
Re: How do I configure iptables to allow DNS lookups?



J.A. de Vries wrote:

Contrary to common belief DNS is not UDP only. Once in a while a normal query will be too large and then TCP packets are used. So TCP is not exclusively for zone-transfers.


If I understand what I've just read from a Google search, TCP is used when the data exceeds 512 bytes (or as you say, for zone transfers). Is this always to TCP port 53 on the server, or can the server indicate an alternative port in its initial UDP response?


Here's what I use in my iptables-script:

 if [ "$CONNECTION_TRACKING" = "1" ]; then
   iptables -A OUTPUT -o $PUB_IFACE -p udp \
            -s $PUB_IP --sport $EPHEMERAL_PORTS \
            -d $IP --dport 53 \
            -m state --state NEW -j ACCEPT

   iptables -A OUTPUT -o $PUB_IFACE -p tcp \
            -s $PUB_IP --sport $EPHEMERAL_PORTS \
            -d $IP --dport 53 \
            -m state --state NEW -j ACCEPT
 fi


What is $EPHEMERAL_PORTS defined as?  "1024:" or "1024:65535" perhaps?
What is $IP defined as?  I presume the IP address of the name server.


 iptables -A OUTPUT -o $PUB_IFACE -p udp \
          -s $PUB_IP --sport $EPHEMERAL_PORTS \
          -d $IP --dport 53 -j ACCEPT

 iptables -A OUTPUT -o $PUB_IFACE -p tcp \
          -s $PUB_IP --sport $EPHEMERAL_PORTS \
          -d $IP --dport 53 -j ACCEPT

 iptables -A INPUT -i $PUB_IFACE -p udp \
          -s $IP --sport 53 \
          -d $PUB_IP --dport $EPHEMERAL_PORTS -j ACCEPT

 iptables -A INPUT -i $PUB_IFACE -p tcp ! --syn \
          -s $IP --sport 53 \
          -d $PUB_IP --dport $EPHEMERAL_PORTS -j ACCEPT


This might be a dumb question as I've only just started reading about stateful packet filtering this morning... is there a reason why you don't use the connection tracking for INPUT chain? I.e. only allow packets from the name server for ESTABLISHED connections. It looks like your stateless rules try to achieve the same by dropping SYN TCP packets.


there are a couple of catch 'em lines just in case the
connection tracking module isn't loaded on that particular host.


This might be another dumb question, but how do I tell if the connection tracking module isn't loaded? How is this configured, enabled, disabled, etc?

Cheers
Malc
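Added example (not part of this thread and not J.A. de Vries's script): a version of the rule set that tests for the connection-tracking module, installs the stateful rules when it is present and the stateless ones otherwise, and prints the iptables commands instead of running them unless IPT is set to the real binary. NS_IP stands in for the quoted script's $IP; the interface name and the TEST-NET addresses are placeholders.

```shell
#!/bin/sh
# Added example, not J.A. de Vries's script. NS_IP stands in for the quoted
# script's $IP (the resolver); the addresses are constructed TEST-NET values.
# IPT defaults to a dry run that prints the commands instead of applying them.
PUB_IFACE="${PUB_IFACE:-eth0}"
PUB_IP="${PUB_IP:-192.0.2.10}"
NS_IP="${NS_IP:-192.0.2.53}"
EPHEMERAL_PORTS="${EPHEMERAL_PORTS:-1024:65535}"
IPT="${IPT:-echo iptables}"   # set IPT=iptables to really install the rules

# Succeeds when the kernel has a connection-tracking module available
# (nf_conntrack on current kernels, ip_conntrack on old 2.4/2.6 ones).
conntrack_available() {
  [ -d /sys/module/nf_conntrack ] || [ -e /proc/net/nf_conntrack ] ||
  [ -d /sys/module/ip_conntrack ] || [ -e /proc/net/ip_conntrack ]
}

# Stateful rules: the client may open queries; replies are accepted only
# when conntrack has seen the matching outgoing query (UDP is tracked too).
dns_rules_stateful() {
  for proto in udp tcp; do
    $IPT -A OUTPUT -o "$PUB_IFACE" -p "$proto" -s "$PUB_IP" --sport "$EPHEMERAL_PORTS" \
         -d "$NS_IP" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i "$PUB_IFACE" -p "$proto" -s "$NS_IP" --sport 53 \
         -d "$PUB_IP" --dport "$EPHEMERAL_PORTS" -m state --state ESTABLISHED -j ACCEPT
  done
}

# Stateless fallback (the "catch 'em" case): without state, "! --syn" is the
# only thing stopping the resolver address from opening TCP connections to
# high ports, and any UDP packet from port 53 is let in.
dns_rules_stateless() {
  for proto in udp tcp; do
    $IPT -A OUTPUT -o "$PUB_IFACE" -p "$proto" -s "$PUB_IP" --sport "$EPHEMERAL_PORTS" \
         -d "$NS_IP" --dport 53 -j ACCEPT
  done
  $IPT -A INPUT -i "$PUB_IFACE" -p udp -s "$NS_IP" --sport 53 \
       -d "$PUB_IP" --dport "$EPHEMERAL_PORTS" -j ACCEPT
  $IPT -A INPUT -i "$PUB_IFACE" -p tcp ! --syn -s "$NS_IP" --sport 53 \
       -d "$PUB_IP" --dport "$EPHEMERAL_PORTS" -j ACCEPT
}

# Pick the rule set the running kernel can support.
dns_rules() {
  if conntrack_available; then dns_rules_stateful; else dns_rules_stateless; fi
}

dns_rules
```

Run it as-is to see which set would be installed on the host; `lsmod | grep conntrack` is the manual equivalent of the check.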