
Re: Problem with iptables



On Thu, May 03, 2007 at 02:26:32PM +0200, Pierguido wrote:
> I'm using Etch on a server and I want to configure bind.
> After I've done everything I set up firehol (iptables parser) and
> noticed that, when firehol is on, I cannot make any request to the
> outside DNS server.
>
> I checked the firehol log and I see:
> 
> May  3 14:19:54 srv-web 'OUT-unknown:' IN= OUT=eth0 MAC=
> SRC=192.168.100.2 DST=213.140.2.49 LEN=70 TOS=00 PREC=0x00 TTL=64 ID=0
> DF PROTO=UDP SPT=53 DPT=53 LEN=50

Yep - looks like an outgoing DNS query

> OUT-unknown is the default rule for the OUTPUT chain (DROP).
> 
> In my firehol setup for that interface i have these rules:
> 
>         policy drop
>         protection strong
>         server dns accept custom "--state NEW,ESTABLISHED"
>         server icmp accept
>         server http accept
>         server ftp accept
>         client all accept
> 
> This is the result of many tries, but all without success.
> Now, as far as I can understand, it seems that the packet originating from
> my DNS server is not intercepted by any rule, and so goes to the default
> one (DROP).

Looking at the rules, I'd concur...

> These are the rules:

[big snip]
 
> Chain OUTPUT (policy DROP)
> target     prot opt source               destination         
> ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           

Strange: With this rule as the *first* rule in the OUTPUT chain,
*everything* outgoing should be accepted, regardless of source,
destination or protocol!?

> out_lan    0    --  192.168.30.103       0.0.0.0/0           
> out_public_lan_124  0    --  192.168.100.2        0.0.0.0/0           
> out_public_lan_125  0    --  192.168.100.5        0.0.0.0/0           
> ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           state RELATED 
> ULOG       0    --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `'OUT-unknown:'' queue_threshold 1 

And yet your log entry appears to be the result of this rule...

> DROP       0    --  0.0.0.0/0            0.0.0.0/0           
 
Are you 100% sure that these were the rules in effect at the time of the
log entry? It's not making sense ...

-- 
Karl E. Jorgensen
karl@jorgensen.org.uk  http://www.jorgensen.org.uk/
karl@jorgensen.com     http://karl.jorgensen.com
==== Today's fortune:
Things worth having are worth cheating for.
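Added example, not part of the thread: a small Python walk over the OUTPUT chain quoted above, first match wins as netfilter evaluates it, applied to the logged packet. It assumes the chain snapshot and log line exactly as quoted and treats the per-interface user chains (snipped from the mail) as opaque jump targets.

```python
import ipaddress
import re

# Constructed from the OUTPUT chain quoted in the thread (iptables -L OUTPUT -n),
# reduced to (target, proto, source, destination, state-match or None).
OUTPUT_CHAIN = [
    ("ACCEPT", "0", "0.0.0.0/0", "0.0.0.0/0", None),
    ("out_lan", "0", "192.168.30.103", "0.0.0.0/0", None),
    ("out_public_lan_124", "0", "192.168.100.2", "0.0.0.0/0", None),
    ("out_public_lan_125", "0", "192.168.100.5", "0.0.0.0/0", None),
    ("ACCEPT", "0", "0.0.0.0/0", "0.0.0.0/0", "RELATED"),
    ("ULOG", "0", "0.0.0.0/0", "0.0.0.0/0", None),
    ("DROP", "0", "0.0.0.0/0", "0.0.0.0/0", None),
]

# The ULOG line quoted in the thread, joined into one string.
LOG_LINE = ("May  3 14:19:54 srv-web 'OUT-unknown:' IN= OUT=eth0 MAC= "
            "SRC=192.168.100.2 DST=213.140.2.49 LEN=70 TOS=00 PREC=0x00 TTL=64 "
            "ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=50")

def parse_log(line):
    """Split a netfilter LOG/ULOG line into its KEY=VALUE fields."""
    return dict(re.findall(r"(\w+)=(\S*)", line))

def first_match(chain, pkt, conntrack_state="NEW"):
    """Walk the chain top to bottom and return (index, target) of the first rule
    whose criteria fit the packet, or None if the chain policy applies. A target
    naming a user-defined chain is returned as-is; the jump is not followed."""
    src = ipaddress.ip_address(pkt["SRC"])
    dst = ipaddress.ip_address(pkt["DST"])
    for idx, (target, proto, source, dest, state) in enumerate(chain):
        if proto != "0" and proto.upper() != pkt["PROTO"]:
            continue  # "0" in the listing means any protocol
        if src not in ipaddress.ip_network(source):
            continue
        if dst not in ipaddress.ip_network(dest):
            continue
        if state is not None and conntrack_state not in state.split(","):
            continue
        return idx, target
    return None

def log_rule_reachable(chain, line):
    """True if the ULOG rule is the first rule the logged packet would hit; False
    means the listed chain cannot be the one in effect when the line was logged."""
    hit = first_match(chain, parse_log(line))
    return hit is not None and hit[1] == "ULOG"
```

With the blanket ACCEPT in place the walk stops at rule 0, so the logged line could not have come from this chain; without it the packet would be dispatched to out_public_lan_124, the per-interface chain holding the firehol rules quoted above, before it could fall through to ULOG and DROP.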
