07-15-2008, 04:34 PM
Robert Moskowitz

Help with iptables rule for blocking UDP port 53

Sean Carolan wrote:

> I would like to block all DNS queries that come from one particular IP
> address. I used tcpdump to verify that the queries were, in fact,
> coming from this IP:
>
> [scarolan@server:~]$ sudo tcpdump -n udp port 53 and src 10.100.1.1
> tcpdump: listening on eth0
> 11:12:17.162100 10.100.1.1.19233 > 10.100.1.61.domain: 14270+ A?
> server.domain.com. (32) (DF)

Looks to me that you have a larger problem. Is this an rfc1918 address
coming from the outside? You should be blocking ALL rfc1918 addresses
from the Internet, as they are by definition an attack.

If this is from an internal source, go to that source and figure out
what it is doing.

rfc1918 defines PRIVATE ipv4 addresses. These are not routed over the
Internet. A packet with a source address in 'Net1' will never route out
back to the sender. It is intended to attack (in some way) the destination.

> Could someone help with the proper syntax for an iptables rule to
> block port 53 UDP traffic from this IP? I tried this rule but it
> doesn't work:
>
> -A RH-Firewall-1-INPUT -s 10.100.1.1 -m udp -p udp --dport 53 -j REJECT
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos



 
07-15-2008, 04:47 PM
Sean Carolan

Help with iptables rule for blocking UDP port 53

> Looks to me that you have a larger problem. Is this an rfc1918 address
> coming from the outside? You should be blocking ALL rfc1918 addresses from
> the Internet, as they are by definition an attack.

Hi Robert, thanks for the reply. This is in fact what I am trying to
do. We have a load-balancing device in front of this DNS server. It
is configured so that all Internet traffic that comes through appears
to originate from 10.100.1.1.

> rfc1918 defines PRIVATE ipv4 addresses. These are not routed over the
> Internet. A packet with a source address in 'Net1' will never route out back
> to the sender. It is intended to attack (in some way) the destination.

Yep, these are internal DNS servers that were mis-configured by the
previous admin. I'm trying to do some cleanup and make sure that they
are not available to the public internet.

What is confusing me is why my iptables rule is not working correctly.
TCPdump shows that the source is correct. Any ideas?
 
07-15-2008, 04:55 PM
nate

Help with iptables rule for blocking UDP port 53

Sean Carolan wrote:

> What is confusing me is why my iptables rule is not working correctly.
> TCPdump shows that the source is correct. Any ideas?

Try blocking TCP as well; most name servers listen on both TCP and
UDP.

portal:~# netstat -anp | grep :53 | grep named
tcp 0 0 10.10.10.1:53 0.0.0.0:* LISTEN 12978/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 12978/named
tcp 0 0 216.39.174.24:53 0.0.0.0:* LISTEN 12976/named
udp 0 0 10.10.10.1:53 0.0.0.0:* 12978/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 12978/named
udp 0 0 216.39.174.24:53 0.0.0.0:* 12976/named



nate

 
07-15-2008, 05:00 PM
Sean Carolan

Help with iptables rule for blocking UDP port 53

On Tue, Jul 15, 2008 at 11:55 AM, nate <centos@linuxpowered.net> wrote:
> Sean Carolan wrote:
>
>> What is confusing me is why my iptables rule is not working correctly.
>> TCPdump shows that the source is correct. Any ideas?
>
> try blocking tcp as well, most name servers listen on both tcp and
> udp.

I do have a rule for blocking TCP, forgot to mention that. You can
see from my tcpdump output above that the inbound packet is UDP
though. I wonder why iptables doesn't block it even with this rule?
 
07-15-2008, 05:15 PM
Sean Carolan

Help with iptables rule for blocking UDP port 53

> I do have a rule for blocking TCP, forgot to mention that. You can
> see from my tcpdump output above that the inbound packet is UDP
> though. I wonder why iptables doesn't block it even with this rule?

The really strange part about this is, if I remove the ACCEPT rules
that are further down in my iptables config, NO dns traffic gets
through at all, due to the final REJECT rule:

ACCEPT tcp -- anywhere anywhere tcp dpt:domain state NEW
ACCEPT udp -- anywhere anywhere udp dpt:domain state NEW
...
...
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

So iptables does seem to be able to properly recognize udp port 53
traffic, it's just not filtering correctly against the source IP
address.
 
07-15-2008, 05:19 PM
kfx

Help with iptables rule for blocking UDP port 53

Sean Carolan wrote:

> I would like to block all DNS queries that come from one particular IP
> address. I used tcpdump to verify that the queries were, in fact,
> coming from this IP:
>
> [scarolan@server:~]$ sudo tcpdump -n udp port 53 and src 10.100.1.1
> tcpdump: listening on eth0
> 11:12:17.162100 10.100.1.1.19233 > 10.100.1.61.domain: 14270+ A?
> server.domain.com. (32) (DF)
>
> Could someone help with the proper syntax for an iptables rule to
> block port 53 UDP traffic from this IP? I tried this rule but it
> doesn't work:
>
> -A RH-Firewall-1-INPUT -s 10.100.1.1 -m udp -p udp --dport 53 -j REJECT

Strange... your rule seems OK to me. Try with DROP instead of REJECT?

 
07-15-2008, 05:26 PM
Sean Carolan

Help with iptables rule for blocking UDP port 53

> Strange... your rule seems OK to me. Try with DROP instead of REJECT?

Nice! It works.
 
07-15-2008, 06:43 PM
nate

Help with iptables rule for blocking UDP port 53

Sean Carolan wrote:

> I do have a rule for blocking TCP, forgot to mention that. You can
> see from my tcpdump output above that the inbound packet is UDP
> though. I wonder why iptables doesn't block it even with this rule?

Try to insert the rule (-I) instead of append (-A). I recall encountering
weirdness between using the two different methods for adding a rule.
I don't know why, but it seems to make a difference in some cases.
The man page doesn't make it clear to me what the difference is and why
it (might) cause a change of behavior.

I'm not an iptables expert, for my real firewalls I use OpenBSD.

nate


 
07-15-2008, 06:46 PM
Sean Carolan

Help with iptables rule for blocking UDP port 53

On Tue, Jul 15, 2008 at 1:43 PM, nate <centos@linuxpowered.net> wrote:
> Sean Carolan wrote:
>
>> I do have a rule for blocking TCP, forgot to mention that. You can
>> see from my tcpdump output above that the inbound packet is UDP
>> though. I wonder why iptables doesn't block it even with this rule?
>
> Try to insert the rule (-I) instead of append (-A). I recall encountering
> weirdness between using the two different methods for adding a rule.
> I don't know why, but it seems to make a difference in some cases.
> The man page doesn't make it clear to me what the difference is and why
> it (might) cause a change of behavior.

I might try this on a dev box, but I'm actually happy with the new
DROP rule. It may be better just to drop the traffic and not let the
world know a DNS server even exists at this address.
 
07-15-2008, 08:46 PM
Robert Spangler

Help with iptables rule for blocking UDP port 53

On Tuesday 15 July 2008 14:43, nate wrote:

> Try to insert the rule (-I) instead of append (-A). I recall encountering
> weirdness between using the two different methods for adding a rule.
> I don't know why, but it seems to make a difference in some cases.
> The man page doesn't make it clear to me what the difference is and why
> it (might) cause a change of behavior.

(-A) Appends the new rule at the end of the chain.

(-I) will insert it at the beginning when no line number is given.

Man iptables for this information

-A, --append chain rule-specification
Append one or more rules to the end of the selected chain.
When the source and/or destination names resolve to more than one address, a
rule will be added for each possible address combination.

-I, --insert chain [rulenum] rule-specification
Insert one or more rules in the selected chain as the given rule number. So,
if the rule number is 1, the rule or rules are inserted at the head of the
chain. This is also the default if no rule number is specified.


--

Regards
Robert

Smile... it increases your face value!
Linux User #296285
http://counter.li.org
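The -A versus -I distinction quoted above is the whole explanation for the original rule not firing. Netfilter walks a chain top to bottom, and the first rule that matches with a terminating target (ACCEPT, DROP or REJECT) decides the packet. A REJECT appended after the existing `ACCEPT udp dpt:domain state NEW` rule is therefore never reached by a new query, while the same match inserted at the head of the chain is hit first; the target (DROP or REJECT) has no bearing on whether the rule matches, only its position does. The Python model below is added here as an example and is not code from the thread or from iptables itself: it simulates that evaluation order. The chain is a constructed abbreviation of the RH-Firewall-1-INPUT rules quoted earlier in the thread, and the packets are constructed from the tcpdump line.

```python
"""Model of netfilter's first-match chain walk, written for this example.
It is a simulation of the semantics, not a call into iptables. The chain
and packets below are constructed from the rules and tcpdump line quoted
in the thread."""

import shlex

# Targets that end evaluation of the chain for a matching packet.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(line):
    """Parse one iptables command ('-A CHAIN ... -j TARGET' or
    '-I CHAIN [rulenum] ... -j TARGET'). Only the matches the thread uses
    are understood (-s, -p, --dport, --state); '-m <module>' and
    '--reject-with <type>' are accepted and skipped. Returns (op, rulenum, rule)."""
    toks = shlex.split(line)
    op, chain, rulenum, match, target = None, None, 1, {}, None
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("-A", "-I"):
            op, chain = t, toks[i + 1]
            i += 2
            if op == "-I" and i < len(toks) and toks[i].isdigit():
                rulenum = int(toks[i])  # explicit position, as in the man page
                i += 1
        elif t == "-s":
            match["src"] = toks[i + 1].split("/")[0]  # /32 assumed, as iptables does
            i += 2
        elif t == "-p":
            match["proto"] = toks[i + 1]
            i += 2
        elif t == "--dport":
            match["dport"] = int(toks[i + 1])
            i += 2
        elif t == "--state":
            match["state"] = set(toks[i + 1].split(","))
            i += 2
        elif t == "-j":
            target = toks[i + 1]
            i += 2
        elif t in ("-m", "--reject-with"):
            i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in {line!r}")
    if op is None or target is None:
        raise ValueError(f"rule needs -A/-I and -j: {line!r}")
    return op, rulenum, {"chain": chain, "match": match, "target": target, "text": line}


def load_chain(commands):
    """Build the chain in the order the commands were issued: -A appends at
    the end, -I inserts at the given rule number (head of the chain if none),
    as the man page excerpt quoted in the thread describes."""
    chain = []
    for line in commands:
        op, rulenum, rule = parse_rule(line)
        if op == "-A":
            chain.append(rule)
        else:
            chain.insert(rulenum - 1, rule)
    return chain


def rule_matches(rule, pkt):
    """A rule matches when every constraint it carries agrees with the packet."""
    m = rule["match"]
    return (("src" not in m or pkt["src"] == m["src"])
            and ("proto" not in m or pkt["proto"] == m["proto"])
            and ("dport" not in m or pkt["dport"] == m["dport"])
            and ("state" not in m or pkt["state"] in m["state"]))


def verdict(chain, pkt, policy="ACCEPT"):
    """Return (target, index) of the first terminating rule that matches pkt,
    or (policy, None) if the packet falls off the end of the chain."""
    for idx, rule in enumerate(chain):
        if rule["target"] in TERMINATING and rule_matches(rule, pkt):
            return rule["target"], idx
    return policy, None


# Constructed, abbreviated version of the RH-Firewall-1-INPUT chain shown in the thread.
BASE = [
    "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT",
    "-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT",
    "-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited",
]
# The rule from the original post, appended, and the same match inserted at the head.
APPENDED = "-A RH-Firewall-1-INPUT -s 10.100.1.1 -m udp -p udp --dport 53 -j REJECT"
INSERTED = "-I RH-Firewall-1-INPUT -s 10.100.1.1 -m udp -p udp --dport 53 -j DROP"

# Constructed packets: the query from the tcpdump line, and one from another source.
QUERY_FROM_LB = {"src": "10.100.1.1", "proto": "udp", "dport": 53, "state": "NEW"}
QUERY_FROM_OTHER = {"src": "192.0.2.10", "proto": "udp", "dport": 53, "state": "NEW"}


def compare():
    """Evaluate the queries against both chains. With the rule appended the
    load-balancer query is ACCEPTed by rule 2 and the REJECT is never reached;
    inserted at the head it is DROPped by rule 1, and other sources still pass."""
    appended = load_chain(BASE + [APPENDED])
    inserted = load_chain(BASE + [INSERTED])
    return {"appended": verdict(appended, QUERY_FROM_LB),
            "inserted": verdict(inserted, QUERY_FROM_LB),
            "other_src": verdict(inserted, QUERY_FROM_OTHER)}


if __name__ == "__main__":
    for name, (target, idx) in compare().items():
        print(f"{name:9s}: {target} by rule #{idx + 1 if idx is not None else '-'}")
```

On the real box the equivalent is `iptables -I RH-Firewall-1-INPUT -s 10.100.1.1 -p udp --dport 53 -j DROP`, followed by `iptables -L RH-Firewall-1-INPUT -n --line-numbers` to confirm the rule sits above the ACCEPT rules. With the appended rule in place, `iptables -L RH-Firewall-1-INPUT -v -n` makes the shadowing visible: the packet counter on the ACCEPT rule keeps rising while the counter on the REJECT rule stays at zero.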
 
