- 08-12-2011 #1
DNS in iptables?
Hi,
I am having problem with my DNS server when using this iptables config. Any one can suggest a solution?
*filter
# Samba
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
# SYN Flood Protection
-A INPUT -p tcp --syn -m limit --limit 5/second -j ACCEPT
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows SSH connections
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# My webmin custom port
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
# POP mail
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT --syn
# SMTP Traffic
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT --syn
# HTTP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT --syn
# HTTPS
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT --syn
# IMAP mail services
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT --syn
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# DNS
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT --syn
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp -s 0/0 -d 0/0 --sport 53 -j ACCEPT
# Localhost traffic
-A INPUT -i lo -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j DROP
# The below commits the rules to production for iptables to execute
COMMIT
- 08-13-2011 #2
I would change your complete firewall rules. From what I see you are mixing STATEFUL with CONNECTION and I would not do this.
To your original question on DNS
Change
Code:
# DNS
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT --syn
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp -s 0/0 -d 0/0 --sport 53 -j ACCEPT
to
Code:
# DNS
-A INPUT -m state --state NEW --dport 53 -j ACCEPT
Since DNS uses both TCP and UDP there is no real reason to make more than one statement in your rules.
I would move
Code:
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
To the top of your rules list. Remember rules are read and executed top down.
Then I would add the -m state --state NEW to all your rules and remove the --syn from the end of any rule that has it, as
Code:
# SYN Flood Protection
-A INPUT -p tcp --syn -m limit --limit 5/second -j ACCEPT
takes care of your syn.
- 08-13-2011 #3
Hi Robert,
Thanks a lot for your help.
I did all the modifications you suggested but the new DNS rule seems to generate this error:
iptables-restore v1.4.2: Unknown arg `(null)'
Also I was not sure if the last two rules need the "-m state --state NEW" you suggested, since they are the catch-all rules for everything else:
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j DROP
- 08-13-2011 #4
Is the above your complete rule set?
Try the following:
Code:
#!/bin/bash
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --syn -m limit --limit 5/second -j ACCEPT
iptables -A INPUT -m state --state NEW --dport 53 -j ACCEPT
iptables -A INPUT -m state --state NEW -p udp -m udp --dport 137 -j ACCEPT
iptables -A INPUT -m state --state NEW -p udp -m udp --dport 138 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 10000 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
- 08-13-2011 #5
Hi Robert,
I am getting this error if I don't comment out the DNS filter line:
iptables v1.4.2: Unknown arg `(null)'
Try `iptables -h' or 'iptables --help' for more information.
All the rest seemed to be accepted by iptables.
- 08-14-2011 #6
You do need the tcp/udp in the rules for Stateful tracking. Sorry about that.
The following should work:
Code:
#!/bin/bash
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --syn -m limit --limit 5/second -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state NEW -p udp -m udp --dport 137 -j ACCEPT
iptables -A INPUT -m state --state NEW -p udp -m udp --dport 138 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 10000 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
What the above does is set up your firewall to be STATEFUL.
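Added example, not part of the thread: a small Python lint that checks a rule dump for the two things the replies above turn on, a --dport/--sport rule with no -p tcp/udp (what produced the "Unknown arg `(null)'" error in #3 and #5) and an ESTABLISHED,RELATED accept sitting below the per-service rules in INPUT (the ordering advice in #2). The sample rules at the bottom are constructed from the thread's own lines; the function and variable names are this example's own.

```python
import shlex
PORT_OPTS, PORT_PROTOS = {"--dport", "--sport"}, {"tcp", "udp", "udplite", "sctp", "dccp"}

def parse_rule(line):
    """(chain, tokens) for an '-A CHAIN ...' line, restore-dump or script form."""
    tokens = shlex.split(line, comments=True)
    if tokens and tokens[0] == "iptables":
        tokens = tokens[1:]
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    return tokens[1], tokens[2:]

def opt(tokens, *names):
    # value after the last occurrence of any of the option names, or None
    found = None
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            found = tokens[i + 1]
    return found

def missing_protocol(tokens):
    """Port match with no -p tcp/udp: iptables 1.4 says Unknown arg `(null)'."""
    proto = (opt(tokens, "-p", "--protocol") or "").lower()
    return any(t in PORT_OPTS for t in tokens) and proto not in PORT_PROTOS

def accepts_established(tokens):
    """ACCEPT rule whose --state/--ctstate list includes ESTABLISHED."""
    states = (opt(tokens, "--state", "--ctstate") or "").upper().split(",")
    return opt(tokens, "-j") == "ACCEPT" and "ESTABLISHED" in states

def lint(rules_text):
    """Return [(line_no, message)] for an iptables-restore dump or script."""
    findings, service_seen = [], False
    for no, raw in enumerate(rules_text.splitlines(), 1):
        chain, tokens = parse_rule(raw) or ("", [])  # non-rule lines parse to ("", [])
        if missing_protocol(tokens):
            findings.append((no, "port match without -p tcp/udp"))
        if chain == "INPUT" and accepts_established(tokens) and service_seen:
            findings.append((no, "ESTABLISHED,RELATED accept is below service rules"))
        elif chain == "INPUT" and any(t in PORT_OPTS for t in tokens):
            service_seen = True
    return findings

# Constructed sample: Samba accept above ESTABLISHED, then Robert's first and fixed DNS rules
SAMPLE = """\
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
"""
```

Feed it the whole *filter block or the bash script from the posts; `*filter`, `COMMIT` and comment lines are skipped, so the line numbers it reports match the file.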
- 08-15-2011 #7
Hi Robert,
Great, it works now!
Thanks a lot for your help.
- 08-15-2011 #8
Glad I was able to help you.