RE: bind 9 and iptables

RE: bind 9 and iptables

[Jason Opperisano]

> Hi All
>
> I have a dns with a forwarder to my isp on the iptables
> box. I am having trouble on getting dns to work properly.
>
> When i comment:
>
> iptables -P INPUT DROP
> iptables -p OUTPUT DROP
>
> DNS will work fine and all the pc's can browse the net.
>
> I have tried the following with out any luck:
>
> iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
> iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j
> ACCEPT
>
> what rule do i need to add to make things more secure to
> get my dns working properly, thanks?

# allow internal machines to contact the DNS server
iptables -A INPUT -p udp -i $INSIDE_IF -s $INSIDE_NET -d $INSIDE_IP --dport 53 -j ACCEPT

# allow established an related packets out
iptables -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

normally the "established" rule appears first in your chains, if you are using connection tracking.

-j

Re: bind 9 and iptables

[it clown]

Hi

Thanks this seemed to have done the trick.I had to add
another rule for tcp aswell. Is it possible for these rules
to slow my browsing abit? Because it seems asif my browsing
is abit slower now since i used the rules?

Regards

On Fri, 27 Aug 2004 16:16:41 -0400
 "Jason Opperisano" <Jopperisano@alphanumeric.com> wrote:
> > Hi All
> >
> > I have a dns with a forwarder to my isp on the iptables
> > box. I am having trouble on getting dns to work
> properly.
> >
> > When i comment:
> >
> > iptables -P INPUT DROP
> > iptables -p OUTPUT DROP
> >
> > DNS will work fine and all the pc's can browse the net.
> >
> > I have tried the following with out any luck:
> >
> > iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
> > iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED
> -j
> > ACCEPT
> >
> > what rule do i need to add to make things more secure
> to
> > get my dns working properly, thanks?
> 
> # allow internal machines to contact the DNS server
> iptables -A INPUT -p udp -i $INSIDE_IF -s $INSIDE_NET -d
> $INSIDE_IP --dport 53 -j ACCEPT
> 
> # allow established an related packets out
> iptables -I OUTPUT -m state --state ESTABLISHED,RELATED
> -j ACCEPT
> 
> normally the "established" rule appears first in your
> chains, if you are using connection tracking.
> 
> -j
> 

_____________________________________________________________________
For super low premiums ,click here http://www.dialdirect.co.za/quote

RE: bind 9 and iptables

[Jason Opperisano]

> El sáb, 28 de 08 de 2004 a las 02:47, Nick Drage escribió:
> > On Fri, Aug 27, 2004 at 05:19:07PM -0400, Jason Opperisano wrote:
> >
> > > long answer:  it has been discussed on this list previously that
> > > connection tracking DNS queries/responses on or for a busy DNS server
> > > (i think the number was ~ 200 queries/second) will slow the name
> > > resolution process down.  the reason being that the state creation
> > > adds noticeable, unnecessary latency, as most (all?) queries are one
> > > packet request--one packet response.
> >
> > I've a vague recollection of being able to specify that a rule won't
> > create an entry in the state table, so for situations like this
> > netfilter can act faster, as long as you specify the correct rules for
> > connections both ways.  However I can't find anything in the
> > documentation about this... after a cursory look... can anyone refresh
> > my memory?
>
> I think that even if you don't use the conntrack feature for the DNS
> port you will have state table entries anyway, because the state
> machine will check every connection you made. The only solution would
> be to unload the conntrack module and not using conntrack at all, but
> that it's probably a mess, because you would have to change all the
> rules to specify both directions of traffic, like in the old ipchains
> days.

or use the raw table NOTRACK patch like someone else suggested (and i should have included in my initial rambling).

-j

RE: bind 9 and iptables

[Daniel Chemko]

> somewhere along the line, you lost:
> 
>   iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

And if that doesn't work, add the following to the end of your rules:

iptables -A INPUT -j LOG
iptables -A OUTPUT -j LOG

RE: bind 9 and iptables

[Jason Opperisano]

> Hi Again,
>
> Damn it still not working why i said it was working was was
> because of cached ip's as soon as i tried to access a site
> that hasn't been cached it would give me a unknown host
> error.
>
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> iptables -A INPUT -p udp -i eth0 -s 192.168.0/24 -d
> 192.168.0.1 --dport 53 -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 -s 192.168.0/24 -d
> 192.168.0.1 --dport 53 -j ACCEPT
> iptables -I OUTPUT -m state --state ESTABLISHED,RELATED -j
> ACCEPT
>
> iptables -I INPUT -i lo -j ACCEPT
> iptables -I OUTPUT -o lo -j ACCEPT
>
> iptables -A FORWARD -i eth0 -o ppp0 -p tcp -j ACCEPT
> iptables -A FORWARD -i eth0 -o ppp0 -p udp -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j
> ACCEPT
>
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> Thats my rules im trying to get dns to work atm.
>
> When i comment these out everything works fine:
>
> #iptables -P INPUT DROP
> #iptables -P OUTPUT DROP

somewhere along the line, you lost:

  iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-j

ps - in the future, it's easier to help if you provide the output of:
     iptables -vnL && iptables -t nat -vnL && iptables -t mangle -vnL

Re: bind 9 and iptables

[it clown]

Hi

It seems i got it working.

iptables -A OUTPUT -p tcp -o ppp0 --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -o ppp0 --dport 53 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j
ACCEPT

Thanks for all the help and not fading away.

Regards


On Fri, 27 Aug 2004 19:34:26 -0400
 "Jason Opperisano" <Jopperisano@alphanumeric.com> wrote:
> > Hi Again,
> >
> > Damn it still not working why i said it was working was
> was
> > because of cached ip's as soon as i tried to access a
> site
> > that hasn't been cached it would give me a unknown host
> > error.
> >
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> > iptables -P FORWARD DROP
> >
> > iptables -A INPUT -p udp -i eth0 -s 192.168.0/24 -d
> > 192.168.0.1 --dport 53 -j ACCEPT
> > iptables -A INPUT -p tcp -i eth0 -s 192.168.0/24 -d
> > 192.168.0.1 --dport 53 -j ACCEPT
> > iptables -I OUTPUT -m state --state ESTABLISHED,RELATED
> -j
> > ACCEPT
> >
> > iptables -I INPUT -i lo -j ACCEPT
> > iptables -I OUTPUT -o lo -j ACCEPT
> >
> > iptables -A FORWARD -i eth0 -o ppp0 -p tcp -j ACCEPT
> > iptables -A FORWARD -i eth0 -o ppp0 -p udp -j ACCEPT
> > iptables -A FORWARD -m state --state
> ESTABLISHED,RELATED -j
> > ACCEPT
> >
> > iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> >
> > Thats my rules im trying to get dns to work atm.
> >
> > When i comment these out everything works fine:
> >
> > #iptables -P INPUT DROP
> > #iptables -P OUTPUT DROP
> 
> somewhere along the line, you lost:
> 
>   iptables -I INPUT -m state --state ESTABLISHED,RELATED
> -j ACCEPT
> 
> -j
> 
> ps - in the future, it's easier to help if you provide
> the output of:
>      iptables -vnL && iptables -t nat -vnL && iptables -t
> mangle -vnL

_____________________________________________________________________
For super low premiums ,click here http://www.dialdirect.co.za/quote

Re: bind 9 and iptables

[it clown]

Hi Again,

Damn it still not working why i said it was working was was
because of cached ip's as soon as i tried to access a site
that hasn't been cached it would give me a unknown host
error.

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -p udp -i eth0 -s 192.168.0/24 -d
192.168.0.1 --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -s 192.168.0/24 -d
192.168.0.1 --dport 53 -j ACCEPT
iptables -I OUTPUT -m state --state ESTABLISHED,RELATED -j
ACCEPT

iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT

iptables -A FORWARD -i eth0 -o ppp0 -p tcp -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp0 -p udp -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j
ACCEPT

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Thats my rules im trying to get dns to work atm.

When i comment these out everything works fine:

#iptables -P INPUT DROP
#iptables -P OUTPUT DROP


On Fri, 27 Aug 2004 17:19:07 -0400
 "Jason Opperisano" <Jopperisano@alphanumeric.com> wrote:
> > Hi
> >
> > Thanks this seemed to have done the trick.I had to add
> > another rule for tcp aswell. Is it possible for these
> rules
> > to slow my browsing abit? Because it seems asif my
> browsing
> > is abit slower now since i used the rules?
> 
> quick answer:  no.
> 
> long answer:  it has been discussed on this list
> previously that connection tracking DNS queries/responses
> on or for a busy DNS server (i think the number was ~ 200
> queries/second) will slow the name resolution process
> down.  the reason being that the state creation adds
> noticeable, unnecessary latency, as most (all?) queries
> are one packet request--one packet response.
> 
> somehow i don't think this applies here.
> 
> oh--and i'll chime in with the obligatory:  don't run a
> DNS (or any other) server on your firewall.
> 
> -j
> 

_____________________________________________________________________
For super low premiums ,click here http://www.dialdirect.co.za/quote

Re: bind 9 and iptables

[Nick Drage]

On Fri, Aug 27, 2004 at 05:19:07PM -0400, Jason Opperisano wrote:

> long answer:  it has been discussed on this list previously that
> connection tracking DNS queries/responses on or for a busy DNS server
> (i think the number was ~ 200 queries/second) will slow the name
> resolution process down.  the reason being that the state creation
> adds noticeable, unnecessary latency, as most (all?) queries are one
> packet request--one packet response.

I've a vague recollection of being able to specify that a rule won't
create an entry in the state table, so for situations like this
netfilter can act faster, as long as you specify the correct rules for
connections both ways.  However I can't find anything in the
documentation about this... after a cursory look... can anyone refresh
my memory?

-- 
mors omnia vincit

Re: bind 9 and iptables

[Jose Maria Lopez]

El sáb, 28 de 08 de 2004 a las 02:47, Nick Drage escribió:
> On Fri, Aug 27, 2004 at 05:19:07PM -0400, Jason Opperisano wrote:
> 
> > long answer:  it has been discussed on this list previously that
> > connection tracking DNS queries/responses on or for a busy DNS server
> > (i think the number was ~ 200 queries/second) will slow the name
> > resolution process down.  the reason being that the state creation
> > adds noticeable, unnecessary latency, as most (all?) queries are one
> > packet request--one packet response.
> 
> I've a vague recollection of being able to specify that a rule won't
> create an entry in the state table, so for situations like this
> netfilter can act faster, as long as you specify the correct rules for
> connections both ways.  However I can't find anything in the
> documentation about this... after a cursory look... can anyone refresh
> my memory?

I think that even if you don't use the conntrack feature for the DNS
port you will have state table entries anyway, because the state
machine will check every connection you made. The only solution would
be to unload the conntrack module and not using conntrack at all, but
that it's probably a mess, because you would have to change all the
rules to specify both directions of traffic, like in the old ipchains
days.

-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"

Re: bind 9 and iptables

[dchemko]

Nick Drage wrote:

>On Fri, Aug 27, 2004 at 05:19:07PM -0400, Jason Opperisano wrote:
>
>  
>
>>long answer:  it has been discussed on this list previously that
>>connection tracking DNS queries/responses on or for a busy DNS server
>>(i think the number was ~ 200 queries/second) will slow the name
>>resolution process down.  the reason being that the state creation
>>adds noticeable, unnecessary latency, as most (all?) queries are one
>>packet request--one packet response.
>>    
>>
>
>I've a vague recollection of being able to specify that a rule won't
>create an entry in the state table, so for situations like this
>netfilter can act faster, as long as you specify the correct rules for
>connections both ways.  However I can't find anything in the
>documentation about this... after a cursory look... can anyone refresh
>my memory?
>
>  
>
iptables -t raw -A PREROUTING -p udp --dport 53 -j NOTRACK
iptables -t raw -A PREROUTING -p udp --sport 53 -j NOTRACK
# Not sure about if you can turn it off from internally sourced (OUTPUT 
chain packets)
iptables -t raw -A OUTPUT -p udp --dport 53 -j NOTRACK
iptables -t raw -A OUTPUT -p udp --sport 53 -j NOTRACK

CONFIG_IP_NF_RAW
  This option adds a `raw' table to iptables. This table is the very
  first in the netfilter framework and hooks in at the PREROUTING
  and OUTPUT chains.

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

NOTRACK target support
CONFIG_IP_NF_TARGET_NOTRACK
  The NOTRACK target allows a select rule to specify
  which packets *not* to enter the conntrack/NAT
  subsystem with all the consequences (no ICMP error tracking,
  no protocol helpers for the selected packets).

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

RE: bind 9 and iptables

[Jason Opperisano]

> Hi
>
> Thanks this seemed to have done the trick.I had to add
> another rule for tcp aswell. Is it possible for these rules
> to slow my browsing abit? Because it seems asif my browsing
> is abit slower now since i used the rules?

quick answer:  no.

long answer:  it has been discussed on this list previously that connection tracking DNS queries/responses on or for a busy DNS server (i think the number was ~ 200 queries/second) will slow the name resolution process down.  the reason being that the state creation adds noticeable, unnecessary latency, as most (all?) queries are one packet request--one packet response.

somehow i don't think this applies here.

oh--and i'll chime in with the obligatory:  don't run a DNS (or any other) server on your firewall.

-j

RE: bind 9 and iptables

[Jason Opperisano]

> OK i will try again.
>
> I have a internal dns server with a forwarder to my isp.The
> internal dns server is on the iptables box.The clients use
> the internal dns server to resolve names on the local
> network.When the internal dns cannot resolve a name it
> forwards to my isp's dns.
>
> So my problem is with the forwarding.To get that to work i
> have to uncomment:

from an iptables persepctive--you're problem is with the INPUT, not the FORWARD-ing

> iptables -P INPUT DROP and iptables -P OUTPUT DROP.
>
> When i uncomment those two rules the clients can browse the
> internet.
>
> what rules can i use instead of uncommenting those two
> rules because thats not secure?

you need to allow your internal hosts to contact the dns server/firewall on UDP port 53.

see previous post by me, and a much more thorough one by Aleksandar Milivojevic.

-j

bind 9 and iptables

[it clown]

Hi All

I have a dns with a forwarder to my isp on the iptables
box. I am having trouble on getting dns to work properly.

When i comment:

iptables -P INPUT DROP
iptables -p OUTPUT DROP

DNS will work fine and all the pc's can browse the net.

I have tried the following with out any luck:

iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j
ACCEPT

what rule do i need to add to make things more secure to
get my dns working properly, thanks?

Regards


_____________________________________________________________________
For super low premiums ,click here http://www.dialdirect.co.za/quote

Re: bind 9 and iptables

[Nick Taylor]

Your question isn't really specific enough to be sure what's going on, but
I'm assuming that on your firewall box, the rules you present allow DNS
queries to work, but that on clients behind the firewall, DNS still fails,
and furthermore that you have the clients set up to use a DNS server on
the outside of your firewall.  If this is the case, try:

iptables -A FORWARD ...

Remember, the input and output chains are only for traffic with a LOCAL
source or destination (same computer as firewall), whereas forward is for
traffic that goes through the firewall computer.


 On Fri, 27 Aug 2004, it clown wrote:

> Date: Fri, 27 Aug 2004 22:06:00 +0200
> From: it clown <suse@mailbox.co.za>
> To: netfilter@lists.netfilter.org
> Subject: bind 9 and iptables
>
> Hi All
>
> I have a dns with a forwarder to my isp on the iptables
> box. I am having trouble on getting dns to work properly.
>
> When i comment:
>
> iptables -P INPUT DROP
> iptables -p OUTPUT DROP
>
> DNS will work fine and all the pc's can browse the net.
>
> I have tried the following with out any luck:
>
> iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
> iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j
> ACCEPT
>
> what rule do i need to add to make things more secure to
> get my dns working properly, thanks?
>
> Regards
>
>
> _____________________________________________________________________
> For super low premiums ,click here http://www.dialdirect.co.za/quote
>

Re: bind 9 and iptables

[it clown]

OK i will try again.

I have a internal dns server with a forwarder to my isp.The
internal dns server is on the iptables box.The clients use
the internal dns server to resolve names on the local
network.When the internal dns cannot resolve a name it
forwards to my isp's dns. 

So my problem is with the forwarding.To get that to work i
have to uncomment:

iptables -P INPUT DROP and iptables -P OUTPUT DROP.

When i uncomment those two rules the clients can browse the
internet.

what rules can i use instead of uncommenting those two
rules because thats not secure?

I hope this makes more sense, thanks.

Regards

On Fri, 27 Aug 2004 16:19:59 -0400 (EDT)
 Nick Taylor <nickt@lightlink.com> wrote:
> Your question isn't really specific enough to be sure
> what's going on, but
> I'm assuming that on your firewall box, the rules you
> present allow DNS
> queries to work, but that on clients behind the firewall,
> DNS still fails,
> and furthermore that you have the clients set up to use a
> DNS server on
> the outside of your firewall.  If this is the case, try:
> 
> iptables -A FORWARD ...
> 
> Remember, the input and output chains are only for
> traffic with a LOCAL
> source or destination (same computer as firewall),
> whereas forward is for
> traffic that goes through the firewall computer.
> 
> 
>  On Fri, 27 Aug 2004, it clown wrote:
> 
> > Date: Fri, 27 Aug 2004 22:06:00 +0200
> > From: it clown <suse@mailbox.co.za>
> > To: netfilter@lists.netfilter.org
> > Subject: bind 9 and iptables
> >
> > Hi All
> >
> > I have a dns with a forwarder to my isp on the iptables
> > box. I am having trouble on getting dns to work
> properly.
> >
> > When i comment:
> >
> > iptables -P INPUT DROP
> > iptables -p OUTPUT DROP
> >
> > DNS will work fine and all the pc's can browse the net.
> >
> > I have tried the following with out any luck:
> >
> > iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
> > iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED
> -j
> > ACCEPT
> >
> > what rule do i need to add to make things more secure
> to
> > get my dns working properly, thanks?
> >
> > Regards
> >
> >
> >
>
_____________________________________________________________________
> > For super low premiums ,click here
> http://www.dialdirect.co.za/quote
> >

_____________________________________________________________________
For super low premiums ,click here http://www.dialdirect.co.za/quote

Re: bind 9 and iptables

[Nick Taylor]

Okay.  Now I will assume that "forwarding" means satisfying a DNS query
recursively, ie the firwall box will generate a NEW query (with the same
request in it), and a conversation will start between the firewall and the
DNS server at your ISP.  When the answer comes back, it will be cached,
and a reply will be formed to the client.  In this case, the client talks
directly to the firewall, NOT the ISP's DNS server...

So, you want:

iptables -A INPUT ...

in order to allow the clients to connect to your machine.  A few other
people have suggested specific rules to accomplish this, but in the
simplest form,

iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
is what you're missing.

Please note that this rule isn't specific enough, but there may be reasons
why your site would chose to implement a more specific rule differently
than I would.  I would constrain the DNS service to packets entering the
firewall on the "lan" side, and to source addresses within the network I
was expecting them from, like this:

iptables -A INPUT -p tcp --dport 53 -i eth0 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -i eth0 -s 192.168.1.0/24 -j ACCEPT


I didn't see any -A INPUT -j ACCEPT rules at all in your sample code.
If there were some that don't seem to be matching, and they just didn't
get forwarded to the list, please post these so we can figure out why
they're not matching as intended.

On Fri, 27 Aug 2004, it clown wrote:

> Date: Fri, 27 Aug 2004 22:53:10 +0200
> From: it clown <suse@mailbox.co.za>
> To: netfilter@lists.netfilter.org
> Subject: Re: bind 9 and iptables
>
> OK i will try again.
>
> I have a internal dns server with a forwarder to my isp.The
> internal dns server is on the iptables box.The clients use
> the internal dns server to resolve names on the local
> network.When the internal dns cannot resolve a name it
> forwards to my isp's dns.
>
> So my problem is with the forwarding.To get that to work i
> have to uncomment:
>
> iptables -P INPUT DROP and iptables -P OUTPUT DROP.
>
> When i uncomment those two rules the clients can browse the
> internet.
>
> what rules can i use instead of uncommenting those two
> rules because thats not secure?
>
> I hope this makes more sense, thanks.
>
> Regards
>
> On Fri, 27 Aug 2004 16:19:59 -0400 (EDT)
>  Nick Taylor <nickt@lightlink.com> wrote:
> > Your question isn't really specific enough to be sure
> > what's going on, but
> > I'm assuming that on your firewall box, the rules you
> > present allow DNS
> > queries to work, but that on clients behind the firewall,
> > DNS still fails,
> > and furthermore that you have the clients set up to use a
> > DNS server on
> > the outside of your firewall.  If this is the case, try:
> >
> > iptables -A FORWARD ...
> >
> > Remember, the input and output chains are only for
> > traffic with a LOCAL
> > source or destination (same computer as firewall),
> > whereas forward is for
> > traffic that goes through the firewall computer.
> >
> >
> >  On Fri, 27 Aug 2004, it clown wrote:
> >
> > > Date: Fri, 27 Aug 2004 22:06:00 +0200
> > > From: it clown <suse@mailbox.co.za>
> > > To: netfilter@lists.netfilter.org
> > > Subject: bind 9 and iptables
> > >
> > > Hi All
> > >
> > > I have a dns with a forwarder to my isp on the iptables
> > > box. I am having trouble on getting dns to work
> > properly.
> > >
> > > When i comment:
> > >
> > > iptables -P INPUT DROP
> > > iptables -p OUTPUT DROP
> > >
> > > DNS will work fine and all the pc's can browse the net.
> > >
> > > I have tried the following with out any luck:
> > >
> > > iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
> > > iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
> > > iptables -A INPUT -m state --state ESTABLISHED,RELATED
> > -j
> > > ACCEPT
> > >
> > > what rule do i need to add to make things more secure
> > to
> > > get my dns working properly, thanks?
> > >
> > > Regards
> > >
> > >
> > >
> >
> _____________________________________________________________________
> > > For super low premiums ,click here
> > http://www.dialdirect.co.za/quote
> > >
>
> _____________________________________________________________________
> For super low premiums ,click here http://www.dialdirect.co.za/quote
>

Re: bind 9 and iptables

[Aleksandar Milivojevic]

it clown wrote:
> Hi All
> 
> I have a dns with a forwarder to my isp on the iptables
> box. I am having trouble on getting dns to work properly.

[snip]

> I have tried the following with out any luck:
> 
> iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
> iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j
> ACCEPT
> 
> what rule do i need to add to make things more secure to
> get my dns working properly, thanks?

By the above rules, you are not allowing your clients to connect to your 
DNS server (you are only allowing DNS server to send queris outside). 
What you need is:

iptables -A INPUT -m state --state ESTABLISHED
iptables -A INPUT -p icmp -m state --state RELATED

iptables -A INPUT -i int_if -p udp --sport 1024: --dport 53 \
    -m state --state NEW -j ACCEPT
iptables -A INPUT -i int_if -p tcp --sport 1024: --dport 53 \
    -m state --state NEW -j ACCEPT

iptables -A OUTPUT -m state --state ESTABLISHED
iptables -A OUTPUT -p icmp --m state --state RELATED

iptables -A OUTPUT -o ext_if -p udp --sport 1024: --dport 53 \
    -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o ext_if -p tcp --sport 1024: --dport 53 \
    -m state --state NEW -j ACCEPT

Replace int_if and ext_if with internal and external interface names 
(eth0, eth1, ppp0, or whatever else you have).

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

Re: bind 9 and iptables

[Nick Drage]

On Fri, Aug 27, 2004 at 03:37:07PM -0500, Aleksandar Milivojevic wrote:

<snip>

> By the above rules, you are not allowing your clients to connect to your 
> DNS server (you are only allowing DNS server to send queris outside). 
> What you need is:
> 
> iptables -A INPUT -m state --state ESTABLISHED
> iptables -A INPUT -p icmp -m state --state RELATED
> 
> iptables -A INPUT -i int_if -p udp --sport 1024: --dport 53 \
>    -m state --state NEW -j ACCEPT
> iptables -A INPUT -i int_if -p tcp --sport 1024: --dport 53 \
>    -m state --state NEW -j ACCEPT

Out of interest, why only permit packets with a source port of 1024 and
above?  This rule might not pass DNS requests if they come from a local
DNS server being used internally, if it's set up with a "query-source"
of port 53.  Also the use of source ports is OS dependant, so if you're
going to watch this why not pick the range the OS uses?  The range of
your Linux system can be found via

cat /proc/sys/net/ipv4/ip_local_port_range

or

sysctl net.ipv4.ip_local_port_range

Apologies if I'm being pedantic, just wondering if I've missed
something...

-- 
mors omnia vincit

Re: bind 9 and iptables

[Aleksandar Milivojevic]

Quoting Nick Drage <nickd@metastasis.org.uk>
Date: Sat, 28 Aug 2004 01:44:36

> Out of interest, why only permit packets with a source port of 1024 and
> above?  This rule might not pass DNS requests if they come from a local
> DNS server being used internally, if it's set up with a "query-source"
> of port 53.  Also the use of source ports is OS dependant, so if you're
> going to watch this why not pick the range the OS uses?  The range of
> your Linux system can be found via

Good question...  Probably just a habit ;-)  Safe to use restriction without
having to worry about OS specifics.  As for query-source, options in BIND 9 for
forcing sport to 53 are there mainly as workarounds for people that have to live
with old firewall configurations and old assumptions.  Something that most new
installations really don't need.  I wouldn't be suprised at all to see those
options go away one day in future.

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7