LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 12-06-2017, 03:18 AM   #1
fropa
LQ Newbie
outgoing DNS with iptables


I've configured a ":OUTPUT DROP" rule in iptables. After that, I tried the standard rules for outgoing DNS:

-A OUTPUT -p udp --dport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

I've also tried without state on udp, and tried:

-A INPUT -s 8.8.8.8 -j ACCEPT
-A OUTPUT -d 8.8.8.8 -j ACCEPT

but that did not work either.

How can I fix that?
 
Old 12-06-2017, 01:16 PM   #2
MensaWater
LQ Guru
What distro and version of Linux are you running?

Does this server run firewalld? Did you directly edit iptables rather than using firewalld?

Can you list "iptables -nL" so we can see all your rules?

Last edited by MensaWater; 12-06-2017 at 03:10 PM.
 
Old 12-06-2017, 11:57 PM   #3
fropa
LQ Newbie
Original Poster
It is Red Hat 4.4.7-17 (I installed FreePBX 13 from the ISO).

Here are the iptables rules.

Quote:
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-FTP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 21
fail2ban-apache-auth tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80
fail2ban-SIP all -- 0.0.0.0/0 0.0.0.0/0
fail2ban-SIP all -- 0.0.0.0/0 0.0.0.0/0
fail2ban-BadBots tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
fail2ban-recidive all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- X.X.X.X 0.0.0.0/0 multiport dports 80,8022 state NEW,ESTABLISHED
ACCEPT tcp -- X.X.X.X 0.0.0.0/0 multiport dports 80,8022 state NEW,ESTABLISHED
ACCEPT tcp -- X.X.X.X 0.0.0.0/0 multiport dports 80,8022 state NEW,ESTABLISHED
ACCEPT tcp -- X.X.X.X 0.0.0.0/0 multiport dports 80,8022 state NEW,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:10000:20000 state NEW,ESTABLISHED
ACCEPT tcp -- X.X.X.X/29 0.0.0.0/0 multiport dports 80,8022 state NEW,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
ACCEPT tcp -- 193.0.6.135 0.0.0.0/0 tcp dpt:43 state NEW,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 state NEW,ESTABLISHED
ACCEPT all -- X.X.X.X 0.0.0.0/0 state NEW,ESTABLISHED
ACCEPT all -- X.X.X.X 0.0.0.0/0 state NEW,ESTABLISHED
SIPCLI udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sundayddr" ALGO name bm TO 65535
SIPCLI udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sipsak" ALGO name bm TO 65535
SIPCLI udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sipvicious" ALGO name bm TO 65535
SIPCLI udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "friendly-scanner" ALGO name bm TO 65535
SIPCLI udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "iWar" ALGO name bm TO 65535
SIPCLI udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sip-scan" ALGO name bm TO 65535
SIPCLI udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "hinet.net" ALGO name kmp TO 65535
SIPCLI udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sipcli" ALGO name bm TO 65535
SIPCLI udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "VaxSIPUserAgent" ALGO name kmp TO 65535
ACCEPT tcp -- X.X.X.X 0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED
ACCEPT udp -- X.X.X.X 0.0.0.0/0 udp dpt:161 state NEW,ESTABLISHED
ACCEPT icmp -- X.X.X.X 0.0.0.0/0 icmp type 8 state NEW,ESTABLISHED
ACCEPT udp -- X.X.X.X 0.0.0.0/0 udp dpt:5060 state ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 state NEW,ESTABLISHED
LOG_DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 X.X.X.X multiport sports 80,8022 state ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 X.X.X.X multiport sports 80,8022 state ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 X.X.X.X multiport sports 80,8022 state ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 X.X.X.X multiport sports 80,8022 state ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:10000:20000 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 X.X.X.X/29 multiport sports 80,8022 state ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT tcp -- 0.0.0.0/0 X.X.X.X tcp spt:43 state NEW,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state ESTABLISHED
ACCEPT all -- 0.0.0.0/0 X.X.X.X state NEW,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 X.X.X.X state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 X.X.X.X tcp spt:80 state ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 X.X.X.X udp spt:161 state ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 X.X.X.X icmp type 0 state ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 X.X.X.X udp spt:5060 state NEW,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:5060 state NEW,ESTABLISHED

Chain ACCEPTSIP (0 references)
target prot opt source destination

Chain LOG_DROP (1 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `--DROP--:'
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain SIPCLI (9 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `--SIPCLI--:'
DROP all -- 0.0.0.0/0 0.0.0.0/0
 
Old 12-19-2017, 06:58 AM   #4
fropa
LQ Newbie
Original Poster
anyone?
 
Old 12-21-2017, 02:20 PM   #5
geppy
LQ Newbie
Using Google DNS is no safer than using the provider's DNS. <-- my answer to your question

Using the DNSSEC feature of DNS software such as unbound, dnsmasq or dnscrypt-proxy on your local machine with a 127.x.x.x IP (lo interface) is discouraged because TOOOOO many things are using this lo (loopback) crap.
Do not download and install these programs from their native websites. Use the repository in your distribution, as it performs a GPG security check.

You need to set up a separate computer without a GUI to use DNSSEC. And unless you are ready to do that, stick with your current default setup or you'll be 'hacked' (= u were hacked long time before that) more often to discourage you from the new setup.
You can probably put a defence against QUANTUM Insert and TLS handshake decryption on this computer as well - the only thing that prevents HTTPS being secure in my knowledge.

Last edited by geppy; 12-21-2017 at 02:21 PM.
 
Old 12-21-2017, 02:42 PM   #6
geppy
LQ Newbie
"iptables -A OUTPUT" inserts at the end of the iptables ruleset;
this rule may be blocked by earlier rules.

"iptables -I OUTPUT 1" inserts at the beginning (#1) of the iptables ruleset;
it is never blocked by any earlier rules,
except
by the raw and mangle tables.

The 2 partial rules above are equivalent to
"iptables -t filter -A OUTPUT"
"iptables -t filter -I OUTPUT 1"

Last edited by geppy; 12-21-2017 at 02:44 PM.
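The listing in post #3 and the rule-order point in post #6 can be checked mechanically. The Python script below is an added example for this thread, not code from any of the posters. It parses `iptables -nL` output and flags the three things that bite here: OUTPUT rules to port 53 that allow only ESTABLISHED (the first packet of a query leaving the host is NEW to conntrack, so an OUTPUT DROP policy discards it and no reply ever arrives for the INPUT rule to match), INPUT rules that accept NEW from source port 53 (a reply is ESTABLISHED; accepting NEW admits any packet that merely uses source port 53), and catch-all rules that still have rules after them (a rule appended with -A behind an unconditional LOG_DROP, like the `-s 8.8.8.8` attempt in post #1, is never reached). The sample dump is a constructed excerpt modelled on the listing in post #3, with one 8.8.8.8 rule appended to show the shadowing case. Note that `iptables -nL` omits the interface column, so the catch-all ACCEPT at the top of each chain may really be an `-i lo` / `-o lo` rule; `iptables -nvL` shows that.

```python
"""Audit an `iptables -nL` dump for the outgoing-DNS mistakes discussed in
this thread (added example, not code from any of the posts)."""
import re
from dataclasses import dataclass

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    chain: str
    index: int      # 1-based position within its chain (iptables first-match order)
    target: str
    prot: str
    source: str
    dest: str
    opts: str       # match text after the destination column, e.g. "udp dpt:53 state ESTABLISHED"

    def states(self):
        m = re.search(r"\bstate (\S+)", self.opts)
        return set(m.group(1).split(",")) if m else set()

    def port(self, key):
        # key is "dpt" or "spt"; "dpts:10000:20000" ranges deliberately do not match
        m = re.search(r"\b%s:(\d+)\b" % key, self.opts)
        return int(m.group(1)) if m else None

    def is_catch_all(self):
        # No protocol, address or match restriction visible in -nL output
        # (an interface restriction would be hidden; check with -nvL).
        return self.prot == "all" and self.source == self.dest == "0.0.0.0/0" and not self.opts


def parse(dump):
    """Return {chain_name: [Rule, ...]} in the order iptables printed them."""
    chains, current = {}, None
    for line in dump.splitlines():
        line = line.strip()
        m = re.match(r"Chain (\S+) \(", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if not line or line.startswith("target") or current is None:
            continue
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        target, prot, _opt, src, dst = parts[:5]
        opts = parts[5] if len(parts) == 6 else ""
        chains[current].append(Rule(current, len(chains[current]) + 1, target, prot, src, dst, opts))
    return chains


def is_terminating(target, chains):
    """ACCEPT/DROP/REJECT end traversal; so does a user chain ending in an unconditional DROP/REJECT."""
    if target in TERMINATING:
        return True
    rules = chains.get(target, [])
    return bool(rules) and rules[-1].is_catch_all() and rules[-1].target in {"DROP", "REJECT"}


def audit(dump):
    """Return [(chain, rule_index, finding_code), ...] in chain/rule order."""
    chains = parse(dump)
    findings = []
    for chain, rules in chains.items():
        for r in rules:
            if r.is_catch_all() and is_terminating(r.target, chains) and r.index < len(rules):
                findings.append((chain, r.index, "catch-all-shadows-later-rules"))
            elif (chain == "OUTPUT" and r.target == "ACCEPT" and r.port("dpt") == 53
                  and r.states() and "NEW" not in r.states()):
                findings.append((chain, r.index, "output-dns-missing-NEW"))
            elif chain == "INPUT" and r.target == "ACCEPT" and r.port("spt") == 53 and "NEW" in r.states():
                findings.append((chain, r.index, "input-sport53-accepts-NEW"))
    return findings


def suggested_fix(rule):
    """iptables-save style replacement for a flagged DNS rule, or None."""
    if rule.chain == "OUTPUT" and rule.port("dpt") == 53:
        return f"-A OUTPUT -p {rule.prot} --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT"
    if rule.chain == "INPUT" and rule.port("spt") == 53:
        return f"-A INPUT -p {rule.prot} --sport 53 -m state --state ESTABLISHED -j ACCEPT"
    return None


# Constructed excerpt modelled on the listing in post #3; the last INPUT rule
# is the appended "-A INPUT -s 8.8.8.8 -j ACCEPT" attempt from post #1.
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53 state NEW,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:53 state NEW,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 state NEW,ESTABLISHED
LOG_DROP   all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  8.8.8.8              0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 state ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53 state ESTABLISHED

Chain LOG_DROP (1 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix `--DROP--:'
DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""

if __name__ == "__main__":
    chains = parse(SAMPLE)
    for chain, idx, code in audit(SAMPLE):
        print(f"{chain} rule {idx}: {code}")
        fix = suggested_fix(chains[chain][idx - 1])
        if fix:
            print("   replace with:", fix)
```

Run it against a real dump with `iptables -nL > dump.txt` and `parse(open("dump.txt").read())`; on the sample it reports both DNS rules in OUTPUT as missing NEW, both source-port-53 rules in INPUT as accepting NEW, and the LOG_DROP catch-all as shadowing the appended 8.8.8.8 rule, which is why `-I INPUT 1` (post #6) would have behaved differently from `-A INPUT`.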
Tags: dns, drop, iptables, outgoing, rule