- 04-16-2012 #1
- Join Date
- Jan 2008
Iptables DNS only from one ip address
I have a question set for a computing class:
You have a network in which there are 4 computers on an internal network which all pass through the gateway labelled "gw1".
You must construct an iptables rule set in which only the machine called "dns1" (with the ip address of 220.127.116.11) is allowed to make outbound DNS requests (UDP port 53) and receive the associated replies. All other inbound and outbound UDP traffic is not permitted. The interface in use is eth0.
I came up with the solution of:
iptables -I INPUT -i eth0 -p UDP -d 18.104.22.168 --dport 53 -j ACCEPT
iptables -I OUTPUT -i eth0 -p UDP -s 22.214.171.124 --dport 53 -j ACCEPT
iptables -I INPUT -i eth0 -p UDP -j DROP
iptables -I OUTPUT -i eth0 -p UDP -j DROP
However this is incorrect. Can anyone explain why I am wrong, and maybe point me in the correct direction?
- 04-16-2012 #2
I believe that you don't need the DROP on the OUTPUT chain.
- 04-17-2012 #3
- Join Date
- Jan 2011
- Fairfax, Virginia, USA
# Accept only replies to queries: they come back from source port 53 and
# conntrack marks them ESTABLISHED only when a matching query went out
iptables --append INPUT --match state --state ESTABLISHED \
    --protocol udp --destination 126.96.36.199 \
    --source-port 53 --jump ACCEPT
# Only allow datagrams going out to UDP/53 (queries leave from an ephemeral port)
iptables --append OUTPUT --protocol udp --destination-port 53 \
    --source 188.8.131.52 --jump ACCEPT
# Drop all other incoming and outgoing packets here
Last edited by BrianMicek; 04-17-2012 at 02:07 AM.
- 04-17-2012 #4
- Join Date
- Jan 2009
The DROP rules are OK, as the instruction says "All other inbound and outbound UDP traffic is not permitted."
However, it also says that "only dns1 is allowed to make outbound DNS requests", so dns1 is the source of the request (-s 184.108.40.206) and the destination is the DNS server listening on port 53 (--dport 53).
And the second one should receive the associated replies. The replies from the DNS server come from port 53 (--sport 53) and go to dns1 as the destination (-d 220.127.116.11).
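A complete rule set for the scenario in the question, as an added example that is not code from this thread: it appends the two ACCEPT rules ahead of the catch-all DROPs (which is why -A rather than -I matters), matches replies by source port 53 plus conntrack state, and carries a small first-match evaluator so the verdicts can be checked without root. The dns1 address and eth0 come from the question; the resolver address 192.0.2.53 and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: the rule set the question asks for
# plus a small first-match evaluator so verdicts can be checked without root.
# Assumed values, taken from the question: dns1 is 220.127.116.11, interface eth0.
DNS1="${DNS1:-220.127.116.11}"
IFACE="${IFACE:-eth0}"

# Print the rules instead of applying them; review, then run as root to apply.
# -A appends, so the rules land in the order written: ACCEPTs first, then the
# catch-all DROPs. With -I each rule is inserted at the top, so inserting the
# DROPs last would put them ahead of the ACCEPTs and block everything.
dns_rules() {
  # dns1 sends queries from an ephemeral port to UDP/53 on any resolver
  echo "iptables -A OUTPUT -o $IFACE -p udp -s $DNS1 --dport 53 -j ACCEPT"
  # replies come back from source port 53 to dns1; conntrack marks them
  # ESTABLISHED only when a matching query went out, so unsolicited port-53
  # datagrams still fall through to the DROP below
  echo "iptables -A INPUT -i $IFACE -p udp -d $DNS1 --sport 53 -m state --state ESTABLISHED -j ACCEPT"
  # every other UDP datagram, in either direction, is dropped
  echo "iptables -A INPUT -i $IFACE -p udp -j DROP"
  echo "iptables -A OUTPUT -o $IFACE -p udp -j DROP"
}

# First-match evaluation of the rule set above for one UDP datagram.
# usage: udp_verdict <INPUT|OUTPUT> <src> <dst> <sport> <dport> <NEW|ESTABLISHED>
# prints ACCEPT or DROP, as the corresponding chain would decide.
udp_verdict() {
  chain=$1; src=$2; dst=$3; sport=$4; dport=$5; state=$6
  verdict=DROP
  case $chain in
    OUTPUT)
      if [ "$src" = "$DNS1" ] && [ "$dport" = 53 ]; then verdict=ACCEPT; fi ;;
    INPUT)
      if [ "$dst" = "$DNS1" ] && [ "$sport" = 53 ] && [ "$state" = ESTABLISHED ]; then
        verdict=ACCEPT
      fi ;;
  esac
  echo "$verdict"
}

# One resolver exchange (192.0.2.53 is a constructed sample address) plus an
# unsolicited datagram and a query from another host, to show where each lands.
demo() {
  printf 'query from dns1       %s\n' "$(udp_verdict OUTPUT "$DNS1" 192.0.2.53 40000 53 NEW)"
  printf 'reply to dns1         %s\n' "$(udp_verdict INPUT 192.0.2.53 "$DNS1" 53 40000 ESTABLISHED)"
  printf 'unsolicited from 53   %s\n' "$(udp_verdict INPUT 192.0.2.53 "$DNS1" 53 40000 NEW)"
  printf 'query from other host %s\n' "$(udp_verdict OUTPUT 220.127.116.12 192.0.2.53 40000 53 NEW)"
}
demo
```

Pipe the output of dns_rules into a root shell to apply it; the evaluator mirrors the rule order, so a change to one must be reflected in the other.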
- 04-17-2012 #5