LinuxQuestions.org


scottman 09-11-2004 07:50 PM

Trying to read named.conf forwarders info in bash script.
 
I am trying to read forwarders from my named.conf file
for use in an iptables script. I was wondering if anyone
knows an easier way to get this information, This is what I
am using now:
# grep -A 10 forwarders /etc/named.conf | grep -m 1 -B 10 '}' | tr -d '[:alpha:];{}'

It outputs the ips with two blank lines. I don't know how to trim off
the blank lines and the whitespace without calling yet another
program.

It seems there should be an easier way to get them since they are
between {} brackets in a structure:
Code:

    forwarders {
        ipaddress;
        ipaddress;
        ipaddress;
    };

Following is the function I am trying to use it in. The if construct helps me by
weeding out the blank lines, and making sure I don't try to
enter a rule if I don't have any forwarders in the /etc/named.conf
file, or use only the local interface in /etc/resolv.conf.

Any advice on how I could do this more efficiently (anything in there actually)
would be appreciated.

IPT=${IPT:-/sbin/iptables}   # assumed: set elsewhere in the original script
LANFACE=eth1
INTFACE=eth0

function dns_allow()
{
    for i in tcp udp; do
#       echo "Debugging $i"
        # LAN clients may query the DNS server on this host
        $IPT -A INPUT -i $LANFACE -p $i --dport 53 --sport 53 -j ACCEPT
        $IPT -A OUTPUT -o $LANFACE -p $i --dport 53 --sport 53 -j ACCEPT

        # nameservers from /etc/resolv.conf other than the local resolver
        awk '/nameserver/ && !/127\.0\.0\.1/ {print $2}' /etc/resolv.conf | \
        while read -r j; do
            if [[ "$j" != "" ]]; then
                $IPT -A INPUT -i $INTFACE -s $j -p $i --dport 53 --sport 53 -j ACCEPT
                $IPT -A OUTPUT -o $INTFACE -d $j -p $i --dport 53 --sport 53 -j ACCEPT
                $IPT -A FORWARD -d $j -p $i --dport 53 --sport 53 -j ACCEPT
                $IPT -A FORWARD -s $j -p $i --dport 53 --sport 53 -j ACCEPT
            fi
        done

        # forwarders from the forwarders { ... }; block of /etc/named.conf
        # (tr strips letters, ';', '{' and '}'; read trims the surrounding whitespace)
        grep -A 10 forwarders /etc/named.conf | grep -m 1 -B 10 '}' | \
            tr -d '[:alpha:];{}' | \
        while read -r j; do
            if [[ "$j" != "" ]]; then
                $IPT -A INPUT -i $INTFACE -s $j -p $i --dport 53 --sport 53 -j ACCEPT
                $IPT -A OUTPUT -o $INTFACE -d $j -p $i --dport 53 --sport 53 -j ACCEPT
            fi
        done
    done
}
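
A more robust way to pull the addresses out of the forwarders block than the grep/tr pipeline above, as an added example that is not scottman's code: one awk pass that strips comments (so a commented-out block is not picked up), handles an inline `forwarders { a; b; };` and an empty block, and prints one address per line with no blank lines. The named.conf it reads is constructed here; the get_forwarders and sample_conf names are my own.

```bash
#!/bin/bash
# Print the addresses listed in a named.conf forwarders { ... }; block, one per
# line, with no blank lines. Reads the file given as $1, or stdin if none.
get_forwarders() {
    awk '
        # drop // and # comments and single-line /* */ comments first, so a
        # commented-out forwarders block is not picked up
        { sub(/\/\/.*/, ""); sub(/#.*/, ""); gsub(/\/\*.*\*\//, "") }
        # start of the block; keep whatever follows the opening brace
        /forwarders[ \t]*[{]/ { inblock = 1; sub(/.*forwarders[ \t]*[{]/, "") }
        inblock {
            line = $0
            # closing brace ends the block (works for an inline { a; b; }; too)
            if (line ~ /[}]/) { sub(/[}].*/, "", line); inblock = 0 }
            n = split(line, tok, /[ \t;]+/)
            # keep IPv4/IPv6-looking tokens; skips keywords such as "port" and
            # bare numbers such as a port value
            for (i = 1; i <= n; i++)
                if (tok[i] ~ /^[0-9a-fA-F.:]+$/ && tok[i] ~ /[.:]/) print tok[i]
        }
    ' "$@"
}

# Constructed sample named.conf (not from the original post) for a stand-alone run.
sample_conf() {
    cat <<'EOF'
options {
    directory "/var/named";
    // forwarders { 10.0.0.1; };   old entry, commented out, must be ignored
    forwarders {
        192.0.2.53;      # primary ISP resolver
        192.0.2.54; 2001:db8::53;
    };
    forward only;
};
EOF
}

# Forwarders from the sample above; the firewall function would pipe this
# into its "while read j" loop instead of the grep/tr pipeline.
forwarders_from_sample() {
    sample_conf | get_forwarders
}

forwarders_from_sample
```

Because nothing but address-like tokens is printed, the `if [[ "$j" != "" ]]` guard in the loop is no longer needed, and an empty or missing forwarders block simply yields no rules.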


odious1 09-11-2004 08:31 PM

Are your forwarders going to change so often that you need a script for your firewall? Couldn't you open that port for outgoing packets that originate locally anyway?

scottman 09-11-2004 08:52 PM

Well my aims are to

When running BIND:
1.) Allow my network to query BIND (my 127.0.0.1
rules are loaded elsewhere)
2.) Allow my BIND to query only forwarders

To do this my resolv.conf reads only 127.0.0.1,
nameservers can be commented out with #.
I pull forwarders from named.conf.

When not running BIND:
1) Allow forwarding of traffic directly to nameservers.
2) Allow server to query nameserver directly, instead of
through bind.

To do this I uncomment or add nameservers to resolv.conf.
Rename my named.conf or delete forwarders from it.

This makes my firewall reconfigure itself when I mess with the
BIND configuration. It also allows for very specific rules on port 53.

odious1 09-11-2004 09:14 PM

Alright, it makes more sense to me now but it still seems like the long way around. I see no reason to restrict any traffic destined for port 53 that originates locally or on your internal network. Why can't you open up 53 to all outgoing traffic and set resolv.conf with your bind server listed first and your forwarders 2nd and 3rd? If you are running bind your clients will check your machine first whether you are answering queries or forwarding. If bind is not running they will simply look to your alternate servers.

I am always a little leery of scripts that change firewall rules, as if you can't tell :-)

scottman 09-11-2004 09:38 PM

I want my firewall to allow only very specific dns traffic.
The only dns traffic I allow is queries from
the local network to the server running the firewall,
and queries from the server to the external ISP forwarders.
This keeps me from leaving 53 open to outside issues,
and allows me to drop and log queries attempting to go
to dns servers not in my named.conf or resolv.conf.
Basically it helps keep me from being queried, and me from
querying unknown nameservers unless I specifically
decide to.
I'm still learning the ins and outs of BIND, and think a strong dns
ruleset may provide some protection against a misconfiguration.

