LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-25-2006, 11:07 PM   #1
rickylim
Member
 
Registered: Jan 2006
Location: Malaysia
Distribution: RedHat & FreeBSD
Posts: 68

Rep: Reputation: 15
iptables - for dns


Hi, good day.

I am very new to iptables; currently I am setting up a BIND server.

My question is:
1) How do I configure my iptables to allow only a few ranges of IPs (e.g. 172.16.X.X and 172.17.X.X, etc.) to resolve DNS via my BIND server?

Below are my current iptables settings:

Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
# everything arriving or being forwarded is handed to the RH-Firewall-1-INPUT chain
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
# IPsec ESP (50) and AH (51)
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
# mDNS and IPP (CUPS)
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS (TCP and UDP 53) and SSH, accepted from any source
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# everything else is rejected
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Please advise.

Thanks!
 
Old 10-26-2006, 04:26 PM   #2
fordeck
Member
 
Registered: Oct 2006
Location: Utah
Posts: 520

Rep: Reputation: 61
You can take care of this in your /etc/named.conf file. These statements can be applied globally or to individual zones.

Code:
options {
      allow-query { 172.16/16; 172.17/16; };
};
or, for a particular zone:

Code:
acl "HP-NET" { 16/8; };

zone "hp.com" {
     type slave;
     file "ns.hp.com";
     masters { 16.254.151.3; };
     allow-query { "HP-NET"; };
};

Last edited by fordeck; 10-27-2006 at 07:08 AM.
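The allow-query lists in the reply above are BIND address match lists, and named evaluates them first-match: elements are tried in the order written, the first one that matches the client decides, and an element with a leading "!" denies. The script below is an added example, not code from the thread or from BIND, that reproduces that evaluation for the two lists above, expanding BIND's abbreviated prefix notation (16/8, 172.16/16) on the way; the test clients are constructed, and nested ACL names and the built-ins any/none are the only named elements it understands. Note that allow-query controls who may query the server at all; if the aim is to stop outsiders using it as a recursive resolver, BIND 9's allow-recursion is the directive to restrict as well.

```python
"""How named evaluates an address_match_list such as the one in allow-query:
elements are tried in order, the first element that matches decides, and an
element written with a leading '!' denies. Added example, not code from the
thread or from BIND; it covers plain prefixes, BIND's abbreviated prefix
notation (16/8, 172.16/16), nested ACL names, and the built-ins any/none."""
import ipaddress


def expand(prefix):
    """Turn BIND's abbreviated prefix notation into an ipaddress network:
    '16/8' -> 16.0.0.0/8, '172.16/16' -> 172.16.0.0/16, '10.1.2.3' -> /32."""
    addr, _, length = prefix.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"bad address element {prefix!r}")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + (length or "32"),
                                strict=False)


def allowed(acl, client, named_acls=None):
    """Return True if client passes acl, given as the list of elements as they
    appear between the braces in named.conf (strings, no trailing ';').
    named_acls maps acl names to their own element lists."""
    named_acls = named_acls or {}
    client = ipaddress.ip_address(client)
    for element in acl:
        negate = element.startswith("!")
        name = element.lstrip("!").strip().strip('"')
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name in named_acls:
            # a nested ACL counts as a match only when it matches positively
            hit = allowed(named_acls[name], str(client), named_acls)
        else:
            hit = client in expand(name)
        if hit:
            return not negate          # first match wins, negated or not
    return False                       # nothing matched: denied


def check(acl, clients, named_acls=None):
    """Evaluate one ACL against several clients; returns {client: allowed}."""
    return {c: allowed(acl, c, named_acls) for c in clients}


if __name__ == "__main__":
    # Constructed inputs: the two ACLs from the reply above, plus one that
    # shows why order matters when a negated element is involved.
    acls = {"HP-NET": ["16/8"]}
    print(check(["172.16/16", "172.17/16"], ["172.16.9.9", "172.18.0.1"]))
    print(check(['"HP-NET"'], ["16.254.151.3", "17.0.0.1"], acls))
    # the /24 exception only takes effect when it is listed before the /16
    print(check(["!172.16.1/24", "172.16/16"], ["172.16.1.5", "172.16.2.5"]))
    print(check(["172.16/16", "!172.16.1/24"], ["172.16.1.5"]))
```

The last two calls are the practical point: because evaluation stops at the first match, an exception for a subnet has to be listed before the broader prefix that contains it, otherwise the broader element matches first and the "!" element is never reached.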
 
Old 11-11-2006, 05:32 PM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379
Quote:
Originally Posted by rickylim
How do I configure my iptables to allow only a few ranges of IPs (e.g. 172.16.X.X and 172.17.X.X, etc.) to resolve DNS via my BIND server?
It would go something like this (assuming these rules will be run on the DNS server itself, and that your INPUT policy is set to DROP, as is recommended):
Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p UDP -i $IFACE --dport 53 -s 172.16.0.0/16 \
-m state --state NEW -j ACCEPT

iptables -A INPUT -p UDP -i $IFACE --dport 53 -s 172.17.0.0/16 \
-m state --state NEW -j ACCEPT
Replace $IFACE with the actual name of the interface your DNS is listening on.
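In the original poster's ruleset the port-53 rules do not sit in INPUT directly but in the RH-Firewall-1-INPUT chain that INPUT jumps to, so the -s restriction from the reply above belongs on those two lines, and a matching pair for TCP/53 is worth adding because responses too large for UDP and zone transfers use TCP. Before loading such a ruleset with iptables-restore it is useful to check on paper which sources can actually open a connection to port 53. The script below is an added example, not code from the thread: it walks an iptables-save ruleset first-match the way netfilter does, following the jump into the user-defined chain, for a constructed set of client addresses. The ruleset embedded in it is the poster's, trimmed to the relevant lines and with the -s restrictions and TCP/53 rules added as the assumed fix; the interface and destination address are assumptions, and only the match options those rules use (-i, -p, -s, -d, --dport, --state) are understood.

```python
"""Offline first-match walk over an iptables-save ruleset: which sources can
open a new connection to port 53 once the rules are loaded with iptables-restore?
Added example, not code from the thread. Only the match options used by the
thread's rules are understood (-i, -p, -s, -d, --dport, --state); no '!' negation."""
import ipaddress
import shlex

# Constructed input: the original poster's ruleset, trimmed to the lines that
# matter here, with the port-53 rules narrowed to 172.16/16 and 172.17/16 and a
# TCP/53 pair added (assumed fix; the address ranges come from the question).
RESTRICTED = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 172.16.0.0/16 --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 172.17.0.0/16 --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 172.16.0.0/16 --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 172.17.0.0/16 --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# The same rules without the -s restriction, i.e. port 53 open to any source,
# which is what the ruleset as posted does.
OPEN = RESTRICTED.replace("-s 172.16.0.0/16 ", "").replace("-s 172.17.0.0/16 ", "")


def parse(text):
    """Return (policies, chains): the default policy of each built-in chain and,
    per chain, its rules in order as dicts of match options plus the target."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[name] = []
            if policy != "-":           # user-defined chains have no policy
                policies[name] = policy
        elif line.startswith("-A "):
            tok = shlex.split(line)
            rule, i = {}, 2             # tok[1] is the chain name
            while i < len(tok):         # every option here takes one value
                if tok[i] == "-j":
                    rule["target"] = tok[i + 1]
                elif tok[i] in ("-p", "-s", "-d", "-i", "--dport", "--state"):
                    rule[tok[i]] = tok[i + 1].lower()
                i += 2
            chains[tok[1]].append(rule)
    return policies, chains


def matches(rule, pkt):
    """True if every match option on the rule agrees with the packet."""
    if rule.get("-i", pkt["iface"]) != pkt["iface"]:
        return False
    if rule.get("-p", pkt["proto"]) != pkt["proto"]:
        return False
    for opt, key in (("-s", "src"), ("-d", "dst")):
        net = ipaddress.ip_network(rule[opt], strict=False) if opt in rule else None
        if net is not None and ipaddress.ip_address(pkt[key]) not in net:
            return False
    if "--dport" in rule and int(rule["--dport"]) != pkt["dport"]:
        return False
    if "--state" in rule and pkt["state"] not in rule["--state"].split(","):
        return False
    return True


def walk(chains, chain, pkt):
    """First matching rule decides; a user-defined chain that reaches its end
    returns to the caller, which keeps going (netfilter's implicit RETURN)."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target in chains:
            verdict = walk(chains, target, pkt)
            if verdict is not None:
                return verdict
    return None


def verdict(text, src, proto, dport, iface="eth0", dst="172.16.0.53"):
    """Verdict for a NEW packet from src arriving on iface (defaults assumed)."""
    policies, chains = parse(text)
    pkt = {"src": src, "dst": dst, "proto": proto, "dport": dport,
           "iface": iface, "state": "new"}
    return walk(chains, "INPUT", pkt) or policies["INPUT"]


def dns_exposure(text, sources=("172.16.4.2", "172.17.250.9", "10.1.1.1", "203.0.113.7")):
    """Map (source, protocol) to the verdict for a new connection to port 53."""
    return {(s, p): verdict(text, s, p, 53) for s in sources for p in ("udp", "tcp")}


if __name__ == "__main__":
    for label, text in (("as posted", OPEN), ("restricted", RESTRICTED)):
        print(label)
        for (s, p), v in dns_exposure(text).items():
            print(f"  {s:>14} {p}/53 -> {v}")
```

Running it shows the difference the -s option makes: with the rules as posted every source gets ACCEPT on both UDP/53 and TCP/53, with the restricted rules only the 172.16/16 and 172.17/16 clients do and everything else hits the final REJECT. The loopback and ICMP rules still pass regardless of source, which is the expected behaviour for this chain.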
 
Old 11-17-2006, 02:20 AM   #4
rickylim
Member
 
Registered: Jan 2006
Location: Malaysia
Distribution: RedHat & FreeBSD
Posts: 68

Original Poster
Rep: Reputation: 15
Thanks fordeck and win32sux, that really helps. You guys are awesome for sharing; I appreciate it.

Again, thanks for the help :-)

Cheers
 