  1. #1 (Just Joined!; Join Date: Jan 2008; Posts: 12)

    Iptables DNS only from one ip address

    Hi,

    I have a question set for a computing class:

    You have a network in which there are 4 computers on an internal network which all pass through the gateway labelled "gw1".

    You must construct an iptables rule set in which only the machine called "dns1" (with the ip address of 146.227.150.220) is allowed to make outbound DNS requests (UDP port 53) and receive the associated replies. All other inbound and outbound UDP traffic is not permitted. The interface in use is eth0.

    I came up with the solution of:

    iptables -I INPUT -i eth0 -p UDP -d 146.227.150.220 --dport 53 -j ACCEPT
    iptables -I OUTPUT -i eth0 -p UDP -s 146.227.150.220 --dport 53 -j ACCEPT
    iptables -I INPUT -i eth0 -p UDP -j DROP
    iptables -I OUTPUT -i eth0 -p UDP -j DROP

    However this is incorrect. Can anyone explain why I am wrong, and maybe point me in the correct direction?

    Thanks,

    Pompalomp

  2. #2 Kloschüssel (Linux Engineer; Join Date: Oct 2005; Location: Italy; Posts: 773)

    Hi

    I believe that you don't need the DROP on the OUTPUT chain.

    Cheers

  3. #3 (Just Joined!; Join Date: Jan 2011; Location: Fairfax, Virginia, USA; Posts: 94)

    Quote Originally Posted by pompalomp
    This is a really good question. I haven't tried this out and I don't think it's what your instructor is looking for, but I'd use Netfilter's ESTABLISHED state (yes, on UDP). I think your rule for gw1 would look something like this assuming .200 was free to send datagrams to the Internet.
    Code:
    # Accept only replies to queries: a DNS reply comes back *from* port 53,
    # and conntrack has already seen the outgoing query, so it is ESTABLISHED
    iptables --append INPUT --match state --state ESTABLISHED \
        --protocol udp --destination 146.227.150.220 \
        --source-port 53 --jump ACCEPT
    # Only allow datagrams from dns1 going out *to* UDP/53
    iptables --append OUTPUT --protocol udp --source 146.227.150.220 \
        --destination-port 53 --jump ACCEPT
    # Drop all other incoming and outgoing UDP packets here
    iptables --append INPUT --protocol udp --jump DROP
    iptables --append OUTPUT --protocol udp --jump DROP
    Last edited by BrianMicek; 04-17-2012 at 01:07 AM.

  4. #4 (Just Joined!; Join Date: Jan 2009; Posts: 30)

    Hi,

    The DROP rules are OK, as the instruction says "All other inbound and outbound UDP traffic is not permitted."

    However, it also says that "only dns1 is allowed to make outbound DNS requests", so dns1 is the source of the request (-s 146.227.150.220) and the destination is the DNS server listening on port 53 (--dport 53).

    And second, it should receive the associated replies. The replies from the DNS server go from port 53 (--sport 53) to the destination dns1 (-d 146.227.150.220).

    Balda

  5. #5 Lazydog (Linux Guru; Join Date: Jun 2004; Location: The Keystone State; Posts: 2,677)

    Per forum rules homework questions are not allowed. I will point you in the right direction as you have made an attempt to work it out. Look at FORWARD. You can read up on it HERE

    Regards
    Robert

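As an added example (my own code, not from any poster in this thread), the following Python models iptables chains as first-match rule lists and runs the assignment's DNS traffic through both the rule set from post #1 and a corrected set that follows post #4's port directions and post #5's FORWARD hint. It also models -I inserting at the head of a chain, which is why post #1's DROP rules land in front of its ACCEPT rules. Interface and protocol matching are not modelled (everything here is UDP on eth0); the resolver address, the second internal host and the ephemeral port are constructed values.

```python
# Added example, not from the thread: a minimal first-match model of
# iptables chains, used to check the OP's rule set against the DNS
# traffic in the assignment. Only UDP is modelled; the resolver address,
# the second internal host and the ephemeral port are constructed values.
DNS1 = "146.227.150.220"
OTHER = "146.227.150.221"    # constructed: another internal host
RESOLVER = "198.51.100.53"   # constructed: upstream DNS server
EPHEMERAL = 40000            # constructed: client-side source port

def pkt(src, dst, sport, dport, state):
    """A UDP datagram; state is conntrack's view (NEW or ESTABLISHED)."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "state": state}

def rule(target, **match):
    """match keys mirror iptables options: src (-s), dst (-d), sport, dport, state."""
    return {"target": target, **match}

def build(cmds):
    """cmds are (flag, chain, rule); -I inserts at the head, -A appends."""
    chains = {}
    for flag, chain, r in cmds:
        lst = chains.setdefault(chain, [])
        lst.insert(0, r) if flag == "-I" else lst.append(r)
    return chains

def verdict(chain, p, policy="ACCEPT"):
    for r in chain:              # first matching rule decides
        if all(p[k] == v for k, v in r.items() if k != "target"):
            return r["target"]
    return policy                # chain policy when nothing matched

# OP's rules as posted: all -I, so each chain gets DROP ahead of ACCEPT
OP = build([("-I", "INPUT", rule("ACCEPT", dst=DNS1, dport=53)),
            ("-I", "OUTPUT", rule("ACCEPT", src=DNS1, dport=53)),
            ("-I", "INPUT", rule("DROP")),
            ("-I", "OUTPUT", rule("DROP"))])

# Corrected set for gw1: dns1's traffic transits the gateway, so it is
# seen in FORWARD; queries go *to* port 53, replies come *from* port 53.
FIXED = build([("-A", "FORWARD", rule("ACCEPT", src=DNS1, dport=53)),
               ("-A", "FORWARD", rule("ACCEPT", dst=DNS1, sport=53, state="ESTABLISHED")),
               ("-A", "FORWARD", rule("DROP"))])

QUERY = pkt(DNS1, RESOLVER, EPHEMERAL, 53, "NEW")
REPLY = pkt(RESOLVER, DNS1, 53, EPHEMERAL, "ESTABLISHED")
OTHER_QUERY = pkt(OTHER, RESOLVER, EPHEMERAL, 53, "NEW")
```

Even with -A instead of -I, the OP's INPUT accept still misses the reply, because the reply's destination port is the client's ephemeral port, not 53.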
