Re: How do I configure iptables to allow DNS lookups?

• Previous message: Piers Kittel: "GDM problem"
• In reply to: Malcolm Ferguson: "How do I configure iptables to allow DNS lookups?"
• Next in thread: Malcolm Ferguson: "Re: How do I configure iptables to allow DNS lookups?"
• Reply: Malcolm Ferguson: "Re: How do I configure iptables to allow DNS lookups?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Date: Thu, 7 Aug 2003 10:52:17 +0200 (MEST)
To: debian-user@lists.debian.org

On Wed, 6 Aug 2003, Malcolm Ferguson wrote:

> I'm trying to configure iptables as strictly as possible, however, I'm
> having problems with DNS. If I understand correctly how DNS works, the
> client sends a UDP packet from a high number port to port 53 on the name
> server. The name server responds with a UDP packet back to that high
> number port. Is this correct?
>
> I have /etc/resolv.conf containing a nameserver entry. I also have some
> name servers listed in the forwarders section of /etc/bind/named.conf.
> Is there a way to configure both bind and the normal name resolver (how
> does it work???) to always use the same port? Or, do I have to add a
> rule to the INPUT chain that ACCEPTS anything UDP from the name server?
> Obviously the name server isn't on the local LAN.

Hi Malcolm,

Contrary to common belief DNS is not UDP only. Once in a while a normal query
will be to large and then TCP packets are used. So TCP is not exclusively for
zone-transfers.

Here's what I use in my iptables-script:

  if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A OUTPUT -o $PUB_IFACE -p udp \
             -s $PUB_IP --sport $EPHEMERAL_PORTS \
             -d $IP --dport 53 \
             -m state --state NEW -j ACCEPT

    iptables -A OUTPUT -o $PUB_IFACE -p tcp \
             -s $PUB_IP --sport $EPHEMERAL_PORTS \
             -d $IP --dport 53 \
             -m state --state NEW -j ACCEPT
  fi

  iptables -A OUTPUT -o $PUB_IFACE -p udp \
           -s $PUB_IP --sport $EPHEMERAL_PORTS \
           -d $IP --dport 53 -j ACCEPT

  iptables -A OUTPUT -o $PUB_IFACE -p tcp \
           -s $PUB_IP --sport $EPHEMERAL_PORTS \
           -d $IP --dport 53 -j ACCEPT

  iptables -A INPUT -i $PUB_IFACE -p udp \
           -s $IP --sport 53 \
           -d $PUB_IP --dport $EPHEMERAL_PORTS -j ACCEPT

  iptables -A INPUT -i $PUB_IFACE -p tcp ! --syn \
           -s $IP --sport 53 \
           -d $PUB_IP --dport $EPHEMERAL_PORTS -j ACCEPT

Mind you it is somewhat double. It is something I got used to do in the
past. So there are a couple of catch 'em lines just in case the
connection tracking module isn't loaded on that particular host. You
might not need those extra lines.

Grx HdV

-- 
To UNSUBSCRIBE, email to debian-user-request@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

• Previous message: Piers Kittel: "GDM problem"
• In reply to: Malcolm Ferguson: "How do I configure iptables to allow DNS lookups?"
• Next in thread: Malcolm Ferguson: "Re: How do I configure iptables to allow DNS lookups?"
• Reply: Malcolm Ferguson: "Re: How do I configure iptables to allow DNS lookups?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]