Re: Up zone resolving for DNS through IPTABLES security
From: Felix Tiede (tiede_at_pc-tiede.de)
Date: 08/27/04
- Next message: Denver Prophit: "Re: lock password intruders"
- Previous message: Peter S: "Up zone resolving for DNS through IPTABLES security"
- In reply to: Peter S: "Up zone resolving for DNS through IPTABLES security"
- Next in thread: Tim Haynes: "Re: Up zone resolving for DNS through IPTABLES security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 27 Aug 2004 13:29:59 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Peter S wrote:
| Really would appreciate help here!
|
| Have a dual hosted machine - eth0 to Internet, eth1 to Lan, running
| IPTABLES to provide a firewall, OS is Red Hat Linux 8, BIND 9.2.1.
|
| I have created a DNS server on this machine which works fine on the
| local zone information and for dynamic dns with DHCP. This all works
| fine.
|
| The problem however is that I cannot reach name servers for the remote
| zone with LOKKIT running on high security - a copy of the IPTABLEs
| used is below. *** If LOKKIT is not running then it works fine ****.
| The two IP addresses are my service provider's DNS that I am currently
| having to use to get connectivity.
|
| I found out that BIND after version 8 uses high ports for Resolvers,
| so as recommended I added an option line to /etc/named.conf to get DNS
| to use port 53.
|
| options { query-source address * port 53; }
|
| Then I used various IPTABLE commands for --dport 53 and --sport 53 but
| to no avail.
|
| What do I need to issue in the way of IPTABLE commands to make this
| work?
|
| I have extended beyond my knowledge and despite days of trawling
| user groups, reading manuals and postings, and trial and error I am
| still no further. I would be very grateful for assistance.
|
|
| Output from iptables-save
|
| *nat
| :PREROUTING ACCEPT [12:744]
| :POSTROUTING ACCEPT [18:1392]
| :OUTPUT ACCEPT [15:1272]
| [2:108] -A POSTROUTING -o eth0 -j SNAT --to-source 1.1.1.2 (obfuscated!)
| COMMIT
|
| *filter
| :INPUT ACCEPT [5:364]
| :FORWARD ACCEPT [6:1629]
| :OUTPUT ACCEPT [66:6945]
| :RH-Lokkit-0-50-INPUT - [0:0]
| [47:5158] -A INPUT -j RH-Lokkit-0-50-INPUT
| [26:3197] -A FORWARD -j RH-Lokkit-0-50-INPUT
| [1:48] -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
| [1:60] -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
| [0:0] -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
| [0:0] -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
| [3:241] -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
| [23:1899] -A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT
| [0:0] -A RH-Lokkit-0-50-INPUT -s 127.0.0.1 -p udp -m udp --sport 53 -j ACCEPT
| [1:290] -A RH-Lokkit-0-50-INPUT -s 212.158.192.2 -p udp -m udp --sport 53 -j ACCEPT
| [1:212] -A RH-Lokkit-0-50-INPUT -s 212.158.192.3 -p udp -m udp --sport 53 -j ACCEPT
| [0:0] -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
| [32:3612] -A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
| COMMIT
As far as I can see from your configuration, this has less to do with
iptables/lokkit than with your DNS configuration. It seems your bind has no
forwarders configured. In this case, it will first connect to the root
DNS servers, then to the DNS of the TLD, and so on. This obviously cannot
work if access to these servers is blocked by your iptables configuration.
There are two ways to work around it:
1. Issue the following command to iptables:
#> iptables -t filter -I RH-Lokkit-0-50-INPUT 10 -p udp \
      -m udp --sport 53 -j ACCEPT
This will allow access to all DNS servers worldwide, but may be a security
hole.
2. Alter your bind configuration: Add these lines to the "options" part of
your /etc/named.conf:
      forward first;
      forwarders { 212.158.192.2; 212.158.192.3; };
Thus the beginning of /etc/named.conf should look like this:
options {
      forward first;
      forwarders { 212.158.192.2; 212.158.192.3; };
      query-source address * port 53;
      // To keep the internet from querying your server:
      allow-query { [your LANs base-IP]/24; 127.0.0.1; };
      allow-recursion { [your LANs base-IP]/24; 127.0.0.1; };
};
This will force bind to ask your provider's nameservers in case the local
cache or zones don't have the requested information. Only if this fails
will bind try to connect to the DNS root servers, which will fail and result
in an unanswered question. This way is more secure, but also has a caveat:
If your provider should change its nameservers, lokkit will know, because it
is updated by the dial-in scripts. But you will have to reconfigure bind.
Happily this doesn't happen very often.
I recommend reading the DNS-HowTo at 'http://www.tldp.org/HOWTO/DNS-HOWTO.html'.
Greetings,
Felix
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFBLxs3DH+mFzdSOa0RArsgAJ0UbK5bszGzRmbaYB5o374HnsgDggCeIBkz
Np81V4Rnil3mGC07UFcYOtA=
=mwbz
-----END PGP SIGNATURE-----
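The "maybe a security hole" in option 1 above is a concrete one: a filter rule that accepts UDP on the strength of `--sport 53` alone lets anyone reach every UDP service on the box simply by sending from source port 53, and the host-restricted variants in the posted ruleset are only as strong as a spoofable source address. The usual fix is to accept only packets that connection tracking already knows as replies (`-m state --state ESTABLISHED`, available with ip_conntrack on the 2.4 kernels Red Hat 8 ships). Once replies are matched by state, the `query-source ... port 53` pin is no longer needed, and dropping it is preferable anyway, since a fixed query source port makes forged replies easier to land. The following is an added example, not code from the thread or from Lokkit: a small auditor for the iptables-save format shown in the post that finds source-port-trust rules and prints a stateful replacement for each. The sample dump is constructed from the post (abridged, wrapped lines rejoined) plus the unrestricted rule that option 1 would add; the function and field names are this example's own.

```python
"""Audit an iptables-save dump for UDP "DNS reply" rules that trust the source port alone.

Added example, not code from the thread: it parses the iptables-save format shown in
the post, reports ACCEPT rules keyed only on --sport 53, and emits a stateful
replacement for each.  The sample dump is constructed from the post (abridged, with
wrapped lines rejoined) plus the unrestricted rule from option 1 of the reply.
"""
import re
import shlex

SAMPLE_IPTABLES_SAVE = """\
*nat
:POSTROUTING ACCEPT [18:1392]
[2:108] -A POSTROUTING -o eth0 -j SNAT --to-source 1.1.1.2
COMMIT
*filter
:INPUT ACCEPT [5:364]
:RH-Lokkit-0-50-INPUT - [0:0]
[47:5158] -A INPUT -j RH-Lokkit-0-50-INPUT
[1:48] -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[3:241] -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
[23:1899] -A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT
[0:0] -A RH-Lokkit-0-50-INPUT -s 127.0.0.1 -p udp -m udp --sport 53 -j ACCEPT
[1:290] -A RH-Lokkit-0-50-INPUT -s 212.158.192.2 -p udp -m udp --sport 53 -j ACCEPT
[1:212] -A RH-Lokkit-0-50-INPUT -s 212.158.192.3 -p udp -m udp --sport 53 -j ACCEPT
[0:0] -A RH-Lokkit-0-50-INPUT -p udp -m udp --sport 53 -j ACCEPT
[32:3612] -A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

COUNTER_RE = re.compile(r"^\[\d+:\d+\]\s*")   # leading "[pkts:bytes]" counters


def parse_iptables_save(dump):
    """Parse iptables-save text into rule dicts: table, chain, opts {flag: [values]}, negated flags."""
    rules, table = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line[0] in "#:" or line == "COMMIT":
            continue                     # comments, chain policy lines, end of table
        if line.startswith("*"):
            table = line[1:]             # "*filter" opens a new table
            continue
        opts, negated, key, neg = {}, set(), None, False
        for tok in shlex.split(COUNTER_RE.sub("", line)):
            if tok == "!":               # "! -s x" (new style) or "-s ! x" (old style)
                neg = True
                continue
            if tok.startswith("-"):
                key = tok
                opts.setdefault(key, [])
            elif key is not None:
                opts[key].append(tok)
            if neg and key is not None:
                negated.add(key)
                neg = False
        rules.append({"table": table, "chain": opts.get("-A", [None])[0],
                      "opts": opts, "negated": negated})
    return rules


def stateful_replacement(rule):
    """Same rule, but accepting only replies to queries this host already sent (needs ip_conntrack)."""
    o, neg = rule["opts"], rule["negated"]
    parts = ["-A", rule["chain"]]
    for flag in ("-i", "-s"):            # keep interface/source restrictions that were not negated
        if flag in o and flag not in neg:
            parts += [flag, o[flag][0]]
    sport = (o.get("--sport") or o["--source-port"])[0]
    parts += ["-p", "udp", "-m", "udp", "--sport", sport,
              "-m", "state", "--state", "ESTABLISHED", "-j", "ACCEPT"]
    return " ".join(parts)


def find_source_port_trust(rules, port="53"):
    """Flag filter-table ACCEPT rules that admit UDP solely because the source port is `port`."""
    findings = []
    for r in rules:
        o, neg = r["opts"], r["negated"]
        if r["table"] != "filter" or o.get("-j") != ["ACCEPT"] or o.get("-p") != ["udp"]:
            continue
        if "--sport" in neg or "--source-port" in neg:
            continue
        if (o.get("--sport") or o.get("--source-port")) != [port]:
            continue
        if any(f in o for f in ("--state", "--ctstate", "--dport", "--destination-port")):
            continue                     # tied to a tracked connection or to one local service
        if o.get("-i") == ["lo"]:
            continue
        src = None if "-s" in neg else o.get("-s", [None])[0]   # "! -s x" restricts nothing useful
        if src is None:
            sev, why = "high", "any host reaches every UDP port by sending from source port 53"
        elif src.startswith("127."):
            sev, why = "low", "limited to loopback"
        else:
            sev, why = "medium", f"limited to {src}, but the address is spoofable and no state is checked"
        findings.append({"chain": r["chain"], "source": src, "severity": sev,
                         "why": why, "fix": stateful_replacement(r)})
    return findings


def audit(dump, port="53"):
    return find_source_port_trust(parse_iptables_save(dump), port)


if __name__ == "__main__":
    for f in audit(SAMPLE_IPTABLES_SAVE):
        print(f"[{f['severity']}] {f['chain']} from {f['source'] or 'anywhere'}: {f['why']}")
        print(f"    stateful form: {f['fix']}")
```

The `fix` strings are in iptables-save/iptables-restore syntax; each must take the place of the rule it was derived from, ahead of the chain's catch-all REJECT lines, rather than being appended after them. Run on a live box, feed it `iptables-save` output instead of the constructed sample.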