iptables rules to allow name service through firewall - Security



Thread: iptables rules to allow name service through firewall

  1. iptables rules to allow name service through firewall


    Can you all help me set up a proper set of iptables rules to allow name
    service to run on my server?

    I have:

    -A INPUT -p udp --sport 53 -j ACCEPT
    -A INPUT -p udp --dport 53 -j ACCEPT
    -A INPUT -p tcp --sport 53 -j ACCEPT
    -A INPUT -p tcp --dport 53 -j ACCEPT
    -A INPUT -p udp --sport 1024:65535 -j ACCEPT
    -A INPUT -p udp --dport 1024:65535 -j ACCEPT

    FORWARD rules are set up the same.

    OUTPUT rules allow everything except telnet.

    External hosts trying to access the name server can't get to it. If I
    turn off iptables everything works fine.

    What am I missing?

    Thanks...
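
    Added example, not from the thread: a stateful version of the INPUT rules posted above. It accepts new DNS queries by destination port only and lets conntrack admit the replies, in place of the --sport 53 and --sport 1024:65535 rules, which accept any inbound packet whose sender merely chose that source port. It assumes iptables with the conntrack match; run with no argument it prints the rules for review, and with "apply" it loads them.

```shell
#!/bin/sh
# Added example, not from the thread: stateful iptables INPUT rules for a
# DNS server running on the firewall host itself. Assumes the conntrack
# match is available (iptables 1.4 or later). IPT is overridable for testing.
IPT=${IPT:-iptables}

# Emit the rule set as text so it can be reviewed before it is loaded.
# Replies to the server's own outbound lookups come back as ESTABLISHED,
# so no rule needs to trust a source port.
dns_rules() {
    cat <<EOF
$IPT -P INPUT DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPT -A INPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$IPT -A INPUT -p tcp --dport 53 --syn -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Sanity check on the generated set: succeed only if no rule matches on
# --sport, i.e. nothing is admitted on the strength of a source port.
check_no_sport_rules() {
    if dns_rules | grep -q -- '--sport'; then
        return 1
    fi
    return 0
}

# Load the rules, stopping at the first iptables error.
apply_rules() {
    dns_rules | sh -e
}

# With "apply" the rules are loaded; otherwise they are printed.
# To confirm queries reach the server afterwards, watch the counters with
# "iptables -L INPUT -v -n" while resolving a name from an external host.
if [ "$1" = "apply" ]; then
    apply_rules
else
    dns_rules
fi
```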


  2. Re: iptables rules to allow name service through firewall

    "C. J. Clegg" (06-11-01 21:28:39):

    > Can you all help me set up a proper set of iptables rules to allow
    > name service to run on my server?
    >
    > I have:
    >
    > -A INPUT -p udp --sport 53 -j ACCEPT
    > -A INPUT -p udp --dport 53 -j ACCEPT
    > -A INPUT -p tcp --sport 53 -j ACCEPT
    > -A INPUT -p tcp --dport 53 -j ACCEPT
    > -A INPUT -p udp --sport 1024:65535 -j ACCEPT
    > -A INPUT -p udp --dport 1024:65535 -j ACCEPT
    >
    > FORWARD rules are set up the same.
    >
    > OUTPUT rules allow everything except telnet.
    >
    > External hosts trying to access the name server can't get to it. If I
    > turn off iptables everything works fine.


    You can't "turn iptables off", but you might have forgotten to set
    /proc/sys/net/ipv4/ip_forward to 1.


    Regards,
    E.S.

  3. Re: iptables rules to allow name service through firewall

    On Thu, 02 Nov 2006 21:15:07 +0100, Ertugrul Soeylemez wrote:

    > You can't "turn iptables off",


    Good evening, E.S.

    Sure I can ... "/etc/rc.d/init.d/iptables stop" does it.

    > but you might have forgotten to set
    > /proc/sys/net/ipv4/ip_forward to 1.


    Hmmm ... yes, it is set to zero ... and yet everything else about my
    iptables configuration works as designed (passes what I told it to pass,
    blocks what I told it to block...).

    I have one foot out the door but I'll try it later this evening and report
    back.

    Thanks...


  4. Re: iptables rules to allow name service through firewall

    On Thu, 02 Nov 2006 21:15:07 +0100, Ertugrul Soeylemez wrote:

    > you might have forgotten to set
    > /proc/sys/net/ipv4/ip_forward to 1.


    Good morning, E.S.

    I looked up ip_forward ... isn't that intended to control use of the
    computer as a router, i.e. forwarding IP packets to other hosts?

    That isn't what I'm doing here... the iptables firewall is just intended
    to control what goes into or out of its own machine.



  5. Re: iptables rules to allow name service through firewall

    On 02.11.2006, C. J. Clegg wrote:
    >
    > Can you all help me set up a proper set of iptables rules to allow name
    > service to run on my server?
    >
    > I have:
    >
    > -A INPUT -p udp --sport 53 -j ACCEPT
    > -A INPUT -p udp --dport 53 -j ACCEPT
    > -A INPUT -p tcp --sport 53 -j ACCEPT
    > -A INPUT -p tcp --dport 53 -j ACCEPT
    > -A INPUT -p udp --sport 1024:65535 -j ACCEPT
    > -A INPUT -p udp --dport 1024:65535 -j ACCEPT
    >
    > FORWARD rules are set up the same.
    >
    > OUTPUT rules allow everything except telnet.
    >
    > External hosts trying to access the name server can't get to it. If I
    > turn off iptables everything works fine.
    >
    > What am I missing?


    I think that the problem lies somewhere else. Could you post your whole
    firewall script?

    --
    Some people like Dozzie...
    Of course we respect them.
    Stanislaw Klekot

  6. Re: iptables rules to allow name service through firewall

    On Fri, 03 Nov 2006 13:57:35 +0000, Stachu 'Dozzie' K. wrote:

    > I think that the problem lies somewhere else. Could you post your whole
    > firewall script?


    Good morning, Dozzie.

    Yeah, I did that once before in another thread on this NG and was told I
    shouldn't do that, it's a security risk.

    I'm not real sure why, it's not like my firewall is doing anything unusual. :-)

    I think I may have my answer but if what I am about to try doesn't work,
    I'll post my rules list here.

    Thanks...


  7. Re: iptables rules to allow name service through firewall

    On 03.11.2006, C. J. Clegg wrote:
    > On Fri, 03 Nov 2006 13:57:35 +0000, Stachu 'Dozzie' K. wrote:
    >
    >> I think that the problem lies somewhere else. Could you post your whole
    >> firewall script?

    >
    > Good morning, Dozzie.
    >
    > Yeah, I did that once before in another thread on this NG and was told I
    > shouldn't do that, it's a security risk.
    >
    > I'm not real sure why, it's not like my firewall is doing anything unusual. :-)


    I don't think it's a security risk either. A firewall should defend the
    network effectively regardless of whether it's known to the attacker or not.

    > I think I may have my answer but if what I am about to try doesn't work,
    > I'll post my rules list here.


    OK.

    --
    Some people like Dozzie...
    Of course we respect them.
    Stanislaw Klekot

  8. Re: iptables rules to allow name service through firewall

    "C. J. Clegg" (06-11-03 08:46:24):

    > > you might have forgotten to set
    > > /proc/sys/net/ipv4/ip_forward to 1.

    >
    > I looked up ip_forward ... isn't that intended to control use of the
    > computer as a router, i.e. forwarding IP packets to other hosts?
    >
    > That isn't what I'm doing here... the iptables firewall is just
    > intended to control what goes into or out of its own machine.


    Yes, and this is in fact forwarding. Those packets, which pass the
    router (whose destination is not the router itself), pass through the
    router, i.e. they get forwarded to some other host.

    By the way, on that occasion I would just install a DNS cache. This
    greatly speeds up DNS lookups. Have a look at djbdns [1].


    Regards,
    E.S.


    References:
    [1] http://cr.yp.to/djbdns.html

  9. Re: iptables rules to allow name service through firewall

    Ertugrul Soeylemez wrote:
    > "C. J. Clegg" (06-11-03 08:46:24):
    >
    >
    >>> you might have forgotten to set
    >>> /proc/sys/net/ipv4/ip_forward to 1.

    >>
    >> I looked up ip_forward ... isn't that intended to control use of the
    >> computer as a router, i.e. forwarding IP packets to other hosts?
    >>
    >> That isn't what I'm doing here... the iptables firewall is just
    >> intended to control what goes into or out of its own machine.

    >
    >
    > Yes, and this is in fact forwarding. Those packets, which pass the
    > router (whose destination is not the router itself), pass through the
    > router, i.e. they get forwarded to some other host.
    >
    > By the way, on that occasion I would just install a DNS cache. This
    > greatly speeds up DNS lookups. Have a look at djbdns [1].
    >
    >
    > Regards,
    > E.S.
    >
    >
    > References:
    > [1] http://cr.yp.to/djbdns.html


    In simple networks, dnsmasq is a simpler alternative for local
    name service and caching.


    --

    Tauno Voipio
    tauno voipio (at) iki fi
