[sclug] iptables
Tom Dawes-Gamble
tmdg at tmdg.co.uk
Tue Aug 10 21:12:38 UTC 2004
On Sat, 2004-08-07 at 13:30, Matt wrote:
> On Sat, 2004-08-07 at 13:42, Tom Dawes-Gamble wrote:
> > Okay you iptables gurus.
> >
> > I'm having problems configuring iptables on my name server.
> >
> > What I really want to do is as follows.
> >
> > dns.tmdg.co.uk updates the two real name servers for the domain
> > ns1.dns.houxou.com and ns2.dns.houxou.com.
> > dns.tmdg.co.uk will answer requests from rg.tmdg.co.uk.
> > dns.tmdg.co.uk will answer requests from sn.tmdg.co.uk.
>
> By 'updates', do you mean ns[12].dns.houxou.com perform zone transfers
> against you?
>
If you do a whois on say sclug.org.uk it tells you ns[12].dns.houxou.com
are the name servers. I actually maintain the DNS for it on
dns.tmdg.co.uk so each time I update the DNS for sclug.org.uk. I'm
using bind 9 and so that I can use views. So by pointing my firewall at
dns.tmdg.co.uk I get a different view of the dns. So if you lookup
mitchell.tmdg.co.uk you see it as a CNAME of rg.tmdg.co.uk. However, if
I lookup mitchell.tmdg.co.uk on my workstation I get a 192.168.X.X
address in my private network.
Similar things happen in my other private network in Swindon.
So I really want to configure dns.tmdg.co.uk so that the only DNS
traffic it allows are the updates I make to be able to get to
dns[12].dns.houxou.com and the two firewalls rg.tmdg.co.uk and
sn.tmdg.co.uk.
> Hmm, that probably doesn't help ;-) I can see this My-Input chain is
> referenced by two other chains, but I can't see if there's a more
> restrictive rule beforehand that might be blocking the traffic,
OK this time I've done the full list as you requested. I also used the
Red Hat firewall configuration utility lokkit to build the rules.
# iptables -v --list
Chain INPUT (policy ACCEPT 197 packets, 39081 bytes)
 pkts bytes target                prot opt in     out     source               destination
  428 64398 RH-Lokkit-0-50-INPUT  all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target                prot opt in     out     source               destination
    0     0 RH-Lokkit-0-50-INPUT  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 362 packets, 89688 bytes)
 pkts bytes target                prot opt in     out     source               destination

Chain RH-Lokkit-0-50-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:https flags:SYN,RST,ACK/SYN
  109  7400 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:domain
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:domain flags:SYN,RST,ACK/SYN
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh flags:SYN,RST,ACK/SYN
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:smtp flags:SYN,RST,ACK/SYN
    9   432 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http flags:SYN,RST,ACK/SYN
    8   600 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     udp  --  any    any     l-oeuf.tmdg.co.uk    anywhere            udp spt:domain
    4   244 ACCEPT     udp  --  any    any     ns1.dns.houxou.com   anywhere            udp spt:domain
    4   244 ACCEPT     udp  --  any    any     ns2.dns.houxou.com   anywhere            udp spt:domain
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
   97 16397 REJECT     udp  --  any    any     anywhere             anywhere            udp reject-with icmp-port-unreachable
[root at l-oeuf root]# iptables -v --list | more
Chain INPUT (policy ACCEPT 323 packets, 73339 bytes)
 pkts bytes target                prot opt in     out     source               destination
  636  109K RH-Lokkit-0-50-INPUT  all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target                prot opt in     out     source               destination
    0     0 RH-Lokkit-0-50-INPUT  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 582 packets, 176K bytes)
 pkts bytes target                prot opt in     out     source               destination

Chain RH-Lokkit-0-50-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:https flags:SYN,RST,ACK/SYN
  144  9814 ACCEPT     udp  --  any    any     anywhere             anywhere
Unfortunately I can't leave the iptables rules in place too long as it screws
things up for the internal networks.
Regards,
Tom.
--
main(int c,char **v){long x;while(--c){sscanf(*++v,"%li",&x);
printf("Decimal = %ld\nHex = 0x%lx\nOctal = 0%lo\n",x,x,x);}}
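Two things stand out in the lokkit listing above: the rule "ACCEPT udp dpt:domain" from "anywhere" sits before the host-specific rules, so those never restrict who may query the server, and the closing "REJECT udp" from "anywhere" has no state rule in front of it, so answers to the server's own outbound lookups are only accepted from the three hosts listed with spt:domain. The script below is an added example, not code from the post or from lokkit: it builds a dedicated chain that accepts DNS only from the two firewalls and the two houxou name servers named in the thread, lets replies to the server's own queries through, and rejects the rest. The chain name DNS-INPUT is my choice, and IPT defaults to "echo iptables" so the script prints the rules rather than touching a live firewall.

```shell
#!/bin/sh
# Added example, not code from the original post: a dedicated INPUT chain for a
# BIND host that should talk DNS only to a fixed set of peers.  Hostnames are the
# ones from the thread; IPT defaults to "echo iptables" so running the script
# prints the rules instead of changing the live firewall.  Set IPT=iptables
# (as root) to apply them.

IPT="${IPT:-echo iptables}"

# Hosts allowed to query this server (the two firewalls in the post).
CLIENTS="rg.tmdg.co.uk sn.tmdg.co.uk"
# The public name servers that take zone transfers from this host.
UPSTREAM="ns1.dns.houxou.com ns2.dns.houxou.com"

# Build the DNS-INPUT chain from scratch.  Order matters: iptables takes the
# first matching rule, so the host-specific ACCEPTs must come before any
# catch-all REJECT, and nothing before them may ACCEPT port 53 from "anywhere".
dns_rules() {
    $IPT -N DNS-INPUT 2>/dev/null || $IPT -F DNS-INPUT

    # Local traffic and replies to the server's own outbound queries.  Without
    # the state rule a blanket udp REJECT also discards answers to the recursive
    # lookups the server makes on behalf of the internal networks.
    $IPT -A DNS-INPUT -i lo -j ACCEPT
    $IPT -A DNS-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Queries from the two firewalls, UDP and TCP (TCP is needed for answers
    # that do not fit in a 512-byte UDP packet).
    for h in $CLIENTS; do
        $IPT -A DNS-INPUT -p udp -s "$h" --dport 53 -j ACCEPT
        $IPT -A DNS-INPUT -p tcp -s "$h" --dport 53 -j ACCEPT
    done

    # Zone transfers (AXFR/IXFR over TCP 53) and SOA checks (UDP 53) from the
    # secondaries.
    for h in $UPSTREAM; do
        $IPT -A DNS-INPUT -p tcp -s "$h" --dport 53 -j ACCEPT
        $IPT -A DNS-INPUT -p udp -s "$h" --dport 53 -j ACCEPT
    done

    # Anything else aimed at port 53: log a rate-limited sample, then reject.
    $IPT -A DNS-INPUT -p udp --dport 53 -m limit --limit 5/min -j LOG --log-prefix "DNS-REJECT: "
    $IPT -A DNS-INPUT -p tcp --dport 53 -m limit --limit 5/min -j LOG --log-prefix "DNS-REJECT: "
    $IPT -A DNS-INPUT -p udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
    $IPT -A DNS-INPUT -p tcp --dport 53 -j REJECT --reject-with tcp-reset
    # Non-DNS traffic falls through to whatever follows in INPUT.
    $IPT -A DNS-INPUT -j RETURN
}

# Put DNS-INPUT at the top of INPUT so it is consulted before the lokkit chain.
install_dns_chain() {
    $IPT -D INPUT -j DNS-INPUT 2>/dev/null || true
    $IPT -I INPUT 1 -j DNS-INPUT
}

dns_rules
install_dns_chain
```

Two caveats when applying this for real: iptables resolves the hostnames in -s once, at rule-load time, so the script has to be re-run if any of those hosts changes address, and the LOG lines give you a sample of rejected queries in the kernel log to confirm nothing legitimate (for instance a third firewall) is being turned away before you leave the rules in place.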