#1
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2002
    Location
    Florida
    Posts
    60
    Rep Power
    13

    dns problem due to firewall?


    Here's my firewall:

    #!/bin/bash


    # Configuration
    MODPROBE="/sbin/modprobe"
    IPTABLES="/sbin/iptables"

    echo "Loading Modules"
    # Load Modules
    $MODPROBE ip_tables
    $MODPROBE iptable_filter
    $MODPROBE iptable_nat
    $MODPROBE ip_conntrack
    $MODPROBE ip_conntrack_ftp
    $MODPROBE ip_conntrack_irc
    $MODPROBE ip_nat_ftp
    $MODPROBE ip_nat_irc

    echo "Flushing Trash Rules"
    # Flush Old Rules
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -F FORWARD
    $IPTABLES -F -t nat

    echo "Enforcing Lock Down!"
    # Enable forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Accept new inbound connections for FTP (21), SSH (22), DNS over TCP (53) and HTTP (80).
    $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
    $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
    $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
    $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT


    # Generic input rules.
    $IPTABLES -A INPUT -s 127.0.0.1/32 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -s 192.168.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -m state --state NEW,INVALID -j DROP

    # Not on my computer!

    $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 22 -j DROP
    $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 23 -j DROP

    # Generic output rules
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state INVALID -j DROP


    # Generic forwarding rules.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state NEW,INVALID -j DROP


    echo "Initialized FireWall..."

    The problem is whenever the script is run it does its job, but DNS eventually stops working? Should something be forwarded that's not, maybe like this?:

    # Accept DNS, 'cause it's warm and friendly
    $IPTABLES -A INPUT -p udp --source-port 53 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --source-port 113 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --destination-port 113 -j ACCEPT

    I've never thought of a reason to open up 113?
    sreese@prcdigital.com
#2
    Contributing User
    Devshed God 1st Plane (5500 - 5999 posts)

    Join Date
    Oct 2000
    Location
    Back in the real world.
    Posts
    5,966
    Rep Power
    190
    113 is ident, not DNS, as you can read in your /etc/services.

    A DNS server needs TCP and UDP port 53 to work correctly. Using the first line, it should work.
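    Added example, not code from the thread: the INPUT rules a host running a DNS server needs, written with the destination port and connection state instead of the source-port match quoted in the first post. IPTABLES defaults to a dry run that prints the commands (an assumption for review on any machine); set IPTABLES=/sbin/iptables and run as root to apply them. No rule for 113 is included, since identd is not run, as the later reply advises.

```shell
#!/bin/bash
# Added example (not from the thread). Dry run by default: prints the
# iptables commands instead of applying them. Set IPTABLES=/sbin/iptables
# (and run as root) to install the rules for real.
IPTABLES="${IPTABLES:-echo /sbin/iptables}"

# Open port 53 by destination port on NEW connections, for UDP and TCP alike
# (large answers and zone transfers fall back to TCP). Replies to the host's
# own outbound queries are already covered by the ESTABLISHED,RELATED rule
# in the original script, so nothing else is needed for a resolver.
dns_server_rules() {
    $IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
}

# The rule quoted in the first post keys on the *source* port. That port is
# chosen by the remote side, so the rule admits any unsolicited UDP packet
# whose sender happened to use 53, not only DNS answers. Kept for comparison.
weak_dns_rule() {
    $IPTABLES -A INPUT -p udp --source-port 53 -j ACCEPT
}

# Review check usable in dry-run mode: does a rule set accept traffic *to*
# port 53 without relying on the sender's source port?
#   $1: the emitted rules, one per line
rules_are_dport_based() {
    printf '%s\n' "$1" | grep -q -- '--dport 53' &&
    ! printf '%s\n' "$1" | grep -q -- '--source-port'
}

dns_server_rules
```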
#3
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2002
    Location
    Florida
    Posts
    60
    Rep Power
    13
    Ok thanks,

    That's what I thought, I had looked it up but still had to ask. Do you have any comments that would allow those services to run, but provide a more secure system?
    sreese@prcdigital.com
#4
    Contributing User
    Devshed God 1st Plane (5500 - 5999 posts)

    Join Date
    Oct 2000
    Location
    Back in the real world.
    Posts
    5,966
    Rep Power
    190
    Don't run identd at all. Never run bind as root, and "chroot" it. I can't tell you how though...
    Apply all updates from your manufacturer and get on a security mailing list so you are alerted when new updates are available.

    ...
    greetings,
    M
