07-10-2008, 07:51 PM
Sean Carolan
Iptables not blocking UDP port 53

I'm attempting to block access to port 53 from internet hosts for an
internal server. This device is behind a gateway router so all
traffic appears to come from source ip 10.100.1.1. Here are my
(non-working) iptables rules:

-A RH-Firewall-1-INPUT -s 10.100.1.1 -m tcp -p tcp --dport 53 -j REJECT
-A RH-Firewall-1-INPUT -s 10.100.1.1 -m udp -p udp --dport 53 -j REJECT

Further down the ruleset I have these rules to allow traffic from
everyone else. If these rules are removed then nobody can make
queries, because of the final default REJECT rule.

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT

I have used tcpdump and confirmed that packets are in fact still
coming across from internet hosts. What am I doing wrong?

[scarolan@host:~]$ sudo tcpdump -n udp port 53 | grep 10.100.1.1
tcpdump: listening on eth0
14:46:40.539995 10.100.1.1.60793 > 10.100.1.61.domain: 62011+ A?
server.domain.com. (32) (DF)
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
07-10-2008, 08:30 PM
Robert Nichols
Iptables not blocking UDP port 53

Sean Carolan wrote:

> I'm attempting to block access to port 53 from internet hosts for an
> internal server. This device is behind a gateway router so all
> traffic appears to come from source ip 10.100.1.1. Here are my
> (non-working) iptables rules:
>
> -A RH-Firewall-1-INPUT -s 10.100.1.1 -m tcp -p tcp --dport 53 -j REJECT
> -A RH-Firewall-1-INPUT -s 10.100.1.1 -m udp -p udp --dport 53 -j REJECT
>
> Further down the ruleset I have these rules to allow traffic from
> everyone else. If these rules are removed then nobody can make
> queries, because of the final default REJECT rule.
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
>
> I have used tcpdump and confirmed that packets are in fact still
> coming across from internet hosts. What am I doing wrong?
>
> [scarolan@host:~]$ sudo tcpdump -n udp port 53 | grep 10.100.1.1
> tcpdump: listening on eth0
> 14:46:40.539995 10.100.1.1.60793 > 10.100.1.61.domain: 62011+ A?
> server.domain.com. (32) (DF)


Are you running tcpdump on the same machine that is doing the filtering?
You do realize that tcpdump sees the packets as they come from the
interface and before they are passed to the filter rules, right?

Does the count field from "iptables -vnL RH-Firewall-1-INPUT" show
your REJECT rules being hit?

--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.

 
07-10-2008, 08:51 PM
Sean Carolan
Iptables not blocking UDP port 53

> Are you running tcpdump on the same machine that is doing the filtering?
> You do realize that tcpdump sees the packets as they come from the
> interface and before they are passed to the filter rules, right?

I had forgotten this important piece of information. Thank you for
pointing this out. The packets still seem to be getting through to
the BIND daemon, however, because I can still query the box from the
Internet.

> Does the count field from "iptables -vnL RH-Firewall-1-INPUT" show
> your REJECT rules being hit?

Yes, the rule gets hit and it returns an answer to the DNS query
anyway. I saw it increment from 10 to 11 when I ran the query:

11 692 REJECT udp -- * * 10.100.1.1 0.0.0.0/0 udp dpt:53 reject-with icmp-port-unreachable
 
07-11-2008, 04:05 AM
Robert Nichols
Iptables not blocking UDP port 53

Sean Carolan wrote:

>> Does the count field from "iptables -vnL RH-Firewall-1-INPUT" show
>> your REJECT rules being hit?
>
> Yes, the rule gets hit and it returns an answer to the DNS query
> anyway. I saw it increment from 10 to 11 when I ran the query:
>
> 11 692 REJECT udp -- * * 10.100.1.1 0.0.0.0/0 udp dpt:53 reject-with icmp-port-unreachable


I seriously doubt that the response came from this machine since
the packet that hit that rule died right there. Does the machine
that sent the request have a secondary DNS server configured?
The REJECT response would have resulted in an immediate query to
the next server.

--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.

 
07-12-2008, 12:03 AM
Johnny Hughes
Iptables not blocking UDP port 53

Sean Carolan wrote:

> I'm attempting to block access to port 53 from internet hosts for an
> internal server. This device is behind a gateway router so all
> traffic appears to come from source ip 10.100.1.1. Here are my
> (non-working) iptables rules:

If it is behind a gateway router, how is port 53 traffic getting from
the internet to that DNS server in the first place?

Also ... IF you are PORT FORWARDING port 53 from the internet to the DNS
server, then the SOURCE IP will not be the IP of the forwarding device,
but the IP of the machine making the request.

If this device is really behind a firewall why are you even forwarding
any traffic to it from port 53 in the first place?

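An added example, not from this thread or from the CentOS project, that works both of the points raised above offline: it compares the packet counters of two `iptables -vnL RH-Firewall-1-INPUT` listings (the check tcpdump cannot give you, since it sees packets before netfilter does) to show which rule a query hit, and it simulates iptables first-match lookup to show why a port-forwarded client, which keeps its own source address, sails past a `-s 10.100.1.1` rule. The two listings are constructed sample data; the source matching in `first_match` is simplified to exact address or `0.0.0.0/0`, with no CIDR arithmetic.

```shell
#!/bin/sh
# Constructed snapshots of "iptables -vnL RH-Firewall-1-INPUT" taken before and
# after one DNS query. Sample data, not the poster's real counters.
BEFORE='Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
   10   614 REJECT     tcp  --  *      *       10.100.1.1           0.0.0.0/0           tcp dpt:53 reject-with icmp-port-unreachable
   10   614 REJECT     udp  --  *      *       10.100.1.1           0.0.0.0/0           udp dpt:53 reject-with icmp-port-unreachable
  120  7540 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
  988 61270 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53'
AFTER='Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
   10   614 REJECT     tcp  --  *      *       10.100.1.1           0.0.0.0/0           tcp dpt:53 reject-with icmp-port-unreachable
   11   692 REJECT     udp  --  *      *       10.100.1.1           0.0.0.0/0           udp dpt:53 reject-with icmp-port-unreachable
  120  7540 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
  988 61270 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53'

# rule_hits BEFORE AFTER: print "<delta> <rule>" for every rule whose packet
# counter grew between the two listings. Rules are paired by chain position,
# so take both snapshots without inserting or deleting rules in between.
rule_hits() {
    awk -v before="$1" -v after="$2" 'BEGIN {
        nb = split(before, b, "\n"); na = split(after, a, "\n")
        for (i = 3; i <= nb && i <= na; i++) {      # lines 1-2 are headers
            split(b[i], bf, " "); split(a[i], af, " ")
            if (af[1] - bf[1] <= 0) continue
            rule = af[3]; for (j = 4; (j in af); j++) rule = rule " " af[j]
            printf "%d %s\n", af[1] - bf[1], rule
        }
    }'
}

# first_match LISTING PROTO SRC DPORT: target of the first rule a packet with
# these attributes would hit (iptables stops at the first match). Simplified
# source test: "0.0.0.0/0" matches anything, otherwise the address must be exact.
first_match() {
    printf '%s\n' "$1" | awk -v proto="$2" -v src="$3" -v dport="$4" '
        NR > 2 && ($4 == proto || $4 == "all") &&
        ($8 == "0.0.0.0/0" || $8 == src) &&
        ($0 ~ ("dpt:" dport "( |$)")) { print $3; exit }'
}

rule_hits "$BEFORE" "$AFTER"
first_match "$AFTER" udp 10.100.1.1 53    # REJECT: the gateway address is matched
first_match "$AFTER" udp 203.0.113.7 53   # ACCEPT: a forwarded client keeps its own source
```

The second `first_match` call is the situation Johnny describes: with the client's real address as source, only the catch-all ACCEPT rule matches, so a REJECT keyed on the gateway address never sees internet queries.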
 
07-12-2008, 02:49 AM
Rob Townley
Iptables not blocking UDP port 53

On Fri, Jul 11, 2008 at 7:03 PM, Johnny Hughes <jhughes@hughesjr.com> wrote:
> Sean Carolan wrote:
>>
>> I'm attempting to block access to port 53 from internet hosts for an
>> internal server. This device is behind a gateway router so all
>> traffic appears to come from source ip 10.100.1.1. Here are my
>> (non-working) iptables rules:
>>
>
> If it is behind a gateway router, how is port 53 traffic getting from the
> internet to that DNS server in the first place?
>
> Also ... IF you are PORT FORWARDING port 53 from the internet to the DNS
> server, then the SOURCE IP will not be the IP of the forwarding device, but
> the IP of the machine making the request.
>
> If this device is really behind a firewall why are you even forwarding any
> traffic to it from port 53 in the first place?

Assuming a SOHO LinkSys firewall preferably with dd-wrt alternative firmware.
Are you sure this DNS Server is not in the DMZ?
Are you sure the port isn't opened under the UPnP section? It is
conceivable that mDNS / AVAHI with a UPnP router automatically open
this port on the firewall.
 