* iptables and DNS
@ 2002-06-04 16:51 Brian Ugie
From: Brian Ugie @ 2002-06-04 16:51 UTC (permalink / raw)
To: netfilter
Hi,
I am hoping that someone can explain the role that DNS has in
relation to iptables and if there is a way to stop iptables from
resolving.
I have a network where a netscreen firewall sits in front of our
servers. We map public IPs to the servers and do initial port filtering
from the netscreen. We also want to have each machine filter just in
case the windows box gets compromised ;). It has seemed to me that
iptables will not first use /etc/hosts to resolve but will go straight
to the DNS server. Is this a valid statement? nsswitch.conf lists files
first. Since DNS will resolve the server to a public address but it is
actually on a private address, iptables gets confused and the net result
is long delays on ssh and ftp logins and server timeouts on DNS
queries.
To test my theory I set the DNS record to the private IP and that
worked like a champ. I feel that I am left with only the option to
create views in bind.
Has anyone else out there seen this or know of a better solution?
Thanks in advance,
Brian
* Re: iptables and DNS
From: Ramin Alidousti @ 2002-06-04 17:28 UTC (permalink / raw)
To: Brian Ugie; +Cc: netfilter
On Tue, Jun 04, 2002 at 09:51:31AM -0700, Brian Ugie wrote:
> Hi,
>
> I am hoping that someone can explain the role that DNS has in
> relation to iptables and if there is a way to stop iptables from
> resolving.
>
> I have a network where a netscreen firewall sits in front of our
> servers. We map public IPs to the servers and do initial port filtering
> from the netscreen. We also want to have each machine filter just in
> case the windows box gets compromised ;). It has seemed to me that
> iptables will not first use /etc/hosts to resolve but will go straight
> to the DNS server. Is this a valid statement?
No. gethostbyaddr would go through the preference list in nsswitch.conf.
This is part of a library and iptables uses it. #include <netdb.h>
> nsswitch.conf lists files
> first. Since DNS will resolve the server to a public address but it is
> actually on a private address, iptables gets confused and the net result
> is long delays on ssh and ftp logins and server timeouts on DNS
> queries.
Do you have "hosts: files dns" in your nsswitch.conf and have the
correct setup in /etc/hosts?
>
> To test my theory I set the DNS record to the private ip and that
> worked like a champ. I feel that I am left with only the option to
> create views in bind.
>
> Has anyone else out there seen this or know of a better solution?
You can also provide "-n" to the iptables command to avoid names:
man iptables:
...
-n, --numeric
Numeric output. IP addresses and port numbers will be printed in
numeric format. By default, the program will try to display them as
host names, network names, or services (whenever applicable).
...
Ramin
>
> Thanks in advance,
>
> Brian
* Re: iptables and DNS
From: Brian Ugie @ 2002-06-04 17:41 UTC (permalink / raw)
To: ramin; +Cc: netfilter
Below is the hosts portion of nsswitch.conf. The actual hosts file is
below that. I have also included the simple config that I am using for
iptables. I have seen the -n option but it is not relevant for
appending, inserting or replacing. It only applies to listing (output).
--Brian
#hosts: db files nisplus nis dns
hosts: files dns
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 testbox localhost.localdomain localhost
10.1.1.13 ns2.pzs.com
# Generated by iptables-save v1.2.3 on Tue Jun 4 10:33:01 2002
*filter
:INPUT DROP [14:722]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [129912:18396846]
-A INPUT -d 10.1.1.13 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 10.1.1.13 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d 10.1.1.13 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -d 10.1.1.13 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
# Completed on Tue Jun 4 10:33:01 2002
* Re: iptables and DNS
From: Nick Drage @ 2002-06-04 17:52 UTC (permalink / raw)
To: netfilter
On Tue, Jun 04, 2002 at 10:41:58AM -0700, Brian Ugie wrote:
> Below is the hosts portion of nsswitch.conf. The actual hosts file is
> below that. I have also included the simple config that I am using for
> iptables. I have seen the -n option but it is not relevant for appending,
> inserting or replacing. It only applies to listing (output)
Er, unless I'm missing something, you're using hostnames in your IPTables
rules, and then complaining that IPTables is resolving those hostnames?
Excuse me if this sounds obvious, but why not use IP addresses in the rule
specifications? If you're worried about having to alter all the relevant
rules if an IP address changes then just assign it to a variable...
#!/bin/sh -x
WEBSERVER="10.10.10.13"
iptables -A INPUT -p tcp -d $WEBSERVER --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -d $WEBSERVER -j REJECT --reject-with tcp-reset
etc.
<snip>
--
FunkyJesus System Administration Team
* Re: iptables and DNS
From: Ramin Alidousti @ 2002-06-04 18:09 UTC (permalink / raw)
To: Nick Drage, netfilter
On Tue, Jun 04, 2002 at 06:52:23PM +0100, Nick Drage wrote:
> On Tue, Jun 04, 2002 at 10:41:58AM -0700, Brian Ugie wrote:
> > Below is the hosts portion of nsswitch.conf. The actual hosts file is
> > below that. I have also included the simple config that I am using for
> > iptables. I have seen the -n option but it is not relevant for appending,
> > inserting or replacing. It only applies to listing (output)
>
> Er, unless I'm missing something, you're using hostnames in your IPTables
> rules, and then complaining that IPTables is resolving those hostnames?
Good catch, Nick. I thought Brian wanted to "-L" the iptables command
to check out the rules. In order to set the rules, follow the below guideline.
Ramin
>
> Excuse me if this sounds obvious, but why not use IP addresses in the rule
> specifications. If you're worried about having to alter all the relevant
> rules if an IP address changes then just assign it to a variable...
>
> #!/bin/sh -x
>
> WEBSERVER="10.10.10.13"
>
> iptables -A INPUT -p tcp -d $WEBSERVER --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp -d $WEBSERVER -j REJECT --reject-with tcp-reset
>
> etc.
>
> <snip>
>
> --
> FunkyJesus System Administration Team
>
* Re: iptables and DNS
From: Brian Ugie @ 2002-06-04 18:35 UTC (permalink / raw)
To: ramin, nickd, netfilter
Actually iptables-save will resolve to IP when it saves regardless of
whether you created the chain with IPs or hostnames. I guess you would
never know which way I did it but I assure you that I am entering the
IPs when I create the chains.
I feel that you are all missing what the problem is. Let me see if I
can explain it better.
The example server is NS2.pzs.com and has an IP address of 10.1.1.13
The DNS record for NS2.pzs.com is 66.126.189.37
A firewall appliance sits in front of the server and maps the public
address to the private address. The firewall will only allow port 53
/udp/tcp traffic in.
Now, this works fine with no iptables rules but once I add, say
iptables -A INPUT -d 10.1.1.13 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -d 10.1.1.13 -p udp --dport 53 -j ACCEPT
iptables -P INPUT DROP
DNS will no longer respond on NS2. But if I go into NS1 and change the
NS2 record so that it resolves to 10.1.1.13, the above rules will work.
--Brian
* Re: iptables and DNS
From: Ramin Alidousti @ 2002-06-04 18:48 UTC (permalink / raw)
To: Brian Ugie; +Cc: ramin, nickd, netfilter
On Tue, Jun 04, 2002 at 11:35:39AM -0700, Brian Ugie wrote:
> Actually iptables-save will resolve to IP when it saves regardless of
> whether you created the chain with IPs or hostnames. I guess you would
> never know which way I did it but I assure you that I am entering the
> IPs when I create the chains.
>
> I feel that you are all missing what the problem is. Let me see if I
> can explain it better.
>
> The example server is NS2.pzs.com and has an ip address of 10.1.1.13
>
> The DNS record for NS2.pzs.com is 66.126.189.37
>
> A firewall appliance sits in front of the server and maps the public
> address to the private address. The firewall will only allow port 53
> /udp/tcp traffic in.
>
> Now, this works fine with no iptable rules but once I add, say
>
> iptables -A INPUT -d 10.1.1.13 -p tcp --dport 53 -j ACCEPT
> iptables -A INPUT -d 10.1.1.13 -p udp --dport 53 -j ACCEPT
> iptables -P INPUT DROP
Is NS2 the same as the firewall? In other words, the rule above
says: dns packets destined for 10.1.1.13 are allowed to enter
the firewall host. Is this what you want?
> DNS will no longer respond on NS2. But if I go into NS1 and change the
What is NS1? What is your network topology?
> NS2 record so that it resolves to 10.1.1.13, the above rules will work.
I believe that you need to revisit your rule set. But a general "iptables"
rule is that when you're writing rules, do not use dns/host names for the
"-d" and "-s" switches.
Ramin
> --Brian
* Re: iptables and DNS
From: Antony Stone @ 2002-06-04 19:34 UTC (permalink / raw)
To: netfilter
Hi.
I'm not sure if I've got the gist of this thread correctly, but I thought it
might be useful to point out the following, which may not be obvious:
If you create netfilter rules using hostnames, they get resolved once and
once only at the time the rule is entered (i.e. when you type it in, or when it
gets executed in a startup script), and from that point onwards, netfilter
internally uses the numeric value in the ruleset.
If you create netfilter rules using IP addresses, then of course it's clear
that these are the addresses being used in the rules, but internally
everything is just the same.
Do not think that netfilter is going to do a series of DNS lookups every time
a packet comes through and gets matched against a ruleset which you specified
using hostnames!
Hope that helps?
Antony.
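Added example, not part of the thread: a small sh linter that checks an iptables-restore file or a script of iptables commands, before it is loaded, for rules whose -s/-d operand is a name rather than a numeric address. It puts Ramin's "no host names for -d and -s" guideline and Antony's point that names are resolved only once at insertion time into a check you can run on a ruleset; the sample ruleset and its addresses are constructed for the example, and only IPv4 dotted quads are recognised.

```shell
#!/bin/sh
# Added example, not from the thread. Lints a ruleset for -s/-d operands
# that are names instead of numeric addresses. Netfilter resolves a name
# once, when the rule is inserted, so a rule written against a name binds
# to whatever the resolver returned at that moment; with the split
# public/private DNS described in the thread that can be the wrong
# address, and iptables-save hides it afterwards because it only ever
# prints the numbers. Shell variables ($HOST) are flagged too: expand them
# (e.g. lint the output of sh -x) before checking.

# Constructed sample in iptables-restore format (addresses made up).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d 10.1.1.13/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s ns1.example.com -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d 10.1.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT'

# Read rules on stdin; print each line whose -s/-d/--source/--destination
# operand is not an IPv4 dotted quad with an optional /prefix or /netmask.
lint_rules() {
    awk '
    /^#/ { next }                       # skip comment lines
    {
        for (i = 1; i <= NF; i++) {
            if ($i == "-s" || $i == "-d" || $i == "--source" || $i == "--destination") {
                j = i + 1
                if ($j == "!") j++      # old-style negation: "-s ! host"
                if ($j !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9.]+)?$/) { print; break }
            }
        }
    }'
}

# Number of offending rules, as a bare integer.
count_named_rules() {
    lint_rules | wc -l | tr -d ' '
}

# Stand-alone run: prints the one rule that uses a name.
printf '%s\n' "$SAMPLE_RULES" | lint_rules
```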