04-16-2012 #1
Iptables DNS only from one ip address
Hi,
I have a question set for a computing class:
You have a network in which there are 4 computers on an internal network which all pass through the gateway labelled "gw1".
You must construct an iptables rule set in which only the machine called "dns1" (with the ip address of 146.227.150.220) is allowed to make outbound DNS requests (UDP port 53) and receive the associated replies. All other inbound and outbound UDP traffic is not permitted. The interface in use is eth0.
I came up with the solution of:
iptables -I INPUT -i eth0 -p UDP -d 146.227.150.220 --dport 53 -j accept
iptables -I OUTPUT -i eth0 -p UDP -s 146.227.150.220 --dport 53 -j accept
iptables -I INPUT -i eth0 -p UDP -j DROP
iptables -I OUTPUT -i eth0 -p UDP -j DROP
However this is incorrect. Can anyone explain why I am wrong, and maybe point me in the correct direction?
Thanks,
Pompalomp
- 04-16-2012 #2
Hi
I believe that You don't need the DROP on the OUTPUT chain.
Cheers
04-17-2012 #3
This is a really good question. I haven't tried this out and I don't think it's what your instructor is looking for, but I'd use Netfilter's ESTABLISHED state (yes, on UDP). I think your rule for gw1 would look something like this assuming .200 was free to send datagrams to the Internet.
Code:
# Accept only replies from queries: conntrack marks a UDP datagram
# ESTABLISHED once it has seen the query going the other way, so a
# reply comes from port 53 and is addressed to dns1
iptables --append INPUT --match state --state ESTABLISHED \
    --protocol udp --destination 146.227.150.220 \
    --source-port 53 --jump ACCEPT
# Only allow datagrams outgoing from dns1 to UDP/53
iptables --append OUTPUT --protocol udp --destination-port 53 \
    --source 146.227.150.220 --jump ACCEPT
# Drop all other incoming and outgoing UDP packets here
iptables --append INPUT --protocol udp --jump DROP
iptables --append OUTPUT --protocol udp --jump DROP
Last edited by BrianMicek; 04-17-2012 at 01:07 AM.
04-17-2012 #4
Hi,
the DROP rules are ok, as the instruction says "All other inbound and outbound UDP traffic is not permitted."
However, it also says that "only dns1 is allowed to make outbound DNS requests", so dns1 is the source of the request (-s 146.227.150.220) and the destination is the DNS server listening on port 53 (--dport 53).
And second, it should receive the associated replies. The replies from the DNS server go from port 53 (--sport 53) to the destination dns1 (-d 146.227.150.220).
Balda
04-17-2012 #5
Per forum rules homework questions are not allowed. I will point you in the right direction as you have made an attempt to work it out. Look at FORWARD. You can read up on it HERE
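An added example, not code posted by anyone in the thread: a script that builds the rule set replies #4 and #5 describe, as a security engineer would write it for the assignment. Queries are matched as source dns1 / destination port 53 and replies as source port 53 / destination dns1, and on gw1 the rules go in FORWARD, because the packets of a host behind the gateway only pass through it and never hit gw1's INPUT or OUTPUT chains. A second function shows the same policy loaded on dns1 itself, the reading reply #4 takes. Assumptions that are not in the original: eth0 is gw1's external interface, the conntrack match is available, and the iptables command can be overridden through IPT (IPT="echo iptables") to print the rules instead of loading them.

```sh
#!/bin/sh
# Added example, not code from the thread. Builds the UDP/53 rule set for the
# assignment. Assumptions (not in the original): eth0 is the external interface,
# the conntrack match is loaded, and IPT may be set to "echo iptables" to print
# the rules instead of loading them.

DNS1=146.227.150.220
WAN=eth0
IPT="${IPT:-iptables}"

# Rules for gw1, the gateway the four internal hosts pass through.
gw1_udp_rules() {
    # 1. dns1's outbound queries: from dns1, to port 53, leaving on eth0.
    $IPT -A FORWARD -o "$WAN" -p udp -s "$DNS1" --dport 53 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    # 2. the associated replies: from port 53, to dns1, arriving on eth0, and only
    #    when conntrack has already seen the query (unsolicited UDP/53 stays blocked).
    $IPT -A FORWARD -i "$WAN" -p udp -d "$DNS1" --sport 53 \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
    # 3. every other UDP datagram, whether forwarded, addressed to gw1 or sent by it.
    $IPT -A FORWARD -p udp -j DROP
    $IPT -A INPUT -p udp -j DROP
    $IPT -A OUTPUT -p udp -j DROP
}

# The same policy if it is loaded on dns1 itself (the reading in reply #4):
# INPUT/OUTPUT instead of FORWARD, and OUTPUT takes -o, never -i.
dns1_host_rules() {
    $IPT -A OUTPUT -o "$WAN" -p udp -s "$DNS1" --dport 53 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p udp -d "$DNS1" --sport 53 \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p udp -j DROP
    $IPT -A OUTPUT -p udp -j DROP
}

# Print what a rule-set function would load, without touching the kernel.
dry_run() {
    ( IPT="echo iptables"; "$1" )
}

# Run directly with --show to print both rule sets; call a function with the
# default IPT (as root) to load one.
if [ "${1:-}" = "--show" ]; then
    dry_run gw1_udp_rules
    dry_run dns1_host_rules
fi
```

Two details worth checking against the first post. The rules are appended with -A, so the ACCEPT rules are evaluated before the DROP rules; with -I, each later rule is inserted at the top of the chain, so the two DROP rules issued last would be matched first and block everything. And an OUTPUT rule cannot carry -i, since a packet leaving the host has no input interface; the match is -o. -m conntrack --ctstate is the current spelling of the --match state --state used in reply #3.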