Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Old 03-08-2007, 02:37 PM   #1
bence8810
Member
 
Registered: Nov 2004
Location: Budapest, Hungary
Distribution: Debian
Posts: 110

Rep: Reputation: 15
Iptables and DNS server trouble in LAN


Hi

My setup is a Cisco 806 router, serving up 5 static IPs in my home network. Behind this Cisco sits my Debian server which has IPTABLES on, and has a static IP on its own. Parallel to this I have my WLan router with yet another public IP. Behind that I have my laptop.

Code:
CISCO (.65)
     |
     |
  Switch
  ___|_______________
  |                 |
  |                 |
Server (.68)    WLan (.67)
                    |
                    |
           Laptop (192.168.1.100)

IP range (static)

x.x.x.64/29
Cisco x.x.x.65
WLan x.x.x.67
Server x.x.x.68

WLan router serves up through DHCP x.x.x.68 as primary DNS server.

When I flush (clear) IPtables, DNS resolves like a charm from behind the WLan router. This I need for short names for my networked devices, and also some name resolution for corporate VPN that I connect to.

When my IPtables is applied, DNS is not working from behind the WLan. I can still telnet through port 53 towards the server from my laptop.

This is my IPTABLES, if I missed something, please let me know.

Thanks

Ben

Code:
# Generated by iptables-save v1.2.11 on Tue Mar  6 12:02:53 2007
*filter
:INPUT ACCEPT [4:642]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d x.x.x.68 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d x.x.x.68 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -d x.x.x.68 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -d x.x.x.68 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d x.x.x.68 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d x.x.x.68 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -d x.x.x.68 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -d x.x.x.68 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 127.0.0.0 -d x.x.x.68 -j ACCEPT
-A INPUT -d x.x.x.68 -p tcp -m tcp --dport 3000 -j ACCEPT
-A INPUT -d x.x.x.68 -p icmp -j ACCEPT
-A INPUT -s x.x.x.64/255.255.255.248 -d x.x.x.68 -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -d x.x.x.68 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Mar  6 12:02:53 2007

Last edited by bence8810; 03-08-2007 at 02:43 PM.
 
Old 03-08-2007, 04:24 PM   #2
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 62
Not an iptables expert by far, but it looks like you need a DNAT rule set up. Check this post for a start.

Brian
 
Old 03-09-2007, 12:16 AM   #3
bence8810
Member
 
Registered: Nov 2004
Location: Budapest, Hungary
Distribution: Debian
Posts: 110

Original Poster
Rep: Reputation: 15
Hi Brian,

Like yourself, I am also not a big expert on IPTABLES yet, unfortunately. I had a quick look at DNAT, and it seems DNAT is when you need an address translated from your private IP to a public IP.

The server is on a public (external static) IP, and the laptop is on a private IP behind a router which is on another public IP. So if I need NAT, I think I need it on the router side, but I could still be wrong of course.

When I disable IPTABLES, all is working, so I don't think it's on the WLAN side, but rather on the DNS server side with IPTABLES.

If DNAT is in fact what I need, then I don't completely understand it. If someone has any thoughts, please share them with me.

Thanks

Ben
 
Old 03-10-2007, 01:45 AM   #4
bence8810
Member
 
Registered: Nov 2004
Location: Budapest, Hungary
Distribution: Debian
Posts: 110

Original Poster
Rep: Reputation: 15
Hi

I have a temporary, but not desired fix.

I applied the following rule to IPTABLES, to accept all traffic coming from my network (8 static IPs)
Code:
-A INPUT -s x.x.x.64/255.255.255.248 -d x.x.x.68 -j ACCEPT
I don't really like having this. If someone can come up with an idea how to only allow DNS lookups from my network, I would really appreciate it.

Thanks

Ben
 
Old 03-10-2007, 05:38 AM   #5
alienux
Member
 
Registered: Sep 2006
Location: Dayton, Ohio
Distribution: Slackware 12, Fedora Core, PCLinuxOS
Posts: 194

Rep: Reputation: 30
Make sure you have UDP port 53 open, not just TCP port 53. UDP is what is primarily used for DNS lookups.
 
Old 03-10-2007, 03:21 PM   #6
bence8810
Member
 
Registered: Nov 2004
Location: Budapest, Hungary
Distribution: Debian
Posts: 110

Original Poster
Rep: Reputation: 15
Hi

Thanks, that was easy. Works like a charm.

Does port 53 pose any threat from hackers? I have this DNS server only serving internal requests; I suppose I should lock it down to only my network as source?

Thanks

Ben
 
Old 03-10-2007, 09:07 PM   #7
alienux
Member
 
Registered: Sep 2006
Location: Dayton, Ohio
Distribution: Slackware 12, Fedora Core, PCLinuxOS
Posts: 194

Rep: Reputation: 30
Quote:
Originally Posted by bence8810
Hi

Thanks, that was easy. Works like a charm.

Does port 53 pose any threat from hackers? I have this DNS server only serving internal requests; I suppose I should lock it down to only my network as source?

Thanks

Ben
Yes, as long as your DNS server has a route to the 13 root servers, and it is allowed outbound on UDP and TCP 53 (TCP 53 is used on rare occasions), that's all you need. Opening port 53 inbound would allow others to use your server as an open DNS server for lookups. Unless you're hosting public DNS records, you should keep it closed to public access.
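The two points made in this thread, that DNS needs UDP 53 and not only TCP 53, and that inbound 53 should be limited to the LAN so the server is not an open resolver, can be checked without touching a live box. The following is an added example, not code posted by anyone in the thread: a small evaluator for the handful of iptables options the poster's chain uses (-s, -d, -p, -i, -m state --state, --dport, -j), which replays constructed packets against a reduced copy of the original INPUT chain and against a tightened variant. The addresses are constructed from RFC 5737 documentation space standing in for the poster's x.x.x.64/29, and the `-i lo` rule and the tightened rule set are suggestions of this example, not something from the thread.

```python
"""Replay constructed DNS packets against the thread's INPUT chain.

Added example, not code from the thread. It implements a small evaluator
for the iptables options used above and runs the same packets through two
rule sets: a reduced copy of the original chain (TCP 53 only) and a
tightened one that admits UDP and TCP 53 only from the LAN /29.
"""
import ipaddress
import shlex
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation space) standing in for the
# poster's x.x.x.64/29 range, the server at .68, the WLan router at .67
# and an arbitrary Internet host.
LAN = "192.0.2.64/29"
SERVER = "192.0.2.68"
WLAN_ROUTER = "192.0.2.67"
OUTSIDE = "198.51.100.10"

# The poster's INPUT chain, reduced to the rules that matter for DNS.
ORIGINAL_RULES = f"""
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d {SERVER} -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d {SERVER} -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 127.0.0.0 -d {SERVER} -j ACCEPT
-A INPUT -d {SERVER} -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# Tightened variant (this example's suggestion): DNS over UDP and TCP, but
# only from the LAN /29. Loopback is matched on the interface; the
# original's bare 127.0.0.0 is a single host (/32), so it never matched
# 127.0.0.1.
TIGHTENED_RULES = f"""
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d {SERVER} -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s {LAN} -d {SERVER} -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s {LAN} -d {SERVER} -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d {SERVER} -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""


@dataclass
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: int = 0       # 0 when the protocol has no port
    state: str = "NEW"   # what the conntrack state match would report
    iface: str = "eth0"  # incoming interface


def parse_rule(tokens):
    """Turn the tokens after '-A INPUT' into an option -> value dict."""
    rule, it = {}, iter(tokens)
    for tok in it:
        if tok == "-m":
            next(it)  # match-extension name; implied by the options that follow
        elif tok in ("-s", "-d", "-p", "-i", "-j", "--dport", "--state", "--reject-with"):
            rule[tok] = next(it)
        else:
            raise ValueError(f"option {tok!r} not handled by this evaluator")
    return rule


def parse_chain(dump):
    """Return (policy, rules) for the INPUT chain of an iptables-save dump."""
    policy, rules = "ACCEPT", []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT "):
            rules.append(parse_rule(shlex.split(line)[2:]))
    return policy, rules


def matches(rule, pkt):
    """True if every option present in the rule matches the packet."""
    if "-i" in rule and rule["-i"] != pkt.iface:
        return False
    for opt, addr in (("-s", pkt.src), ("-d", pkt.dst)):
        if opt in rule and ipaddress.ip_address(addr) not in ipaddress.ip_network(rule[opt], strict=False):
            return False
    if "-p" in rule and rule["-p"] != pkt.proto:
        return False
    if "--dport" in rule and int(rule["--dport"]) != pkt.dport:
        return False
    if "--state" in rule and pkt.state not in rule["--state"].split(","):
        return False
    return True


def verdict(dump, pkt):
    """Target of the first matching INPUT rule, or the chain policy if none match."""
    policy, rules = parse_chain(dump)
    for rule in rules:
        if matches(rule, pkt):
            return rule["-j"]
    return policy


# Constructed traffic: the laptop's lookups arrive from the WLan router.
SCENARIOS = {
    "lan udp dns": Packet(WLAN_ROUTER, SERVER, "udp", 53),
    "lan tcp dns": Packet(WLAN_ROUTER, SERVER, "tcp", 53),   # the poster's telnet test
    "internet udp dns": Packet(OUTSIDE, SERVER, "udp", 53),  # open-resolver probe
    "internet ssh": Packet(OUTSIDE, SERVER, "tcp", 22),
    "reply to own lookup": Packet(OUTSIDE, SERVER, "udp", 40000, state="ESTABLISHED"),
}


def compare():
    """Map each scenario to (original verdict, tightened verdict)."""
    return {name: (verdict(ORIGINAL_RULES, p), verdict(TIGHTENED_RULES, p))
            for name, p in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:22} original={before:7} tightened={after}")
```

Run as a script it prints one line per scenario. The "lan udp dns" row is the thread's symptom: the original chain falls through to the final REJECT because only TCP 53 is opened, while the telnet test on TCP 53 is accepted, which is why the poster could connect yet resolve nothing. In the tightened chain the same UDP query is accepted, the probe from outside the /29 still hits REJECT, and SSH and conntrack replies are unchanged.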
 
Old 03-12-2007, 06:01 AM   #8
bence8810
Member
 
Registered: Nov 2004
Location: Budapest, Hungary
Distribution: Debian
Posts: 110

Original Poster
Rep: Reputation: 15
Hi

I do have access to outside DNS servers, so I guess I am good blocking other access.

Now that you are mentioning outgoing access, I guess I am not blocking anything yet. What should I do about it? So far, as I can see, only incoming connections are blocked by my firewall rules.

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             myserverFQDN tcp dpt:ssh
ACCEPT     tcp  --  anywhere             myserverFQDN tcp dpt:smtp
ACCEPT     tcp  --  anywhere             myserverFQDN tcp dpt:ftp
ACCEPT     tcp  --  anywhere             myserverFQDN tcp dpt:domain
ACCEPT     tcp  --  anywhere             myserverFQDN tcp dpt:www
ACCEPT     tcp  --  anywhere             myserverFQDN tcp dpt:pop3
ACCEPT     tcp  --  anywhere             myserverFQDN tcp dpt:imap2
ACCEPT     tcp  --  anywhere             myserverFQDN tcp dpt:https
ACCEPT     tcp  --  anywhere             myserverFQDN tcp dpt:3000
ACCEPT     icmp --  anywhere             myserverFQDN
ACCEPT     all  --  127.0.0.0            myserverFQDN
ACCEPT     all  --  x.x.x.64/29          myserverFQDN
REJECT     all  --  anywhere             myserverFQDN reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
Is there anything else I should restrict? The server is behind a Cisco with pretty strict rules.

Sorry for the beginner questions, this is the first time I have my Public IP range set up, and thus the server is on its own live IP, and not behind a 2nd router.

Thanks

Ben
 
All times are GMT -5.