Networking Forums

Iptables DNS problems

Vampyre
01-17-2006, 06:31 AM
Hi there,

I'm having a problem with my iptables allowing DNS queries.

Here is my firewall script:

----start script------
#!/bin/sh

LAN="eth1"
INTERNET="eth0"
IPTABLES="/sbin/iptables"

# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Flush all chains
$IPTABLES --flush

# Allow unlimited traffic on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Set default policies
#$IPTABLES --policy INPUT DROP
#$IPTABLES --policy OUTPUT DROP
#$IPTABLES --policy FORWARD DROP

# Previously initiated and accepted exchanges bypass rule checking
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow incoming port 22 (ssh) connections on LAN interface
$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 22 -m state --state NEW -j ACCEPT

# Allow incoming port 3128 (squid) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 3128 -m state --state NEW -j ACCEPT

# Allow ICMP ECHO REQUESTS on LAN interface
$IPTABLES -A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT

# Allow DNS resolution
$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 -m state --state NEW -j ACCEPT

# Allow ntp synchronization
$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 123 -m state --state NEW -j ACCEPT

# Allow Squid to proxy http, https
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 443 -m state --state NEW -j ACCEPT
---end script---

My squid won't work, nor does browsing from the local firewall box.

It does work if I change the default policy to DENY?

Any ideas? I'm running RH 9.0.

Thanks

 

Robby Workman
01-18-2006, 05:34 AM
On 2006-01-17, Vampyre <(E-Mail Removed)> wrote:
>
> I'm having problem with my IP tables allowing DNS queries,
>
> ----start script------
> #!/bin/sh
>
> LAN="eth1"
> INTERNET="eth0"
> IPTABLES="/sbin/iptables"
>
> # Drop ICMP echo-request messages sent to broadcast or multicast addresses
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> # Drop source routed packets
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
>
> # Enable TCP SYN cookie protection from SYN floods
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>
> # Don't accept ICMP redirect messages
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
>
> # Don't send ICMP redirect messages
> echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
>
> # Enable source address spoofing protection
> echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
>
> # Log packets with impossible source addresses
> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
>
> # Flush all chains
> $IPTABLES --flush
>
> # Allow unlimited traffic on the loopback interface
> $IPTABLES -A INPUT -i lo -j ACCEPT
> $IPTABLES -A OUTPUT -o lo -j ACCEPT
>
> # Set default policies
> #$IPTABLES --policy INPUT DROP
> #$IPTABLES --policy OUTPUT DROP
> #$IPTABLES --policy FORWARD DROP
>
> # Previously initiated and accepted exchanges bypass rule checking
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Allow incoming port 22 (ssh) connections on LAN interface
> $IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
>
> # Allow incoming port 3128 (squid) connections on LAN interface
> $IPTABLES -A INPUT -i $LAN -p tcp --destination-port 3128 -m state --state NEW -j ACCEPT
>
> # Allow ICMP ECHO REQUESTS on LAN interface
> $IPTABLES -A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT
>
> # Allow DNS resolution
> $IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 -m state --state NEW -j ACCEPT
>
> # Allow ntp synchronization
> $IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 123 -m state --state NEW -j ACCEPT
>
> # Allow Squid to proxy http, https
> $IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 443 -m state --state NEW -j ACCEPT
> ---end script---
>
> my squid wont work , nor does browsing from the local f/w box.
>
> It does work if i change default policy to DENY ?



Hmmm... this looks strangely familiar :-)

First of all, it looks like browsing from *this* machine (the one on
which the iptables rules are applied) should work fine - if that's
not the case, then perhaps there's more to this...

However, you have no rules at all in the FORWARD chain, so this box
will not forward packets to/from the internet to/from any other hosts.

I would recommend setting the default OUTPUT policy to ACCEPT and get
basic connectivity established before trying to filter in that chain
(or bypass filtering in OUTPUT completely - it's of questionable
benefit anyway).

Also, there is no default policy of DENY - please elaborate on what
you mean...

RW

--

http://rlworkman.net
 

Vampyre
01-18-2006, 06:47 AM
By default policy I mean for each chain:

# Set default policies
#$IPTABLES --policy INPUT DROP
#$IPTABLES --policy OUTPUT DROP
#$IPTABLES --policy FORWARD DROP

For now I do not want forwarding, because I use squid for all WWW browsing on the LAN.

When I run this script on the firewall box, I can't even browse on the firewall box. Running dig www.ibm.com times out, so it is clearly not allowing any DNS traffic out.

It seems that all machines on the LAN can ssh to the firewall box with no problems, yet I have not allowed that????

All help is appreciated.

 

Juha Laiho
01-19-2006, 06:20 PM
"Vampyre" <(E-Mail Removed)> said:
>when i run this script on the firewall box, i cant even browse on the
>firewall box
>running dig www.ibm.com = time out so it is clearly not allowing any
>dns traffic out


While running that 'dig', monitor with 'iptables -vL --line-numbers',
to see which rules have increasing packet/byte counters.

>it seem that all machine on the lan can ssh to the firewall box no
>problems yet i have not allowed that ????


Hmm... then it could be that you have some unexpected rules in there somewhere;
take a look at the output of 'iptables-save'.
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
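
Added example (not code from the thread): Juha's suggestion above, watching which counters grow while the 'dig' runs, done as a script instead of by eye. It diffs two snapshots of 'iptables -vnxL --line-numbers' (-n skips the reverse DNS lookups that would hang while DNS is the thing that is broken, -x prints exact packet counts instead of 12K/3M) and reports every rule, and every chain policy, whose packet counter increased. The snapshot data inside demo_growth is constructed for this example and assumes the default policies were set to DROP as Vampyre describes: a 'dig' that timed out because its three queries went to a nameserver on the LAN side, for which the posted script has no OUTPUT rule, so only the OUTPUT chain's policy counter moves.

```shell
#!/bin/sh
# Added example, not from the thread: report rules and chain policies whose
# packet counters grew between two snapshots of
#   iptables -vnxL --line-numbers > before.txt
#   dig www.ibm.com
#   iptables -vnxL --line-numbers > after.txt
#   counter_growth before.txt after.txt

counter_growth() {
    awk '
        # "Chain OUTPUT (policy DROP 5 packets, 400 bytes)": the policy
        # counter holds packets that matched no rule in the chain at all.
        /^Chain / { chain = $2; if ($3 == "(policy") { key = chain "/policy"; pkts = $5; label = "policy " $4 } else next }
        # Rule rows: num pkts bytes target prot opt in out source destination ...
        /^[0-9]/ { key = chain "/rule " $1; pkts = $2; label = $4 }
        # Column headers and blank lines carry no counters.
        !/^Chain / && !/^[0-9]/ { next }
        # First file: remember the counters. Second file: print what grew.
        NR == FNR { before[key] = pkts; next }
        {
            delta = pkts - before[key]
            if (delta > 0) printf "%s: +%d packets (%s)\n", key, delta, label
        }
    ' "$1" "$2"
}

# Constructed demo snapshots (not real captures): policies DROP, the posted
# rule set, and a dig whose three retries all hit the OUTPUT policy.
demo_growth() {
    dir=$(mktemp -d)
    cat > "$dir/before" <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1          10        840 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2         120      15000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 2 packets, 160 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1          10        840 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
2         118      14200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3           7        500 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            udp dpt:53 state NEW
EOF
    # "after" differs only in the OUTPUT policy counter: 2 -> 5 packets.
    sed 's/^Chain OUTPUT (policy DROP 2 packets, 160 bytes)/Chain OUTPUT (policy DROP 5 packets, 400 bytes)/' \
        "$dir/before" > "$dir/after"
    counter_growth "$dir/before" "$dir/after"
    rm -rf "$dir"
}

demo_growth
```

The line to watch is the chain header itself: a growing '(policy DROP N packets ...)' count means the packets matched none of the rules, which is exactly what happens when a query leaves through an interface the rules never mention. If instead an ACCEPT rule's counter grows and the query still times out, the problem is past the firewall (the reply side, or routing), not in the rules.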
 

Eric Teuber
01-19-2006, 08:37 PM
Vampyre wrote:
> he there,
>
> I'm having problem with my IP tables allowing DNS queries,
>
> here is my F/w Script
>
> ----start script------
> #!/bin/sh
>
> LAN="eth1"
> INTERNET="eth0"
> IPTABLES="/sbin/iptables"
>
>
> # Drop ICMP echo-request messages sent to broadcast or multicast addresses
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> # Drop source routed packets
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
>
> # Enable TCP SYN cookie protection from SYN floods
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>
> # Don't accept ICMP redirect messages
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
>
> # Don't send ICMP redirect messages
> echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
>
> # Enable source address spoofing protection
> echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
>
> # Log packets with impossible source addresses
> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
>
> # Flush all chains
> $IPTABLES --flush
>
> # Allow unlimited traffic on the loopback interface
> $IPTABLES -A INPUT -i lo -j ACCEPT
> $IPTABLES -A OUTPUT -o lo -j ACCEPT
>
> # Set default policies
> #$IPTABLES --policy INPUT DROP
> #$IPTABLES --policy OUTPUT DROP
> #$IPTABLES --policy FORWARD DROP
>
> # Previously initiated and accepted exchanges bypass rule checking
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Allow incoming port 22 (ssh) connections on LAN interface
> $IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
>
> # Allow incoming port 3128 (squid) connections on LAN interface
> $IPTABLES -A INPUT -i $LAN -p tcp --destination-port 3128 -m state --state NEW -j ACCEPT
>
> # Allow ICMP ECHO REQUESTS on LAN interface
> $IPTABLES -A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT
>
> # Allow DNS resolution
> $IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 -m state --state NEW -j ACCEPT
>
> # Allow ntp synchronization
> $IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 123 -m state --state NEW -j ACCEPT
>
> # Allow Squid to proxy http, https
> $IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 443 -m state --state NEW -j ACCEPT
> ---end script---
>


You don't let established traffic out through your firewall. Try
changing the OUTPUT rules to NEW,ESTABLISHED like

$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state --state NEW,ESTABLISHED -j ACCEPT

and

$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 80 -m state --state NEW,ESTABLISHED -j ACCEPT

and so on.

Eric
 

Eric Teuber
01-19-2006, 08:44 PM
Vampyre wrote:
> he there,
>
> I'm having problem with my IP tables allowing DNS queries,
>
> here is my F/w Script
>
> ----start script------
> #!/bin/sh
>
> LAN="eth1"
> INTERNET="eth0"
> IPTABLES="/sbin/iptables"
>
>
> # Drop ICMP echo-request messages sent to broadcast or multicast addresses
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> # Drop source routed packets
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
>
> # Enable TCP SYN cookie protection from SYN floods
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>
> # Don't accept ICMP redirect messages
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
>
> # Don't send ICMP redirect messages
> echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
>
> # Enable source address spoofing protection
> echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
>
> # Log packets with impossible source addresses
> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
>
> # Flush all chains
> $IPTABLES --flush
>
> # Allow unlimited traffic on the loopback interface
> $IPTABLES -A INPUT -i lo -j ACCEPT
> $IPTABLES -A OUTPUT -o lo -j ACCEPT
>
> # Set default policies
> #$IPTABLES --policy INPUT DROP
> #$IPTABLES --policy OUTPUT DROP
> #$IPTABLES --policy FORWARD DROP
>
> # Previously initiated and accepted exchanges bypass rule checking
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Allow incoming port 22 (ssh) connections on LAN interface
> $IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
>
> # Allow incoming port 3128 (squid) connections on LAN interface
> $IPTABLES -A INPUT -i $LAN -p tcp --destination-port 3128 -m state --state NEW -j ACCEPT
>
> # Allow ICMP ECHO REQUESTS on LAN interface
> $IPTABLES -A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT
>
> # Allow DNS resolution
> $IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 -m state --state NEW -j ACCEPT
>
> # Allow ntp synchronization
> $IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 123 -m state --state NEW -j ACCEPT
>
> # Allow Squid to proxy http, https
> $IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 443 -m state --state NEW -j ACCEPT
> ---end script---
>
> my squid wont work , nor does browsing from the local f/w box.


It cannot work with these iptables rules! First, you need to allow
outgoing traffic to your LAN.

$IPTABLES -A OUTPUT -o $LAN -p tcp -j ACCEPT

Also you don't let established traffic out from your firewall box. Try
changing the OUTPUT rules to NEW,ESTABLISHED like

$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state --state NEW,ESTABLISHED -j ACCEPT

and

$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 80 -m state --state NEW,ESTABLISHED -j ACCEPT

and so on.

Watch /var/log/messages for dropped packets. It will help to
investigate further.

Eric
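
To put Eric's two changes and Robby's FORWARD point into one runnable script, here is an added example (not the poster's script and not Eric's): the same rule set restructured with the default policies actually set to DROP, an explicit OUTPUT rule for the LAN interface, and a rate-limited LOG rule at the end of each chain so that packets about to hit the DROP policy show up in the kernel log (/var/log/messages on a syslog setup like RH9's). Without a LOG rule the posted script never writes anything to the log, so "watch /var/log/messages" would show nothing. Interface names are the thread's; ADMIN_NET is an assumed placeholder for the source network ssh logins are accepted from on the Internet side. The sysctl lines from the posted script are unchanged and omitted here. 'sh fw.sh preview' prints the rules with IPTABLES=echo instead of loading them; 'sh fw.sh apply' loads them as root.

```shell
#!/bin/sh
# Added example, not the thread's script: default-deny filter rules with an
# explicit LAN-side OUTPUT rule and logging of whatever reaches the DROP policy.
#   sh fw.sh preview   # print the rules (IPTABLES=echo) instead of loading them
#   sh fw.sh apply     # load them; needs root and the state/limit/LOG modules
LAN="eth1"
INTERNET="eth0"
# Assumed placeholder: the network you administer from. The 0.0.0.0/0 default
# keeps ssh open to the whole Internet; narrow it to your home network.
ADMIN_NET="${ADMIN_NET:-0.0.0.0/0}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

load_rules() {
    # Clean filter table, then deny everything that no later rule accepts.
    $IPTABLES --flush
    $IPTABLES --policy INPUT DROP
    $IPTABLES --policy OUTPUT DROP
    $IPTABLES --policy FORWARD DROP   # no routing: LAN clients go through squid

    # Loopback and already-tracked connections first; they match most packets.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services the LAN may reach on this box: squid, ping, ssh.
    $IPTABLES -A INPUT -i "$LAN" -p tcp --dport 3128 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -i "$LAN" -p icmp --icmp-type echo-request -j ACCEPT
    $IPTABLES -A INPUT -i "$LAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # ssh from the Internet side, only from the admin network.
    $IPTABLES -A INPUT -i "$INTERNET" -s "$ADMIN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Anything this box sends towards the LAN. Squid's replies are already
    # ESTABLISHED; a LAN-side DNS or syslog server is what needs this rule.
    $IPTABLES -A OUTPUT -o "$LAN" -j ACCEPT

    # Outbound to the Internet: DNS, NTP and the ports squid fetches from. The
    # ESTABLISHED,RELATED rule above accepts the replies, so NEW is enough here.
    $IPTABLES -A OUTPUT -o "$INTERNET" -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o "$INTERNET" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o "$INTERNET" -p udp --dport 123 -m state --state NEW -j ACCEPT
    for port in 80 443; do
        $IPTABLES -A OUTPUT -o "$INTERNET" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Last rule of each chain: log what is about to hit the DROP policy,
    # rate limited so a flood cannot fill the log.
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -A "$chain" -m limit --limit 5/min -j LOG --log-prefix "fw-drop $chain: "
    done
}

case "${1:-}" in
    apply)   load_rules ;;
    preview) IPTABLES=echo load_rules ;;
    *)       echo "usage: $0 apply|preview" >&2 ;;
esac
```

Order matters in these chains: the loopback and ESTABLISHED,RELATED rules sit first because they match nearly every packet, the LOG rule sits last so it only sees traffic nothing else accepted, and a logged line carrying "fw-drop OUTPUT:" with OUT=eth1 is the symptom of the missing LAN rule Eric describes.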
 

Robert
01-20-2006, 11:14 PM
On Mon, 16 Jan 2006 23:31:24 -0800, Vampyre wrote:


> I'm having problem with my IP tables allowing DNS queries,


Where are the DNS queries coming from? The LAN?

> # Allow incoming port 22 (ssh) connections on LAN interface
> $IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 22 -m state --state NEW -j ACCEPT


Why would you allow SSH from the internet to your firewall? You never
ever allow connections from the internet to your firewall. Should the box
ever be cracked you're toast.

If you need access to your firewall from the internet pass it through to
another system on the LAN and allow that system to ssh to your firewall.


--

Regards
Robert

Smile... it increases your face value!


 

Vampyre
01-23-2006, 12:26 PM
Well, I allow it because I need to log in remotely from home and do work.

 