Contrary to common belief, DNS is not UDP only. Once in a while a normal query will be too large, and then TCP packets are used. So TCP is not exclusively for zone transfers.
If I understand what I've just read from a Google search, TCP is used when the data exceeds 512 bytes (or, as you say, for zone transfers). Is this always to TCP port 53 on the server, or can the server indicate an alternative port in its initial UDP response?
Here's what I use in my iptables-script:
if [ "$CONNECTION_TRACKING" = "1" ]; then
    # Stateful: only the first packet of a query needs a rule; replies
    # are matched by connection tracking.
    iptables -A OUTPUT -o $PUB_IFACE -p udp \
        -s $PUB_IP --sport $EPHEMERAL_PORTS \
        -d $IP --dport 53 \
        -m state --state NEW -j ACCEPT

    iptables -A OUTPUT -o $PUB_IFACE -p tcp \
        -s $PUB_IP --sport $EPHEMERAL_PORTS \
        -d $IP --dport 53 \
        -m state --state NEW -j ACCEPT
fi
What is $EPHEMERAL_PORTS defined as? "1024:" or "1024:65535" perhaps? What is $IP defined as? I presume the IP address of the name server.
# Stateless rules, used whether or not connection tracking is available.
iptables -A OUTPUT -o $PUB_IFACE -p udp \
    -s $PUB_IP --sport $EPHEMERAL_PORTS \
    -d $IP --dport 53 -j ACCEPT

iptables -A OUTPUT -o $PUB_IFACE -p tcp \
    -s $PUB_IP --sport $EPHEMERAL_PORTS \
    -d $IP --dport 53 -j ACCEPT

iptables -A INPUT -i $PUB_IFACE -p udp \
    -s $IP --sport 53 \
    -d $PUB_IP --dport $EPHEMERAL_PORTS -j ACCEPT

# "! --syn": accept TCP from the name server only if it is not a new
# connection attempt.
iptables -A INPUT -i $PUB_IFACE -p tcp ! --syn \
    -s $IP --sport 53 \
    -d $PUB_IP --dport $EPHEMERAL_PORTS -j ACCEPT
This might be a dumb question, as I've only just started reading about stateful packet filtering this morning... is there a reason why you don't use connection tracking for the INPUT chain? I.e. only allow packets from the name server for ESTABLISHED connections. It looks like your stateless rules try to achieve the same by dropping TCP SYN packets.
There are a couple of "catch 'em" lines, just in case the connection tracking module isn't loaded on that particular host.
This might be another dumb question, but how do I tell if the connection tracking module isn't loaded? How is this configured, enabled, disabled, etc?
Cheers Malc
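The rule set from the thread, rewritten as an added example (not code from either poster) with the stateful INPUT rule Malc asks about and a check for whether connection tracking is present on the host. Interface name, addresses (from the TEST-NET-1 documentation range) and the 1024:65535 ephemeral range are placeholder assumptions; IPT defaults to a dry run that prints the rules. Both UDP and TCP queries go to port 53 on the resolver: a UDP reply with the TC (truncated) bit set only tells the client to repeat the query over TCP to the same port, so the same OUTPUT rules cover both transports.

```shell
#!/bin/sh
# Added example, not code from the thread: the DNS-client part of an
# iptables script, written as functions so the rules can be printed as a
# dry run or applied, plus a check for whether connection tracking is
# available.  Interface, addresses (TEST-NET-1 documentation range) and
# the ephemeral port range are assumed placeholder values.

PUB_IFACE="${PUB_IFACE:-eth0}"                    # assumed public interface
PUB_IP="${PUB_IP:-192.0.2.10}"                    # assumed address of this host
IP="${IP:-192.0.2.53}"                            # assumed resolver address
EPHEMERAL_PORTS="${EPHEMERAL_PORTS:-1024:65535}"  # unprivileged source ports
IPT="${IPT:-echo iptables}"  # dry run by default; IPT=iptables applies for real

# Succeeds when the running kernel has connection tracking available.
# nf_conntrack can be compiled in rather than loaded as a module, so
# lsmod alone is not conclusive; the /proc entries appear either way
# once tracking is active.  ip_conntrack is the name on older 2.6 kernels.
conntrack_available() {
    [ -e /proc/net/nf_conntrack ] && return 0
    [ -e /proc/sys/net/netfilter/nf_conntrack_max ] && return 0
    [ -e /proc/net/ip_conntrack ] && return 0
    grep -qsE '^(nf|ip)_conntrack ' /proc/modules
}

dns_client_mode() {
    if conntrack_available; then echo stateful; else echo stateless; fi
}

# Stateful variant: only the first packet of a query needs an OUTPUT
# rule; the reply is accepted because conntrack has seen the query go
# out, so nothing arriving from port 53 is accepted unless this host
# asked for it and the 4-tuple still has a tracking entry.
dns_client_rules_stateful() {
    for proto in udp tcp; do
        $IPT -A OUTPUT -o "$PUB_IFACE" -p "$proto" \
            -s "$PUB_IP" --sport "$EPHEMERAL_PORTS" \
            -d "$IP" --dport 53 \
            -m state --state NEW -j ACCEPT
    done
    # One INPUT rule covers replies for both protocols (newer iptables
    # spells this -m conntrack --ctstate ESTABLISHED,RELATED).
    $IPT -A INPUT -i "$PUB_IFACE" -s "$IP" -d "$PUB_IP" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Stateless fallback for hosts without conntrack.  "! --syn" stops the
# resolver address from opening TCP connections to us from port 53, but
# UDP has no handshake: any packet claiming source port 53 and the
# resolver's address is accepted at any time, which is the gap the
# stateful rules close.
dns_client_rules_stateless() {
    for proto in udp tcp; do
        $IPT -A OUTPUT -o "$PUB_IFACE" -p "$proto" \
            -s "$PUB_IP" --sport "$EPHEMERAL_PORTS" \
            -d "$IP" --dport 53 -j ACCEPT
    done
    $IPT -A INPUT -i "$PUB_IFACE" -p udp \
        -s "$IP" --sport 53 \
        -d "$PUB_IP" --dport "$EPHEMERAL_PORTS" -j ACCEPT
    $IPT -A INPUT -i "$PUB_IFACE" -p tcp ! --syn \
        -s "$IP" --sport 53 \
        -d "$PUB_IP" --dport "$EPHEMERAL_PORTS" -j ACCEPT
}

# Choose the rule set the running kernel can actually enforce.
dns_client_rules() {
    if [ "$(dns_client_mode)" = stateful ]; then
        dns_client_rules_stateful
    else
        dns_client_rules_stateless
    fi
}

# Print the rules the script would apply on this host.
dns_client_rules
```

Run it as an unprivileged user to see which variant the host would get and the exact rules; run with IPT=iptables as root to apply them. To check tracking by hand, `lsmod | grep conntrack` or `ls /proc/sys/net/netfilter/` is enough; the script's test also handles kernels where nf_conntrack is built in rather than modular.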