Re: DNS Firewall Rules
On Sat, 11 Oct 2003, James W. Thompson, II wrote:
> What sort of rules should I use for DNS under iptables, I have 3 NS I
> need to transfer to, then of course I also need to resolve names...
> But I want to lock down the ports beyond that...
I am not sure it is what you are asking for, but this is what you
need on the initiating host to allow DNS traffic. Note that this
accounts for UDP and TCP traffic. UDP alone is not enough.
    #=============================================================
    # Allow local DNS clients to connect to selected remote servers
    #=============================================================
    # IPS: array of DNS server addresses; PUB_IFACE/PUB_IP: the public
    # interface and its address; EPHEMERAL_PORTS: the local client port
    # range (e.g. 1024:65535); CONNECTION_TRACKING: 1 if the state match
    # module is in use; VERBOSE: 1 to log progress.
    for IP in "${IPS[@]}"; do
        if [ "$VERBOSE" = "1" ]; then
            echo "Processing DNS server $IP..."
        fi
        if [ "$CONNECTION_TRACKING" = "1" ]; then
            # With state tracking, only the first packet of a query needs
            # an explicit NEW rule; the rest of the exchange is tracked.
            iptables -A OUTPUT -o "$PUB_IFACE" -p udp \
                -s "$PUB_IP" --sport "$EPHEMERAL_PORTS" \
                -d "$IP" --dport 53 \
                -m state --state NEW -j ACCEPT
            iptables -A OUTPUT -o "$PUB_IFACE" -p tcp \
                -s "$PUB_IP" --sport "$EPHEMERAL_PORTS" \
                -d "$IP" --dport 53 \
                -m state --state NEW -j ACCEPT
        fi
        # Stateless rules: outgoing queries over UDP and TCP ...
        iptables -A OUTPUT -o "$PUB_IFACE" -p udp \
            -s "$PUB_IP" --sport "$EPHEMERAL_PORTS" \
            -d "$IP" --dport 53 -j ACCEPT
        iptables -A OUTPUT -o "$PUB_IFACE" -p tcp \
            -s "$PUB_IP" --sport "$EPHEMERAL_PORTS" \
            -d "$IP" --dport 53 -j ACCEPT
        # ... and the answers coming back from port 53. For TCP, "! --syn"
        # admits replies only; the server cannot open a new connection to us.
        iptables -A INPUT -i "$PUB_IFACE" -p udp \
            -s "$IP" --sport 53 \
            -d "$PUB_IP" --dport "$EPHEMERAL_PORTS" -j ACCEPT
        iptables -A INPUT -i "$PUB_IFACE" -p tcp ! --syn \
            -s "$IP" --sport 53 \
            -d "$PUB_IP" --dport "$EPHEMERAL_PORTS" -j ACCEPT
    done
The variable names will probably be clear enough for you to fill them
in yourself. If not please take a look at my iptables page at
http://huizen.dto.tudelft.nl/devries/security/iptables_example.html
HTH
Grx HdV
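The rule set above as a dry-run generator, added here as an example and not part of the original post: it prints the iptables commands for a list of resolvers instead of loading them, so the UDP/TCP pairs and the `! --syn` reply rule can be reviewed before touching a live host. The interface, addresses and port range are constructed sample values; set IPTABLES=iptables to apply the rules for real.

```shell
#!/bin/sh
# Added example (not from the original post). Variable names are assumed.
IPTABLES="${IPTABLES:-echo iptables}"   # dry run by default; IPTABLES=iptables applies
PUB_IFACE="eth0"                        # constructed sample values
PUB_IP="192.0.2.10"
EPHEMERAL_PORTS="1024:65535"
IPS="192.0.2.53 198.51.100.53"          # the resolvers we are allowed to query

# Emit the OUTPUT/INPUT rules for one resolver. UDP and TCP are both
# needed: large answers and zone transfers fall back to TCP.
dns_rules_for() {
    ip="$1"
    for proto in udp tcp; do
        # Outgoing queries; NEW,ESTABLISHED folds the page's tracked and
        # untracked OUTPUT rules into one rule per protocol.
        $IPTABLES -A OUTPUT -o "$PUB_IFACE" -p "$proto" \
            -s "$PUB_IP" --sport "$EPHEMERAL_PORTS" \
            -d "$ip" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    done
    # Answers from port 53 back to our client ports.
    $IPTABLES -A INPUT -i "$PUB_IFACE" -p udp \
        -s "$ip" --sport 53 -d "$PUB_IP" --dport "$EPHEMERAL_PORTS" -j ACCEPT
    # "! --syn": accept replies to our TCP queries, but never a new
    # connection opened toward us from the resolver's port 53.
    $IPTABLES -A INPUT -i "$PUB_IFACE" -p tcp ! --syn \
        -s "$ip" --sport 53 -d "$PUB_IP" --dport "$EPHEMERAL_PORTS" -j ACCEPT
}

# Generate the full set, four rules per resolver.
dns_rules() {
    for ip in $IPS; do
        dns_rules_for "$ip"
    done
}

# Review helper: count rules for one protocol so a missing TCP pair is
# caught before the script is loaded. Usage: count_rules udp|tcp
count_rules() {
    dns_rules | grep -c -- "-p $1 "
}

dns_rules
```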