-
April 22nd, 2003, 01:58 AM
#1
Server resolution in iptables script?
A while back, I implemented egress filtering at my gateway box to tighten things up a bit. I only allowed outbound traffic on specific ports (e.g., 80, 443, 110, 25, etc...) Now I want to take it a step further and restrict traffic on ports 25 and 119 to my ISP's mail and news servers only. The problem is that when I try to define the servers in my script, the names won't resolve and the script chokes. Of course, I could just put the IP addresses and be done with it, but my ISP switches around its servers from time to time, and I don't want to be futzing around with my iptables script every time they change a server. I want it to do a DNS lookup and resolve the name.
This is how I'm doing it so far (relevant portions of the script only):
Code:
# Define servers
MAILSERVER="my.mail.server"
NEWSSERVER="my.news.server"
# Permit Outbound SMTP
$IPT -A tcp_outbound -p TCP -s $LOCAL_IFACE\
-d $MAILSERVER --destination-port 25 -j ACCEPT
# Permit Outbound NNTP
$IPT -A tcp_outbound -p TCP -s $LOCAL_IFACE\
-d $NEWSSERVER --destination-port 119 -j ACCEPT
When I start the script, I get:
iptables v1.2.7a: host/network 'my.mail.server' not found
Try 'iptables -h' or 'iptables --help for more information
iptables v1.2.7a: host/network 'my.news.server' not found
Try 'iptables -h' or 'iptables --help for more information
Any ideas on how I can get a DNS lookup for these servers in my script?
Do what you want with the girl, but leave me alone!
-
April 22nd, 2003, 02:10 AM
#2
Stupid question, but... (no, not yours, mine.)
Do you have any nameservers specified in /etc/resolv.conf ?
If so, there is some script here which will import them into your iptables script.
http://homex.subnet.at/~max/comp-07_iptables.shtml
You could also just add them statically like below.
Of course, then you need to allow them outbound as well.
Have you set up rules in your script allowing dns resolution out to those name servers?
To use your script,
# Define servers
NAMESERVER="insert.ip.here"
MAILSERVER="my.mail.server"
NEWSSERVER="my.news.server"
# Permit Outbound DNS
$IPT -A udp_outbound -p UDP -s $LOCAL_IFACE\
-d $NAMESERVER --destination-port 53 -j ACCEPT
# Permit Outbound SMTP
$IPT -A tcp_outbound -p TCP -s $LOCAL_IFACE\
-d $MAILSERVER --destination-port 25 -j ACCEPT
# Permit Outbound NNTP
$IPT -A tcp_outbound -p TCP -s $LOCAL_IFACE\
-d $NEWSSERVER --destination-port 119 -j ACCEPT
I suppose that may work, been a while since I used iptables, a bit rusty on it.
-
April 22nd, 2003, 12:35 PM
#3
Originally posted here by IchNiSan
To use your script,
# Define servers
NAMESERVER="insert.ip.here"
MAILSERVER="my.mail.server"
NEWSSERVER="my.news.server"
# Permit Outbound DNS
$IPT -A udp_outbound -p UDP -s $LOCAL_IFACE\
-d $NAMESERVER --destination-port 53 -j ACCEPT
# Permit Outbound SMTP
$IPT -A tcp_outbound -p TCP -s $LOCAL_IFACE\
-d $MAILSERVER --destination-port 25 -j ACCEPT
# Permit Outbound NNTP
$IPT -A tcp_outbound -p TCP -s $LOCAL_IFACE\
-d $NEWSSERVER --destination-port 119 -j ACCEPT
I think IchNiSan got it right, and how about adding TCP too for DNS:
Code:
# Define servers
NAMESERVER="insert.ip.here"
MAILSERVER="my.mail.server"
NEWSSERVER="my.news.server"
# Permit Outbound DNS
$IPT -A tcp_outbound -p TCP -s $LOCAL_IFACE\
-d $NAMESERVER --destination-port 53 -j ACCEPT
$IPT -A udp_outbound -p UDP -s $LOCAL_IFACE\
-d $NAMESERVER --destination-port 53 -j ACCEPT
# Permit Outbound SMTP
$IPT -A tcp_outbound -p TCP -s $LOCAL_IFACE\
-d $MAILSERVER --destination-port 25 -j ACCEPT
# Permit Outbound NNTP
$IPT -A tcp_outbound -p TCP -s $LOCAL_IFACE\
-d $NEWSSERVER --destination-port 119 -j ACCEPT
Hope that script works
Annya
-
April 22nd, 2003, 03:25 PM
#4
Well, I'm only blocking forwarded TCP packets from the LAN at this point. All forwarded UDP packets are allowed to pass through, and all outbound traffic (TCP or UDP) that originates from the gateway itself is allowed. The lookup for the script would fall into the latter, would it not? DNS resolution is working fine on the gateway.... it's just not working in my script.
Nevertheless, I tried adding an explicit rule for outbound DNS, but it didn't change the result. I had a quick peek at the script IchNiSan linked to, and I think I may be able to work with that. I will have to spend some time dissecting what it does. In the meantime, the issue remains unresolved. No pun intended.
Do what you want with the girl, but leave me alone!
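An added example, not code from any poster in this thread, of what the first post asks for: doing the DNS lookup in the shell and handing iptables addresses rather than names. It keeps the variable names from the original script (IPT, LOCAL_IFACE, the tcp_outbound chain); everything else is assumed. The lookup sits behind a LOOKUP variable (getent ahostsv4 by default, which reads /etc/hosts and the nameservers in /etc/resolv.conf) so it can be swapped or stubbed, IPT defaults to echo so the script prints its rules until IPT=/sbin/iptables is set, and the 192.0.2.x addresses are constructed TEST-NET placeholders. Two points a practitioner would want on the record: iptables stores addresses, not names, so however the lookup happens a rule like this is a snapshot of what DNS answered at load time, and the script has to be re-run when the ISP moves a server; and resolving first lets the script refuse to load a rule it cannot pin to an address, naming the host in the error, instead of iptables aborting part-way through and leaving a half-loaded ruleset.

```shell
#!/bin/sh
# Added example, not code from the thread: resolve server names in the shell,
# then emit one iptables rule per address.  Variable names (IPT, LOCAL_IFACE,
# tcp_outbound) follow the original post; everything else is assumed.
set -eu

IPT="${IPT:-echo iptables}"                   # dry run by default: print rules instead of loading them
LOCAL_IFACE="${LOCAL_IFACE:-192.168.0.0/24}"  # constructed LAN placeholder
LOOKUP="${LOOKUP:-getent ahostsv4}"           # resolver command; getent uses /etc/hosts and /etc/resolv.conf

# resolve_host NAME: print one IPv4 address per line, or return 1 if NAME
# cannot be pinned to an address.  Dotted quads pass straight through.
resolve_host() {
    name="$1"
    if printf '%s\n' "$name" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        printf '%s\n' "$name"      # shape check only; already an address
        return 0
    fi
    # getent ahostsv4 prints "ADDR TYPE NAME" once per socket type; keep the
    # distinct addresses.  A name with several A records yields several lines.
    addrs=$($LOOKUP "$name" 2>/dev/null | awk '{print $1}' | sort -u)
    [ -n "$addrs" ] || return 1
    printf '%s\n' "$addrs"
}

# allow_tcp_to NAME PORT: append an ACCEPT rule to tcp_outbound for every
# address NAME resolves to.  If it resolves to nothing, say so and fail
# instead of letting iptables abort with "host/network not found".
allow_tcp_to() {
    name="$1"; port="$2"
    if ! addrs=$(resolve_host "$name"); then
        echo "egress: cannot resolve '$name'; port $port stays closed" >&2
        return 1
    fi
    for addr in $addrs; do
        $IPT -A tcp_outbound -p TCP -s "$LOCAL_IFACE" \
            -d "$addr" --destination-port "$port" -j ACCEPT
    done
}

# Define servers (constructed TEST-NET placeholders; set these to the ISP's names)
MAILSERVER="${MAILSERVER:-192.0.2.25}"
NEWSSERVER="${NEWSSERVER:-192.0.2.119}"

# Permit outbound SMTP and NNTP to those hosts only
allow_tcp_to "$MAILSERVER" 25
allow_tcp_to "$NEWSSERVER" 119
```

Run it as `IPT=/sbin/iptables MAILSERVER=my.mail.server NEWSSERVER=my.news.server sh egress.sh` once the dry-run output looks right. Because the lookup is done by the script, it is subject to the same rules as any other traffic the gateway originates: if the names still fail to resolve when the script runs, check that the lookup happens before any default DROP policy is set, and that the resolver is reachable at that point (a script run at boot may execute before the link is up).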