Up zone resolving for DNS through IPTABLES security (Linux Security forums, System Security and Security Related)
Really would appreciate help here!
Have a dual hosted machine - eth0 to Internet, eth1 to LAN, running IPTABLES to provide a firewall, OS is Red Hat Linux 8, BIND 9.2.1.

I have created a DNS server on this machine which works fine on the local zone information and for dynamic DNS with DHCP. This all works fine.

The problem however is that I cannot reach name servers for the remote zone with LOKKIT running on high security - a copy of the IPTABLES rules used is below. *** If LOKKIT is not running then it works fine ***. The two IP addresses are my service provider's DNS that I am currently having to use to get connectivity.

I found out that BIND after version 8 uses high ports for resolvers, so as recommended I added an option line to /etc/named.conf to get DNS to use port 53:

    options { query-source address * port 53; }

Then I used various IPTABLES commands for --dport 53 and --sport 53 but to no avail.

What do I need to issue in the way of IPTABLES commands to make this work?

I have extended beyond my knowledge and despite days of trawling user groups, reading manuals and postings, and trial and error I am still no further. I would be very grateful for assistance.

Output from iptables-save:

    *nat
    :PREROUTING ACCEPT [12:744]
    :POSTROUTING ACCEPT [18:1392]
    :OUTPUT ACCEPT [15:1272]
    [2:108] -A POSTROUTING -o eth0 -j SNAT --to-source 1.1.1.2    ! Obfuscated!
    COMMIT
    *filter
    :INPUT ACCEPT [5:364]
    :FORWARD ACCEPT [6:1629]
    :OUTPUT ACCEPT [66:6945]
    :RH-Lokkit-0-50-INPUT - [0:0]
    [47:5158] -A INPUT -j RH-Lokkit-0-50-INPUT
    [26:3197] -A FORWARD -j RH-Lokkit-0-50-INPUT
    [1:48] -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    [1:60] -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    [0:0] -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    [0:0] -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    [3:241] -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
    [23:1899] -A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT
    [0:0] -A RH-Lokkit-0-50-INPUT -s 127.0.0.1 -p udp -m udp --sport 53 -j ACCEPT
    [1:290] -A RH-Lokkit-0-50-INPUT -s 212.158.192.2 -p udp -m udp --sport 53 -j ACCEPT
    [1:212] -A RH-Lokkit-0-50-INPUT -s 212.158.192.3 -p udp -m udp --sport 53 -j ACCEPT
    [0:0] -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
    [32:3612] -A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
    COMMIT
Peter S wrote:
| [original post quoted in full - snipped]

As far as I can see from your configuration, this has less to do with iptables/lokkit than with your DNS configuration. It seems your bind has no forwarders configured. In this case, it will first connect to the root DNS servers, then to the DNS of the TLD, and so on. This obviously cannot work if access to these servers is blocked by your iptables configuration.

There are two ways to work around it:

1. Issue the following command to iptables:

    #> iptables -t filter -I RH-Lokkit-0-50-INPUT 10 -p udp \
         -m udp --sport 53 -j ACCEPT

   This will allow access to all DNS servers worldwide, but may be a security hole.

2. Alter your bind configuration. Add these lines to the "options" part of your /etc/named.conf:

    forward first;
    forwarders { 212.158.192.2; 212.158.192.3; };

   Thus the beginning of /etc/named.conf should look like this:

    options {
        forward first;
        forwarders { 212.158.192.2; 212.158.192.3; };
        query-source address * port 53;
        // To keep the internet from querying your server:
        allow-query { [your LAN's base IP]/24; 127.0.0.1; };
        allow-recursion { [your LAN's base IP]/24; 127.0.0.1; };
    };

   This will force bind to ask your provider's nameservers in case the local cache or zones don't have the requested information. Only if this fails will bind try to connect to the DNS root servers, which will fail and result in an unanswered question.

   This way is more secure, but also has a caveat: if your provider should change its nameservers, lokkit will know, because it is updated by the dial-in scripts, but you will have to reconfigure bind. Happily this doesn't happen very often.

I recommend reading the DNS HOWTO at http://www.tldp.org/HOWTO/DNS-HOWTO.html.

Greetings,
Felix
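As an added example (not code from the thread or from either poster), the following POSIX shell script audits an iptables-save dump for the kind of rule that workaround 1 inserts: ACCEPT rules whose only qualification is UDP source port 53, with or without an -s source address. The sample rules are constructed from the Lokkit chain posted above, plus the broad rule and one stateful rule for contrast; the function names are my own.

```sh
#!/bin/sh
# Added example (not from the thread): audit an iptables-save dump for
# INPUT rules that accept UDP purely because the source port is 53.
# Such rules trust a field the remote side chooses, so any host (or, for
# the -s variants, anyone spoofing that host's address) can push UDP
# through them. A stateful ESTABLISHED,RELATED match does not have this
# problem, so rules carrying one are classified as "stateful".

# classify_rule RULE: print one word describing how a single
# iptables-save line admits traffic.
classify_rule() {
    _rule=$1
    case "$_rule" in
        *"-j ACCEPT"*) ;;                            # only ACCEPT rules matter here
        *) echo other; return 0 ;;
    esac
    case "$_rule" in
        *"-m state"*|*"-m conntrack"*) echo stateful; return 0 ;;
    esac
    case "$_rule" in
        *"--sport 53"*)
            case "$_rule" in
                *" -s "*) echo sport53-from-host ;;    # limited to one source IP, still spoofable
                *)        echo sport53-any-source ;;   # open to the whole Internet
            esac ;;
        *) echo other ;;
    esac
}

# audit_rules: read iptables-save lines on stdin, print one warning per
# source-port-trusting ACCEPT rule and a final summary line.
audit_rules() {
    _any=0; _host=0
    while IFS= read -r _line; do
        case "$(classify_rule "$_line")" in
            sport53-any-source) _any=$((_any + 1));   echo "OPEN:      $_line" ;;
            sport53-from-host)  _host=$((_host + 1)); echo "SPOOFABLE: $_line" ;;
        esac
    done
    echo "summary any-source=$_any from-host=$_host"
}

# Constructed sample: the relevant lines of the Lokkit chain from the
# thread, plus the broad rule from workaround 1 and a stateful rule.
SAMPLE_RULES='[3:241] -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
[0:0] -A RH-Lokkit-0-50-INPUT -s 127.0.0.1 -p udp -m udp --sport 53 -j ACCEPT
[1:290] -A RH-Lokkit-0-50-INPUT -s 212.158.192.2 -p udp -m udp --sport 53 -j ACCEPT
[1:212] -A RH-Lokkit-0-50-INPUT -s 212.158.192.3 -p udp -m udp --sport 53 -j ACCEPT
[0:0] -A RH-Lokkit-0-50-INPUT -p udp -m udp --sport 53 -j ACCEPT
[0:0] -A RH-Lokkit-0-50-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[32:3612] -A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable'

# On a live box replace the sample with: iptables-save | audit_rules
printf '%s\n' "$SAMPLE_RULES" | audit_rules
```

Running it against the sample reports the broad rule as OPEN and the three -s rules as SPOOFABLE; on a real host pipe iptables-save into audit_rules instead. A zero in both summary counters is what you want after moving DNS answers over to a stateful match.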
peter.shearan@virgin.net (Peter S) writes:
> Really would appreciate help here!
>
> Have a dual hosted machine - eth0 to Internet, eth1 to Lan, running
> IPTABLES to provide a firewall, OS is Red Hat Linux 8, BIND 9.2.1.

Congratulations on being out of date...

[snip]

> I found out that BIND after version 8 uses high ports for Resolvers,
> so as recommended I added an option line to /etc/named.conf to get DNS
> to use port 53.
>
> options { query-source address * port 53; }

Arrrrrgh! This went out in the mesolithic era!

DNS does not "use" port 53, that is its well-known service port. DNS packets are from any source port to destination port 53, either UDP (queries up to a given size) or TCP (zone-xfers and queries with a large result set, which only occurs very rarely).

Setting the source port down to 53 as well as the destination is an excuse to use a very lazy and insecure firewall rule later: "I'm running a nameserver, accept crap on port 53 whether I asked for it or not". You can and therefore should distinguish between client and server cases, quite easily:

a) DNS client: you're emitting packets from any high source port to port 53; responses will flow backwards from 53/udp up to a high port. If you use stateful matching in iptables (`-m state --state ESTABLISHED,RELATED'), this will be taken care of just like any other request/answer packet set, using a tuple with at least (myip, theirip, sport, dport, proto, timeout_interval) elements (more for TCP) to tighten down what constitutes a response.

b) DNS server: you're accepting packets to 53/udp from everyone allowed to query against your server, and to 53/tcp from listed secondary nameservers only. You can safely ignore the large-query-result case unless you know of a zone with such a problem that you'll be handling frequently; I've seen that once in over 4 years.

Scrap this "Lokkit" crap (which I reviewed here some years ago when it first came out), write your own proper stateful firewall instead, that actually does what you want (or should want :) .

If you really want a starter script, mine is to be found at <http://spodzone.org.uk/packages/secure/iptables.sh>.

HTH.
~Tim

-- 
13:23:57 up 9 days, 20:58, 7 users, load average: 0.12, 0.08, 0.03
piglet@stirfried.vegetable.org.uk | Die dulci fruere http://spodzone.org.uk/cesspit/
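Tim's own starter script lives at the URL he gives; the block below is an added example, not his code or anything from the thread, showing the client/server split he describes as a minimal stateful INPUT policy for the DNS ports. eth0 (Internet) and eth1 (LAN) follow the thread; LAN_NET, SECONDARIES and the function names are assumed, constructed placeholders. The script only prints the iptables commands so they can be reviewed before being applied.

```sh
#!/bin/sh
# Added example, not Tim's starter script: a minimal stateful iptables
# INPUT policy for a box that is both a DNS client (Tim's case a) and a
# DNS server for its LAN (case b). Interface names follow the thread
# (eth0 = Internet, eth1 = LAN). LAN_NET and SECONDARIES are assumed,
# constructed values (documentation ranges) and must be replaced.

LAN_NET=${LAN_NET:-192.168.1.0/24}        # assumed LAN range
SECONDARIES=${SECONDARIES:-203.0.113.5}   # assumed secondary NS addresses, space-separated

# emit_dns_rules: print the iptables commands, one per line, without
# applying anything. Review the output, then pipe it to sh as root.
emit_dns_rules() {
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Case a) DNS client: the resolver sends from a high port to 53/udp
    # (or 53/tcp); the answer is admitted by the connection-tracking
    # tuple (addresses, ports, protocol), never by its source port alone.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m state --state INVALID -j DROP"
    # Case b) DNS server: new queries on 53/udp only from the LAN side ...
    echo "iptables -A INPUT -i eth1 -s $LAN_NET -p udp --dport 53 -m state --state NEW -j ACCEPT"
    # ... and 53/tcp (zone transfers) only from the listed secondaries.
    for _sec in $SECONDARIES; do
        echo "iptables -A INPUT -i eth0 -s $_sec -p tcp --syn --dport 53 -m state --state NEW -j ACCEPT"
    done
    # Rules for other services you offer (ssh, smtp, http ...) belong here,
    # each as a --state NEW rule on its own destination port.
    # Everything else gets an explicit reject, keeping Lokkit's habit of
    # answering with port-unreachable; the DROP policy is the backstop.
    echo "iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable"
    echo "iptables -P INPUT DROP"
}

# count_sport53_rules: sanity check that no generated rule trusts a
# source port; prints the number of offending lines (0 is what we want).
count_sport53_rules() {
    emit_dns_rules | grep -c -- '--sport 53' || true
}

# Stand-alone run prints the rules; apply with:  emit_dns_rules | sh
emit_dns_rules
```

The `-m state` match is the one Tim names and still works on current iptables, where `-m conntrack --ctstate` is the preferred spelling. Note that nothing here opens 53/udp on eth0: with forwarders configured as Felix describes, the provider's answers arrive as ESTABLISHED replies to the resolver's own queries, so the per-address --sport 53 rules from the Lokkit chain become unnecessary.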