What iptables rules to allow name service?

on 03.11.2006 15:24:26 by reply.in.group

Beginner's question on iptables firewalls...

Can you all help me set up a proper set of iptables rules to allow name
service to run on my server?

I have:

-A INPUT -p udp --sport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --sport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --sport 1024:65535 -j ACCEPT
-A INPUT -p udp --dport 1024:65535 -j ACCEPT

FORWARD rules are set up the same as INPUT rules.

OUTPUT rules allow everything except telnet.

External hosts trying to access the name server (that is running on this
host) can't get to it. If I turn off iptables (with
/etc/rc.d/init.d/iptables stop), then name service works fine.

What am I missing?

Also, I'm wondering if I really need to open up the whole range of
1024-65535. I'm told that name service uses some random port in that
range for a "reply" port but it seems like asking a bit much to have to
open up that whole range.

Thanks...

Re: What iptables rules to allow name service?

on 03.11.2006 17:20:56 by Ansgar -59cobalt- Wiechers

C. J. Clegg wrote:
> Can you all help me set up a proper set of iptables rules to allow
> name service to run on my server?
>
> I have:
>
> -A INPUT -p udp --sport 53 -j ACCEPT
> -A INPUT -p udp --dport 53 -j ACCEPT
> -A INPUT -p tcp --sport 53 -j ACCEPT
> -A INPUT -p tcp --dport 53 -j ACCEPT
> -A INPUT -p udp --sport 1024:65535 -j ACCEPT
> -A INPUT -p udp --dport 1024:65535 -j ACCEPT
>
> FORWARD rules are set up the same as INPUT rules.

Ummm... why do you want to allow inbound connections to or from port 53
and any port above 1023 to your LAN? And why do you need DNS in the
FORWARD chain anyway? The clients on your LAN should use your nameserver
and your nameserver should forward these requests.

> OUTPUT rules allow everything except telnet.
>
> External hosts trying to access the name server (that is running on
> this host) can't get to it. If I turn off iptables (with
> /etc/rc.d/init.d/iptables stop), then name service works fine.
>
> What am I missing?
>
> Also, I'm wondering if I really need to open up the whole range of
> 1024-65535.

No, you don't. You need to make use of connection states.

Very incomplete snippet:

----8<----
iptables -N DNS
iptables -A DNS -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A DNS -p udp --dport 53 -m state --state NEW -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DNS # Allow inbound DNS *to* the nameserver
....

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j DNS # Allow outbound DNS *from* the nameserver
....
---->8----

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: What iptables rules to allow name service?

on 03.11.2006 18:28:20 by reply.in.group

On Fri, 03 Nov 2006 16:20:56 +0000, Ansgar -59cobalt- Wiechers wrote:

> Ummm... why do you want to allow inbound connections to or from port 53
> and any port above 1023 to your LAN?

Good morning, Ansgar.

Actually, there is no LAN... the iptables firewall on this host protects
only its host (i.e. the host is not a router).

I'm not sure if that makes any difference regarding your question. :-)

> And why do you need DNS in the
> FORWARD chain anyway?

Beats me. I guess I don't. :-)

I'm REALLY new at this firewall stuff as you can tell.

>> Also, I'm wondering if I really need to open up the whole range of
>> 1024-65535.
>
> No, you don't. You need to make use of connection states.

OK, so the fact that DNS replies on one of the ephemeral ports doesn't
require me to open up all the ephemeral ports?

(I have since discovered that the ephemeral port range on this particular
machine is a lot less than 1024-65535, something like 49152-65535 if I
recall correctly.)

I will try the snippet you provided.

Thanks... :-)

Re: What iptables rules to allow name service?

on 03.11.2006 18:43:48 by reply.in.group

On Fri, 03 Nov 2006 16:20:56 +0000, Ansgar -59cobalt- Wiechers wrote:

> iptables -A DNS -p udp --dport 53 -m state --state NEW -j ACCEPT
> iptables -A DNS -p udp --dport 53 -m state --state NEW -j ACCEPT

These lines are both the same. Shouldn't one of them be --sport?

Re: What iptables rules to allow name service?

on 03.11.2006 18:50:52 by Ansgar -59cobalt- Wiechers

C. J. Clegg wrote:
> On Fri, 03 Nov 2006 16:20:56 +0000, Ansgar -59cobalt- Wiechers wrote:
>
>> iptables -A DNS -p udp --dport 53 -m state --state NEW -j ACCEPT
>> iptables -A DNS -p udp --dport 53 -m state --state NEW -j ACCEPT
>
> These lines are both the same. Shouldn't one of them be --sport?

Ah, copy/paste error on my part. The second line should read "-p tcp" of
course.

cu
59cobalt

Re: What iptables rules to allow name service?

on 03.11.2006 18:59:42 by Ansgar -59cobalt- Wiechers

C. J. Clegg wrote:
> On Fri, 03 Nov 2006 16:20:56 +0000, Ansgar -59cobalt- Wiechers wrote:
>> Ummm... why do you want to allow inbound connections to or from port
>> 53 and any port above 1023 to your LAN?
>
> Actually, there is no LAN... the iptables firewall on this host
> protects only its host (i.e. the host is not a router).

Then you should DROP everything in the FORWARD chain and disable IP
forwarding.

[...]
>> And why do you need DNS in the FORWARD chain anyway?
>
> Beats me. I guess I don't. :-)

Correct.

> I'm REALLY new at this firewall stuff as you can tell.

Then I suggest you start with the HOWTOs/tutorials on [1,2].

[1] http://www.netfilter.org/
[2] http://www.frozentux.net/

cu
59cobalt

Re: What iptables rules to allow name service?

on 03.11.2006 20:01:48 by reply.in.group

On Fri, 03 Nov 2006 17:59:42 +0000, Ansgar -59cobalt- Wiechers wrote:

> Then you should DROP everything in the FORWARD chain and disable IP
> forwarding.

Disabling IP forwarding is done by setting /proc/sys/net/ipv4/ip_forward
to 0, right? (That is the default boot-up value anyway.)

So if I'm not doing any IP forwarding, then I don't need a FORWARD chain
at all, right?

Actually, I have some virtual hosts on that machine to serve web pages
from different domains. Do I need to FORWARD traffic to/from them? Note
that /proc/sys/net/ipv4/ip_forward has always been set to 0 yet the
virtual-host web servers all work as they should.

> [1] http://www.netfilter.org/
> [2] http://www.frozentux.net/

Thanks, I will study them.

Re: What iptables rules to allow name service?

on 03.11.2006 20:11:58 by Ansgar -59cobalt- Wiechers

C. J. Clegg wrote:
> On Fri, 03 Nov 2006 17:59:42 +0000, Ansgar -59cobalt- Wiechers wrote:
>> Then you should DROP everything in the FORWARD chain and disable IP
>> forwarding.
>
> Disabling IP forwarding is done by setting /proc/sys/net/ipv4/ip_forward
> to 0, right?

Yes.

> (That is the default boot-up value anyway.)

I prefer to set it in my firewall scripts, to make it explicit.

> So if I'm not doing any IP forwarding, then I don't need a FORWARD
> chain at all, right?

Yes.

> Actually, I have some virtual hosts on that machine to serve web pages
> from different domains. Do I need to FORWARD traffic to/from them?

No.

cu
59cobalt
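Pulling the thread's advice together as one runnable script (an added example, not Ansgar's snippet or anything else posted here): stateful INPUT/OUTPUT rules with the corrected TCP line, FORWARD dropped, and ip_forward cleared. The IPT and IP_FORWARD variables and the "apply" argument are this example's own conventions; with IPT="echo iptables" it only prints the rules it would load.

```shell
#!/bin/sh
# Added example, not from the thread: a complete stateful ruleset for a
# host that runs a nameserver and does no routing. Override IPT (for
# example IPT="echo iptables") to preview the rules without applying them.
IPT="${IPT:-iptables}"
IP_FORWARD="${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"

dns_firewall() {
    # Default-deny on every chain; the host is not a router, so FORWARD
    # stays empty and dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -F
    $IPT -X

    # Loopback, then conntrack: replies to anything accepted below come
    # back as ESTABLISHED and match here. That is why the ephemeral port
    # range (1024:65535 in the original rules) never needs its own rule.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # One DNS chain reused for both directions: in INPUT it admits new
    # queries from clients to our port 53, in OUTPUT it admits new queries
    # our nameserver sends to upstream port 53 (UDP and TCP; the TCP line
    # is the corrected second line of the posted snippet).
    $IPT -N DNS
    $IPT -A DNS -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A DNS -p tcp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -j DNS
    $IPT -A OUTPUT -j DNS
    # Other services (the web servers mentioned in the thread, SSH) need
    # their own NEW rules here; nothing else is admitted.

    # Make the no-routing decision explicit rather than relying on the
    # boot default, as suggested in the thread.
    if [ -w "$IP_FORWARD" ]; then
        echo 0 > "$IP_FORWARD"
    fi
}

# Apply only when invoked as "./dns-firewall.sh apply"; sourcing the file
# or previewing leaves the running firewall untouched.
if [ "${1:-}" = "apply" ]; then
    dns_firewall
fi
```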