LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
03-24-2018, 10:04 PM   #1
taylorkh
Which iptables chain controls access to DNS (port 53)


I am running a CentOS 7 box with two NICs as a router/firewall/DHCP etc. By examining the firewall with iptables -L I have observed that firewalld has taken the three basic chains INPUT, FORWARD and OUTPUT and spawned off additional chains for the various zones.

For example, I guess that the chain IN_public_deny would contain a list of addresses of packets accessing the public zone which should be dropped. I created a rich rule
Quote:
firewall-cmd --add-rich-rule="rule family='ipv4' source address='10.42.0.217' drop" --zone=public
and now see this
Code:
Chain IN_public_deny (1 references)
target     prot opt source               destination         
DROP       all  --  10.42.0.217          anywhere
This prevents the computer at 10.42.0.217 from connecting to the firewall box with ssh or pinging the firewall box. However, the node computer can connect to the Internet.

I inserted a rule in the main FORWARD chain using iptables (should have used firewall-cmd --direct ... but have not figured that out yet.) The rule is here
Code:
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  10.42.0.217          anywhere            
ACCEPT     all  --  anywhere             10.42.0.0/24         state RELATED,ESTABLISHED
ACCEPT     all  --  10.42.0.0/24         anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
FORWARD_direct  all  --  anywhere             anywhere            
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_IN_ZONES  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
This prevents the node computer from connecting to the Internet for example with a web browser or pinging an Internet IP address.
Code:
[ken@localhost Desktop]$ ping 85.12.30.226
PING 85.12.30.226 (85.12.30.226) 56(84) bytes of data.
^C
--- 85.12.30.226 ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8173ms

[ken@localhost Desktop]$ ping www.centos.org
PING www.centos.org (85.12.30.226) 56(84) bytes of data.
^C
--- www.centos.org ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7338ms
In the first case, the ping by IP address never returned. In the second case the name www.centos.org was resolved and then the ping never returned.

The connection on the host points to the firewall box 10.42.0.1 as the primary DNS. However, I have, successfully I think, prevented the node from contacting the firewall box directly or routing traffic through the firewall box to the Internet. My question is... how do I block access to DNS which is being provided by/through the firewall box?

TIA,

Ken

p.s. Zenmap (nmap gui) shows
Code:
PORT   STATE SERVICE VERSION
53/tcp open  domain  dnsmasq 2.76
when I scan against the firewall box from the node computer.
 
03-25-2018, 08:06 PM   #2
frankbell
This article looks as if it might be helpful: https://www.cyberciti.biz/faq/iptables-block-port/
 
03-25-2018, 08:11 PM   #3
taylorkh (Original Poster)
Thank you frankbell,

That looks like it may do the trick. I will try and post back.

Ken
 
03-25-2018, 08:44 PM   #4
taylorkh (Original Poster)
I added two rules. One for tcp (which did not do the trick) and one for udp, which DID stop the subject computer from accessing DNS.
Code:
[root@taylor16 ken]# iptables -I INPUT -i enp0s20u1 -p tcp --destination-port 53 -s 10.42.0.217 -j DROP
[root@taylor16 ken]# iptables -I INPUT -i enp0s20u1 -p udp --destination-port 53 -s 10.42.0.217 -j DROP

[root@taylor16 ken]# iptables -L INPUT -n -v --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      179 12777 DROP       udp  --  enp0s20u1 *       10.42.0.217          0.0.0.0/0            udp dpt:53
2        0     0 DROP       tcp  --  enp0s20u1 *       10.42.0.217          0.0.0.0/0            tcp dpt:53
Still, I wonder why my rich rule - which I believe should have blocked all ports for the IP address of interest - did not. Perhaps the rich rule only dealt with tcp by default? At least I now know that blocking port 53 on udp does the trick. I will put things back to where I started and use the -n option when listing with iptables and see what the rich rule REALLY did.

Thanks again frankbell.

Ken
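The thread turns on one property of iptables: each chain is evaluated top to bottom and the first terminal match wins, so a per-source DROP parked inside IN_public_deny only matters for packets that reach that chain. The counters in post #4 (179 packets on the udp rule, 0 on the tcp rule) reflect that stub resolvers send queries over UDP and fall back to TCP only for truncated answers, which is also why the nmap hit on 53/tcp was a red herring. The script below is an added example, not code from the thread or from firewalld: it walks a packet through a rule set written in iptables-save syntax, honouring -j (call, resume on fall-through) and -g (goto, no return frame), and reports which rule produced the verdict. The rule set is constructed to mirror the chain layout visible in the listing (a *_direct chain, then the zone chains, IN_public_deny reached through IN_public). The first INPUT rule, an ACCEPT for udp/53 on the LAN interface, is an assumption: the page never shows the poster's INPUT chain before the fix, and such a rule ahead of the zone chains is one way to produce exactly what was observed (ssh and ping dropped by IN_public_deny, DNS still answered). Interface and address names are the thread's own.

```python
"""First-match walk through iptables chains (added example, not from the thread).
The rule set is constructed; the leading udp/53 ACCEPT in INPUT is an assumption."""
import ipaddress

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed rule set in iptables-save syntax, modelled on the thread's chain names.
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:INPUT_direct - [0:0]
:INPUT_ZONES - [0:0]
:IN_public - [0:0]
:IN_public_deny - [0:0]
:IN_public_allow - [0:0]
-A INPUT -i enp0s20u1 -p udp --dport 53 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -i enp0s20u1 -g IN_public
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public_deny -s 10.42.0.217/32 -j DROP
-A IN_public_allow -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""


def parse(text):
    """Return (policies, chains): chain -> policy or None, chain -> list of rule dicts."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains.setdefault(name, [])
        elif line.startswith("-A "):
            tok = line.split()
            rule, i = {"goto": False}, 2
            while i < len(tok):
                opt = tok[i]
                if opt in ("-i", "-s", "-p", "--dport", "--ctstate"):
                    rule[opt] = tok[i + 1]
                elif opt in ("-j", "-g"):
                    rule["target"], rule["goto"] = tok[i + 1], opt == "-g"
                elif opt not in ("-m", "--reject-with"):  # module names and reject type carry no match semantics
                    raise ValueError("unsupported option: " + opt)
                i += 2
            chains.setdefault(tok[1], []).append(rule)
    return policies, chains


def matches(rule, pkt):
    """True when every matcher present on the rule accepts the packet."""
    if "-i" in rule and rule["-i"] != pkt["in"]:
        return False
    if "-s" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["-s"], strict=False):
        return False
    if "-p" in rule and rule["-p"] != pkt["proto"]:
        return False
    if "--dport" in rule and int(rule["--dport"]) != pkt["dport"]:
        return False
    if "--ctstate" in rule and pkt["state"] not in rule["--ctstate"].split(","):
        return False
    return True


def walk(policies, chains, chain, pkt):
    """Return (verdict, chain, rule number) or None when the chain falls through."""
    for num, rule in enumerate(chains.get(chain, []), start=1):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target, chain, num
        if target == "RETURN":
            return None
        sub = walk(policies, chains, target, pkt)
        # -j resumes here on fall-through; -g pushes no frame, so its fall-through returns to our caller.
        if sub is not None or rule["goto"]:
            return sub
    policy = policies.get(chain)
    return (policy, chain, "policy") if policy else None


def verdict(ruleset_text, pkt, chain="INPUT"):
    policies, chains = parse(ruleset_text)
    return walk(policies, chains, chain, pkt)


def insert_rule(ruleset_text, chain, args, position=1):
    """Emulate `iptables -I CHAIN [position] args` on the saved text (default: top of chain)."""
    lines = ruleset_text.splitlines()
    slots = [i for i, l in enumerate(lines) if l.startswith("-A %s " % chain)]
    lines.insert(slots[position - 1], "-A %s %s" % (chain, args))
    return "\n".join(lines) + "\n"


NODE = "10.42.0.217"
DNS_QUERY = {"in": "enp0s20u1", "src": NODE, "proto": "udp", "dport": 53, "state": "NEW"}
SSH = {"in": "enp0s20u1", "src": NODE, "proto": "tcp", "dport": 22, "state": "NEW"}
# The udp/53 rule from post #4, placed at the top of INPUT exactly as `iptables -I` does.
FIXED = insert_rule(RULESET, "INPUT", "-i enp0s20u1 -s 10.42.0.217 -p udp --dport 53 -j DROP")

if __name__ == "__main__":
    for label, rs, pkt in (("dns before", RULESET, DNS_QUERY), ("ssh before", RULESET, SSH), ("dns after", FIXED, DNS_QUERY)):
        print(label, verdict(rs, pkt))
```

Run as-is, the walker shows the DNS query accepted by INPUT rule 1 while ssh from the same host is dropped in IN_public_deny rule 1; after the `iptables -I` from post #4 the query is dropped at INPUT rule 1 and DNS from any other LAN address still reaches the original ACCEPT. To keep that rule across a firewalld reload instead of a raw `iptables -I`, the equivalent direct rule is `firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -i enp0s20u1 -s 10.42.0.217 -p udp --dport 53 -j DROP` followed by `firewall-cmd --reload`; direct rules are evaluated from INPUT_direct, which sits ahead of the zone chains in the same position the FORWARD listing shows for FORWARD_direct, but still after any rule another tool has inserted above it, so `iptables -L INPUT -n -v --line-numbers` remains the check that the DROP actually comes first.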