LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 12-06-2017, 04:18 AM   #1
fropa
LQ Newbie
 
Registered: Oct 2017
Posts: 4

Rep: Reputation: Disabled
outgoing DNS with iptables


I've configured the ":OUTPUT DROP" rule in iptables. After that, I tried standard rules for outgoing DNS.

-A OUTPUT -p udp --dport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

I've tried also without state on udp and tried :

-A INPUT -s 8.8.8.8 -j ACCEPT
-A OUTPUT -d 8.8.8.8 -j ACCEPT

but it did not work either.

How can I fix that?
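An added check, not part of the thread: the posted rules rely on connection-tracking states, and the first packet of an outgoing query is in state NEW, so an OUTPUT rule that accepts only ESTABLISHED can never pass the query under a DROP policy, while an INPUT rule that accepts NEW from source port 53 lets unsolicited traffic through. The script below (example code, not the poster's) lints an iptables-save style dump for both patterns and prints corrected rules; the dump is constructed from the rules in the post, and 8.8.8.8 is the resolver address the poster tried.

```shell
#!/bin/sh
# Constructed iptables-save style dump of the rules from the post (not a real
# capture): an OUTPUT DROP policy with the four DNS rules as posted.
RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -p udp --dport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT'

# OUTPUT rules for destination port 53 whose state list lacks NEW. The first
# packet of a query is in state NEW, so such a rule never matches it and the
# query falls through to the chain's DROP policy.
find_dns_output_without_new() {
  printf '%s\n' "$1" | grep -e '-A OUTPUT ' | grep -e '--dport 53' |
    grep -e '--state ' | grep -v -e '--state [A-Z,]*NEW'
}

# INPUT rules that accept NEW connections only because the source port is 53.
# Replies to our own queries are ESTABLISHED; accepting NEW here lets any host
# that sets its source port to 53 past the firewall.
find_dns_input_accepting_new() {
  printf '%s\n' "$1" | grep -e '-A INPUT ' | grep -e '--sport 53' |
    grep -e '--state [A-Z,]*NEW'
}

# Corrected rules in iptables-restore syntax, limited to one resolver: the
# query is NEW in OUTPUT, the answer is ESTABLISHED in INPUT. On current
# kernels "-m conntrack --ctstate" is the equivalent of "-m state --state".
corrected_dns_rules() {
  resolver="$1"
  for proto in udp tcp; do
    printf '%s\n' "-A OUTPUT -d $resolver -p $proto --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT"
    printf '%s\n' "-A INPUT -s $resolver -p $proto --sport 53 -m state --state ESTABLISHED -j ACCEPT"
  done
}

# Usage: lint the posted rules, then print the replacement for resolver 8.8.8.8.
echo "OUTPUT rules that cannot pass a new query:"
find_dns_output_without_new "$RULES"
echo "INPUT rules that accept unsolicited traffic from port 53:"
find_dns_input_accepting_new "$RULES"
echo "Corrected rules:"
corrected_dns_rules 8.8.8.8
```

On a live host, feed the lint functions the output of `iptables-save` instead of the constructed dump.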
 
Old 12-06-2017, 02:16 PM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,064
Blog Entries: 14

Rep: Reputation: 1248
What distro and version of Linux are you running?

Does this server run firewalld? Did you directly edit iptables rather than using firewalld?

Can you list "iptables -nL" so we can see all your rules?

Last edited by MensaWater; 12-06-2017 at 04:10 PM.
 
Old 12-07-2017, 12:57 AM   #3
fropa
LQ Newbie
 
Registered: Oct 2017
Posts: 4

Original Poster
Rep: Reputation: Disabled
It is Red Hat 4.4.7-17 (I installed FreePBX 13 from ISO).

Here are the iptables rules.

Quote:
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-FTP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 21
fail2ban-apache-auth tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80
fail2ban-SIP all -- 0.0.0.0/0 0.0.0.0/0
fail2ban-SIP all -- 0.0.0.0/0 0.0.0.0/0
fail2ban-BadBots tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
fail2ban-recidive all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- X.X.X.X 0.0.0.0/0 multiport dports 80,8022 state NEW,ESTABLISHED
ACCEPT tcp -- X.X.X.X 0.0.0.0/0 multiport dports 80,8022 state NEW,ESTABLISHED
ACCEPT tcp -- X.X.X.X 0.0.0.0/0 multiport dports 80,8022 state NEW,ESTABLISHED
ACCEPT tcp -- X.X.X.X 0.0.0.0/0 multiport dports 80,8022 state NEW,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:10000:20000 state NEW,ESTABLISHED
ACCEPT tcp -- X.X.X.X/29 0.0.0.0/0 multiport dports 80,8022 state NEW,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
ACCEPT tcp -- 193.0.6.135 0.0.0.0/0 tcp dpt:43 state NEW,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 state NEW,ESTABLISHED
ACCEPT all -- X.X.X.X 0.0.0.0/0 state NEW,ESTABLISHED
ACCEPT all -- X.X.X.X 0.0.0.0/0 state NEW,ESTABLISHED
SIPCLI udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sundayddr" ALGO name bm TO 65535
SIPCLI udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sipsak" ALGO name bm TO 65535
SIPCLI udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sipvicious" ALGO name bm TO 65535
SIPCLI udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "friendly-scanner" ALGO name bm TO 65535
SIPCLI udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "iWar" ALGO name bm TO 65535
SIPCLI udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sip-scan" ALGO name bm TO 65535
SIPCLI udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "hinet.net" ALGO name kmp TO 65535
SIPCLI udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sipcli" ALGO name bm TO 65535
SIPCLI udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "VaxSIPUserAgent" ALGO name kmp TO 65535
ACCEPT tcp -- X.X.X.X 0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED
ACCEPT udp -- X.X.X.X 0.0.0.0/0 udp dpt:161 state NEW,ESTABLISHED
ACCEPT icmp -- X.X.X.X 0.0.0.0/0 icmp type 8 state NEW,ESTABLISHED
ACCEPT udp -- X.X.X.X 0.0.0.0/0 udp dpt:5060 state ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 state NEW,ESTABLISHED
LOG_DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 X.X.X.X multiport sports 80,8022 state ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 X.X.X.X multiport sports 80,8022 state ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 X.X.X.X multiport sports 80,8022 state ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 X.X.X.X multiport sports 80,8022 state ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:10000:20000 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 X.X.X.X/29 multiport sports 80,8022 state ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT tcp -- 0.0.0.0/0 X.X.X.X tcp spt:43 state NEW,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state ESTABLISHED
ACCEPT all -- 0.0.0.0/0 X.X.X.X state NEW,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 X.X.X.X state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 X.X.X.X tcp spt:80 state ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 X.X.X.X udp spt:161 state ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 X.X.X.X icmp type 0 state ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 X.X.X.X udp spt:5060 state NEW,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:5060 state NEW,ESTABLISHED

Chain ACCEPTSIP (0 references)
target prot opt source destination

Chain LOG_DROP (1 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `--DROP--:'
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain SIPCLI (9 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `--SIPCLI--:'
DROP all -- 0.0.0.0/0 0.0.0.0/0
 
  

