Networking Forums (Linux Networking)

IPTABLES and NSLOOKUP

 
 
Allan
11-17-2004, 08:41 PM
Hi,

I'm trying to build iptables on my Mandrake 10.0, kernel 2.4.27

If rule:

iptables -A INPUT -p udp -j DROP

was issued,

I can't use the nslookup command, and I get the error:

connection timed out; no servers could be reached

Could somebody tell me which UDP port should be open so that I can use nslookup?


TIA,
 
Robert Nichols
11-17-2004, 11:46 PM
In article <(E-Mail Removed)>,
Allan <(E-Mail Removed)> wrote:
:Hi,
:
:I'm trying to build iptables on my Mandrake 10.0, kernel 2.4.27
:
:If rule:
:
:iptables -A INPUT -p udp -j DROP
:
:was issued,
:
:I can't use the nslookup command, and I get the error:
:
:connection timed out; no servers could be reached
:
:Could somebody tell me which UDP port should be open so that I can use
:nslookup?

Just be sure that you have a rule

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

_before_ your DROP rule.

--
Bob Nichols AT comcast.net I am "rnichols42"
 
buck
11-18-2004, 02:10 AM
On Thu, 18 Nov 2004 00:46:39 +0000 (UTC), Robert Nichols
<(E-Mail Removed)> wrote:

>In article <(E-Mail Removed)>,
>Allan <(E-Mail Removed)> wrote:
>:Hi,
>:
>:I'm trying to build iptables on my Mandrake 10.0, kernel 2.4.27
>:
>:If rule:
>:
>:iptables -A INPUT -p udp -j DROP
>:
>:was issued,


>:Could somebody tell me which UDP port should be open so that I can use
>:nslookup?
>
>Just be sure that you have a rule
>
> -m state --state RELATED,ESTABLISHED -j ACCEPT
>
>_before_ your DROP rule.


Robert told you what to do. I'm teaching you to fish :-).
iptables -A INPUT -p udp -j LOG
iptables -A INPUT -p udp -j DROP

Run your nslookup

iptables -D INPUT -p udp -j LOG

Check your logs - probably messages. You'll find the port(s) that
need(s) to be open there.

/etc/services has a list of ports. You'll find that 43 is whois,
which is what nslookup uses.

You may also find that DNS lookups fail because they're on UDP 53.

buck
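Following buck's log-then-drop approach, here is an added example that is not from the thread: a small shell script that reads the kernel LOG lines a `-j LOG` rule writes to /var/log/messages and reports which of the dropped UDP packets were replies to queries this host sent (source port is the service port, destination port is ephemeral) and which were unsolicited. The three sample log lines, the host name compton and the addresses 192.0.2.53, 192.0.2.10 and 198.51.100.7 are constructed for the example (RFC 5737 documentation ranges); the IN=, SRC=, PROTO=, SPT= and DPT= fields are the stock LOG target format.

```shell
#!/bin/sh
# Added example, not from the thread: classify what "iptables -A INPUT -p udp -j LOG"
# caught, so the reader can tell a blocked reply from a blocked inbound service.
# Assumes the stock kernel LOG format without --log-prefix, as found in
# /var/log/messages.

# Constructed sample (not a real capture): the log after
#   iptables -A INPUT -p udp -j LOG
#   iptables -A INPUT -p udp -j DROP
# and a run of nslookup whose two query attempts both drew a reply from the
# resolver 192.0.2.53, plus one unrelated packet from 198.51.100.7.
SAMPLE_LOG='Nov 18 02:10:05 compton kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.53 DST=192.0.2.10 LEN=89 TOS=0x00 PREC=0x00 TTL=57 ID=4242 PROTO=UDP SPT=53 DPT=32768 LEN=69
Nov 18 02:10:10 compton kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.53 DST=192.0.2.10 LEN=89 TOS=0x00 PREC=0x00 TTL=57 ID=4243 PROTO=UDP SPT=53 DPT=32768 LEN=69
Nov 18 02:10:12 compton kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=112 ID=9 PROTO=UDP SPT=1026 DPT=1026 LEN=40'

# field NAME: print the value of "NAME=value" from one LOG line read on stdin.
# The field must be preceded by whitespace, so "SPT=" does not match "DPT=".
field() {
    sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# classify_line: read one LOG line on stdin and print
#   reply-from-<sport>      source port is a service port, destination port is
#                           ephemeral: a response to a query this host sent
#   unsolicited-to-<dport>  anything else: inbound traffic for a local port
#   unparsed                no usable SPT/DPT fields (returns 1)
classify_line() {
    line=$(cat)
    spt=$(printf '%s\n' "$line" | field SPT)
    dpt=$(printf '%s\n' "$line" | field DPT)
    case "$spt$dpt" in
        ''|*[!0-9]*) echo "unparsed"; return 1 ;;
    esac
    if [ "$spt" -lt 1024 ] && [ "$dpt" -ge 1024 ]; then
        echo "reply-from-$spt"
    else
        echo "unsolicited-to-$dpt"
    fi
}

# summarize: read LOG lines on stdin and count packets per classification,
# most frequent first.
summarize() {
    while IFS= read -r line; do
        printf '%s\n' "$line" | classify_line
    done | sort | uniq -c | sort -rn
}

# Demo on the constructed log. "reply-from-53" lines cannot be fixed by opening
# a port: the destination port is whatever ephemeral port the resolver picked,
# which is exactly what the RELATED,ESTABLISHED rule handles.
printf '%s\n' "$SAMPLE_LOG" | summarize
```

Against a live system the same functions run as `grep 'PROTO=UDP' /var/log/messages | summarize`; remember to delete the LOG rule again afterwards, as buck says, or the file fills up.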
 
Robert Nichols
11-18-2004, 05:40 AM
In article <(E-Mail Removed)>, buck says...
>
>On Thu, 18 Nov 2004 00:46:39 +0000 (UTC), Robert Nichols
><(E-Mail Removed)> wrote:
>
>>In article <(E-Mail Removed)>,
>>Allan <(E-Mail Removed)> wrote:
>>:Hi,
>>:
>>:I'm trying to build iptables on my Mandrake 10.0, kernel 2.4.27
>>:
>>:If rule:
>>:
>>:iptables -A INPUT -p udp -j DROP
>>:
>>:was issued,

>
>>:Could somebody tell me which UDP port should be open so that I can use
>>:nslookup?
>>
>>Just be sure that you have a rule
>>
>> -m state --state RELATED,ESTABLISHED -j ACCEPT
>>
>>_before_ your DROP rule.

>
>Robert told you what to do. I'm teaching you to fish :-).
>iptables -A INPUT -p udp -j LOG
>iptables -A INPUT -p udp -j DROP
>
>Run your nslookup
>
>iptables -D INPUT -p udp -j LOG
>
>Check your logs - probably messages. You'll find the port(s) that
>need(s) to be open there.
>
>/etc/services has a list of ports. You'll find that 43 is whois,
>which is what nslookup uses.
>
>You may also find that DNS lookups fail because they're on UDP 53.
>


Teaching someone to fish is fine, but unless someone shows him how
to clean and cook that fish, he's still going to go hungry. ;-)

Unless the OP is trying to run a _server_ for those services, your
suggestion to open specific ports is the wrong approach. The whole
point of a stateful firewall is that reply packets can be allowed
to pass without leaving ports open. That's what my suggested
rule accomplishes -- if the DNS query is allowed to pass through the
OUTPUT chain, then the reply to that query will be allowed through
the INPUT chain since it is RELATED traffic.

There's an excellent iptables tutorial by Oskar Andreasson available
from frozentux.net :

http://iptables-tutorial.frozentux.net/

You can read it online in HTML form, or download the complete
PostScript document.

--
Bob Nichols AT comcast.net I am "rnichols42"
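The stateful setup Robert describes, as an added example that is not from the thread and not code from the frozentux tutorial: an INPUT chain in iptables-restore(8) format with the ESTABLISHED ACCEPT in front of the UDP DROP, plus a check that reads an iptables-save style listing of INPUT (`iptables -S INPUT` on newer versions) and confirms the order, since "before your DROP rule" is the part that is easy to get wrong. The lo rule, the INVALID rule, the policies and the sample listings are assumptions for illustration; `-m state` is the 2.4-era ip_conntrack match used in the thread (newer kernels spell it `-m conntrack --ctstate`).

```shell
#!/bin/sh
# Added example, not from the thread: the stateful INPUT chain Robert describes,
# and a check that the stateful ACCEPT really precedes the UDP DROP.
# Assumptions: -m state (2.4 ip_conntrack), interface lo, policies as shown.

# ruleset: print the rules in iptables-restore(8) format; load with
#   iptables-restore < rules.txt
# OUTPUT lets the resolver's query leave; the answer comes back through INPUT
# as ESTABLISHED (UDP is tracked by ip_conntrack too), so no inbound port is
# opened. The INPUT policy is left at ACCEPT to mirror the original poster's
# chain; a DROP policy would be the stricter choice.
ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p udp -j DROP
COMMIT
EOF
}

# check_order: read "-A INPUT ..." lines on stdin (iptables-save output, or
# iptables -S INPUT) and succeed only if an ACCEPT whose --state list contains
# ESTABLISHED comes before the first "-p udp ... -j DROP". Prints the rule
# numbers so the operator can find them with iptables -L INPUT --line-numbers.
check_order() {
    awk '
        /--state [A-Z,]*ESTABLISHED/ && /-j ACCEPT/ && !acc  { acc = NR }
        /-p udp/ && /-j DROP/ && !drop                      { drop = NR }
        END {
            if (!acc)       { print "no stateful ACCEPT rule in INPUT"; exit 1 }
            if (!drop)      { print "stateful ACCEPT at rule " acc ", no UDP DROP"; exit 0 }
            if (acc < drop) { print "ok: ACCEPT at " acc " precedes DROP at " drop; exit 0 }
            print "WRONG ORDER: DROP at " drop " precedes ACCEPT at " acc; exit 1
        }'
}

# Demo: the ruleset above passes; the original poster's chain, which has only
# the UDP DROP, fails the check.
ruleset | grep '^-A INPUT' | check_order
printf '%s\n' '-A INPUT -p udp -j DROP' | check_order || true
```

On a running box the check is `iptables-save | grep '^-A INPUT' | check_order`; a rule appended later with `iptables -A` lands after the DROP, which is the failure the WRONG ORDER branch reports.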

 
Robert Nichols
11-18-2004, 01:56 PM
In article <(E-Mail Removed)>, I wrote:
:... if the DNS query is allowed to pass through the
:OUTPUT chain, then the reply to that query will be allowed through
:the INPUT chain since it is RELATED traffic.

Minor technical error there, the reply establishes the UDP conversation
as ESTABLISHED. RELATED does not apply. I have this mental block
about using the term "established" when talking about a connectionless
protocol like UDP. I've never had occasion to write a rule that
distinguished ESTABLISHED vs. RELATED, so confusing the two hasn't
really been a problem.

--
Bob Nichols AT comcast.net I am "rnichols42"
 
buck
11-18-2004, 03:44 PM
On Thu, 18 Nov 2004 14:56:14 +0000 (UTC), Robert Nichols
<(E-Mail Removed)> wrote:

>In article <(E-Mail Removed)>, I wrote:
>:... if the DNS query is allowed to pass through the
>:OUTPUT chain, then the reply to that query will be allowed through
>:the INPUT chain since it is RELATED traffic.
>
>Minor technical error there, the reply establishes the UDP conversation
>as ESTABLISHED. RELATED does not apply. I have this mental block
>about using the term "established" when talking about a connectionless
>protocol like UDP. I've never had occasion to write a rule that
>distinguished ESTABLISHED vs. RELATED, so confusing the two hasn't
>really been a problem.


Robert,

Now that you have explained to the OP _why_, I am inclined to just
drop this. But I do want to clarify that I did NOT suggest opening
any port. I simply suggested logging the dropped information, turning
off logging so the logs don't fill up with useless crap, and then
examining the logged output. I also showed where the port to service
mappings are normally found.

I didn't read the explanation post. Did you tell the OP to REJECT udp
rather than DROP it and explain why REJECT is more appropriate for
udp?

At least I prodded you into giving an explanation :-)! Thanks for
taking the time to do that.

buck

 
Moe Trin
11-18-2004, 08:17 PM
In article <(E-Mail Removed)>, buck wrote:

>Robert told you what to do. I'm teaching you to fish :-).


Good answer, and almost all correct.

>/etc/services has a list of ports. You'll find that 43 is whois,
>which is what nslookup uses.


except that here, you blew it. nslookup != whois

[compton ~]$ whatis dig dnsquery host nslookup
dig (1) - send domain name query packets to name servers
dnsquery (1) - query domain name servers using resolver
host (1) - look up host names using domain server
nslookup (8) - query Internet name servers interactively
[compton ~]$

>You may also find that DNS lookups fail because they're on UDP 53.


Yup, and that has nothing to do with whois

Old guy

 
Robert Nichols
11-19-2004, 12:46 AM
In article <(E-Mail Removed)>,
buck <(E-Mail Removed)> wrote:
:
:I didn't read the explanation post. Did you tell the OP to REJECT udp
:rather than DROP it and explain why REJECT is more appropriate for
:udp?

Nope. I'd rather not get involved in that particular religious war.
Personally, I REJECT only a few, specific UDP ports (dport==113(auth),
sport==20(FTP-data), a couple of other special cases) and DROP the
rest. I see quite a bit of unwanted UDP traffic with spoofed source
addresses (especially the Microsoft Messenger Service packets), and
REJECTing those just adds to the clutter.

--
Bob Nichols AT comcast.net I am "rnichols42"
 