
IPTables and DNS


Saeed42

ISP
Jul 4, 2001
147
In an attempt to make our DNS servers more secure I was asked (more like forced) to look into iptables, and I have to admit I know next to nothing about it. After doing a bit of digging around I managed to enable iptables on a test machine that will only accept ssh and udp:53 from anywhere. My problem is that the server doesn't resolve any non-authoritative domains until I stop iptables, and after that everything seems to work fine. So my question is: what else do I need to allow in, as all traffic is allowed to go out?



More info
Redhat 8
Bind bind-9.2.1-9
IPtables iptables-1.2.6a-2


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Don't be content with being average. Average is as close to the bottom as it is to the top
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

There is an option statement in BIND called something like 'query-source'. Set this to port 53 (if that's open in the firewall) and it should work.

Cheers

Henrik Morsing
Certified AIX 4.3 Systems Administration
& p690 Technical Support
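Henrik's fix works because BIND then sends its own queries from source port 53, so the existing "udp dpt:domain" rule lets the answers back in. It has a cost: every outbound query leaves from the same predictable source port, which makes it easier for an attacker to forge answers into the cache. The script below is an added example, not from the thread, of the alternative: leave BIND's query port alone and accept replies through the connection-tracking match ("-m state"), which the Red Hat 8 kernel's ip_conntrack module provides. The IPT and SSH_FROM variables are assumptions introduced here; TCP 53 is opened as well because zone transfers and answers too large for UDP need it.

```shell
#!/bin/sh
# Added example, not from the thread. Builds an INPUT chain for a BIND host
# that accepts DNS and ssh, and lets answers to the server's own outbound
# queries back in through connection tracking rather than by pinning BIND's
# query-source to port 53. Needs the ip_conntrack module (standard on a 2.4
# kernel such as Red Hat 8's). Set IPT=echo to print the rules instead of
# applying them; SSH_FROM is an assumed admin network, change it to yours.
IPT="${IPT:-iptables}"
SSH_FROM="${SSH_FROM:-0.0.0.0/0}"

dns_firewall() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    # named talks to itself over loopback (rndc, the local stub resolver)
    $IPT -A INPUT -i lo -j ACCEPT
    # replies to queries and NOTIFY messages this server sent out, whatever
    # source port BIND chose; this is what the original rule set lacked
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # inbound DNS: UDP for queries and NOTIFY, TCP for zone transfers and
    # for answers that do not fit in a UDP datagram
    $IPT -A INPUT -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 53 --syn -j ACCEPT
    # management access
    $IPT -A INPUT -p tcp -s "$SSH_FROM" --dport 22 --syn -j ACCEPT
    # anything else: reject new TCP connections and all other UDP, as the
    # thread's own chain does; the DROP policy catches the rest
    $IPT -A INPUT -p tcp --syn -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
}

# Apply only when run as "sh dns_firewall.sh apply"; sourcing it just
# defines the function.
if [ "${1:-}" = apply ]; then
    dns_firewall
fi
```

Preview with "IPT=echo sh dns_firewall.sh apply" before applying it as root. On Red Hat 8 the rules live only in the kernel until "service iptables save" writes them to /etc/sysconfig/iptables. With the ESTABLISHED,RELATED rule in place the "udp spt:domain" rule from ns1 in the thread's chain becomes unnecessary, and the query-source setting in named.conf can be left at its default.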
 
I followed your instructions and that seems to do the job, but I have two more questions.

1. What happens to the NOTIFY message? Will that still work, or do I need to allow it through?

2. If you look at my iptables --list output you will see that the 3rd line says "ACCEPT all -- anywhere". Doesn't that mean it's allowing all traffic?



target  prot opt source            destination
ACCEPT  udp  --  anywhere          anywhere      udp dpt:domain
ACCEPT  tcp  --  anywhere          anywhere      tcp dpt:ssh flags:SYN,RST,ACK/SYN
ACCEPT  all  --  anywhere          anywhere
ACCEPT  udp  --  ns1.mydomain.net  anywhere      udp spt:domain
REJECT  tcp  --  anywhere          anywhere      tcp flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT  udp  --  anywhere          anywhere      udp reject-with icmp-port-unreachable


Thanks in advance


 

1) I assume notify uses port 53

2) Your output doesn't show interfaces or chains. You have to list the extended output for that, 'iptables -L -v' I think.

Cheers

Henrik Morsing
Certified AIX 4.3 Systems Administration
& p690 Technical Support
 
Still having problems with iptables. I'm trying to allow ftp from only one server, and I've tried adding the following line to iptables: "iptables -A INPUT -s 198.x.x.3 -p tcp --destination-port ftp -j ACCEPT". It goes through fine without any error messages, but when I list iptables it's not there.



target  prot opt in   out  source            destination
ACCEPT  udp  --  any  any  anywhere          anywhere      udp dpt:domain
ACCEPT  tcp  --  any  any  anywhere          anywhere      tcp dpt:ssh flags:SYN,RST,ACK/SYN
ACCEPT  all  --  lo   any  anywhere          anywhere
ACCEPT  udp  --  any  any  ns1.mydomain.net  anywhere      udp spt:domain
REJECT  tcp  --  any  any  anywhere          anywhere      tcp flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT  udp  --  any  any  anywhere          anywhere      udp reject-with icmp-port-unreachable


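Two things are worth checking in a listing like the one above, shown here as an added example that is not part of the thread: whether any ACCEPT rule has protocol "all" with no interface restriction (the thread's "ACCEPT all" line turned out to be loopback-only, which only the "-v" listing reveals), and whether a rule added with "-A" landed behind the catch-all REJECT rules, where it can never match a new connection. The script reads the text of "iptables -L INPUT -v -n --line-numbers" and prints one finding per rule. The listing embedded in it is constructed to resemble the thread's chain plus an ftp rule appended with "-A"; the addresses are documentation ranges, not the poster's.

```shell
#!/bin/sh
# Added example, not from the thread: audit an INPUT chain listing for two
# classic mistakes, an ACCEPT-all rule with no interface restriction, and an
# ACCEPT appended behind a catch-all REJECT/DROP so it can never match.
# Input is the text of 'iptables -L INPUT -v -n --line-numbers' (-n matters:
# the checks compare against 0.0.0.0/0, not "anywhere").

# Constructed sample listing, not captured from the poster's machine.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       10   800 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
2        3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 flags:0x16/0x02
3       50  4000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     udp  --  *      *       192.0.2.53           0.0.0.0/0            udp spt:53
6        7   420 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x16/0x02 reject-with icmp-port-unreachable
7        2   120 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
8        0     0 ACCEPT     tcp  --  *      *       198.51.100.3         0.0.0.0/0            tcp dpt:21'

# Reads a listing on stdin and prints one finding per problematic rule.
# Column layout with -v -n --line-numbers:
#   1=num 2=pkts 3=bytes 4=target 5=prot 6=opt 7=in 8=out 9=source 10=destination
audit_input_chain() {
    awk '
    $1 ~ /^[0-9]+$/ {
        num = $1; target = $4; prot = $5; in_if = $7; src = $9
        # (a) protocol "all" on every interface from any source allows everything;
        #     the same rule restricted to "lo" is the normal loopback rule
        if (target == "ACCEPT" && prot == "all" && in_if == "*" && src == "0.0.0.0/0")
            print "rule " num ": ACCEPT all from anywhere on every interface; this allows all traffic"
        # (b) an ACCEPT placed after a catch-all REJECT/DROP for its protocol
        #     (or for "all") is dead: packets are rejected before reaching it
        shadow = ""
        if (prot in catchall) shadow = catchall[prot]
        else if ("all" in catchall) shadow = catchall["all"]
        if (target == "ACCEPT" && shadow != "")
            print "rule " num ": ACCEPT " prot " is appended behind catch-all rule " shadow "; insert it with -I instead"
        # remember catch-all rejects seen so far, keyed by protocol
        if ((target == "REJECT" || target == "DROP") && in_if == "*" && src == "0.0.0.0/0")
            catchall[prot] = num
    }'
}

# "sh audit_chain.sh sample" audits the constructed listing,
# "sh audit_chain.sh live" audits the running INPUT chain (needs root).
case "${1:-}" in
    sample) printf '%s\n' "$SAMPLE_LISTING" | audit_input_chain ;;
    live)   iptables -L INPUT -v -n --line-numbers | audit_input_chain ;;
esac
```

On the sample this reports rule 4 (the wildcard ACCEPT all) and rule 8 (the ftp rule sitting behind the TCP reject). To place such a rule ahead of the rejects, use the number from "--line-numbers", e.g. "iptables -I INPUT 6 -s 198.x.x.3 -p tcp --dport ftp -j ACCEPT". On Red Hat 8 a rule added at the command line exists only in the kernel until "service iptables save" writes it to /etc/sysconfig/iptables, so it is gone after "service iptables restart"; that is one reason a freshly added rule can be missing from a later listing. If the ftp rule has to carry active-mode data connections, the ip_conntrack_ftp module is also needed together with an ESTABLISHED,RELATED rule.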
 