Firewall questions I promised you.

Bruce McDonald brucemcdonal at mindspring.com
Wed Jun 2 07:05:30 UTC 2004


Hello Rick

On 01-Jun-04, you wrote:

> Bruce McDonald wrote:
>> Hello all,

>> I have written my firewall rules using the examples in Linux Firewall
>> Second Edition by Robert Zeigler. Now, when I run the script I get a
>> couple of errors.

>> One is:
>> Bad argument `22'
>> Try `iptables -h' or 'iptables --help' for more information.

>> This shows up after lines like:
>> if [ "$CONNECTION_TRACKING" = "1" ]; then
>>    iptables -A local-tcp-client-request -p tcp \
>>             -d $SSH_CLIENT --dport 22 \
>>             --syn -m state --state NEW \
>>             -j ACCEPT
>> fi

>> iptables -A local-tcp-client-request -p tcp \
>>         -d $SSH_CLIENT --dport 22 \
>>         -j ACCEPT

>> and:
>> if [ "$CONNECTION_TRACKING" = "1" ]; then
>>    iptables -A remote-tcp-client-request -p tcp \
>>             -s $SSH_CLIENT --destination-port 22 \
>>             -m state --state NEW \
>>             -j ACCEPT
>> fi


>> iptables -A remote-tcp-client-request -p tcp \
>>         -s $SSH_CLIENT --destination-port 22 \
>>         -j ACCEPT


>> I played with the order of the items on the line and did manage to get
>> rid of Bad argument 22 by moving the (in the trial case I used a
>> destination port line) --dport22 ahead of the destination itself. This
>> did generate a different complaint, which I have forgotten in the
>> intervening time.

> The problem is that some versions of iptables will not accept "--dport"
> options.  It's a bug, but there it is.  Make sure you have the latest
> version of iptables installed.

>> 
>> So, is there an error in the order of the layout of the iptables lines I
>> have listed above?

> No.  It's a bug in some versions of iptables.

>> My next error is:
>> iptables v1.2.7a: host/network `yahoo.com' not found
>> Try `iptables -h' or 'iptables --help' for more information.
>> 
>> I assume this means the firewall is halting packets to or from my DNS
>> server.  

> Yup.

>> I still have to check a little further into this, I do have rules that
>> are supposed to allow the traffic. I will post them for your input once I
>> figure that I don't see anything at all wrong with them.

> It rather depends on how strict you want your firewall to be regarding
> DNS.  Without seeing the entire iptables setup, I can't comment on what
> you want to do.  However, somewhere near the top of your list you should
> have something along the lines of:

>     iptables -A INPUT -p udp -port 53 -j ACCEPT

> This would accept all UDP DNS traffic (remember, 99% of DNS traffic is
> UDP, not TCP).

The rules for DNS are near the start of the chains after a couple of bogus
packet checks.  They are before any rules that require a lookup as far as I
can tell.  Here are the DNS rules:
###############################################################
# DNS Caching Name Server (query to remote, primary server)

iptables -A EXT-output -p udp --sport 53 --dport 53 \
         -j local-dns-server-query

iptables -A EXT-input -p udp --sport 53 --dport 53 \
         -j remote-dns-server-response

# DNS Caching Name Server (query to remote server over TCP)

iptables -A EXT-output -p tcp \
         --sport $UNPRIVPORTS --dport 53 \
         -j local-dns-server-query

iptables -A EXT-input -p tcp ! --syn \
         --sport 53 --dport $UNPRIVPORTS \
         -j remote-dns-server-response

###############################################################
# DNS Forwarding Name Server or client requests

if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A local-dns-server-query \
             -d $NAMESERVER_1 \
             -m state --state NEW -j ACCEPT

    iptables -A local-dns-server-query \
             -d $NAMESERVER_2 \
             -m state --state NEW -j ACCEPT

    iptables -A local-dns-server-query \
             -d $NAMESERVER_3 \
             -m state --state NEW -j ACCEPT

    iptables -A local-dns-server-query \
             -d $NAMESERVER_4 \
             -m state --state NEW -j ACCEPT
fi

iptables -A local-dns-server-query \
         -d $NAMESERVER_1 -j ACCEPT

iptables -A local-dns-server-query \
         -d $NAMESERVER_2 -j ACCEPT

iptables -A local-dns-server-query \
         -d $NAMESERVER_3 -j ACCEPT

iptables -A local-dns-server-query \
         -d $NAMESERVER_4 -j ACCEPT

# DNS server responses to local requests

iptables -A remote-dns-server-response \
         -s $NAMESERVER_1 -j ACCEPT

iptables -A remote-dns-server-response \
         -s $NAMESERVER_2 -j ACCEPT

iptables -A remote-dns-server-response \
         -s $NAMESERVER_3 -j ACCEPT

iptables -A remote-dns-server-response \
         -s $NAMESERVER_4 -j ACCEPT


If you want to see the full ruleset from the book that I modified to fit my
environment, it can be found at  
http://www.linux-firewall-tools.com/ftp/firewall/optimized.firewall.2


Regards,
Bruce McDonald
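Two failure shapes come up in this thread: a stray positional argument (`Bad argument `22'`) and a hostname that iptables cannot resolve while the rules are being loaded (`host/network `yahoo.com' not found`). The first shape is exactly what a shell produces when a variable such as `$SSH_CLIENT` is unset, because `-d $SSH_CLIENT --dport 22` collapses to `-d --dport 22` and `22` is left over; the second happens whenever a rule names a host rather than an address and the script has already installed a DROP policy before the DNS rules, since iptables resolves names at rule-load time. The script below is an added example (it is not from the thread, the book, or Ziegler's ruleset) that pre-flights a book-style rule fragment for both problems before it is applied. The rule text, the `192.0.2.0/24` addresses and the `yahoo.com` argument are constructed for the demonstration; only IPv4 addresses and CIDR prefixes are treated as "already numeric".

```sh
#!/bin/sh
# Added example: pre-flight checks for an iptables shell script.
# Run these against the script text before applying it as root.

# Constructed fragment in the style of the rules quoted in the thread.
SAMPLE_RULES='
iptables -A local-tcp-client-request -p tcp -d $SSH_CLIENT --dport 22 -j ACCEPT
iptables -A local-dns-server-query -d $NAMESERVER_1 -m state --state NEW -j ACCEPT
iptables -A EXT-output -p udp --sport 53 --dport 53 -j local-dns-server-query
iptables -A EXT-input -s yahoo.com -j ACCEPT
'

# Print every $VARIABLE referenced in the rules that is not set in the
# current environment. An unset variable turns
#   -d $SSH_CLIENT --dport 22   into   -d --dport 22
# and iptables then reports the leftover token: Bad argument `22'.
unset_vars() {
    printf '%s\n' "$1" \
      | grep -o '\$[A-Za-z_][A-Za-z0-9_]*' \
      | sort -u \
      | while read -r ref; do
            name=${ref#\$}
            # The grep pattern restricts name to identifier characters, so the
            # eval only tests whether that name is set; no rule text is executed.
            if eval "[ -z \"\${$name+set}\" ]"; then
                printf '%s\n' "$name"
            fi
        done
}

# Print every -s/-d argument that is neither a variable reference nor an
# IPv4 address or CIDR prefix. iptables resolves such names at load time;
# once a DROP policy is in place that lookup fails with
#   host/network `NAME' not found
hostname_args() {
    printf '%s\n' "$1" \
      | awk '{
            for (i = 1; i < NF; i++)
                if ($i == "-s" || $i == "-d") {
                    a = $(i + 1)
                    if (a !~ /^\$/ && a != "!" &&
                        a !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/)
                        print a
                }
        }' | sort -u
}

# Report both findings; succeed (exit 0) only when the script is clean.
preflight() {
    u=$(unset_vars "$1")
    h=$(hostname_args "$1")
    if [ -n "$u" ]; then printf 'unset variables: %s\n' "$u"; fi
    if [ -n "$h" ]; then printf 'hostname arguments: %s\n' "$h"; fi
    [ -z "$u" ] && [ -z "$h" ]
}

# Constructed environment for the demonstration: the name server address is
# set, SSH_CLIENT is deliberately left unset (sshd sets it in real login shells).
NAMESERVER_1=192.0.2.53
unset SSH_CLIENT

preflight "$SAMPLE_RULES" || echo "fix the script before applying it"
```

Running this prints `unset variables: SSH_CLIENT` and `hostname arguments: yahoo.com`, then the closing message. Fixing the report means exporting the missing variable (or sourcing the file that defines it) and replacing the hostname with the address it should resolve to, so the firewall script never depends on a lookup that its own DROP policy may block.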





More information about the Redhat-install-list mailing list