Re: iptables and domain services...
I used Phil's rule:
iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
This allows ALL connections that have been established or are related though. In your description, you describe something much more strict. Is it possible to exploit that, or should I close it off more like you have in your chain rules?
>>> Jason Healy <email@example.com> 04/19 5:35 PM >>>
At 987717599s since epoch (04/19/01 16:59:59 -0400 UTC), Janet Post wrote:
> So you're running a DNS server?
> No. I'm just trying to get name resolution working.
> I'm still not clear on this then... What ports do I open to allow my server and the computers behind it to resolve IP numbers? It is obviously NOT port 53 or my rules would work.
Right. Sorry for all the confusion. Noah and I didn't know for sure what
you were trying to do.
To get DNS resolution to work (that is, to be able to query external DNS
servers and accept the responses), you need rules that look like this:
# UDP DNS incoming responses
$IPTABLES -A INPUT -p UDP -s 0/0 --source-port domain -j ACCEPT
# TCP DNS incoming responses
$IPTABLES -A INPUT -p TCP -s 0/0 --source-port domain -j tcp_state
# note the jump to "tcp_state", which is another chain that verifies the
# state of the connection:
$IPTABLES -A tcp_state -p TCP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
The first line is what you're most interested in. It says that all DNS
messages that originated from a DNS server ('domain', or port 53) should be
accepted. This allows you to get back answers to your queries.
The next line does the same thing, but for TCP connections. DNS can and
does use TCP in certain situations (like when the response is too big to
send over UDP). You should let these in as well.
Note that we shouldn't just accept any old TCP connection; we should check
to make sure that it's either a new connection or part of an existing one.
Hence the third line, which performs these checks. This is what Phil was
talking about in his message.
These rules show you the basics of what needs to be done. The rules, as
shown, WILL NOT WORK BY THEMSELVES. You need to create a tcp_state chain
and add some other checks to it. I just put the rules here to show you the
kind of issues that need to be dealt with when building a firewall.
I'm more than happy to provide my entire firewall setup script to anyone
who's interested. It's strongly based on BoingWorld's sample rc.firewall
script, which can be found at:
Their tutorial is very good and provides step-by-step explanations of how
the firewall rules work. If you want a better understanding of how to build
a firewall, you should definitely check it out.
Hope this clears things up,
Jason Healy | firstname.lastname@example.org
LogN Systems | http://www.logn.net/
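An added example, written for this page and not taken from the thread or from Jason's firewall script: a complete, re-runnable version of the DNS-resolution rules discussed above, including the tcp_state chain that the quoted fragment says must exist. It also answers the question at the top of the thread: the `-m state --state ESTABLISHED,RELATED` match only accepts packets that conntrack has tied to a flow this host already started, so a remote host cannot manufacture a match by sending packets (setting its source port to 53 included); what the unscoped rule gives up is per-service restriction, so here the match is scoped to DNS ports. Note that accepting NEW in the tcp_state chain, as the quoted fragment does, would let any remote host open a connection to any local TCP service just by binding its source socket to port 53, which is why NEW is omitted below. Assumptions not stated in the thread: Linux iptables with the `state` match, INPUT policy DROP, OUTPUT policy ACCEPT, and port 53 written numerically instead of `domain`.

```shell
#!/bin/sh
# Added example, not from the thread: complete DNS-resolution rules including
# the tcp_state helper chain. Run as root to load them, or run with
# IPTABLES=echo to print the rules instead (how the dry-run count below works).
IPTABLES=${IPTABLES:-iptables}

# Assumed policy (not stated in the thread): INPUT defaults to DROP and
# OUTPUT to ACCEPT, so only inbound traffic needs explicit rules.
dns_rules() {
    # Create the helper chain if needed, then empty it so the script can be
    # re-run. "|| true" keeps a set -e script alive when the chain exists.
    $IPTABLES -N tcp_state 2>/dev/null || true
    $IPTABLES -F tcp_state

    # tcp_state: accept only packets conntrack has tied to a connection this
    # host initiated, plus RELATED ones (e.g. ICMP errors about it).
    # NEW is deliberately absent: accepting it here would let any remote host
    # reach any local TCP service simply by using source port 53.
    $IPTABLES -A tcp_state -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A tcp_state -p tcp -j DROP

    # UDP DNS replies: conntrack marks the reply to a query we sent as
    # ESTABLISHED, so a datagram that merely carries source port 53 (which
    # anyone can set) is not accepted unless this host asked for it.
    $IPTABLES -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    # TCP DNS replies (answers too large for UDP), checked by the helper chain.
    $IPTABLES -A INPUT -p tcp --sport 53 -j tcp_state
}

# Only needed if the OUTPUT policy is DROP: let the queries themselves out.
dns_outbound() {
    $IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
}

# Dry run: print the inbound rules and count those that carry a target,
# so the rule set can be reviewed without touching the live firewall.
count_rules() {
    ( IPTABLES=echo; dns_rules ) | grep -c -- ' -j '
}

# Load the rules only when invoked as: sh dns-rules.sh load
if [ "${1:-}" = "load" ]; then
    dns_rules
fi
```

Run `sh dns-rules.sh` (or call `count_rules`) to see the rules printed, then `sudo sh dns-rules.sh load` to install them after an INPUT chain that already accepts loopback and locally initiated traffic.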