Linode Forum :: iptables Blocking DNS

Linode Forum https://forum.linode.com/

iptables Blocking DNS https://forum.linode.com/viewtopic.php?f=19&t=9728	Page 1 of 1

Author:	pmp6nl [ Mon Jan 21, 2013 12:33 am ]
Post subject:	iptables Blocking DNS
Hello, I noted in my log that iptables is blocking DNS, including from resolver2.dallas.linode.com. This seems odd to me, but I must have gotten it from tutorial on here. The server has been running for 8 months with no noticable issues. Does anyone else have their iptables setup like this? What are the pros and cons of this setup? Thank you so much. Code: kernel: iptables denied: IN=eth0 OUT= MAC=f2:3c:91:ae:bd:2b:c8:4c:75:f5:c4:ff:08:00 SRC=72.14.188.5 DST=96.126.122.2xx LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=7355 PROTO=UDP SPT=53 DPT=57572 LEN=52

Author:	sednet [ Mon Jan 21, 2013 3:54 pm ]
Post subject:	Re: iptables Blocking DNS
So this is a reply from resolver2.dallas.linode.com for your DNS query? Does DNS actually work on your linode? Assuming you have a rule something like: iptables -A OUTPUT -s 96.126.122.2xx/32 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT The reply should have been accepted by a rule like: iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT But it wasn't. Show us your iptables rules.

Author:

pmp6nl [ Tue Jan 22, 2013 10:47 pm ]

Post subject:

Re: iptables Blocking DNS

Hello,

Thanks for the info and for looking. DNS seems to be working, I am running some sites without problems. My iptables are below.

Thanks!

Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:10000
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
DROP       all  --  200.159.40.31        anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain fail2ban-ssh (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere

Author:	sednet [ Thu Jan 24, 2013 5:09 pm ]
Post subject:	Re: iptables Blocking DNS
iptables without -v doesn't even tell you what interfaces the rules apply to. Try 'iptables -L -n -v'.

Author:

pmp6nl [ Sun Jan 27, 2013 10:48 pm ]

Post subject:

Re: iptables Blocking DNS

Oh ok, here ya go:

Code:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
5745K 1457M fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
5735K 1457M fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
  12M 3309M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  !lo    *       0.0.0.0/0            127.0.0.0/8          reject-with icmp-port-unreachable
  17M 3491M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
1063K   60M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
  400 20796 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
51774 3073K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
  571 35242 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
 3226  189K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:10000
40472 2937K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
45660 3421K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 DROP       all  --  *      *       200.159.40.31        0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  26M   20G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-ssh (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  11M 2913M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Thanks.

Author:	sednet [ Wed Jan 30, 2013 6:15 am ]
Post subject:	Re: iptables Blocking DNS
Don't you need to explicitly establish state on the outbound connections before you can catch the return traffic with state ESTABLISHED? I'd use the following as the OUTPUT rule: iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT But this accepts all outgoing traffic which is bad practice on a secure system. The right ( i.e. paranoid ) way to do it is to block everything then explicitly allow legitimate traffic as specifically as possible. I don't think you should be blocking incoming ICMP the way you are. There are other useful things that are sent with ICMP other than ping. Personally I would not use fail2ban as I don't think that it adds security to SSH and won't help much if you do something really dumb like use dictionary word passwords in any case. This has been discussed before on here and others disagree with me.

Page 1 of 1	All times are UTC-04:00
Powered by phpBB® Forum Software © phpBB Group http://www.phpbb.com/