Re: iptables firewall script for debian-woody, 2.4.24

From: Dalibor Straka (dast_at_panelnet.cz)
Date: 05/19/04

Date: Wed, 19 May 2004 19:11:57 +0200
To: focus-linux@securityfocus.com

    On Wed, May 19, 2004 at 04:08:16PM -0000, Jim wrote:
    > In-Reply-To: <4071BC2D.6060205@delfi.lt>
    >
    > >Gord Philpott wrote:
    > >>> I have used the script on other systems, and have commented out the
    > >>> ports that are not needed for this setup. When I nmap the server
    > >>> with the firewall script off, I get different results than when the
    > >>> firewall script is on. I am looking to have the ports needed to run
    > >>> DNS and SSH available regardless of the firewall status.
    > >
    > >>> $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    > >>> $IPTABLES -A OUTPUT -p tcp --destination-port 53 -j ACCEPT # DNS
    > >>> $IPTABLES -A OUTPUT -p udp --destination-port 53 -j ACCEPT # DNS
    > >>> $IPTABLES -A OUTPUT -p tcp --destination-port 22 -j ACCEPT # SSH
    > >
    > >You hope, that destination port for incoming DNS queries will be 53.
    > >This is not true. The same is for SSH.
    >
    > This thought is wrong. Of course SSH and DNS are
    > services, which are connected on the ports 22 and 53 as
    > destination, so in principle, this should work.
    > But only for TCP, as you only allow traffic TO
    > those ports, not the other way round. So what
    > you're missing are most responses on UDP, since
    > not all DNS - queries also use port 53 on their
    > local side, especially NMAP won't work that way,
    > and your STATE=RELATED does not seem to work
    > (and "ESTABLISHED" is always wrong in UDP), so
    > I would add the following lines:
    > $IPTABLES -A OUTPUT -p udp --source-port 53 -j ACCEPT
    > same for the other port, that did not work.
    >

    I haven't seen the firewall script but if the DNS query uses any source port
    greater than 1024 (otherwise it must be run with root privileges) and the
    destination is always 53, then
    > >>> $IPTABLES -A OUTPUT -p tcp --destination-port 53 -j ACCEPT
    > >>> $IPTABLES -A OUTPUT -p udp --destination-port 53 -j ACCEPT,
    is OK. To receive an answer you need
    $IPTABLES -A INPUT -p udp --source-port 53 -j ACCEPT.
    Maybe you wanted to write INPUT?

    -- Dalibor Straka

