LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
04-08-2006, 03:36 PM   #1
aq_mishu
Firewall solution for DNS


Hi, I'm stuck. Help me please. Here is the situation: I have a caching-only name server. I use it to resolve IPs from this machine, and it also resolves IPs for other machines. I could do the following in iptables...

Code:
iptables -P INPUT DROP
iptables -P FORWARD DROP

# allow UDP packets from source port 53 to this server's port 53 (long options are --sport/--dport)
iptables -A INPUT -p udp -i eth0 --sport 53 -s 0/0 -d $MYDNS --dport 53 -j ACCEPT
If I do this, my PC can resolve from my DNS server using UDP 53. Now, when this DNS server needs to resolve something itself, it will use a port (not UDP 53, but probably something > 1024) to resolve it. Since no OUTPUT rules are applied, the request to resolve an IP from the DNS server will go out, but the reply will not come in, since I'm not allowing any port for that. What's the solution? I need it badly, and if I haven't made myself understood, let me know...
 
04-08-2006, 05:03 PM   #2
gilead
With iptables you can have NEW/ESTABLISHED connections with the UDP protocol. So you could have something like the following, but modified for your setup:
Code:
iptables -A OUTPUT -p UDP -o eth0 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p UDP -i eth0 --sport 53 -m state --state ESTABLISHED     -j ACCEPT
I believe you can also force bind to use port 53 instead of an unprivileged port for the source of outgoing queries by having the following in the options section of /etc/named.conf:
Code:
query-source address * port 53;
 
04-09-2006, 12:41 AM   #3
aq_mishu
Thanks a lot... I think now I may get a solution...

So what would the script for this be? No need to write all those modprobes... just the rule sets... can you write them for me? That will help me to understand more clearly...
like:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -p tcp -i eth0 -s 0/0 --sport 80 -d $MYSERV --dport 80 -j ACCEPT
iptables -A INPUT -p udp -i eth0 -s 0/0 --sport 53 -d $MYSERV --dport 53 -j ACCEPT

Now, do I need to add

iptables -A INPUT -p UDP -i eth0 --sport 53 -m state --state ESTABLISHED -j ACCEPT

along with the bold one, or only the last one? And since there are no rules for the OUTPUT chain, do I need to add
iptables -A OUTPUT -p UDP -o eth0 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

I just want to be clear...

I also noticed that TCP 53 is also used for DNS... is it? I only knew that UDP 53 is used for this...

And I already set the query source port... but no result. iptraf shows me unprivileged ports when my DNS starts to resolve from somewhere else...
 
04-09-2006, 04:50 AM   #4
gilead
I'm only looking at your DNS rules at the moment. So with your INPUT/FORWARD policies set, you only need to have:
Code:
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -A INPUT  -p UDP -i eth0 --sport 53 -m state --state ESTABLISHED     -j ACCEPT
iptables -A OUTPUT -p UDP -o eth0 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
You don't need to worry about TCP on port 53, UDP is all that is necessary.
 
04-09-2006, 09:24 AM   #5
aq_mishu
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -p UDP -i eth0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p UDP -o eth0 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

It's OK... but do I also need...
ipt -P OUTPUT DROP

or will I use just
iptables -A OUTPUT -p UDP -o eth0 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
??? I'm not setting any default policy for the OUTPUT chain... but after that I'm only allowing the NEW and ESTABLISHED connections for output, right? Well... I need to do a lot of experimenting. But after all, thanks a lot for your kind help...
 
04-09-2006, 09:28 AM   #6
aq_mishu
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -p UDP -i eth0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p UDP -o eth0 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

I'm going to use them... and check... if they fail, I'll let you know... and oh... since I'm blocking all inputs, I also need to open SSH... so will that need -m state, or simply
ipt -A INPUT -p tcp -i eth0 -s 0/0 --sport 22 -j ACCEPT

??
 
04-09-2006, 02:25 PM   #7
gilead
If you use a policy of iptables -P OUTPUT DROP, then you could also add the following to simplify rule creation:
Code:
iptables -A OUTPUT -p TCP -o eth0 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p UDP -o eth0 -m state --state ESTABLISHED -j ACCEPT
This just says to accept packets for connections that have already been established by allowed incoming connections.
If you're running an SSH server you'd have something like:
Code:
iptables -A INPUT -p TCP -i eth0 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
If you're connecting to someone else's SSH server you'd have something like:
Code:
iptables -A OUTPUT -p TCP -o eth0 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
Hope that helps...
 
04-09-2006, 02:49 PM   #8
win32sux
Quote:
Originally Posted by gilead
If you use a policy of iptables -P OUTPUT DROP, then you could also add the following to simplify rule creation:
Code:
iptables -A OUTPUT -p TCP -o eth0 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p UDP -o eth0 -m state --state ESTABLISHED -j ACCEPT
Yeah, and this can be simplified even further with just one rule:
Code:
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Last edited by win32sux; 04-09-2006 at 03:04 PM.
 
04-09-2006, 03:00 PM   #9
win32sux
If I understand the situation correctly, what you are looking for is the rules to let you run a DNS daemon on this box, while at the same time letting the box query other DNS daemons, right? If so, this would do the trick:
Code:
iptables -P INPUT DROP

iptables -P OUTPUT DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -p UDP -i eth0 --dport 53 \
-m state --state NEW -j ACCEPT

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -o lo -j ACCEPT

iptables -A OUTPUT -p UDP -o eth0 --dport 53 \
-m state --state NEW -j ACCEPT
remember to flush-out your chains before you run the above rules, or else you'll have old rules in there still...
Code:
iptables -F
iptables -X

as for the FORWARD chain, it doesn't sound like you're using it, so just disable forwarding with sysctl or with a:
Code:
echo "0" > /proc/sys/net/ipv4/ip_forward

Last edited by win32sux; 04-09-2006 at 03:03 PM.
 
04-12-2006, 01:43 PM   #10
aq_mishu
Well, now here is the final game...

Quote:
Originally Posted by win32sux
If I understand the situation correctly, what you are looking for is the rules to let you run a DNS daemon on this box, while at the same time letting the box query other DNS daemons, right? If so, this would do the trick: [...]
Thanks for this. I was looking for this, actually. Since you gave me all the stuff, may I now ask you for something more? Actually, I'm running DNS, www, MySQL and FTP on the same machine. It has to do the DNS work that I've already described and you understood. Now, here comes the part about www, MySQL, FTP and SSH. The box will serve DNS, www, MySQL, FTP and SSH as daemons. So it must allow...
<your solution for DNS>
<accept http and https incoming on 80, 443>
<accept ftp on 21 and ssh on 22 and mysql on 3306 for incoming>
<deny any other incoming ports>.
Now, to do so I will need something like...
INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT for all those UDP and TCP ports I need
INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT for connections already established by the client on any port, for input on those ports.
And after that, do I need to set any output rules for that? Since I want to first block all ports and then allow only a few for new input, and input ESTABLISHED for any ports opened by the NEW state...
And since I'm blocking all incoming traffic on any port, do I have a risk if I do not set anything for output?

Mishu~~
 
04-12-2006, 01:59 PM   #11
aq_mishu
Oh, I forgot to say: this machine is not a NAT box, and it must allow ping in and out.
 
04-12-2006, 06:08 PM   #12
win32sux
Quote:
Originally Posted by aq_mishu
Thanks for this. I was looking for this, actually. Since you gave me all the stuff, may I now ask you for something more? [...]
Quote:
Oh, I forgot to say: this machine is not a NAT box, and it must allow ping in and out.
Okay, so you want to add INPUT rules for PING, HTTP, HTTPS, FTP, MySQL and SSH... you also apparently want the box to be able to do its own PINGs to the outside... no problem, just insert a few rules in the script, like this:
Code:
echo "0" > /proc/sys/net/ipv4/ip_forward

/sbin/modprobe ip_conntrack_ftp

iptables -F

iptables -X

iptables -P INPUT DROP

iptables -P OUTPUT DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -p UDP -i eth0 --dport 53 \
-m state --state NEW -j ACCEPT

iptables -A INPUT -p TCP -i eth0 --dport 80 \
-m state --state NEW -j ACCEPT

iptables -A INPUT -p TCP -i eth0 --dport 443 \
-m state --state NEW -j ACCEPT

#iptables -A INPUT -p TCP -i eth0 --dport 3306 \
#-m state --state NEW -j ACCEPT

iptables -A INPUT -p TCP -i eth0 --dport 21 \
-m state --state NEW -j ACCEPT

iptables -A INPUT -p TCP -i eth0 --dport 22 \
-m state --state NEW -j ACCEPT

iptables -A INPUT -p ICMP -i eth0 --icmp-type 8 \
-m state --state NEW -j ACCEPT

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -o lo -j ACCEPT

iptables -A OUTPUT -p UDP -o eth0 --dport 53 \
-m state --state NEW -j ACCEPT

iptables -A OUTPUT -p ICMP -o eth0 --icmp-type 8 \
-m state --state NEW -j ACCEPT
The port 3306 rule is commented out because I'm not sure if you need it; I mean, usually one has the MySQL server listening only on localhost so that it can connect with the local web server, without any need for remote clients to connect to it... if you do need remote clients to connect, then just uncomment the rule...

The modprobe loads the iptables module needed for FTP to work... if you have built this support into your kernel, then just kill that line...

Also, it should be noted that if you have a fairly recent setup, then you might have support for the "multiport" match module, which allows you to specify multiple ports in one rule... so you could eliminate the need to have one rule for each service, like this:
Code:
echo "0" > /proc/sys/net/ipv4/ip_forward

/sbin/modprobe ip_conntrack_ftp

iptables -F

iptables -X

iptables -P INPUT DROP

iptables -P OUTPUT DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -p UDP -i eth0 --dport 53 \
-m state --state NEW -j ACCEPT

iptables -A INPUT -p TCP -i eth0 -m multiport \
--dports 80,443,21,3306,22 -m state --state NEW -j ACCEPT

iptables -A INPUT -p ICMP -i eth0 --icmp-type 8 \
-m state --state NEW -j ACCEPT

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -o lo -j ACCEPT

iptables -A OUTPUT -p UDP -o eth0 --dport 53 \
-m state --state NEW -j ACCEPT

iptables -A OUTPUT -p ICMP -o eth0 --icmp-type 8 \
-m state --state NEW -j ACCEPT
I hope this helps... good luck...

Last edited by win32sux; 04-12-2006 at 06:26 PM.
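The final rule set above, together with gilead's earlier point that conntrack treats the UDP reply to an outbound query as ESTABLISHED, as one added example in POSIX sh. This is not the thread's own script; it carries the changes a practitioner would make today: the ESTABLISHED,RELATED rule placed first, `-m conntrack --ctstate` (the current spelling of `-m state --state`), TCP 53 next to UDP 53 (answers larger than the UDP limit are retried over TCP, and zone transfers use it), the FTP helper attached explicitly with the CT target because kernels since 4.7 no longer assign helpers automatically, and no fixed `query-source` port: conntrack returns the answer to whatever source port the resolver chose, and pinning queries to port 53 gives up the source-port randomisation that makes spoofed answers hard to land. The interface name eth0, the RUN and IPT dry-run variables and the script name fw.sh are assumptions. The script only prints the commands until you set IPT and RUN to run them.

```shell
#!/bin/sh
# Host firewall for a box running a caching resolver plus web, FTP and SSH.
# Added example (not the thread's own script). Assumptions: public
# interface eth0, iptables with the conntrack/multiport/CT extensions, and
# a kernel that needs the FTP helper assigned explicitly (4.7 or later).
# Dry run by default: every privileged command is prefixed with $RUN or
# $IPT, which expand to "echo". Apply for real with:
#     RUN= IPT=/sbin/iptables sh fw.sh
IFACE="${IFACE:-eth0}"
RUN="${RUN-echo}"
IPT="${IPT:-echo iptables}"

fw_reset() {
    $IPT -F
    $IPT -X
    $IPT -t raw -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
}

fw_apply() {
    fw_reset
    # Not a router: refuse to forward regardless of what FORWARD holds.
    $RUN sysctl -w net.ipv4.ip_forward=0

    # Loopback is unrestricted (named's own lookups, MySQL on 127.0.0.1).
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Tracked flows first. This is the rule that lets the resolver's outbound
    # query, sent from a random high port, get its answer back: conntrack
    # records the UDP flow and the reply matches ESTABLISHED, so no fixed
    # query-source port is needed. RELATED covers FTP data and ICMP errors.
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT  -m conntrack --ctstate INVALID -j DROP

    # Inbound DNS on UDP and TCP 53 (truncated answers are retried over TCP).
    $IPT -A INPUT -i "$IFACE" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -i "$IFACE" -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

    # Public TCP services in one multiport rule. 3306 is left out on purpose:
    # keep MySQL bound to 127.0.0.1 unless remote clients really need it.
    $IPT -A INPUT -i "$IFACE" -p tcp -m multiport --dports 21,22,80,443 \
        -m conntrack --ctstate NEW -j ACCEPT

    # FTP data connections (active and passive) arrive as RELATED once the
    # ftp helper has read the control channel; attach it in the raw table.
    $RUN modprobe nf_conntrack_ftp
    $IPT -t raw -A PREROUTING -i "$IFACE" -p tcp --dport 21 -j CT --helper ftp

    # Ping in. The limit bounds the rate of new echo conversations; later
    # packets of the same ping stream already match ESTABLISHED above.
    $IPT -A INPUT -i "$IFACE" -p icmp --icmp-type echo-request \
        -m conntrack --ctstate NEW -m limit --limit 5/second --limit-burst 20 -j ACCEPT

    # Outbound: the resolver's own queries and the box's own pings.
    $IPT -A OUTPUT -o "$IFACE" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE" -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE" -p icmp --icmp-type echo-request -j ACCEPT

    # Log what the INPUT policy is about to drop, rate limited, so a missing
    # rule (say rndc on 953, should it ever listen on eth0) shows in syslog.
    $IPT -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "fw-drop: "
}

fw_apply
```

Run it once as-is to read the generated rule list, then with `RUN= IPT=/sbin/iptables` to apply. Because OUTPUT defaults to DROP, any outbound service the box needs beyond DNS and ping (package updates, NTP) needs its own NEW rule in OUTPUT, exactly as the DNS one is written.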
 
04-13-2006, 02:11 AM   #13
aq_mishu
That's what I was looking for, the second one. I'm going to implement it and test. But can I have a suggestion? How can I disable rndc? The actual problem was posted in

http://www.linuxquestions.org/questi...d.php?t=434556
 
04-13-2006, 05:19 AM   #14
win32sux
Quote:
Originally Posted by aq_mishu
That's what I was looking for, the second one. I'm going to implement it and test. But can I have a suggestion? How can I disable rndc? The actual problem was posted in

http://www.linuxquestions.org/questi...d.php?t=434556
rndc uses port 953 by default, and since you aren't running a rule to allow connections to that port, rndc access will be denied when you implement these rules... As for disabling rndc itself, that's not related to your firewall, so you should keep that topic on the other thread...
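A way to verify this point about rndc, and the earlier one about keeping MySQL on localhost, on the real box: compare the sockets the host listens on with the ports the firewall admits. This is an added example, not from the thread. It reads the table that `ss -tulnH` prints (one listener per line, local address in the fifth column); the allow list is the set of ports the final rule set opens; and the sample table is constructed, with an rndc control socket deliberately configured to listen on all addresses instead of its 127.0.0.1 default so that the audit has something to find.

```shell
#!/bin/sh
# Listener audit: which sockets are reachable from the network but not
# opened by the firewall? Added example, not from the thread. Input is
# the header-less "ss -tulnH" table; the allow list is the firewall's.
# Live use:   ss -tulnH | audit_listeners "53 80 443 21 22"

# audit_listeners "PORT PORT ..." < ss-table
# Prints one line per listener that is bound to a non-loopback address and
# whose port is not in the allow list. Exit status 1 if any were found.
audit_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 5 {
            laddr = $5                       # Local Address:Port
            port = laddr; sub(/.*:/, "", port)
            addr = laddr; sub(/:[^:]*$/, "", addr)
            # Loopback-only listeners never cross eth0, so the firewall is
            # not what protects them; skip them.
            if (addr == "127.0.0.1" || addr == "[::1]") next
            if (!(port in ok)) {
                found = 1
                print $1, laddr, "listening but not allowed by the firewall"
            }
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample resembling the box in this thread: named on 53 for UDP
# and TCP, rndc on 953 bound to every address, MySQL kept on localhost.
SAMPLE_SS='udp   UNCONN 0 0   0.0.0.0:53     0.0.0.0:*
tcp   LISTEN 0 10  0.0.0.0:53     0.0.0.0:*
tcp   LISTEN 0 10  0.0.0.0:953    0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:80     0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:443    0.0.0.0:*
tcp   LISTEN 0 5   0.0.0.0:21     0.0.0.0:*
tcp   LISTEN 0 80  127.0.0.1:3306 0.0.0.0:*'

# Ports the final rule set in this thread admits on eth0.
FW_ALLOWED="53 80 443 21 22"

# run_sample_audit: the sample through the audit; prints the findings and
# returns the audit's exit status (1 here, because of rndc on 953).
run_sample_audit() {
    printf '%s\n' "$SAMPLE_SS" | audit_listeners "$FW_ALLOWED"
}

run_sample_audit || echo "exposed listener(s) found, see above"
```

A listener the audit flags is one the DROP policy is silently protecting; either the service should not be bound to eth0 at all (rndc, MySQL) or a rule is missing. Either way the fix belongs in the daemon's configuration or the rule set, not in ignoring the line.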
 
04-13-2006, 05:32 AM   #15
aq_mishu
No, no... the rndc matter is not related to iptables... and oh yeah, I tried the code... but result = 0.

And I've already given the link where I posted the problem about rndc...
 