LinuxQuestions.org
Old 09-11-2005, 10:10 AM   #1
ujotne
LQ Newbie
 
Registered: Sep 2003
Posts: 13

Rep: Reputation: 0
iptables and DNS


Anybody who can see why this iptables script doesn't allow DNS traffic?
DNS (i.e. ping www.debian.org) works when I shut down iptables, but not with the iptables script below.

# ****************** iptables initial configuration file ******************
###########################################################################
#DHCP_CLIENT="0" # Use static IP-addresses

DMZ_INTERFACE="eth0" # Network interface
LOOPBACK_INTERFACE="lo" # Local area network interface

DMZ_IPADDR="10.0.0.4" # Firewall DMZ IP-address
DMZ_ADDRESSES="10.0.0.0/24" # DMZ IP-address range
#DMZ_NETWORK="10.0.0.64" # DMZ subnet base address
DMZ_BROADCAST="10.0.0.127" # DMZ broadcast address

DNS_SERVER_1="217.13.4.21" # DNS-server 1
DNS_SERVER_2="217.13.7.136" # DNS-server 2

###########################################################################

LOOPBACK="127.0.0.0/8" # Reserved loop-back address range
CLASS_A="10.0.0.0/8" # Class A private network
CLASS_B="172.16.0.0/12" # Class B private network
CLASS_C="192.168.0.0/16" # Class C private network
CLASS_D_MULTICAST="224.0.0.0/4" # Class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # Class E reserved addresses

BROADCAST_SRC="0.0.0.0" # Broadcast source addresses
BROADCAST_DEST="255.255.255.255" # Broadcast destination addresses

PRIVPORTS="0:1023" # Privileged port range
UNPRIVPORTS="1024:65535" # Unprivileged port range

###########################################################################
#
# Enabling kernel-monitoring support
#
###########################################################################

# Enable broadcast echo protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done

# Enable TCP SYN cookie protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP redirect acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done

# Do not send redirect messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done

# Drop spoofed packets coming in on an interface, which if replied to,
# would result in the reply going out on a different interface
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done

# Log packets with impossible addresses
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done

###########################################################################
#
# Flush chains and set up default policies
#
###########################################################################

# Flush all chains
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# Allow unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Set default policy of forward, input and output chain to DROP
# (reject everything)
iptables --policy FORWARD DROP
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP

#iptables -t nat -P PREROUTING DROP
#iptables -t nat -P OUTPUT DROP
#iptables -t nat -P POSTROUTING DROP

#iptables -t mangle --policy PREROUTING DROP
#iptables -t mangle --policy OUTPUT DROP

# Remove any pre-existing user-defined chains
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain

###########################################################################
#
# STEALTH SCANS AND TCP STATE FLAGS
#
# Testing for common forms of TCP stealth scans.
# The 1st list of bits lists the bits to be tested. Out of these,
# the 2nd list of bits lists the bits that must be set to match the rule.
#
###########################################################################

# All bits are cleared
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# SYN and FIN are both set
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# SYN and RST are both set
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# FIN and RST are both set
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

# FIN is the only bit set, without the expected accompanying ACK bit
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP

# PSH is the only bit set, without the expected accompanying ACK bit
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP

# URG is the only bit set, without the expected accompanying ACK bit
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

###########################################################################
#
# Connection tracking
#
###########################################################################

# Specifying the state match for previously initiated and accepted exchanges
# enables us to bypass the firewall tests for ongoing exchanges. The initial
# request remains controlled by the service's specific filter, though.

# Using the state module alone, INVALID will break protocols that use
# bi-directional connections or multiple connections or exchanges,
# unless an ALG (Application Level Gateway) is provided for the protocol.
# For the time being, FTP seems to be the only protocol with ALG support.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -m state --state INVALID -j LOG \
--log-prefix "INVALID input: "
iptables -A INPUT -m state --state INVALID -j DROP

iptables -A OUTPUT -m state --state INVALID -j LOG \
--log-prefix "INVALID output: "
iptables -A OUTPUT -m state --state INVALID -j DROP

###########################################################################
#
# BLOCK SOURCE ADDRESS SPOOFING AND OTHER DODGY ADDRESSES
#
###########################################################################

# Refuse spoofed packets pretending to be from this machine
# Packets from the firewall IP-addresses do not make sense
iptables -A INPUT -i $DMZ_INTERFACE -s $DMZ_IPADDR -j DROP

# Refuse packets claiming to be from the loop-back interface
iptables -A INPUT -i $DMZ_INTERFACE -s $LOOPBACK -j DROP

# Drop packets from the DMZ that do not come from outside addresses
#iptables -A INPUT -i $DMZ_INTERFACE -s $LAN_ADDRESSES -j DROP

# Refuse packets claiming to be from private networks
# The DMZ is a Class A network, so the following line must be
# commented out.
#iptables -A INPUT -i $DMZ_INTERFACE -s $CLASS_A -j DROP
iptables -A INPUT -i $DMZ_INTERFACE -s $CLASS_B -j DROP
iptables -A INPUT -i $DMZ_INTERFACE -s $CLASS_C -j DROP


# DROP packets that do not have local source addresses
#iptables -A OUTPUT -o $DMZ_INTERFACE -s ! $DMZ_IPADDR -j DROP

# Refuse malformed broadcast packets
iptables -A INPUT -i $DMZ_INTERFACE -s $BROADCAST_DEST -j LOG
iptables -A INPUT -i $DMZ_INTERFACE -s $BROADCAST_DEST -j DROP
iptables -A INPUT -i $DMZ_INTERFACE -d $BROADCAST_SRC -j LOG
iptables -A INPUT -i $DMZ_INTERFACE -d $BROADCAST_SRC -j DROP

# Refuse Class D multicast addresses, which are illegal as source addresses.
# Legitimate multicast packets are always UDP packets and are sent point-to-point,
# as other UDP messages. The difference between unicast and multicast packets
# is the class of destination addresses used (and the protocol flag carried
# in the Ethernet header).
# The next rules deny multicast non-UDP packets and accept multicast UDP packets.
iptables -A INPUT -i $DMZ_INTERFACE -s $CLASS_D_MULTICAST -j DROP
iptables -A INPUT -i $DMZ_INTERFACE -p ! udp -d $CLASS_D_MULTICAST -j DROP
iptables -A INPUT -i $DMZ_INTERFACE -p udp -d $CLASS_D_MULTICAST -j ACCEPT

# Refuse packets from Class E reserved IP addresses
iptables -A INPUT -i $DMZ_INTERFACE -s $CLASS_E_RESERVED_NET -j DROP

# Refuse packets from addresses defined as reserved by the IANA
# 0.*.*.* # Cannot be blocked unilaterally with DHCP
# 169.254.0.0/16 # Link local network
# 192.0.2.0/24 # TEST-NET

iptables -A INPUT -i $DMZ_INTERFACE -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i $DMZ_INTERFACE -s 169.254.0.0/16 -j DROP
iptables -A INPUT -i $DMZ_INTERFACE -s 192.0.2.0/24 -j DROP

###########################################################################
#
# ICMP Control and Status messages
#
###########################################################################

# Log and drop initial ICMP fragments
iptables -A INPUT --fragment -p icmp -j LOG \
--log-prefix "Fragmented incoming ICMP: "
iptables -A INPUT --fragment -p icmp -j DROP

iptables -A OUTPUT --fragment -p icmp -j LOG \
--log-prefix "Fragmented outgoing ICMP: "
iptables -A OUTPUT --fragment -p icmp -j DROP

iptables -A INPUT -p icmp \
--icmp-type source-quench -j ACCEPT

iptables -A OUTPUT -p icmp \
--icmp-type source-quench -j ACCEPT

iptables -A INPUT -p icmp \
--icmp-type parameter-problem -j ACCEPT

iptables -A OUTPUT -p icmp \
--icmp-type parameter-problem -j ACCEPT

iptables -A INPUT -p icmp \
--icmp-type destination-unreachable -j ACCEPT

#iptables -A OUTPUT -o $DMZ_INTERFACE -p icmp \
iptables -A OUTPUT -o $DMZ_INTERFACE -p icmp \
--icmp-type destination-unreachable \
-j ACCEPT
# -d $DMZ_ADDRESSES -j ACCEPT

iptables -A OUTPUT -p icmp \
--icmp-type fragmentation-needed -j ACCEPT

# Do not log dropped outgoing ICMP messages
iptables -A OUTPUT -p icmp \
--icmp-type destination-unreachable -j DROP

# Intermediate traceroute responses
#iptables -A OUTPUT -o $DMZ_INTERFACE -p icmp \
iptables -A OUTPUT -p icmp \
--icmp-type time-exceeded -j DROP

# Allow outgoing pings to anywhere
#iptables -A OUTPUT -o $DMZ_INTERFACE -p icmp \
iptables -A OUTPUT -p icmp \
--icmp-type echo-request \
-m state --state NEW -j ACCEPT

# Allow incoming pings
#iptables -A INPUT -i $DMZ_INTERFACE -p icmp \
iptables -A INPUT -p icmp \
--icmp-type echo-request \
-m state --state NEW -j ACCEPT
# -s $LAN_ADDRESSES \

###########################################################################
#
# DEFINE FILTER RULES
#
###########################################################################

# ===========================================================================
# Allow incoming ssh connection from friendly machine on LAN (TCP port 22)
# ===========================================================================
iptables -A INPUT -i $DMZ_INTERFACE -p tcp \
--sport $UNPRIVPORTS \
--dport 22 \
-m state --state NEW -j ACCEPT
# -s $LAN_ADDRESSES

# ===========================================================================
# Allow HTTP (TCP port 80)
# ===========================================================================
iptables -A INPUT -i $DMZ_INTERFACE -p tcp \
--sport $UNPRIVPORTS --dport 80 \
-m state --state NEW -j ACCEPT

# ===========================================================================
# Allow requests to external DNS-servers (UDP port 53)
# The TCP connection is included for the rare occasion when the look-up
# response does not fit in the DNS UDP datagram.
# ===========================================================================
iptables -A OUTPUT -p udp \
-d $DNS_SERVER_1 --dport 53 \
-m state --state NEW -j ACCEPT

iptables -A OUTPUT -p udp \
-d $DNS_SERVER_2 --dport 53 \
-m state --state NEW -j ACCEPT

# ===========================================================================
# Allow (NTP) Network Time Protocol (UDP 123)
# ===========================================================================
iptables -A OUTPUT -o $DMZ_INTERFACE -p udp \
-s $DMZ_IPADDR --sport $UNPRIVPORTS \
--dport 123 \
-m state --state NEW -j ACCEPT

# ===========================================================================
# Logging dropped packets
# ===========================================================================
iptables -A INPUT -i $DMZ_INTERFACE -j LOG
iptables -A OUTPUT -o $DMZ_INTERFACE -j LOG

###########################################################################
# Set up NAT
###########################################################################
iptables -t nat -A POSTROUTING -o $DMZ_INTERFACE -j SNAT --to 10.0.0.4
###########################################################################

exit 0
 
Old 09-11-2005, 12:14 PM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 125
You have a lot of rules that require state to be new. I wonder if some of the states may exist as something other than new, established, or related. Try removing the state matching from the UDP 53 rules.
 
Old 09-11-2005, 01:18 PM   #3
ujotne
LQ Newbie
 
Registered: Sep 2003
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by Matir
You have a lot of rules that require state to be new. I wonder if some of the states may exist as something other than new, established, or related. Try removing the state matching from the UDP 53 rules.
Made no difference.
 
Old 09-11-2005, 02:34 PM   #4
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 125
And I assume your firewall logs are not showing anything?
 
Old 09-12-2005, 02:45 AM   #5
deloptes
Member
 
Registered: Feb 2004
Location: AT
Distribution: debian etch and SUSE 10.2
Posts: 123

Rep: Reputation: 15
You have rules for sending (OUTGOING) on port 53 but not for receiving (PREROUTING).
I have never seen rules for POSTROUTING too.
Hope this code will help
Code:
#Allow DNS (port 53 TCP and UDP)
        echo -n "=> Enable DNS (port 53 TCP and UDP) ... "
        $IPT -t nat -A POSTROUTING -o $EXTIF -p UDP \
               -m udp --dport 53 -j ACCEPT
        $IPT -t nat -A PREROUTING -i $EXTIF -p UDP \
               -m udp --sport 53 -j ACCEPT
        $IPT -t nat -A OUTPUT -o $EXTIF -p UDP \
               -m udp --dport 53 -j ACCEPT
        $IPT -t nat -A POSTROUTING -o $EXTIF -p TCP \
               -m tcp --dport 53 -j ACCEPT
        $IPT -t nat -A PREROUTING -i $EXTIF -p TCP \
               -m tcp --sport 53 -j ACCEPT
        $IPT -t nat -A OUTPUT -o $EXTIF -p TCP \
               -m tcp --dport 53 -j ACCEPT
        echo " done."
at least it does on my system
 
Old 09-12-2005, 05:10 AM   #6
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,286

Rep: Reputation: 62
I see that you only have one interface declared, so I take it this is on a workstation with a single network card and not on a router; correct me if I'm wrong. You have some rules there that you don't need:

iptables --policy FORWARD DROP
iptables -t nat -P PREROUTING DROP
iptables -t nat -P POSTROUTING DROP
iptables -t mangle --policy PREROUTING DROP

These are only used if you have 2 network cards, not a single network card. Having a single network card will only use INPUT and OUTPUT chains.
 
Old 09-12-2005, 06:06 AM   #7
deloptes
Member
 
Registered: Feb 2004
Location: AT
Distribution: debian etch and SUSE 10.2
Posts: 123

Rep: Reputation: 15
This is part of my router (firewall) iptables configuration.
There is another INTIF, but you don't put anything there concerning DNS.

regards
 
Old 09-12-2005, 07:44 AM   #8
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 125
It's for a firewall? Then do 'iptables -A FORWARD -p udp --dport 53 -j ACCEPT'. You need to allow things on the FORWARD chain.
 
Old 09-12-2005, 07:49 AM   #9
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,286

Rep: Reputation: 62
OK, so it's a router. To route packets to the internal network you need to use the FORWARD chain. The INPUT and OUTPUT chains are only used for local processes on the firewall itself. The FORWARD chain works for the interface device you are forwarding to, so you will need your INTIF. Try:

iptables -A FORWARD -o $INTIF -p udp -s $DNS_SERVER_1 --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $INTIF -p udp -s $DNS_SERVER_2 --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
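Two checks worth running before blaming the ruleset, written as an added example (not code from the thread or from any poster): compare the nameservers the resolver will actually use (resolv.conf) with the script's DNS allow-list (DNS_SERVER_1/2), and generate the stateful port-53 rules for that allow-list, either in OUTPUT for the firewall's own lookups or in FORWARD for hosts behind a router as posts #8 and #9 describe. The resolv.conf contents and the third server 10.0.0.1 are constructed sample input.

```shell
#!/bin/sh
# Added example: resolver allow-list check plus stateful DNS rule generator.

# Print the nameserver addresses found in resolv.conf-style text on stdin.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Print every nameserver in $1 that is absent from the allow-list in $2
# (both whitespace separated); return 0 only when nothing is missing.
missing_servers() {
    missing=""
    for ns in $1; do
        found=0
        for ok in $2; do
            [ "$ns" = "$ok" ] && found=1
        done
        [ "$found" -eq 0 ] && missing="$missing $ns"
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Emit rules allowing new UDP and TCP queries to each server in $2 via chain $1.
# Replies to a query sent through OUTPUT arrive through INPUT; forwarded traffic
# passes FORWARD in both directions, so the ESTABLISHED,RELATED rule goes there.
dns_rules() {
    chain=$1
    reply_chain=$chain
    [ "$chain" = "OUTPUT" ] && reply_chain=INPUT
    echo "iptables -A $reply_chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for ns in $2; do
        for proto in udp tcp; do
            echo "iptables -A $chain -p $proto -d $ns --dport 53 -m state --state NEW -j ACCEPT"
        done
    done
}

# Constructed sample: the script's two servers plus a third (10.0.0.1) that the
# resolver would use but the allow-list does not cover.
SAMPLE_RESOLV='search example.net
nameserver 217.13.4.21
nameserver 217.13.7.136
nameserver 10.0.0.1'
ALLOWED="217.13.4.21 217.13.7.136"

# Stand-alone demo: report uncovered resolvers, then print the OUTPUT rules.
demo() {
    ns=$(printf '%s\n' "$SAMPLE_RESOLV" | resolv_nameservers)
    if miss=$(missing_servers "$ns" "$ALLOWED"); then
        echo "all resolvers are covered by the allow-list"
    else
        echo "resolvers not covered by the allow-list: $miss"
    fi
    dns_rules OUTPUT "$ALLOWED"
}
demo
```

A lookup sent to a resolver that is not in the allow-list hits the OUTPUT DROP policy and shows up in the "iptables -A OUTPUT -o $DMZ_INTERFACE -j LOG" line of the script, so the kernel log is the place to confirm this.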
 