[SLL] Good Netfilter/BIND stumper -- more details
Glenn Stone
technoshaman at liawol.org
Wed Jan 2 13:38:38 PST 2008
On Wed, Jan 02, 2008 at 01:13:10PM -0800, Mark D. Foster wrote:
>Brad Willson wrote:
>> Neither FQDN nor dotted quad works for dig... both fail with
>>
>> ; <<>> DiG 9.4.2 <<>> @ns google.com
>> ; (1 server found)
>> ;; global options: printcmd
>> ;; connection timed out; no servers could be reached
>>
>> As for ping -n 64.233.167.99
>> PING 64.233.167.99 (64.233.167.99) 56(84) bytes of data.
>> 64 bytes from 64.233.167.99: icmp_seq=1 ttl=239 time=50.7 ms
>> 64 bytes from 64.233.167.99: icmp_seq=2 ttl=239 time=49.7 ms
>> 64 bytes from 64.233.167.99: icmp_seq=3 ttl=239 time=49.7 ms
>> 64 bytes from 64.233.167.99: icmp_seq=4 ttl=239 time=49.6 ms
>>
>> So...my nameserver is broken? (I'm running on 4h of sleep in the past
>> many hours)
>>
>>
>Not necessarily. I'll bet your DNS resolution works fine when you turn
>iptables off.
>Looking back at your iptables rules...
>
>> -A INPUT -j REJECT --reject-with icmp-host-prohibited (at the end of the
>> chain followed by COMMIT)
>
>This rule essentially blocks anything not permitted above it, including your DNS replies.
>It's a good security practice to use this "default deny" stance.
>Anyway, try adding something like this above that last rule...
>-A INPUT -p udp -m udp --source w.x.y.z/32 -j ACCEPT
>where w.x.y.z is the ip address of your nameserver.
Better is
-A INPUT -p udp -m udp -s my.name.server.here --sport 53 -d 0/0 -j ACCEPT
-A INPUT -p tcp -m tcp -s my.name.server.here --sport 53 -d 0/0 -j ACCEPT
Don't allow just anything to come through from the nameserver, that's asking
for it.
The other thing one often does is allow any SYN packet from inside, and then
allow ESTABLISHED, RELATED; this will let your inside-the-firewall hosts
initiate connections but not be servers. And if you've got the FTP
conntrack module loaded, it'll handle that fun and games as well.
-- Glenn
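Putting Glenn's three points together (pin the nameserver rule to source port 53, let conntrack admit replies to connections the host itself opened, load the FTP helper), here is an added example ruleset in iptables-restore format. It is not code from the thread or from any of its posters; the nameserver address 192.0.2.53 and the single SSH service on tcp/22 are assumptions for the illustration, as is the APPLY environment variable used to gate the actual load. The `-m conntrack --ctstate` form is the current spelling of what was written `-m state --state` in 2008; both are accepted by iptables.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: a default-deny INPUT chain
# that admits DNS replies from one nameserver and anything conntrack marks as
# a reply to a connection this host initiated.
# Assumed values (replace with your own): nameserver 192.0.2.53, SSH on tcp/22.

NAMESERVER="${NAMESERVER:-192.0.2.53}"   # assumed nameserver address

# gen_rules prints the ruleset. Order matters: the final REJECT catches
# everything the ACCEPT rules above it did not match, so every ACCEPT must
# come before it.
gen_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic is always allowed
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened: TCP, UDP and ICMP tracked by
# conntrack, plus RELATED flows such as FTP data channels when the
# nf_conntrack_ftp helper is loaded
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DNS answers from the one nameserver, UDP and TCP (TCP for truncated
# answers); the source port is pinned to 53 so other traffic from that host
# still falls through to the REJECT below
-A INPUT -p udp -m udp -s ${NAMESERVER} --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp -s ${NAMESERVER} --sport 53 -j ACCEPT
# the only service this host offers (assumed): new SSH connections
-A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
# default deny: unsolicited SYNs and everything else end up here
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# reject_is_last succeeds when the REJECT is the final INPUT rule, i.e. no
# ACCEPT was placed after it where it could never match.
reject_is_last() {
    gen_rules | grep '^-A INPUT' | tail -n 1 | grep -q 'REJECT'
}

# Load the ruleset only when explicitly asked (APPLY=yes) and running as root;
# otherwise just print it for review.
if [ "${APPLY:-no}" = "yes" ] && [ "$(id -u)" -eq 0 ]; then
    modprobe nf_conntrack_ftp
    gen_rules | iptables-restore
else
    gen_rules
fi
```

Run it with no arguments to print the ruleset and inspect the order; run `APPLY=yes ./rules.sh` as root to load it. With the ESTABLISHED,RELATED rule in place, conntrack already admits the UDP reply to a query this host sent, so the explicit `--sport 53` rules mostly matter on a box that does not use conntrack, or for answers arriving after the UDP entry has timed out; they cost nothing and make the intent visible in `iptables -L -n`.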