I'm attempting to block access to port 53 from internet hosts for an internal server. This device is behind a gateway router so all traffic appears to come from source ip 10.100.1.1. Here are my (non-working) iptables rules:
-A RH-Firewall-1-INPUT -s 10.100.1.1 -m tcp -p tcp --dport 53 -j REJECT -A RH-Firewall-1-INPUT -s 10.100.1.1 -m udp -p udp --dport 53 -j REJECT
Further down the ruleset I have these rules to allow traffic from everyone else. If these rules are removed then nobody can make queries, because of the final default REJECT rule.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
I have used tcpdump and confirmed that packets are in fact still coming across from internet hosts. What am I doing wrong?
[scarolan@host:~]$ sudo tcpdump -n udp port 53 | grep 10.100.1.1 tcpdump: listening on eth0 14:46:40.539995 10.100.1.1.60793 > 10.100.1.61.domain: 62011+ A? server.domain.com. (32) (DF)
Sean Carolan wrote:
I'm attempting to block access to port 53 from internet hosts for an internal server. This device is behind a gateway router so all traffic appears to come from source ip 10.100.1.1. Here are my (non-working) iptables rules:
-A RH-Firewall-1-INPUT -s 10.100.1.1 -m tcp -p tcp --dport 53 -j REJECT -A RH-Firewall-1-INPUT -s 10.100.1.1 -m udp -p udp --dport 53 -j REJECT
Further down the ruleset I have these rules to allow traffic from everyone else. If these rules are removed then nobody can make queries, because of the final default REJECT rule.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
I have used tcpdump and confirmed that packets are in fact still coming across from internet hosts. What am I doing wrong?
[scarolan@host:~]$ sudo tcpdump -n udp port 53 | grep 10.100.1.1 tcpdump: listening on eth0 14:46:40.539995 10.100.1.1.60793 > 10.100.1.61.domain: 62011+ A? server.domain.com. (32) (DF)
Are you running tcpdump on the same machine that is doing the filtering? You do realize that tcpdump sees the packets as they come from the interface and before they are passed to the filter rules, right?
Does the count field from "iptables -vnL RH-Firewall-1-INPUT" show your REJECT rules being hit?
Are you running tcpdump on the same machine that is doing the filtering? You do realize that tcpdump sees the packets as they come from the interface and before they are passed to the filter rules, right?
I had forgotten this important piece of information. Thank you for pointing this out. The packets still seem to be getting through to the BIND daemon, however, because I can still query the box from the Internet.
Does the count field from "iptables -vnL RH-Firewall-1-INPUT" show your REJECT rules being hit?
Yes, the rule gets hit and it returns an answer to the DNS query anyway. I saw it increment from 10 to 11 when I ran the query:
11 692 REJECT udp -- * * 10.100.1.1 0.0.0.0/0 udp dpt:53 reject-with icmp-port-unreachable
Sean Carolan wrote:
Does the count field from "iptables -vnL RH-Firewall-1-INPUT" show your REJECT rules being hit?
Yes, the rule gets hit and it returns an answer to the DNS query anyway. I saw it increment from 10 to 11 when I ran the query:
11 692 REJECT udp -- * * 10.100.1.1 0.0.0.0/0 udp dpt:53 reject-with icmp-port-unreachable
I seriously doubt that the response came from this machine since the packet that hit that rule died right there. Does the machine that sent the request have a secondary DNS server configured? The REJECT response would have resulted in an immediate query to the next server.
Sean Carolan wrote:
I'm attempting to block access to port 53 from internet hosts for an internal server. This device is behind a gateway router so all traffic appears to come from source ip 10.100.1.1. Here are my (non-working) iptables rules:
If it is behind a gateway router, how is port 53 traffic getting from the internet to that DNS server in the first place.
Also ... IF you are PORT FORWARDING port 53 from the internet to the DNS server, then the SOURCE IP will not be the IP of the forwarding device, but the IP of the machine making the request.
If this device is really behind a firewall why are you even forwarding any traffic to it from port 53 in the first palce?
On Fri, Jul 11, 2008 at 7:03 PM, Johnny Hughes jhughes@hughesjr.com wrote:
Sean Carolan wrote:
I'm attempting to block access to port 53 from internet hosts for an internal server. This device is behind a gateway router so all traffic appears to come from source ip 10.100.1.1. Here are my (non-working) iptables rules:
If it is behind a gateway router, how is port 53 traffic getting from the internet to that DNS server in the first place.
Also ... IF you are PORT FORWARDING port 53 from the internet to the DNS server, then the SOURCE IP will not be the IP of the forwarding device, but the IP of the machine making the request.
If this device is really behind a firewall why are you even forwarding any traffic to it from port 53 in the first palce?
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Assuming a SOHO LinkSys firewall preferably with dd-wrt alternative firmware. Are you sure this DNS Server is not in the DMZ? Are you sure the port isn't opened under the UPnP section? It is conceivable that mDNS / AVAHI with a UPnP router automatically open this port on the firewall.
-
Johnny Hughes -
Rob Townley -
Robert Nichols -
Sean Carolan