Firewall questions I promised you.
Bruce McDonald
brucemcdonal at mindspring.com
Wed Jun 2 07:05:30 UTC 2004
Hello Rick
On 01-Jun-04, you wrote:
> Bruce McDonald wrote:
>> Hello all,
>> I have written my firewall rules using the examples in Linux Firewall
>> Second Edition by Robert Zeigler. Now, when I run the script I get a
>> couple of errors.
>> One is:
>> Bad argument `22'
>> Try `iptables -h' or 'iptables --help' for more information.
>> This shows up after lines like:
>> if [ "$CONNECTION_TRACKING" = "1" ]; then
>> iptables -A local-tcp-client-request -p tcp \
>> -d $SSH_CLIENT --dport 22 \
>> --syn -m state --state NEW \
>> -j ACCEPT
>> fi
>> iptables -A local-tcp-client-request -p tcp \
>> -d $SSH_CLIENT --dport 22 \
>> -j ACCEPT
>> and:
>> if [ "$CONNECTION_TRACKING" = "1" ]; then
>> iptables -A remote-tcp-client-request -p tcp \
>> -s $SSH_CLIENT --destination-port 22 \
>> -m state --state NEW \
>> -j ACCEPT
>> fi
>> iptables -A remote-tcp-client-request -p tcp \
>> -s $SSH_CLIENT --destination-port 22 \
>> -j ACCEPT
>> I played with the order of the items on the line and did manage to get
>> rid of Bad argument 22 by moving the (in the trial case I used a
>> destination port line) --dport 22 ahead of the destination itself. This
>> did generate a different complaint, which I have forgotten in the
>> intervening time.
> The problem is that some versions of iptables will not accept "--dport"
> options. It's a bug, but there it is. Make sure you have the latest
> version of iptables installed.
>>
>> So, is there an error in the order of the layout of the iptables lines I
>> have listed above?
> No. It's a bug in some versions of iptables.
>> My next error is:
>> iptables v1.2.7a: host/network `yahoo.com' not found
>> Try `iptables -h' or 'iptables --help' for more information.
>>
>> I assume this means the firewall is halting packets to or from my DNS
>> server.
> Yup.
>> I still have to check a little further into this, I do have rules that
>> are supposed to allow the traffic. I will post them for your input once I
>> figure that I don't see anything at all wrong with them.
> It rather depends on how strict you want your firewall to be regarding
> DNS. Without seeing the entire iptables setup, I can't comment on what
> you want to do. However, somewhere near the top of your list you should
> have something along the lines of:
> iptables -A INPUT -p udp --dport 53 -j ACCEPT
> This would accept all UDP DNS traffic (remember, 99% of DNS traffic is
> UDP, not TCP).
The rules for DNS are near the start of the chains after a couple of bogus
packet checks. They are before any rules that require a lookup as far as I
can tell. Here are the DNS rules:
###############################################################
# DNS Caching Name Server (query to remote, primary server)
iptables -A EXT-output -p udp --sport 53 --dport 53 \
-j local-dns-server-query
iptables -A EXT-input -p udp --sport 53 --dport 53 \
-j remote-dns-server-response
# DNS Caching Name Server (query to remote server over TCP)
iptables -A EXT-output -p tcp \
--sport $UNPRIVPORTS --dport 53 \
-j local-dns-server-query
iptables -A EXT-input -p tcp ! --syn \
--sport 53 --dport $UNPRIVPORTS \
-j remote-dns-server-response
###############################################################
# DNS Forwarding Name Server or client requests
if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A local-dns-server-query \
-d $NAMESERVER_1 \
-m state --state NEW -j ACCEPT
iptables -A local-dns-server-query \
-d $NAMESERVER_2 \
-m state --state NEW -j ACCEPT
iptables -A local-dns-server-query \
-d $NAMESERVER_3 \
-m state --state NEW -j ACCEPT
iptables -A local-dns-server-query \
-d $NAMESERVER_4 \
-m state --state NEW -j ACCEPT
fi
iptables -A local-dns-server-query \
-d $NAMESERVER_1 -j ACCEPT
iptables -A local-dns-server-query \
-d $NAMESERVER_2 -j ACCEPT
iptables -A local-dns-server-query \
-d $NAMESERVER_3 -j ACCEPT
iptables -A local-dns-server-query \
-d $NAMESERVER_4 -j ACCEPT
# DNS server responses to local requests
iptables -A remote-dns-server-response \
-s $NAMESERVER_1 -j ACCEPT
iptables -A remote-dns-server-response \
-s $NAMESERVER_2 -j ACCEPT
iptables -A remote-dns-server-response \
-s $NAMESERVER_3 -j ACCEPT
iptables -A remote-dns-server-response \
-s $NAMESERVER_4 -j ACCEPT
If you want to see the full ruleset from the book that I modified to fit my
environment, it can be found at
http://www.linux-firewall-tools.com/ftp/firewall/optimized.firewall.2
Regards,
Bruce McDonald
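Added example for this thread; it is not code from the post, from Rick's reply, or from the book's ruleset. Independently of the iptables version in use, two script-side conditions reproduce exactly the two messages discussed above, and both are worth guarding against before a rule is ever handed to iptables. First, if an address variable such as $SSH_CLIENT is empty, "-d $SSH_CLIENT --dport 22" expands to "-d --dport 22": -d swallows "--dport" as its host argument and the leftover "22" is reported as Bad argument `22'. Second, iptables resolves any non-numeric host at rule-load time, so a hostname in a rule that is loaded after DNS is already blocked fails with "host/network `name' not found". The helper names (rule, is_ipv4, require_addr, ssh_client_rules, dns_server_rules), the DRY_RUN switch, and the 192.0.2.x / 198.51.100.x addresses are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example for this thread (not from the post, the book, or Rick's reply).
# Hypothetical helper names: rule, is_ipv4, require_addr, ssh_client_rules,
# dns_server_rules. DRY_RUN=1 prints rules instead of applying them.

IPT="${IPT:-iptables}"     # iptables binary
DRY_RUN="${DRY_RUN:-1}"    # 1 = print the exact argv instead of running it

# Print or apply one rule. Printing the argv first makes an empty variable
# visible before iptables ever sees it.
rule() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# True only for a literal IPv4 address or CIDR. Anything else is handed to
# the resolver when the rule is loaded, and once the default policy already
# blocks DNS that lookup fails with "host/network `name' not found".
is_ipv4() {
    case "$1" in
        "" | *[!0-9./]* | *..* ) return 1 ;;
    esac
    return 0
}

# Refuse to build a rule from an empty or non-literal address variable.
# If SSH_CLIENT is empty, "-d $SSH_CLIENT --dport 22" expands to
# "-d --dport 22": -d consumes "--dport" as its host argument and the
# leftover "22" is reported as Bad argument `22'.
require_addr() {
    name="$1"
    eval "value=\${$name:-}"
    if ! is_ipv4 "$value"; then
        echo "error: $name='$value' is not a literal IPv4 address" >&2
        return 1
    fi
}

# SSH client rules from the thread, guarded. CONNECTION_TRACKING=1 adds the
# stateful --syn/NEW rule before the plain one, as the quoted script does.
ssh_client_rules() {
    require_addr SSH_CLIENT || return 1
    if [ "${CONNECTION_TRACKING:-0}" = "1" ]; then
        rule -A local-tcp-client-request -p tcp -d "$SSH_CLIENT" --dport 22 \
             --syn -m state --state NEW -j ACCEPT
    fi
    rule -A local-tcp-client-request -p tcp -d "$SSH_CLIENT" --dport 22 -j ACCEPT
}

# Query/response rules for each name server variable named on the command
# line, e.g. dns_server_rules NAMESERVER_1 NAMESERVER_2. Every server must
# be a literal address so that loading the DNS rules never needs DNS.
dns_server_rules() {
    for name in "$@"; do
        require_addr "$name" || return 1
        eval "addr=\${$name}"
        rule -A local-dns-server-query -d "$addr" -j ACCEPT
        rule -A remote-dns-server-response -s "$addr" -j ACCEPT
    done
}

# Dry run with constructed addresses (nothing is applied while DRY_RUN=1):
#   SSH_CLIENT=192.0.2.10 NAMESERVER_1=192.0.2.53 sh firewall-check.sh --run
# Set DRY_RUN=0 with the same variables to apply the rules for real.
if [ "${1:-}" = "--run" ]; then
    ssh_client_rules && dns_server_rules NAMESERVER_1
fi
```

Running the script in dry-run mode before every change prints the exact argument vector iptables will receive, so an empty variable or a hostname shows up in the output instead of as a cryptic error halfway through building the chains; resolving every name server and client host to a literal address up front also means the DNS rules can be loaded after a default-DROP policy is already in place.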