywhere           
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere            anywhere           
FORWARD_OUT_ZONES  all  --  anywhere            anywhere           
DROP      all  --  anywhere            anywhere            ctstate INVALID
REJECT    all  --  anywhere            anywhere            reject-with icmp-host-prohibited

This prevents the node computer from connecting to the Internet, for example with a web browser or by pinging an Internet IP address.
Code:

[ken@localhost Desktop]$ ping 85.12.30.226
PING 85.12.30.226 (85.12.30.226) 56(84) bytes of data.
^C
--- 85.12.30.226 ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8173ms

[ken@localhost Desktop]$ ping www.centos.org
PING www.centos.org (85.12.30.226) 56(84) bytes of data.
^C
--- www.centos.org ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7338ms

In the first case, the ping by IP address never returned. In the second case the name www.centos.org was resolved and then the ping never returned.

The connection on the host points to the firewall box 10.42.0.1 as the primary DNS. However, I have, successfully I think, prevented the node from contacting the firewall box directly or routing traffic through the firewall box to the Internet. My question is... how do I block access to DNS which is being provided by/through the firewall box?

TIA,

Ken

p.s. Zenmap (nmap gui) shows
Code:

PORT  STATE SERVICE VERSION
53/tcp open  domain  dnsmasq 2.76

when I scan against the firewall box from the node computer.

frankbell 03-25-2018 08:06 PM

This article looks as if it might be helpful: https://www.cyberciti.biz/faq/iptables-block-port/

taylorkh 03-25-2018 08:11 PM

Thank you frankbell,

That looks like it may do the trick. I will try and post back.

Ken

taylorkh 03-25-2018 08:44 PM

I added two rules: one for tcp (which did not do the trick) and one for udp, which DID stop the subject computer from accessing DNS.
Code:

[root@taylor16 ken]# iptables -I INPUT -i enp0s20u1 -p tcp --destination-port 53 -s 10.42.0.217 -j DROP
[root@taylor16 ken]# iptables -I INPUT -i enp0s20u1 -p udp --destination-port 53 -s 10.42.0.217 -j DROP

[root@taylor16 ken]# iptables -L INPUT -n -v --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num  pkts bytes target    prot opt in    out    source              destination       
1      179 12777 DROP      udp  --  enp0s20u1 *      10.42.0.217          0.0.0.0/0            udp dpt:53
2        0    0 DROP      tcp  --  enp0s20u1 *      10.42.0.217          0.0.0.0/0            tcp dpt:53

Still, I wonder why my rich rule, which I believe should have blocked all ports for the IP address of interest, did not. Perhaps the rich rule only dealt with tcp by default? At least I now know that blocking port 53 on udp does the trick. I will put things back to where I started and use the -n option when listing with iptables and see what the rich rule REALLY did.

Thanks again frankbell.

Ken
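The thread puts a block for 10.42.0.217 in three different places: a rich rule (which lands in IN_public_deny), a hypothetical firewall-cmd --direct rule (which lands in INPUT_direct), and a hand-inserted `iptables -I INPUT` rule at position 1. The added example below is not code from the thread or from firewalld; it is a toy evaluator for an iptables filter chain laid out the way firewalld builds it, so the three placements can be compared against the same packets. The INPUT skeleton is an assumption modeled on the FORWARD listing in the first post (conntrack ACCEPT first, then the *_direct chain, then the zone chains, then the INVALID drop and final REJECT); the contents of IN_public_allow (dns and ssh services), the absence of an interface match, and all function and class names are likewise assumptions. It does not explain why the original rich rule failed to block DNS in the poster's setup, which the posts do not establish; what it does show is that only the rule inserted at the top of INPUT sits ahead of the `ctstate RELATED,ESTABLISHED` accept, so a UDP query on a flow conntrack already considers ESTABLISHED (same source port reused within the UDP timeout after a reply was seen) slips past a DROP placed in INPUT_direct or in a zone chain.

```python
# Added example (not code from the thread or from firewalld): a toy evaluator
# for an iptables filter chain laid out the way firewalld builds it.  The INPUT
# skeleton is ASSUMED to mirror the FORWARD listing in the first post; the
# IN_public_allow contents and the lack of an interface match are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Set, Tuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    target: str                          # ACCEPT/DROP/REJECT or a user chain
    src: str = "0.0.0.0/0"               # -s
    proto: Optional[str] = None          # -p udp / -p tcp, None = all
    dport: Optional[int] = None          # --dport
    ctstate: Optional[Set[str]] = None   # -m conntrack --ctstate


@dataclass
class Packet:
    src: str
    proto: str
    dport: int
    ctstate: str = "NEW"                 # what conntrack says about the flow


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.ctstate is None or pkt.ctstate in rule.ctstate))


def walk(chains: Dict[str, List[Rule]], chain: str, pkt: Packet
         ) -> Optional[Tuple[str, str, int]]:
    """Return (verdict, chain, rule_no) of the first terminating rule, or
    None when the chain falls through (an implicit RETURN to the caller)."""
    for n, rule in enumerate(chains[chain], 1):
        if not matches(rule, pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target, chain, n
        hit = walk(chains, rule.target, pkt)    # jump into a user chain
        if hit:
            return hit
    return None


def firewalld_input(direct: Iterable[Rule] = (),
                    zone_deny: Iterable[Rule] = ()) -> Dict[str, List[Rule]]:
    """firewalld-style INPUT chain (assumed layout, see header comment)."""
    new = {"NEW"}
    return {
        "INPUT": [
            Rule("ACCEPT", ctstate={"RELATED", "ESTABLISHED"}),
            Rule("INPUT_direct"),
            Rule("INPUT_ZONES"),
            Rule("DROP", ctstate={"INVALID"}),
            Rule("REJECT"),
        ],
        "INPUT_direct": list(direct),        # firewall-cmd --direct rules
        "INPUT_ZONES": [Rule("IN_public")],
        "IN_public": [Rule("IN_public_deny"), Rule("IN_public_allow")],
        "IN_public_deny": list(zone_deny),   # rich rules with action drop
        "IN_public_allow": [                 # services enabled in the zone
            Rule("ACCEPT", proto="udp", dport=53, ctstate=new),
            Rule("ACCEPT", proto="tcp", dport=53, ctstate=new),
            Rule("ACCEPT", proto="tcp", dport=22, ctstate=new),
        ],
    }


def verdict(chains: Dict[str, List[Rule]], pkt: Packet,
            policy: str = "ACCEPT") -> str:
    return (walk(chains, "INPUT", pkt) or (policy, "INPUT", 0))[0]


# The DNS block for 10.42.0.217, placed where the thread puts it.
DNS_DROP = Rule("DROP", src="10.42.0.217", proto="udp", dport=53)


def verdict_top(pkt: Packet) -> str:
    """iptables -I INPUT ...: rule 1, ahead of the conntrack ACCEPT."""
    chains = firewalld_input()
    chains["INPUT"].insert(0, DNS_DROP)
    return verdict(chains, pkt)


def verdict_direct(pkt: Packet) -> str:
    """firewall-cmd --direct --add-rule ipv4 filter INPUT 0 ...: INPUT_direct."""
    return verdict(firewalld_input(direct=[DNS_DROP]), pkt)


def verdict_rich(pkt: Packet) -> str:
    """rich rule 'source address=10.42.0.217 drop': IN_public_deny."""
    return verdict(firewalld_input(zone_deny=[Rule("DROP", src="10.42.0.217")]), pkt)


if __name__ == "__main__":
    first = Packet("10.42.0.217", "udp", 53)                 # new flow
    again = Packet("10.42.0.217", "udp", 53, "ESTABLISHED")  # same 5-tuple, reply seen
    for name, fn in (("-I INPUT", verdict_top), ("--direct", verdict_direct),
                     ("rich rule", verdict_rich)):
        print(f"{name:10s} NEW={fn(first)}  ESTABLISHED={fn(again)}")
```

Run as a script it prints one line per placement; only the `-I INPUT` placement returns DROP for both packets. On a real box the equivalent check is `iptables -L INPUT -n -v --line-numbers`, reading whether the DROP appears before the `ctstate RELATED,ESTABLISHED` ACCEPT, and remembering that rules added with plain iptables disappear on a firewalld reload while `--direct` and rich rules (with `--permanent`) survive it.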

