IP Tables DNS issues

hey there,

I'm having a problem with my iptables allowing DNS queries.

here is my F/w Script

---- start script ------
#!/bin/sh

LAN="eth1"
INTERNET="eth0"
IPTABLES="/sbin/iptables"

# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Flush all chains
$IPTABLES --flush

# Allow unlimited traffic on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Set default policies
#$IPTABLES --policy INPUT DROP
#$IPTABLES --policy OUTPUT DROP
#$IPTABLES --policy FORWARD DROP

# Previously initiated and accepted exchanges bypass rule checking
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow incoming port 22 (ssh) connections on LAN interface
$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 22 -m state --state NEW -j ACCEPT

# Allow incoming port 3128 (squid) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 3128 -m state --state NEW -j ACCEPT

# Allow ICMP ECHO REQUESTS on LAN interface
$IPTABLES -A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT

# Allow DNS resolution
$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 -m state --state NEW -j ACCEPT

# Allow ntp synchronization
$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 123 -m state --state NEW -j ACCEPT

# Allow Squid to proxy http, https
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 443 -m state --state NEW -j ACCEPT
---- end script ----

My squid won't work, nor does browsing from the local f/w box.

It does work if I change the default policy to DENY?

Any ideas? I'm running RH9.0.

Thanks

Reply to
Vampyre
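An added example, not the poster's script: the same rules written as an iptables-restore ruleset, with the chain policies stated in the ruleset itself. The reason to do it that way is that `iptables --flush` removes the rules but leaves whatever policy was set before the script ran, so commenting out the three `--policy` lines does not give a known starting state; it gives whatever the previous run left behind. Interface names and ports are taken from the post. Two things are assumptions of this example: that the resolver is reached through eth0 (the post's own OUTPUT rules say so; if it sits on the LAN the two port-53 rules need `-o eth1`), and that ssh is meant to be open on the LAN side, as the post's comment says even though its rule names eth0. The generator runs anywhere; loading the rules is gated behind APPLY=1 and root.

```shell
#!/bin/sh
# Added example, not the posted script.  Same policy, expressed as an
# iptables-restore ruleset so the chain policies are part of the ruleset
# instead of separate (and here commented-out) --policy commands.
# Interface names and ports come from the post; reaching the resolver through
# eth0 is assumed, and ssh is opened on the LAN side as the post's comment says.

LAN="eth1"
INTERNET="eth0"

# Write the ruleset to file $1.  Lines starting with ':' set the policy of a
# chain; iptables --flush alone would have left the previous policy in place.
gen_rules() {
    cat > "$1" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to traffic we already allowed; conntrack tracks UDP as well, so the
# first DNS query matches NEW below and the answer matches ESTABLISHED here
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# services offered to the LAN only
-A INPUT -i $LAN -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $LAN -p tcp --dport 3128 -m state --state NEW -j ACCEPT
-A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT
# what the box itself may open towards the Internet: DNS (UDP, and TCP for
# truncated answers), NTP, and squid's outbound HTTP/HTTPS
-A OUTPUT -o $INTERNET -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o $INTERNET -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o $INTERNET -p udp --dport 123 -m state --state NEW -j ACCEPT
-A OUTPUT -o $INTERNET -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o $INTERNET -p tcp --dport 443 -m state --state NEW -j ACCEPT
# log (rate limited) what the DROP policy is about to eat, so a blocked
# squid or resolver shows up in syslog instead of just hanging
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-out-drop: "
COMMIT
EOF
}

# Print the policy that ruleset file $1 sets for chain $2 (e.g. DROP).
policy_of() {
    sed -n "s/^:$2 \([A-Z]*\) .*/\1/p" "$1"
}

# Count the ACCEPT rules in ruleset file $1.
count_accepts() {
    grep -c -- '-j ACCEPT$' "$1" || true
}

# Load the ruleset atomically.  Only acts when APPLY=1 and run as root, so
# the generator can be run and inspected on any machine.
apply_rules() {
    if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
        iptables-restore < "$1"
    else
        echo "not applying $1 (set APPLY=1 and run as root)"
    fi
}

if [ $# -gt 0 ]; then
    gen_rules "$1"
    apply_rules "$1"
fi
```

Before loading, `iptables -L -n` on the running box shows the policies that the flush left in place; after loading, the LOG lines in syslog say which chain ate a blocked squid or resolver packet.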

I'm not surprised. Where did you come up with this script, or is it do-it-yourself? You'd probably benefit from reading Rusty's two HOWTOs, and similar docs, like

287057 Jul 23 2002 Security-Quickstart-Redhat-HOWTO

I prefer to ignore all pings. Whatever.

OK

Expecting the world to attack your systems?

Why bother?

OK

There is significant discussion of the merits of DROP (ignore) versus DENY (send RESET or ICMP Type 3). Briefly, with DROP, the remote will try three times because it thinks that the packets got lost en route, while a DENY tells the remote to FOAD. The DENY will _usually_ result in less traffic. The exception is UDP (generally to ports 1025-1035 or so) used for windoze messenger spam. This is often using false source addresses, and an ICMP error is a waste of time.

OK, but that only applies to TCP.

As above. Ping _was_ a useful service in the 1980s.

You might want to figure how you get 'state NEW' on a UDP packet. TCP is only used when your name server returns a response with the 'TC' flag in the DNS message (TrunCation to a maximum total of 512 octets).

As above ('state NEW').

What are the exact error messages?

As noted above, the difference between DROP and DENY is that you tell unwanted packets to f*ck off. I don't know why this should make a difference, but the way to find out is to run 'tcpdump -n' and look at the packets (the -n to avoid contaminating the data with useless name lookups).

RH9 was end-of-life in April 2004. There is limited (back-ported) errata at download.fedoralegacy.org, but I'd recommend replacing that with something more modern (Fedora Core 4 is current, FC5 is in beta - should be out in 6-8 weeks).

Old guy

Reply to
Moe Trin
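An added example, not from either post, of the DNS truncation rule the reply describes: the third octet of the 12-octet DNS header carries the TC bit (0x02), and a resolver only repeats the query over TCP when the UDP answer comes back with that bit set, so that is the only time the tcp/53 OUTPUT rule in the poster's script is matched at all. The two messages below are constructed sample headers, not captures; `od` is used to read the bytes because plain sh has no binary parsing of its own.

```shell
#!/bin/sh
# Added example: read the DNS header flags that decide whether a resolver
# retries over TCP.  Header layout (RFC 1035 section 4.1.1): ID(2) FLAGS(2)
# QDCOUNT(2) ANCOUNT(2) NSCOUNT(2) ARCOUNT(2).  In the first flags octet the
# bits are QR(0x80) OPCODE(0x78) AA(0x04) TC(0x02) RD(0x01); in the second
# RA(0x80) Z(0x70) RCODE(0x0f).

# Constructed sample (not a capture): an answer with QR, TC, RD and RA set and
# ANCOUNT 0, which is what a server sends when the answer will not fit in the
# 512 octets allowed over UDP.
make_truncated_response() {
    printf '\022\064\203\200\000\001\000\000\000\000\000\000' > "$1"
}

# Constructed sample: the same query answered normally (TC clear, one answer RR).
make_plain_response() {
    printf '\022\064\201\200\000\001\000\001\000\000\000\000' > "$1"
}

# Return 0 when the message in file $1 has TC set.
dns_truncated() {
    flags=$(od -An -tx1 -j 2 -N 1 "$1" | tr -d ' \n')
    [ -n "$flags" ] && [ $(( 0x$flags & 2 )) -ne 0 ]
}

# Print the transport the next query for the same name must use: "tcp" when
# the UDP answer was truncated, "udp" otherwise.  With the poster's rules,
# "tcp" is the only case in which the tcp/53 OUTPUT rule is ever exercised.
dns_next_transport() {
    if dns_truncated "$1"; then echo tcp; else echo udp; fi
}

# Decode the header of file $1 into one line for a quick look.
dns_header_summary() {
    set -- $(od -An -tx1 -N 12 "$1")
    [ $# -eq 12 ] || { echo "short header ($# octets)"; return 1; }
    f1=$(( 0x$3 )); f2=$(( 0x$4 ))
    printf 'id=%s%s qr=%d opcode=%d aa=%d tc=%d rd=%d ra=%d rcode=%d qd=%d an=%d\n' \
        "$1" "$2" $(( f1 >> 7 )) $(( (f1 >> 3) & 15 )) $(( (f1 >> 2) & 1 )) \
        $(( (f1 >> 1) & 1 )) $(( f1 & 1 )) $(( f2 >> 7 )) $(( f2 & 15 )) \
        $(( 0x$5 * 256 + 0x$6 )) $(( 0x$7 * 256 + 0x$8 ))
}

# Run on a file named on the command line, e.g. the UDP payload of one packet
# taken out of a tcpdump capture.
if [ $# -gt 0 ]; then
    dns_header_summary "$1"
    echo "next transport: $(dns_next_transport "$1")"
fi
```

When chasing a failing resolver behind this kind of firewall, `tcpdump -n -i eth0 port 53` shows whether the UDP query even leaves, whether an answer with TC comes back, and whether the follow-up SYN to port 53 is what the OUTPUT chain is dropping.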

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.