Gentoo Forums
DNS Ports to Allow?
Forum: Networking & Security
Kenji Miyamoto
Veteran


Joined: 28 May 2005
Posts: 1452
Location: Looking over your shoulder.

Posted: Sat Jan 13, 2007 7:46 am    Post subject: DNS Ports to Allow?

I'm setting up a firewall on a laptop; which ports should I open for DNS? I've tried both TCP and UDP port 53 for input and output, but that doesn't cut it.

These are all of the rules I've tried specifically for DNS:
Code:
-A OUTPUT -o eth0 -p tcp -m state --state NEW --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW --sport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --sport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW --sport 53 -j ACCEPT



-A OUTPUT -o eth0 -p tcp -m state --state NEW --dport 1024:65535 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW --sport 1024:65535 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW --dport 1024:65535 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW --sport 1024:65535 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 1024:65535 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --sport 1024:65535 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW --dport 1024:65535 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW --sport 1024:65535 -j ACCEPT

_________________
[ Kawa-kun, new and improved!! ]

Alex Libman seems to be more of an anarchist than a libertarian.
bunder
Bodhisattva


Joined: 10 Apr 2004
Posts: 5947

Posted: Sat Jan 13, 2007 10:30 am

UDP isn't necessary, but here's what you want.

any address, any source port, source interface external

TO

dns server ip, destination port 53

so....

iptables -A INPUT -i eth0 -p tcp -m state --state NEW --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m state --state NEW --dport 53 -j ACCEPT

cheers
_________________
Neddyseagoon wrote:
The problem with leaving is that you can only do it once and it reduces your influence.

banned from #gentoo since sept 2017
Kenji Miyamoto
Veteran


Joined: 28 May 2005
Posts: 1452
Location: Looking over your shoulder.

Posted: Sat Jan 13, 2007 8:13 pm

That's what I thought, but it doesn't work:
Code:
$ grep -i " 53 " /etc/iptables.bak
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW --dport 53 -j ACCEPT
Code:
# nslookup bob.neilnet
;; connection timed out; no servers could be reached
Wouldn't I have to open some outgoing ports, too?

In fact, I can't even get an HTTP connection on port 80:
Code:
# wget http://192.168.0.1
--12:15:00--  http://192.168.0.1/
           => `index.html'
Connecting to 192.168.0.1:80...
Code:
*raw
:PREROUTING ACCEPT [836:729609]
:OUTPUT ACCEPT [855:75020]
COMMIT
*mangle
:PREROUTING ACCEPT [836:729609]
:INPUT ACCEPT [834:728953]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [855:75020]
:POSTROUTING ACCEPT [855:75020]
COMMIT
*filter
:INPUT ACCEPT [834:728953]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [855:75020]
-A OUTPUT -o eth0 -p tcp -m state --state NEW --sport 515 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW --sport 631 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 515 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 631 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW --sport 5132 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW --sport 8001 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW --sport 5921 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW --sport 80 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW --sport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 5132 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 8001 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 5921 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 443 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW --sport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -j DROP
-A INPUT -i eth0 -j DROP
COMMIT

_________________
[ Kawa-kun, new and improved!! ]

Alex Libman seems to be more of an anarchist than a libertarian.
erik258
Advocate


Joined: 12 Apr 2005
Posts: 2650
Location: Twin Cities, Minnesota, USA

Posted: Sun Jan 14, 2007 4:28 pm

Kenji Miyamoto wrote:
it doesn't work:
Code:
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW --dport 53 -j ACCEPT
Wouldn't I have to open some outgoing ports, too?


Usually the server uses a given port, one associated with the requested service (53 in the case of DNS) and then the client uses a random port. The client doesn't necessarily use the same port as the server -- in fact, the client will almost certainly use a port well above 1024, outside the range of 'privileged ports'. You have this rule in your INPUT chain, however, so it's only applied to packets coming in to your computer on port 53. You want packets going out from your computer to port 53 on the server.

At this point I'd like to ask you a question: why on earth would you want to block any outgoing ports on your own laptop? Usually a firewall on a PC blocks incoming ports -- you know, the ones that go into your computer -- not the ones coming out of your computer. Are you sure you know what you're doing here?

Blocking source ports denies people behind your firewall access to the services on those ports. That is a good idea in some cases (schools probably don't need bittorrent ports open, for example) but a bad idea for your laptop, if you intend to use those ports.

What you probably want is to block destination ports on your box, only accepting traffic over already established connections and on any ports you're actually running a server on.

Kenji Miyamoto wrote:
Code:

-A OUTPUT -o eth0 -p tcp -m state --state NEW --dport 1024:65535 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW --sport 1024:65535 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW --dport 1024:65535 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW --sport 1024:65535 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 1024:65535 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --sport 1024:65535 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW --dport 1024:65535 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW --sport 1024:65535 -j ACCEPT


IMHO, this is a poor security setup here. I assume you closed off all ports below 1024 by default, which makes sense. However, you open all ports to new traffic above 1024. Why would you want to do a thing like that? Of course, this isn't a big security problem, probably not a problem at all really, because nothing's gonna be running on the laptop, listening to those ports, so it still doesn't necessarily expose vulnerabilities. But, if you used a stateful firewall, you could block all traffic that wasn't related to an existing connection, initiated by you, or coming in on a port you specifically opened.
Kenji Miyamoto wrote:

Code:
*raw
:PREROUTING ACCEPT [836:729609]
:OUTPUT ACCEPT [855:75020]
COMMIT
*mangle
:PREROUTING ACCEPT [836:729609]
:INPUT ACCEPT [834:728953]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [855:75020]
:POSTROUTING ACCEPT [855:75020]
COMMIT
*filter
:INPUT ACCEPT [834:728953]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [855:75020]
-A OUTPUT -o eth0 -p tcp -m state --state NEW --sport 515 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW --sport 631 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 515 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 631 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW --sport 5132 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW --sport 8001 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW --sport 5921 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW --sport 80 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW --sport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 5132 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 8001 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 5921 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 443 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW --sport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -j DROP
-A INPUT -i eth0 -j DROP
COMMIT


This is a little messy. Maybe you should start simple.
_________________
Configuring a Firewall? Try my iptables configuration
LinuxCommando.com is my blog for linux-related scraps and tidbits. Stop by for a visit!
Neon Dude
n00b


Joined: 13 Jun 2004
Posts: 15
Location: London

Posted: Mon Jan 15, 2007 12:45 pm

bunder wrote:
UDP isn't necessary, but here's what you want.


Actually it is; DNS queries are made over UDP. TCP/53 is used for zone transfers between servers.
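Putting erik258's explanation (a client query leaves from an ephemeral port towards port 53 on the resolver, so the firewall should match on connection state) and Neon Dude's point (queries travel over UDP) into a ruleset, as an added example that is not code from any poster in this thread. The interface name and resolver address are assumptions; the lint function flags the two rule shapes from the posted config that can never match client DNS traffic.

```shell
#!/bin/sh
# Added example (not code from any post in this thread). Generates a minimal
# stateful ruleset for a laptop that only *sends* DNS queries. Interface name
# and resolver address are assumptions; nothing here applies the rules.
# Usage: gen_client_rules wlan0 10.0.0.53 | iptables-restore
gen_client_rules() {
    iface="${1:-eth0}"              # assumed external interface
    resolver="${2:-192.168.0.1}"    # assumed resolver (constructed sample address)
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# The answer returns to the client's ephemeral source port, which is not
# predictable, so accept it by connection state rather than by port number.
-A INPUT -i ${iface} -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o ${iface} -m state --state ESTABLISHED,RELATED -j ACCEPT
# A query is a NEW connection leaving the laptop for port 53 on the resolver:
# UDP for normal queries, TCP for answers too large to fit in a UDP reply.
-A OUTPUT -o ${iface} -p udp -d ${resolver} --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o ${iface} -p tcp -d ${resolver} --dport 53 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Lint: print rules of the two shapes from the thread that cannot match client
# DNS traffic. "OUTPUT ... --sport 53": the laptop never sends from port 53.
# "INPUT ... NEW ... --dport 53": opens a listener the laptop is not running.
lint_dns_rules() {
    grep -E -e '-A OUTPUT .*--sport 53( |$)' \
            -e '-A INPUT .*--state NEW .*--dport 53( |$)'
}

# Constructed sample in the shape of the rules posted in the thread.
SAMPLE_RULES='-A OUTPUT -o eth0 -p tcp -m state --state NEW --sport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW --dport 53 -j ACCEPT'

# Number of misdirected rules in the ruleset text given as the first argument.
count_misdirected() {
    printf '%s\n' "$1" | lint_dns_rules | wc -l | tr -d ' '
}
```

Only the last sample line (NEW traffic out to dport 53) is the one a DNS client actually needs; the generated ruleset additionally pins it to the resolver's address.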