* Re: Iptables Problem on DNS Server
From: Joe de Vera Jr. @ 2002-06-22 8:17 UTC (permalink / raw)
To: netfilter
From: Antony Stone <Antony@Soft-Solutions.co.uk>
Organization: Software Solutions
To: <netfilter@lists.samba.org>
Subject: Re: Iptables problem on DNS Server
Date: Fri, 21 Jun 2002 15:31:05 +0100
On Saturday 22 June 2002 6:29 am, Joe de Vera Jr. wrote:
> hello...
>
> the scenario is this.. my DNS can't resolve when i activate the firewall
> on this machine..
What rules do you have ?
Antony.
how would i know what kind of rules i have?
it just so happens that when i activate my firewall the DNS doesn't work..
but when i deactivate my firewall it turns back to normal operation...
joe
* Re: Iptables Problem on DNS Server
From: Ramin Alidousti @ 2002-06-21 17:20 UTC (permalink / raw)
To: Joe de Vera Jr.; +Cc: netfilter
>> What rules do you have ?
>>
>>
>>
>> Antony.
>
>
> how would i know what kind of rules i have?
You could, eg, cat your firewall script, ie, if you knew
where it was.
Ramin
> it just so happens that when i activate my firewall the DNS doesn't work..
> but when i deactivate my firewall it turns back to normal operation...
>
>
> joe
>
* Re: Iptables Problem on DNS Server
From: Nick Drage @ 2002-06-21 17:23 UTC (permalink / raw)
To: netfilter
On Fri, Jun 21, 2002 at 01:20:16PM -0400, Ramin Alidousti wrote:
> >> What rules do you have ?
> >
> > how would i know what kind of rules i have?
>
> You could, eg, cat your firewall script, ie, if you knew
> where it was.
Run "iptables -L -n" and, as long as it isn't too long, send the results to
this mailing list, along with any relevant IP addresses.
--
FunkyJesus System Administration Team
* Re: Iptables Problem on DNS Server
From: Antony Stone @ 2002-06-21 17:27 UTC (permalink / raw)
To: netfilter
On Saturday 22 June 2002 9:17 am, Joe de Vera Jr. wrote:
> From: Antony Stone <Antony@Soft-Solutions.co.uk>
>
> On Saturday 22 June 2002 6:29 am, Joe de Vera Jr. wrote:
> >
> > the scenario is this.. my DNS can't resolve when i activate the firewall
> > on this machine..
>
> What rules do you have ?
>
> Antony.
> how would i know what kind of rules i have?
1. What rules are being set in the firewall script you are running ?
2. What is the output of:
iptables -L -n -v
iptables -L -n -v -t nat
iptables -L -n -v -t mangle
> it just so happens that when i activate my firewall the DNS doesn't work..
> but when i deactivate my firewall it turns back to normal operation...
That's why we need to know what rules you have in your firewall :-)
Antony.
* Re: Iptables Problem on DNS Server
From: Joe de Vera Jr. @ 2002-06-23 9:26 UTC (permalink / raw)
To: netfilter
From: Antony Stone <Antony@Soft-Solutions.co.uk>
Organization: Software Solutions
To: <netfilter@lists.samba.org>
Subject: Re: Iptables Problem on DNS Server
Date: Sat, 22 Jun 2002 14:39:14 +0100
On Sunday 23 June 2002 5:36 am, Joe de Vera Jr. wrote:
> > On Sunday 23 June 2002 5:01 am, Joe de Vera Jr. wrote:
> > > here's my ruleset on my machine... see anything wrong or lacking here?
> > > just to remind you guys my problem is that.. when my firewall is
> > > running my DNS doesn't work... thanks!
> >
> > Can we just clarify that last bit ?
> >
> > Do you mean that your firewall cannot resolve names by contacting an
> > external
> > DNS server, or that you are running DNS on your firewall, and other
> > machines cannot contact *it* as a DNS server ?
>
> yep.. i'm running DNS on that machine also.. and that's exactly it, my
> clients can't resolve from it.. so all the DNS records on that server
> can't function due to this problem.. so i'm forced not to run a firewall
> for the meantime...
Okay - the answer is simple, then. You have no rule allowing udp packets
into the machine on port 53.
Antony.
oic... so now how will i go about adding that udp packets allow rule to my ruleset?
what parameter am i supposed to put on my iptables command...
thanks in advance...
joe
* Re: Iptables Problem on DNS Server
From: Antony Stone @ 2002-06-22 18:32 UTC (permalink / raw)
To: netfilter
On Sunday 23 June 2002 10:26 am, Joe de Vera wrote:
> > From: Antony Stone <Antony@Soft-Solutions.co.uk>
> >
> > Okay - the answer is simple, then. You have no rule allowing udp packets
> > into the machine on port 53.
> oic... so now how will i go about adding that udp packets allow rule to my ruleset?
> what parameter am i supposed to put on my iptables command...
In the middle of your listing earlier was:
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW
which must be from a rule something like:
iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
find that rule, copy it, and change the tcp for a udp:
iptables -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
Antony.
* Re: Iptables Problem on DNS Server
From: Joe de Vera Jr. @ 2002-06-23 4:36 UTC (permalink / raw)
To: netfilter
From: Antony Stone <Antony@Soft-Solutions.co.uk>
Organization: Software Solutions
To: <netfilter@lists.samba.org>
Subject: Re: Iptables Problem on DNS Server
Date: Sat, 22 Jun 2002 14:06:22 +0100
On Sunday 23 June 2002 5:01 am, Joe de Vera Jr. wrote:
> here's my ruleset on my machine... see anything wrong or lacking here?
>
> just to remind you guys my problem is that.. when my firewall is running
> my DNS doesn't work... thanks!
Can we just clarify that last bit ?
Do you mean that your firewall cannot resolve names by contacting an external
DNS server, or that you are running DNS on your firewall, and other machines
cannot contact *it* as a DNS server ?
Antony.
yep.. i'm running DNS on that machine also.. and that's exactly it, my clients
can't resolve from it.. so all the DNS records on that server can't function
due to this problem.. so i'm forced not to run a firewall for the meantime...
joe
* Re: Iptables Problem on DNS Server
From: Antony Stone @ 2002-06-22 13:39 UTC (permalink / raw)
To: netfilter
On Sunday 23 June 2002 5:36 am, Joe de Vera Jr. wrote:
> > On Sunday 23 June 2002 5:01 am, Joe de Vera Jr. wrote:
> > > here's my ruleset on my machine... see anything wrong or lacking here?
> > > just to remind you guys my problem is that.. when my firewall is running
> > > my DNS doesn't work... thanks!
> >
> > Can we just clarify that last bit ?
> >
> > Do you mean that your firewall cannot resolve names by contacting an
> > external
> > DNS server, or that you are running DNS on your firewall, and other
> > machines cannot contact *it* as a DNS server ?
>
> yep.. i'm running DNS on that machine also.. and that's exactly it, my
> clients can't resolve from it.. so all the DNS records on that server
> can't function due to this problem.. so i'm forced not to run a firewall
> for the meantime...
Okay - the answer is simple, then. You have no rule allowing udp packets
into the machine on port 53.
Antony.
* Re: Iptables Problem on DNS Server
From: Joe de Vera Jr. @ 2002-06-23 4:01 UTC (permalink / raw)
To: netfilter
here's my ruleset on my machine... see anything wrong or lacking here?
just to remind you guys my problem is that.. when my firewall is running my
DNS doesn't work... thanks!
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 216.138.0.0/16 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 216.138.0.0/16 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 216.138.0.0/16 0.0.0.0/0 tcp dpt:110
ACCEPT tcp -- 216.208.0.0/16 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 216.208.0.0/16 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 216.208.0.0/16 0.0.0.0/0 tcp dpt:110
ACCEPT tcp -- 196.40.0.0/16 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 196.40.0.0/16 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 196.40.0.0/16 0.0.0.0/0 tcp dpt:110
ACCEPT tcp -- 203.87.0.0/16 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 203.87.0.0/16 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 203.87.0.0/16 0.0.0.0/0 tcp dpt:110
ACCEPT tcp -- 24.100.0.0/16 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 24.100.0.0/16 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 24.100.0.0/16 0.0.0.0/0 tcp dpt:110
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1127 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2047 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5012 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6563 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6564 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7012 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7017 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7019 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7021 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8000 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8007 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8010 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000 state NEW
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
* Re: Iptables Problem on DNS Server
From: Antony Stone @ 2002-06-22 13:06 UTC (permalink / raw)
To: netfilter
On Sunday 23 June 2002 5:01 am, Joe de Vera Jr. wrote:
> here's my ruleset on my machine... see anything wrong or lacking here?
>
> just to remind you guys my problem is that.. when my firewall is running my
> DNS doesn't work... thanks!
Can we just clarify that last bit ?
Do you mean that your firewall cannot resolve names by contacting an external
DNS server, or that you are running DNS on your firewall, and other machines
cannot contact *it* as a DNS server ?
Antony.
* Iptables problem on DNS Server
From: Joe de Vera Jr. @ 2002-06-22 5:29 UTC (permalink / raw)
To: netfilter
hello...
I'm having a problem on my linux box running named (BIND 9.2) when I also run
iptables...
I'm using the latest version of iptables and a 2.4.12 version of the kernel.
the scenario is this.. my DNS can't resolve when i activate the firewall on
this machine.. i'm running my iptables in default and with all the blocking
stuff .. for the sites.. and i also activated the commented code in
named.conf { query-source port 53; } .. what else did i forget to do here so
that i can run the DNS server with the firewall on it... can someone show
me the door thru it.. thanks...
joe
* Re: Iptables problem on DNS Server
From: Antony Stone @ 2002-06-21 14:31 UTC (permalink / raw)
To: netfilter
On Saturday 22 June 2002 6:29 am, Joe de Vera Jr. wrote:
> hello...
>
> the scenario is this.. my DNS can't resolve when i activate the firewall on
> this machine..
What rules do you have ?
Antony.
* Re: Iptables problem on DNS Server
From: Maciej Soltysiak @ 2002-06-21 14:46 UTC (permalink / raw)
To: Joe de Vera Jr.; +Cc: netfilter
> named.conf { query-source port 53; } .. what else did i forget to do here so
> that i can run the DNS server with the firewall on it... can someone show
> me the door thru it.. thanks...
In order to let a DNS server work you have to:
- allow it to send packets to port 53 on UDP and TCP to other DNS servers.
- allow it to receive requests on port 53 on UDP and TCP from hosts and
other DNS servers.
Also, i recommend upgrading to 9.2.1 (9.2 contains a bug that allows
someone to down your named) and using ACLs in named.conf, to specify who
is allowed to request a zone transfer, who may make a normal request, and who is not
allowed anything at all.
Regards,
Maciej Soltysiak
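Added example, not code from the thread: a small first-match walk over an "iptables -L -n -v" INPUT listing (the form Antony asked for), run on a constructed sample abbreviated from Joe's chain. It shows why tcp/53 gets in while udp/53 hits the catch-all REJECT, that the udp rule Antony gives only helps if it lands before those REJECTs (which copying it next to the tcp rule in the firewall script achieves, whereas "-A" on the running chain would append it after them), and, for Maciej's list, that inbound 53 on both protocols is the missing piece while OUTPUT already has policy ACCEPT. The lo rule and the eth0 interface name are assumptions.

```python
import re
# Constructed sample in "iptables -L -n -v" layout, abbreviated from Joe's INPUT
# chain; plain "-L -n" hides the "in" column, so the lo rule here is an ASSUMPTION.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0     0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW
    0     0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
    0     0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
"""

def parse_chain(listing, chain="INPUT"):
    """Return (policy, rules) for one chain of 'iptables -L -n -v' output."""
    policy, rules, inside = None, [], False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            m = re.match(r"Chain (\S+) \(policy (\w+)", line)
            inside = m is not None and m.group(1) == chain
            policy = m.group(2) if inside else policy
            continue
        f = line.split()
        if not inside or not f or f[0] == "pkts":
            continue
        # columns: pkts bytes target prot opt in out source destination [matches]
        rules.append({"target": f[2], "proto": f[3], "in": f[5], "match": f[9:]})
    return policy, rules

def verdict(policy, rules, proto, dport, iface="eth0", state="NEW"):
    """First matching rule wins, as the kernel walks the chain; else the policy."""
    for r in rules:
        if r["proto"] not in ("all", proto) or r["in"] not in ("*", iface):
            continue
        m = " ".join(r["match"])
        port, st = re.search(r"dpt:(\d+)", m), re.search(r"state (\S+)", m)
        if port and int(port.group(1)) != dport:
            continue
        if st and state not in st.group(1).split(","):
            continue
        return r["target"]
    return policy

UDP53 = {"target": "ACCEPT", "proto": "udp", "in": "*",   # Antony's udp/53 rule,
         "match": ["udp", "dpt:53", "state", "NEW"]}     # as "-L -n -v" lists it

def with_rule(rules, rule, index=None):
    """Rules with `rule` appended (as -A does) or inserted at index (as -I does)."""
    i = len(rules) if index is None else index
    return rules[:i] + [rule] + rules[i:]
```

Without -v the interface column is missing, so a rule like the first "ACCEPT all" in Joe's listing looks as if it accepts everything; that is why the -v output is the one to read when checking rule order.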