* RE: Problems with DNS
[not found] <HMEKJPOHJKKBIDHGBCMDIEGLCAAA.varyag18@mail.ru>
@ 2003-09-06 12:49 ` Cedric Blancher
2003-09-08 12:51 ` Re[2]: " "Vladimir Potapov"
0 siblings, 1 reply; 7+ messages in thread
From: Cedric Blancher @ 2003-09-06 12:49 UTC (permalink / raw)
To: Владимир Потапов
Cc: netfilter
On Sat 06/09/2003 at 12:53, Владимир Потапов wrote:
> And which chain do I need to add to the ruleset?
Just rewrite your ruleset as follows:
# nat table
-A PREROUTING -t nat -d 121.1.1.1 -i eth0 -p tcp -j DNAT \
--to-destination 192.168.5.2
-A PREROUTING -t nat -d 121.1.1.1 -i eth0 -p udp -j DNAT \
--to-destination 192.168.5.2
-A POSTROUTING -t nat -o eth0 -j SNAT --to-source 121.1.1.1
# filter table
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 192.168.5.2/255.255.255.255 -i eth0 -o eth1 -m state \
--state NEW -p tcp -m tcp --dport 53 --syn -j ACCEPT
-A FORWARD -d 192.168.5.2/255.255.255.255 -i eth0 -o eth1 -m state \
--state NEW -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.5.0/255.255.255.0 -i eth1 -o eth0 -m state \
--state NEW -p tcp -m tcp --dport 53 --syn -j ACCEPT
-A FORWARD -s 192.168.5.0/255.255.255.0 -i eth1 -o eth0 -m state \
--state NEW -p udp -m udp --dport 53 -j ACCEPT
It should provide the same filtering functionality you wanted, plus
returning packets accepted through the ESTABLISHED,RELATED rule. If you really
want to restrict it to TCP and UDP only, just replace this rule with two
more specific ones:
-A FORWARD -m state --state ESTABLISHED,RELATED -p udp -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -p tcp -j ACCEPT
I removed rules that seem redundant, in particular your TCP flags check
rule, which is replaced by the addition of the --syn switch. I also restricted
inbound DNS filtering to 192.168.5.2 only.
Hope this helps.
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re[2]: Problems with DNS
2003-09-06 12:49 ` Problems with DNS Cedric Blancher
@ 2003-09-08 12:51 ` "Vladimir Potapov"
2003-09-08 13:44 ` Cedric Blancher
0 siblings, 1 reply; 7+ messages in thread
From: "Vladimir Potapov" @ 2003-09-08 12:51 UTC (permalink / raw)
To: "Cedric Blancher" ; +Cc: netfilter
I cannot add these rules with --syn, because iptables gives me the error: bad argument '--syn'.
If I write these rules without the --syn argument, the iptables rules apply successfully. If I write rules with --state NEW but without the --syn argument, will my packet filter accept (or forward) new packets without SYN?
* Re: Re[2]: Problems with DNS
2003-09-08 12:51 ` Re[2]: " "Vladimir Potapov"
@ 2003-09-08 13:44 ` Cedric Blancher
2003-09-08 15:13 ` Vladimir Potapov
2003-09-11 6:39 ` iptables ceases to work after night "Vladimir Potapov"
0 siblings, 2 replies; 7+ messages in thread
From: Cedric Blancher @ 2003-09-08 13:44 UTC (permalink / raw)
To: "Vladimir Potapov" ; +Cc: netfilter
On Mon 08/09/2003 at 14:51, "Vladimir Potapov" wrote:
> I cannot add these rules with --syn, because iptables gives me the error:
> bad argument '--syn'.
Strange...
root@elendil:~# iptables --version
iptables v1.2.8
root@elendil:~# iptables -A FORWARD -d 192.168.5.2/255.255.255.255 -i eth0 -o eth1 -m state --state NEW -p tcp -m tcp --dport 53 --syn -j ACCEPT
root@elendil:~# iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.5.2          state NEW tcp dpt:domain flags:SYN,RST,ACK/SYN
Are you sure you specified the TCP protocol together with --syn? --syn is only
valid for TCP. If you specify another protocol, or no protocol at all,
you get an error:
root@elendil:~# iptables -A FORWARD -d 192.168.5.2/255.255.255.255 -i eth0 -o eth1 -m state --state NEW --syn -j ACCEPT
iptables v1.2.8: Unknown arg `--syn'
Try `iptables -h' or 'iptables --help' for more information.
> If I write these rules without the --syn argument, the iptables rules
> apply successfully. If I write rules with --state NEW but without the --syn
> argument, will my packet filter accept (or forward) new packets without
> SYN?
If you don't specify --syn, both SYN and non-SYN packets with state NEW
will be accepted.
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
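To make the point of the two replies above concrete, here is an added example (not code from the thread): a small Python model of the FORWARD rules Cedric posted that applies the same matches iptables does (protocol, interfaces, addresses, port, conntrack state, TCP flags) to constructed packets. `--syn` is implemented as the flag test `iptables -L` displays for it, SYN set with ACK and RST clear, and a rule carrying `--syn` without `-p tcp` is rejected, as iptables rejects it. The conntrack state on each packet is supplied by hand; the addresses, the DROP chain policy and the ACK-only probe are assumptions. Running `verdicts()` for both variants shows that without `--syn` a bare ACK that conntrack files as NEW is forwarded to the DNS server, and with `--syn` only a real SYN is.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp" or "udp"
    in_if: str                  # arrives on (-i)
    out_if: str                 # leaves on (-o)
    src: str
    dst: str
    dport: int
    state: str                  # conntrack state: NEW, ESTABLISHED or RELATED
    flags: FrozenSet[str] = frozenset()   # TCP flags set on the packet


@dataclass(frozen=True)
class Rule:
    target: str
    proto: Optional[str] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[str] = None   # -s network, "a.b.c.d/len"
    dst: Optional[str] = None   # -d network
    dport: Optional[int] = None
    states: FrozenSet[str] = frozenset()  # -m state --state ...
    syn: bool = False           # --syn, i.e. --tcp-flags SYN,RST,ACK SYN

    def __post_init__(self) -> None:
        # iptables refuses --syn unless -p tcp is given ("Unknown arg `--syn'")
        if self.syn and self.proto != "tcp":
            raise ValueError("--syn is only valid with -p tcp")


def _in_net(addr: str, net: Optional[str]) -> bool:
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every match in the rule has to hold, exactly as in an iptables rule."""
    for want, got in ((rule.proto, pkt.proto), (rule.in_if, pkt.in_if),
                      (rule.out_if, pkt.out_if), (rule.dport, pkt.dport)):
        if want is not None and want != got:
            return False
    if not _in_net(pkt.src, rule.src) or not _in_net(pkt.dst, rule.dst):
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    # --syn: SYN set, ACK and RST clear (what `iptables -L` prints as
    # flags:SYN,RST,ACK/SYN); a bare ACK or a RST never satisfies it.
    if rule.syn and ("SYN" not in pkt.flags or pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins; the chain policy applies if none does."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


def forward_chain(with_syn: bool) -> List[Rule]:
    """The five FORWARD rules from the reply above, with or without --syn."""
    new = frozenset({"NEW"})
    return [
        Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
        Rule("ACCEPT", proto="tcp", in_if="eth0", out_if="eth1",
             dst="192.168.5.2/32", dport=53, states=new, syn=with_syn),
        Rule("ACCEPT", proto="udp", in_if="eth0", out_if="eth1",
             dst="192.168.5.2/32", dport=53, states=new),
        Rule("ACCEPT", proto="tcp", in_if="eth1", out_if="eth0",
             src="192.168.5.0/24", dport=53, states=new, syn=with_syn),
        Rule("ACCEPT", proto="udp", in_if="eth1", out_if="eth0",
             src="192.168.5.0/24", dport=53, states=new),
    ]


# Constructed packets, seen after the PREROUTING DNAT (dst already rewritten).
OUTSIDE = "198.51.100.7"   # assumed external client / scanner address
SAMPLES = {
    "dns_syn": Packet("tcp", "eth0", "eth1", OUTSIDE, "192.168.5.2", 53, "NEW", frozenset({"SYN"})),
    # A bare ACK belonging to no tracked connection (an ACK scan, or spoofed
    # mid-stream traffic). Linux conntrack with loose TCP pickup, its default,
    # files it as NEW, so only the flag test tells it from a connection attempt.
    "ack_probe": Packet("tcp", "eth0", "eth1", OUTSIDE, "192.168.5.2", 53, "NEW", frozenset({"ACK"})),
    "dns_reply": Packet("udp", "eth1", "eth0", "192.168.5.2", OUTSIDE, 40000, "ESTABLISHED"),
    "http_syn": Packet("tcp", "eth0", "eth1", OUTSIDE, "192.168.5.2", 80, "NEW", frozenset({"SYN"})),
}


def verdicts(with_syn: bool) -> dict:
    """Verdict per sample packet for the chain built with or without --syn."""
    chain = forward_chain(with_syn)
    return {name: evaluate(chain, pkt) for name, pkt in SAMPLES.items()}
```

`verdicts(False)["ack_probe"]` comes back ACCEPT and `verdicts(True)["ack_probe"]` DROP, while the legitimate SYN, the established reply and the off-port SYN get the same verdict either way. The same check can be written explicitly as `--tcp-flags SYN,RST,ACK SYN`, which is what the original ruleset carried and what `--syn` abbreviates.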
* RE: Re[2]: Problems with DNS
2003-09-08 13:44 ` Cedric Blancher
@ 2003-09-08 15:13 ` Vladimir Potapov
2003-09-11 6:39 ` iptables ceases to work after night "Vladimir Potapov"
1 sibling, 0 replies; 7+ messages in thread
From: Vladimir Potapov @ 2003-09-08 15:13 UTC (permalink / raw)
To: Cedric Blancher; +Cc: netfilter
I edited /etc/sysconfig/iptables and iptables gave me an error.
Now I add the rules from the console and they apply OK.
Thank you.
* iptables ceases to work after night
2003-09-08 13:44 ` Cedric Blancher
2003-09-08 15:13 ` Vladimir Potapov
@ 2003-09-11 6:39 ` "Vladimir Potapov"
2003-09-11 10:55 ` Pascal Vilarem
2003-09-11 11:17 ` Pascal Vilarem
1 sibling, 2 replies; 7+ messages in thread
From: "Vladimir Potapov" @ 2003-09-11 6:39 UTC (permalink / raw)
To: "Cedric Blancher" ; +Cc: netfilter
Yesterday evening my packet filter with iptables worked fine. This morning I see that it is not forwarding packets from the DMZ to the local network and back. I see this every morning. After I reboot the machine it works fine. I think that my 3Com cards have some bugs. There are no entries about this in the log. My rules are:
#Allow from local to DMZ and back
-A FORWARD -d 192.168.1.0/255.255.255.0 -i eth1 -o eth2 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.5.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
* Re: iptables ceases to work after night
2003-09-11 6:39 ` iptables ceases to work after night "Vladimir Potapov"
@ 2003-09-11 10:55 ` Pascal Vilarem
2003-09-11 11:17 ` Pascal Vilarem
1 sibling, 0 replies; 7+ messages in thread
From: Pascal Vilarem @ 2003-09-11 10:55 UTC (permalink / raw)
To: netfilter
What does iptables-save return in the morning?
Is it different from what it returns when forwarding is OK?
If you find differences, there is something to track down that alters the
netfilter config
(a firewall script? something like an iptables-restore script?).
If you don't find differences:
check whether resetting netfilter and loading the config again is enough.
If yes, I'd suggest updating netfilter and perhaps the kernel.
Stop netfilter and check whether anything can get through your network card.
If not, I'd suggest checking the driver of the card, and perhaps
the card itself.
Hope this can help,
Pascal
* Re: iptables ceases to work after night
2003-09-11 6:39 ` iptables ceases to work after night "Vladimir Potapov"
2003-09-11 10:55 ` Pascal Vilarem
@ 2003-09-11 11:17 ` Pascal Vilarem
1 sibling, 0 replies; 7+ messages in thread
From: Pascal Vilarem @ 2003-09-11 11:17 UTC (permalink / raw)
To: netfilter
What does iptables-save return in the morning?
Is it different from what it returns when forwarding is OK?
If you find differences, there is something to track down that alters the
netfilter config
(a firewall script? something like an iptables-restore script?).
If you don't find differences:
check whether the ip_forward parameter is still 1 (maybe something
switches it off
at night?).
Stop netfilter and check whether anything can get through your network card.
If not, I'd suggest checking the driver of the card, and perhaps
the card itself.
If yes, forget this point.
Check whether resetting netfilter and loading the config again is enough.
-> maybe there is a memory problem that makes your netfilter version
crash.
Check the known bugs related to your kernel version and your netfilter
version...
You may have to compile a new kernel.
Hope this can help,
Pascal
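Pascal's checklist above turns naturally into a before/after snapshot, given here as an added example that is not from the thread. It records the items he names (the iptables-save output, ip_forward, the interface state) plus the conntrack table fill level, since a full table drops new connections while the ruleset looks untouched, and it diffs two snapshots while ignoring the timestamped comments and packet counters that differ on every run. `collect()` calls the real `iptables-save -c` and `ip -o link show` commands and needs root; the EVENING and MORNING snapshots at the bottom are constructed, with the version string, dates and counters in them invented for the example.

```python
import re
import subprocess
from typing import Dict, List

COUNTER = re.compile(r"\[\d+:\d+\]")   # packet:byte counters in iptables-save -c output


def _run(cmd: List[str]) -> str:
    """stdout of a command, or "" when the tool is not installed."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


def _read(path: str) -> str:
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return ""


def collect() -> Dict[str, str]:
    """Live snapshot of the items to compare; iptables-save needs root."""
    return {
        "rules": _run(["iptables-save", "-c"]),
        "ip_forward": _read("/proc/sys/net/ipv4/ip_forward"),
        "links": _run(["ip", "-o", "link", "show"]),
        "conntrack": _read("/proc/sys/net/netfilter/nf_conntrack_count")
        + "/" + _read("/proc/sys/net/netfilter/nf_conntrack_max"),
    }


def rule_set(saved: str) -> set:
    """Rule and chain lines only, with the timestamped comments and the
    counters (which change on every run) removed."""
    lines = set()
    for line in saved.splitlines():
        if line.strip() and not line.startswith("#"):
            lines.add(" ".join(COUNTER.sub("", line).split()))
    return lines


def compare(old: Dict[str, str], new: Dict[str, str]) -> List[str]:
    """Human-readable list of what differs; an empty list means nothing changed."""
    findings = []
    if old["ip_forward"] != new["ip_forward"]:
        findings.append(f"ip_forward changed: {old['ip_forward']} -> {new['ip_forward']}")
    before, after = rule_set(old["rules"]), rule_set(new["rules"])
    findings += [f"rule gone: {r}" for r in sorted(before - after)]
    findings += [f"rule added: {r}" for r in sorted(after - before)]
    if old["links"] != new["links"]:
        findings.append("interface state changed (compare `ip -o link show` output)")
    # A full conntrack table drops new connections while the rules look intact.
    try:
        count, limit = (int(x) for x in new["conntrack"].split("/"))
        if count >= limit:
            findings.append(f"conntrack table full: {count}/{limit}")
    except ValueError:
        pass
    return findings


# Constructed snapshots: by morning ip_forward is 0, one rule is missing and
# the conntrack table is full. The counters differ too, as they always would.
EVENING = {
    "rules": (
        "# Generated by iptables-save v1.2.8 on Wed Sep 10 22:00:01 2003\n"
        "*filter\n:FORWARD DROP [0:0]\n"
        "[120:9000] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
        "[3:180] -A FORWARD -d 192.168.5.2/32 -i eth0 -o eth1 -p tcp -m state "
        "--state NEW -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j ACCEPT\n"
        "COMMIT\n# Completed on Wed Sep 10 22:00:01 2003\n"
    ),
    "ip_forward": "1",
    "links": "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP",
    "conntrack": "412/65536",
}
MORNING = {
    "rules": (
        "# Generated by iptables-save v1.2.8 on Thu Sep 11 07:00:01 2003\n"
        "*filter\n:FORWARD DROP [0:0]\n"
        "[9812:771000] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
        "COMMIT\n# Completed on Thu Sep 11 07:00:01 2003\n"
    ),
    "ip_forward": "0",
    "links": EVENING["links"],
    "conntrack": "65536/65536",
}
```

Run `collect()` from cron in the evening and again in the morning, store both, and feed them to `compare()`: an empty list points away from the ruleset and towards the driver or the card, which is where Pascal's checklist goes next.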