ipchains blocking DNS...help


gjansky
12-05-2000, 11:27 PM
I went to linux-firewall-tools.com and built myself a firewall. I then followed the directions to install it. Now, when one of my client (LAN) machines tries to view an external web page, it hangs trying to connect. I have found REJECT messages in my /var/log/messages file that seem to indicate I'm blocking my own attempts to reach the DNS server provided by my ISP.


Dec 5 16:03:34 umcredbank kernel: Packet log: output REJECT eth1 PROTO=17 XX.XX.XXX.XXX:61000 YYY.YYY.Y.Y:53 L=59 S=0x00 I=25088 F=0x0000 T=31
Dec 5 16:03:39 umcredbank kernel: Packet log: output REJECT eth1 PROTO=17 XX.XX.XXX.XXX:61000 YYY.YYY.Y.Y:53 L=59 S=0x00 I=27904 F=0x0000 T=31

Where XXX = my static IP and
YYY = my ISP's nameserver.

My firewall rules look like:


# Remove all existing rules belonging to this filter
ipchains -F

# Set the default policy of the filter to deny.
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward DENY

# set masquerade timeout to 10 hours for tcp connections
ipchains -M -S 36000 0 0
# All internal traffic is masqueraded externally.
ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ

# DNS server (53)
# ---------------

# DNS forward-only nameserver
# ---------------------------

# forward-only can use regular TCP protocol to forwarders

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 53 \
-d $NAMESERVER_1 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_1 53 \
-d $IPADDR 53 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $NAMESERVER_1 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 53 \
-d $NAMESERVER_2 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_2 53 \
-d $IPADDR 53 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_2 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $NAMESERVER_2 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT



I'm probably just missing something here.
Thanks in advance for any suggestions.

Greg

Fandelem
12-06-2000, 04:15 PM
Yep.

As far as I can tell


ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 53 \
-d $NAMESERVER_1 53 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_2 53 -j ACCEPT

Notice that on TCP you have it accepting from $IPADDR $UNPRIVPORTS, but on UDP you only have it accepting from the IP address. You should go back and change all the -p udp rules to say -s $IPADDR $UNPRIVPORTS (because the packet log that you showed is basically denying output on UDP because of this.. I believe). Your new rules would look something like:


ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_1 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $NAMESERVER_1 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_2 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_2 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_2 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $NAMESERVER_2 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT


and I think you might be okay.. if not, we'll try something else :}

regards,

~kyle
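The source-port mismatch Fandelem describes can be checked offline against the logged packet. This is an added example, not code from the thread or from linux-firewall-tools.com: it parses an ipchains "Packet log:" line in the format shown in the first post and evaluates it against the original UDP output rule and the corrected one, using first-match semantics. The addresses, the interface name and the expansion of $UNPRIVPORTS to 1024:65535 are assumptions.

```python
import re
from collections import namedtuple

# Sample entry constructed after the REJECT lines in the original post, with the
# masked addresses replaced by documentation-range placeholders.
LOG_LINE = ("Dec 5 16:03:34 umcredbank kernel: Packet log: output REJECT eth1 PROTO=17 "
            "203.0.113.10:61000 198.51.100.53:53 L=59 S=0x00 I=25088 F=0x0000 T=31")

# The fields of an ipchains "Packet log:" entry that a rule match depends on.
LOG_RE = re.compile(r"Packet log: (?P<chain>\w+) \w+ (?P<iface>\w+) PROTO=(?P<proto>\d+) "
                    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")
PROTO_NAMES = {6: "tcp", 17: "udp"}

# One ipchains rule: -A chain -i iface -p proto -s src sports -d dst dports -j target
Rule = namedtuple("Rule", "chain iface proto src sports dst dports target")

def parse_ports(spec: str) -> range:
    """ipchains port spec: '53' is one port, '1024:65535' an inclusive range."""
    lo, _, hi = spec.partition(":")
    return range(int(lo), int(hi or lo) + 1)

def parse_log(line: str) -> dict:
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not an ipchains packet log line")
    f = m.groupdict()
    return {"chain": f["chain"], "iface": f["iface"], "proto": PROTO_NAMES[int(f["proto"])],
            "src": f["src"], "sport": int(f["sport"]), "dst": f["dst"], "dport": int(f["dport"])}

def matches(rule: Rule, pkt: dict) -> bool:
    return ((rule.chain, rule.iface, rule.proto, rule.src, rule.dst)
            == (pkt["chain"], pkt["iface"], pkt["proto"], pkt["src"], pkt["dst"])
            and pkt["sport"] in rule.sports and pkt["dport"] in rule.dports)

def verdict(rules: list, line: str, policy: str = "REJECT") -> str:
    """First matching rule decides; otherwise the chain's default policy applies."""
    pkt = parse_log(line)
    return next((r.target for r in rules if matches(r, pkt)), policy)

# Hypothetical values standing in for $IPADDR, $NAMESERVER_1 and $UNPRIVPORTS.
IPADDR, NAMESERVER_1, UNPRIVPORTS = "203.0.113.10", "198.51.100.53", "1024:65535"
# The post's rule pins the source port to 53, so a resolver query from 61000 misses it
# and falls through to the output chain's REJECT policy.
ORIGINAL = [Rule("output", "eth1", "udp", IPADDR, parse_ports("53"),
                 NAMESERVER_1, parse_ports("53"), "ACCEPT")]
# The suggested fix admits any unprivileged source port towards the nameserver's port 53.
FIXED = [Rule("output", "eth1", "udp", IPADDR, parse_ports(UNPRIVPORTS),
              NAMESERVER_1, parse_ports("53"), "ACCEPT")]
```

The same check applies to the matching input rules: the nameserver's reply comes back to the unprivileged port the query left from, so an input rule with `-d $IPADDR 53` drops it for the same reason.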