
bence8810 03-08-2007 02:37 PM

Iptables and DNS server trouble in LAN
 
Hi

My setup is a Cisco 806 router, serving up 5 static IPs in my home network. Behind this Cisco sits my Debian server, which has IPTABLES on and has a static IP of its own. Parallel to this I have my WLan router with yet another public IP. Behind that I have my laptop.
Code:

             CISCO (.65)
                  I
                  I
               Switch
     _____________I_____________
     I                         I
     I                         I
Server (.68)               WLan (.67)
                               I
                               I
                       Laptop (192.168.1.100)

IP range (static)

x.x.x.64/29
Cisco x.x.x.65
WLan x.x.x.67
Server x.x.x.68

WLan router serves up through DHCP x.x.x.68 as primary DNS server.

When I flush (clear) IPtables, DNS resolves like a charm from behind the WLan router. This I need for short names for my networked devices, and also some name resolution for corporate VPN that I connect to.

When my IPtables is applied, DNS is not working from behind the WLan. I can still telnet through port 53 towards the server from my laptop.

This is my IPTABLES; if I missed something, please let me know.

Thanks

Ben

Code:

# Generated by iptables-save v1.2.11 on Tue Mar  6 12:02:53 2007
*filter
:INPUT ACCEPT [4:642]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d x.x.x.68 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d x.x.x.68 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -d x.x.x.68 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -d x.x.x.68 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d x.x.x.68 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d x.x.x.68 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -d x.x.x.68 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -d x.x.x.68 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 127.0.0.0 -d x.x.x.68 -j ACCEPT
-A INPUT -d x.x.x.68 -p tcp -m tcp --dport 3000 -j ACCEPT
-A INPUT -d x.x.x.68 -p icmp -j ACCEPT
-A INPUT -s x.x.x.64/255.255.255.248 -d x.x.x.68 -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -d x.x.x.68 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Mar  6 12:02:53 2007


Brian1 03-08-2007 04:24 PM

Not an iptables expert by far, but it looks like you need a DNAT rule set up. Check this post for a start.

Brian

bence8810 03-09-2007 12:16 AM

Hi Brian,

Like yourself, I am also not a big expert on IPTABLES yet, unfortunately. I had a quick look at DNAT, and it seems DNAT is when you need an address translated from your private IP to a public IP.

The server is on a public (external static) IP, and the laptop is on a private IP behind a router which is on another public IP. So if I need NAT, I think I need it on the router side, but I can still be wrong of course.

When I disable the IPTABLES, all is working, so I don't think it's on the WLAN side, but rather on the DNS server side with IPTABLES.

If DNAT is in fact what I need, then I don't completely understand it. If someone has any thoughts, please share with me.

Thanks

Ben

bence8810 03-10-2007 01:45 AM

Hi

I have a temporary, but not desired fix.

I applied the following rule to IPTABLES, to accept all traffic coming from my network (8 static IPs).
Code:

-A INPUT -s x.x.x.64/255.255.255.248 -d x.x.x.68 -j ACCEPT
I don't really like having this; if someone can come up with an idea how to only allow DNS lookups from my network, I would really appreciate it.

Thanks

Ben

alienux 03-10-2007 05:38 AM

Make sure you have UDP port 53 open, not just TCP port 53. UDP is what is primarily used for DNS lookups.

bence8810 03-10-2007 03:21 PM

Hi

Thanks, that was easy. Works like a charm.

Does port 53 pose any threat from hackers? I have this DNS server only serving internal requests, so I suppose I should lock it down to only my network as source?

Thanks

Ben

alienux 03-10-2007 09:07 PM

Quote:

Originally Posted by bence8810
Hi

Thanks, that was easy. Works like a charm.

Does port 53 pose any threat from hackers? I have this DNS server only serving internal requests, so I suppose I should lock it down to only my network as source?

Thanks

Ben

Yes, as long as your DNS server has a route to the 13 root servers, and it is allowed outbound on UDP and TCP 53 (TCP 53 is used on rare occasions), that's all you need. Opening port 53 inbound would allow others to use your server as an open DNS server for lookups. Unless you're hosting public DNS records, you should keep it closed to public access.
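As an added example (not code posted by anyone in this thread), here is a small POSIX shell script that ties the two replies above together: it prints the pair of INPUT rules that accept DNS on both UDP and TCP 53 only from the home /29, and it audits an iptables-save dump for the conditions discussed, namely UDP 53 open, TCP 53 open, and no port-53 ACCEPT reachable from arbitrary sources (the open-resolver case). The 203.0.113.x addresses are constructed placeholders for the thread's x.x.x.64/29 and x.x.x.68; the function names are my own.

```shell
#!/bin/sh
# Added example for this thread, not code posted by any participant.
# dns_rules LAN SERVER : print the two INPUT rules that resolve the problem:
#                        DNS on UDP *and* TCP 53, accepted only from the home /29,
#                        so the server does not become an open resolver.
# audit_dns FILE       : read an iptables-save dump and report whether UDP 53 and
#                        TCP 53 are accepted and whether any port-53 ACCEPT has no
#                        source restriction. Returns non-zero if anything is found.
# 203.0.113.x (TEST-NET-3) are constructed placeholders for the thread's
# x.x.x.64/29 and x.x.x.68.

LAN_NET="${LAN_NET:-203.0.113.64/29}"
SERVER_IP="${SERVER_IP:-203.0.113.68}"

dns_rules() {
    lan="$1"; srv="$2"
    # UDP carries almost every lookup; TCP is needed for answers that do not fit
    # in a UDP datagram and for zone transfers.
    printf '%s\n' "-A INPUT -s $lan -d $srv -p udp -m udp --dport 53 -j ACCEPT"
    printf '%s\n' "-A INPUT -s $lan -d $srv -p tcp -m tcp --dport 53 -j ACCEPT"
}

# INPUT rules in dump $1 that ACCEPT traffic to port 53 for protocol $2.
port53_accepts() {
    grep -E "^-A INPUT .*-p $2 .*--dport 53 .*-j ACCEPT" "$1" || true
}

audit_dns() {
    f="$1"; findings=0
    udp=$(port53_accepts "$f" udp)
    tcp=$(port53_accepts "$f" tcp)
    if [ -z "$udp" ]; then
        echo "FINDING: no ACCEPT for UDP 53; lookups from the LAN will fail"
        findings=1
    fi
    if [ -z "$tcp" ]; then
        echo "FINDING: no ACCEPT for TCP 53; large answers will fail"
        findings=1
    fi
    # A port-53 ACCEPT without -s answers the whole Internet: open resolver.
    if printf '%s\n%s\n' "$udp" "$tcp" | grep -E '^-A INPUT ' | grep -qvE ' -s [^ ]+ '; then
        echo "FINDING: port 53 accepted from any source; open resolver risk"
        findings=1
    fi
    if [ "$findings" -eq 0 ]; then
        echo "OK: DNS reachable on UDP and TCP 53 from the LAN only"
    fi
    return "$findings"
}

# Demo: the thread's original TCP-only, any-source rule, then the fixed pair.
tmp=$(mktemp)
printf '%s\n' "-A INPUT -d $SERVER_IP -p tcp -m tcp --dport 53 -j ACCEPT" > "$tmp"
audit_dns "$tmp" || true
dns_rules "$LAN_NET" "$SERVER_IP" > "$tmp"
audit_dns "$tmp"
rm -f "$tmp"
```

Run it against a real dump with `iptables-save > rules.txt; audit_dns rules.txt` to see which of the three conditions a ruleset meets. The audit only looks for a missing `-s`, so a rule written as `-s 0.0.0.0/0` would not be flagged; it is meant as a quick check, not a complete policy analysis.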

bence8810 03-12-2007 06:01 AM

Hi

I do have access to outside DNS servers, so I guess I am good blocking other access.

Now that you mention outgoing access, I guess I am not blocking anything yet. What should I do about it? So far, as I can see, only incoming connections are blocked by my firewall rules.

Code:

Chain INPUT (policy ACCEPT)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    tcp  --  anywhere            myserverFQDN tcp dpt:ssh
ACCEPT    tcp  --  anywhere            myserverFQDN tcp dpt:smtp
ACCEPT    tcp  --  anywhere            myserverFQDN tcp dpt:ftp
ACCEPT    tcp  --  anywhere            myserverFQDN tcp dpt:domain
ACCEPT    tcp  --  anywhere            myserverFQDN tcp dpt:www
ACCEPT    tcp  --  anywhere            myserverFQDN tcp dpt:pop3
ACCEPT    tcp  --  anywhere            myserverFQDN tcp dpt:imap2
ACCEPT    tcp  --  anywhere            myserverFQDN tcp dpt:https
ACCEPT    tcp  --  anywhere            myserverFQDN tcp dpt:3000
ACCEPT    icmp --  anywhere            myserverFQDN
ACCEPT    all  --  127.0.0.0            myserverFQDN
ACCEPT    all  --  x.x.x.64/29          myserverFQDN
REJECT    all  --  anywhere            myserverFQDN reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere            state NEW,RELATED,ESTABLISHED

Is there anything else I should restrict? The server is behind a Cisco with pretty strict rules.

Sorry for the beginner questions, this is the first time I have my Public IP range set up, and thus the server is on its own live IP, and not behind a 2nd router.

Thanks

Ben
