Score:0

Iptables allow DNS resolution

I made this script for iptables without state. I need to block any output connection except SSH, DNS, ICMP and the Ubuntu repositories.

#! /bin/bash
#Script objective:
#Drop packets except SSH and DNS
#STATELESS HOST FIREWALL, server
#Cleanup Rules
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP
#allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#DNS resolution input and output
iptables -A INPUT -p udp --dport 53 -d 8.8.8.8,8.8.4.4 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -s 8.8.8.8,8.8.4.4 -j ACCEPT
#updates from the Ubuntu repositories
iptables -A INPUT -p tcp -d archive.ubuntu.com,security.ubuntu.com -m multiport --dports 80,443 -j ACCEPT
iptables -A OUTPUT -p tcp -s archive.ubuntu.com,security.ubuntu.com -m multiport --sports 80,443 -j ACCEPT
#allow ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

#allow ICMP
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

The result is this:

iptables v1.8.7 (nf_tables): host/network `archive.ubuntu.com' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (nf_tables): host/network `archive.ubuntu.com' not found
Try `iptables -h' or 'iptables --help' for more information.
vidarlo
You should probably not attempt to whitelist mirrors in this way. IPs are prone to change, and they may have a large number of mirrors.
Patrick Mevzek
DNS uses UDP **AND** TCP.
Score:0

At first glance, you're only allowing DNS responses to be received and don't create any DNS-related rules in the OUTPUT chain to actually allow sending DNS queries out.

Your current rules:

#DNS resolution input and output
iptables -A INPUT -p udp --dport 53 -d 8.8.8.8,8.8.4.4 -j ACCEPT
            ^^^^^
iptables -A INPUT -p udp --sport 53 -s 8.8.8.8,8.8.4.4 -j ACCEPT
            ^^^^^

Additionally, DNS can also use TCP for transport.

Sergio Sánchez
It works! Thank you!
Score:0

The issue seems to be with DNS resolution.

iptables -A INPUT -p udp --dport 53 -d 8.8.8.8,8.8.4.4 -j ACCEPT

It allows the hosts 8.8.8.8 and 8.8.4.4 to reach your server on destination port 53, if you have any DNS service running on your station/server.

iptables -A INPUT -p udp --sport 53 -s 8.8.8.8,8.8.4.4 -j ACCEPT

And the above rule says: allow the hosts 8.8.8.8 or 8.8.4.4 to access your station/server if their source port is 53.

I would go for a general rule like the one below, to allow all DNS queries from your station to any DNS server. It's also recommended to open TCP as well, since TCP must be used to exchange information larger than 512 bytes.

iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
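Putting both answers together, here is an added example (not the asker's script and not from either answer) of a stateless rule set that sends DNS queries out and accepts the replies in, over UDP and TCP, and loads those DNS rules before any rule that names a mirror, since iptables resolves hostnames when the rule is loaded. It assumes the resolvers 8.8.8.8/8.8.4.4 from the question and that SSH clients use unprivileged source ports; the dry-run `IPT` default and the `apply` argument are my own conventions.

```shell
#!/bin/sh
# Added example, not the asker's script: a stateless rule set that fixes the
# DNS direction problem from the thread. Without connection tracking a query
# going OUT needs its reply allowed IN, for both UDP and TCP, and hostname
# rules must come after the DNS rules, because iptables resolves names when
# the rule is loaded. IPT defaults to a dry run that prints the commands;
# run "IPT=iptables sh firewall.sh apply" as root to load them for real.
IPT="${IPT:-echo iptables}"

# Query out / reply in for one resolver address, UDP and TCP.
dns_rules() {
    resolver="$1"
    for proto in udp tcp; do
        $IPT -A OUTPUT -p "$proto" -d "$resolver" --dport 53 -j ACCEPT
        $IPT -A INPUT  -p "$proto" -s "$resolver" --sport 53 -j ACCEPT
    done
}

# Inbound SSH server; clients are assumed to use unprivileged source ports.
ssh_rules() {
    $IPT -A INPUT  -p tcp --dport 22 --sport 1024:65535 -j ACCEPT
    $IPT -A OUTPUT -p tcp --sport 22 --dport 1024:65535 -j ACCEPT
}

# Mirrors: resolve each name once with getent and add one rule per address.
# Caveat from the thread: mirror addresses change, so reload this regularly.
repo_rules() {
    for ip in $(getent ahostsv4 "$1" | awk '{print $1}' | sort -u); do
        $IPT -A OUTPUT -p tcp -d "$ip" -m multiport --dports 80,443 -j ACCEPT
        $IPT -A INPUT  -p tcp -s "$ip" -m multiport --sports 80,443 -j ACCEPT
    done
}

apply_policy() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Resolvers from the question; DNS rules go in before any hostname is used.
    for r in 8.8.8.8 8.8.4.4; do dns_rules "$r"; done
    ssh_rules
    $IPT -A INPUT -p icmp -j ACCEPT
    $IPT -A OUTPUT -p icmp -j ACCEPT
    for h in archive.ubuntu.com security.ubuntu.com; do repo_rules "$h"; done
}

if [ "${1:-}" = apply ]; then apply_policy; fi
```

Run it without `apply` (or with the default `IPT`) to review the generated rules before loading them on a host you reach over SSH.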