Thread: Server resolution in iptables script?

  1. #1
    Senior Member problemchild's Avatar
    Join Date
    Jul 2002
    Posts
    551

    Server resolution in iptables script?

    A while back, I implemented egress filtering at my gateway box to tighten things up a bit. I only allowed outbound traffic on specific ports (e.g., 80, 443, 110, 25, etc.). Now I want to take it a step further and restrict traffic on ports 25 and 119 to my ISP's mail and news servers only. The problem is that when I try to define the servers in my script, the names won't resolve and the script chokes. Of course, I could just put in the IP addresses and be done with it, but my ISP switches around its servers from time to time, and I don't want to be futzing around with my iptables script every time they change a server. I want it to do a DNS lookup and resolve the name.

    This is how I'm doing it so far (relevant portions of the script only):
    Code:
    # Define servers
    MAILSERVER="my.mail.server"
    NEWSSERVER="my.news.server"
    
    # Permit Outbound SMTP
    $IPT -A tcp_outbound -p TCP -s $LOCAL_IFACE\
     -d $MAILSERVER --destination-port 25 -j ACCEPT
    # Permit Outbound NNTP
    $IPT -A tcp_outbound -p TCP -s $LOCAL_IFACE\
     -d $NEWSSERVER --destination-port 119 -j ACCEPT
    When I start the script, I get:

    iptables v1.2.7a: host/network 'my.mail.server' not found
    Try 'iptables -h' or 'iptables --help' for more information
    iptables v1.2.7a: host/network 'my.news.server' not found
    Try 'iptables -h' or 'iptables --help' for more information

    Any ideas on how I can get a DNS lookup for these servers in my script?
    Do what you want with the girl, but leave me alone!

  2. #2
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    Stupid question, but... (no, not yours, mine.)

    Do you have any nameservers specified in /etc/resolv.conf ?
    If so, there is some script here which will import them into your iptables script.
    http://homex.subnet.at/~max/comp-07_iptables.shtml

    You could also just add them statically like below.
    Of course, then you need to allow them outbound as well.

    Have you set up rules in your script allowing dns resolution out to those name servers?

    To use your script,

    # Define servers
    NAMESERVER="insert.ip.here"
    MAILSERVER="my.mail.server"
    NEWSSERVER="my.news.server"

    # Permit Outbound DNS
    $IPT -A udp_outbound -p UDP -s $LOCAL_IFACE\
    -d $NAMESERVER --destination-port 53 -j ACCEPT
    # Permit Outbound SMTP
    $IPT -A tcp_outbound -p TCP -s $LOCAL_IFACE\
    -d $MAILSERVER --destination-port 25 -j ACCEPT
    # Permit Outbound NNTP
    $IPT -A tcp_outbound -p TCP -s $LOCAL_IFACE\
    -d $NEWSSERVER --destination-port 119 -j ACCEPT

    I suppose that may work, been a while since I used iptables, a bit rusty on it.

  3. #3
    Senior Member
    Join Date
    Aug 2002
    Posts
    508
    Originally posted here by IchNiSan

    To use your script,

    # Define servers
    NAMESERVER="insert.ip.here"
    MAILSERVER="my.mail.server"
    NEWSSERVER="my.news.server"

    # Permit Outbound DNS
    $IPT -A udp_outbound -p UDP -s $LOCAL_IFACE\
    -d $NAMESERVER --destination-port 53 -j ACCEPT
    # Permit Outbound SMTP
    $IPT -A tcp_outbound -p TCP -s $LOCAL_IFACE\
    -d $MAILSERVER --destination-port 25 -j ACCEPT
    # Permit Outbound NNTP
    $IPT -A tcp_outbound -p TCP -s $LOCAL_IFACE\
    -d $NEWSSERVER --destination-port 119 -j ACCEPT

    I think IchNiSan got it right, and how about adding TCP for DNS too:
    Code:
    # Define servers
    NAMESERVER="insert.ip.here"
    MAILSERVER="my.mail.server"
    NEWSSERVER="my.news.server"
    
    # Permit Outbound DNS
    $IPT -A tcp_outbound -p TCP -s $LOCAL_IFACE\
     -d $NAMESERVER --destination-port 53 -j ACCEPT
    $IPT -A udp_outbound -p UDP -s $LOCAL_IFACE\
     -d $NAMESERVER --destination-port 53 -j ACCEPT
    # Permit Outbound SMTP
    $IPT -A tcp_outbound -p TCP -s $LOCAL_IFACE\
     -d $MAILSERVER --destination-port 25 -j ACCEPT
    # Permit Outbound NNTP
    $IPT -A tcp_outbound -p TCP -s $LOCAL_IFACE\
     -d $NEWSSERVER --destination-port 119 -j ACCEPT
    Hope that script works

    Annya

  4. #4
    Senior Member problemchild's Avatar
    Join Date
    Jul 2002
    Posts
    551
    Well, I'm only blocking forwarded TCP packets from the LAN at this point. All forwarded UDP packets are allowed to pass through, and all outbound traffic (TCP or UDP) that originates from the gateway itself is allowed. The lookup for the script would fall into the latter, would it not? DNS resolution is working fine on the gateway.... it's just not working in my script.

    Nevertheless, I tried adding an explicit rule for outbound DNS, but it didn't change the result. I had a quick peek at the script IchNiSan linked to, and I think I may be able to work with that. I will have to spend some time dissecting what it does. In the meantime, the issue remains unresolved. No pun intended.
    Do what you want with the girl, but leave me alone!
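The approach below is an added example, not code from any poster in this thread. iptables does resolve a hostname itself when a rule is added, so the "host/network ... not found" error from the first post is a resolution failure at rule-load time, not a syntax problem. Resolving the names explicitly in the script, before iptables sees them, gives you control over what happens when a lookup fails: the script aborts instead of loading a half-built policy. It assumes glibc's getent(1) is available and reuses the thread's `$IPT`, `$LOCAL_IFACE` and `tcp_outbound` naming; the 192.168.1.0/24 default and the 192.0.2.x address used in testing are constructed values.

```shell
#!/bin/sh
# Added example (not from the thread): resolve each allowed destination to its
# IPv4 addresses before handing them to iptables, and fail closed if a name
# does not resolve. Assumes getent(1) from glibc; variable and chain names
# follow the thread.

IPT="${IPT:-echo iptables}"                   # dry run by default; IPT=iptables to load rules
LOCAL_IFACE="${LOCAL_IFACE:-192.168.1.0/24}"  # constructed example LAN range

# resolve_v4 NAME: print each distinct IPv4 address for NAME, one per line.
# Prints nothing and returns 1 when NAME does not resolve or the output is not
# a dotted quad, so callers can refuse to build rules.
resolve_v4() {
    # getent ahostsv4 prints one line per socket type (STREAM/DGRAM/RAW) for the
    # same address; keep the first field and deduplicate.
    addrs=$(getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u)
    [ -n "$addrs" ] || return 1
    for a in $addrs; do
        case $a in
            *[!0-9.]*) return 1 ;;   # anything but digits and dots: refuse it
        esac
    done
    printf '%s\n' $addrs
}

# allow_out NAME PORT: emit one ACCEPT rule per resolved address of NAME for
# destination PORT. Emits nothing and returns 1 if NAME cannot be resolved.
allow_out() {
    name=$1 port=$2
    addrs=$(resolve_v4 "$name") || {
        echo "refusing to build rules: cannot resolve $name" >&2
        return 1
    }
    for a in $addrs; do
        $IPT -A tcp_outbound -p TCP -s "$LOCAL_IFACE" \
            -d "$a" --destination-port "$port" -j ACCEPT
    done
}

main() {
    set -e   # the first failed resolution aborts the whole policy build
    allow_out my.mail.server 25    # placeholder names from the thread
    allow_out my.news.server 119
}

# Run with `sh egress.sh apply` (and IPT=iptables in the environment) to load
# the rules; without the argument the functions are only defined.
if [ "${1:-}" = apply ]; then
    main
fi
```

Two caveats follow from doing it this way. iptables matches on the addresses that were current when the rules were loaded, so a server move at the ISP still requires re-running the script (from cron, or from whatever brings the interface up, after the resolver is reachable). And an allow-list built from names is only as trustworthy as the DNS answers the gateway receives, which is one more reason to make the gateway query only the resolvers you intend and to abort rather than guess when a lookup fails.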