Re: iptables firewall script for debian-woody, 2.4.24
From: Dalibor Straka (dast_at_panelnet.cz)
Date: Wed, 19 May 2004 19:11:57 +0200 To: email@example.com
On Wed, May 19, 2004 at 04:08:16PM -0000, Jim wrote:
> In-Reply-To: <4071BC2D.firstname.lastname@example.org>
> >Gord Philpott wrote:
> >>> I have used the script on other systems, and have commented out the
> >>> ports that are not needed for this setup. When I nmap the server
> >>> with the firewall script off, I get different results than when the
> >>> firewall script is on. I am looking to have the ports needed to run
> >>> DNS and SSH available regardless of the firewall status.
> >>> $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >>> $IPTABLES -A OUTPUT -p tcp --destination-port 53 -j ACCEPT # DNS
> >>> $IPTABLES -A OUTPUT -p udp --destination-port 53 -j ACCEPT # DNS
> >>> $IPTABLES -A OUTPUT -p tcp --destination-port 22 -j ACCEPT # SSH
> >You hope, that destination port for incoming DNS queries will be 53.
> >This is not true. The same is for SSH.
> This thought is wrong. Of cause SSH and DNS are
> services, which are connected on th ports 22 and 53 as
> destination, so in principle, this should work.
> But only for TCP, as you only allow traffic TO
> those ports, not the other way round. So what
> you're missing are most responses on UDP, since
> not all DNS - queries also use port 53 on their
> local side, especially NMAP won't work that way,
> and your STATE=RELATED does not seem to work
> (and "ESTABLISHED" is always wrong in UDP), so
> I would add the following lines:
> $IPTABLES -A OUTPUT -p udp --source-port 53 -j ACCEPT
> same for the other port, that did not work.
I haven't seen the firewall skript but if dns query uses any sourceport
greater than 1024 (otherwise must be run with root privileges) and
destination is always 53, then
> >>> $IPTABLES -A OUTPUT -p tcp --destination-port 53 -j ACCEPT
> >>> $IPTABLES -A OUTPUT -p udp --destination-port 53 -j ACCEPT,
is OK. To receive an answer you need
$IPTABLES -A INPUT -p udp --source-port 53 -j ACCEPT.
Maybe you wanted to write INPUT?
-- Dalibor Straka