
DNS & Iptables

Status
Not open for further replies.

tobyheywood (IS-IT--Management), joined Apr 20, 2001, 122 messages, location GB
Hi all,

I am running a RH7 box which provides DNS (caching only), routing and firewall services. I have set up the following iptables rules

iptables -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -j DROP

In theory should the above not allow domain name resolution? If I remove the DROP rule DNS resolution works fine from within the network but not if the drop rule exists.

Do I need to setup a rule with the FORWARD table to allow connections through? Having said that I don't see why I should, as my Linux box is used for network wide DNS services.

Should it not be a case that the client talks to the server, the server then tries to resolve the name and returns the result to the client? If so there should be no need for anything in the FORWARD table.

I would be grateful if someone can suggest what it is that I am doing wrong.

Thanks in advance and Merry Xmas.

Regards


Toby Heywood
 
If you remove the DROP rule and it works, then your default rule is ACCEPT. THAT IS BAD BAD BAD! That means that the rule is wrong and the default behavior is being triggered, which is the policy you set (or didn't).

Surfinbox.com Business Internet Services - National Dialup, DSL, T-1 and more.
 

Try setting "query-source address * port 53;" in your options section in named.conf.

Cheers
 
Thedaver,

I am now going to show my ignorance but... when you have referred to a default rule where in iptables is this? Is there a hidden conf file somewhere?

I have looked through the howto files for netfilter/iptables and have so far found no reference to a default rule.

The only defaults I can think of would be things such as /etc/hosts.allow or /etc/hosts.deny.

Unixfreak, I shall give your suggestion a try and let you know of the outcome. But this does raise one question - should named be accepting queries from port 53 by default?

Thanks to both of you for your responses so far.

Regards


Toby Heywood
 
Toby;

Every firewall example I've ever seen shows the ruleset beginning with something like this:
credit:
# Configure default policies (-P), meaning default rule to apply if no
# more specific rule below is applicable. These rules apply if a more specific rule below
# is not applicable. Defaults are to DROP anything sent to firewall or internal
# network, permit anything going out.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Flush (-F) all specific rules
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat

------------------------------------

Therefore if you implement these starting POLICIES, you cannot accept any incoming traffic until you correctly open up ports for the traffic that you seek to authorize.

Perhaps you would benefit from using a ready-to-go firewall tool that is very smart and covers these bases and MANY MORE in the default package.

I whole heartedly recommend Jay's firewall.

Good luck.



Surfinbox.com Business Internet Services - National Dialup, DSL, T-1 and more.
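To make the "default rule" point concrete, here is an added example (not from the thread or any of its posters): a small model of first-match evaluation on the INPUT chain, run over Toby's ruleset as posted, over the same ruleset after unixfreak's query-source change, and over a default-DROP ruleset with a conntrack rule. It assumes eth1 is the LAN side (the side ssh and ftp were opened on) and eth0 the upstream side; the reply port 32768 is a constructed value standing in for named's ephemeral source port.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    target: str                    # ACCEPT or DROP
    proto: Optional[str] = None    # -p tcp/udp; None matches any protocol
    iface: Optional[str] = None    # -i eth1; None matches any interface
    dport: Optional[int] = None    # --dport; None matches any port
    established: bool = False      # -m state --state ESTABLISHED,RELATED

@dataclass
class Packet:
    proto: str
    iface: str
    dport: int
    reply: bool = False            # reply to a query this host sent out

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.established:
        return pkt.reply
    return all(want is None or want == got for want, got in
               ((rule.proto, pkt.proto), (rule.iface, pkt.iface), (rule.dport, pkt.dport)))

def verdict(rules, pkt, policy="ACCEPT"):
    """First matching rule wins; otherwise the chain policy (-P) decides."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.target
    return policy

# Toby's ruleset as posted, on a chain whose policy was never set (ACCEPT).
ORIGINAL = [Rule("ACCEPT", "tcp", "eth1", 22), Rule("ACCEPT", "tcp", "eth1", 21),
            Rule("ACCEPT", "udp", None, 53), Rule("DROP")]

# Default-DROP policy plus a conntrack rule so replies to named's own upstream
# queries are admitted whatever their destination port; DNS is opened on the
# LAN interface only (assumed to be eth1) rather than on every interface.
STATEFUL = [Rule("ACCEPT", established=True), Rule("ACCEPT", "tcp", "eth1", 22),
            Rule("ACCEPT", "tcp", "eth1", 21), Rule("ACCEPT", "udp", "eth1", 53)]

CLIENT_QUERY = Packet("udp", "eth1", 53)                   # LAN client -> named
# named queried upstream from a constructed ephemeral port; the answer comes
# back on the outside interface addressed to that port, not to port 53.
UPSTREAM_REPLY = Packet("udp", "eth0", 32768, reply=True)
# Same reply after unixfreak's "query-source address * port 53;" change.
UPSTREAM_REPLY_PORT53 = Packet("udp", "eth0", 53, reply=True)

def dns_verdicts(rules, policy="ACCEPT"):
    return {name: verdict(rules, p, policy) for name, p in
            (("client_query", CLIENT_QUERY), ("upstream_reply", UPSTREAM_REPLY),
             ("upstream_reply_port53", UPSTREAM_REPLY_PORT53))}
```

Dropping the trailing DROP rule from ORIGINAL lets the upstream reply fall through to the unset ACCEPT policy, which is exactly why removing it "fixed" resolution.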
 