dns linux router problem 1


Grub3r (Technical User), Aug 17, 2006
Hello,

I have an issue with DNS lookup through a Linux box router.

There are 2 networks and I can ping IPs but not names from the LAN.

When I flush the iptables and apply the routing entries I can ping by DNS name too.

So it must be iptables that does not allow DNS traffic to pass through the router.

Here is the original iptables, out of the box Fedora Core 5:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


and here are the routing entries I apply to route the traffic:

iptables -t nat -A POSTROUTING -o [wan interface] -j MASQUERADE
iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -d 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -s ! 10.0.0.0/24 -j DROP


Could somebody point out what I am doing wrong?
I do not want to live with flushed iptables, and I would really like to route only the right traffic.

thanks in advance.
regards
Dan
 
You need another line in your config to allow BIND-type name resolution.

Code:
-A RH-Firewall-1-INPUT -p udp --dport 53 -j ACCEPT

The line,
Code:
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
allows for name resolution via multicast, not the traditional BIND style.

Have Fun!
 
Hello again and thank you,

It helped, but I could either apply the rule by inserting it into the chain or by removing the non-traditional rule from the chain and then appending the new one.


Thanks again.

regards Dan
 
If you're security conscious, replace the non-standard rule in favour of the one that works.

Have Fun!
 
I think there is a possibility to apply the new rule by only inserting it in the chain. The new rule gets higher priority than the non-standard one, but both are active anyway.

There should be no harm having the non-standard one floating around in case it becomes usable in the future (it's the rule applied by FC anyway).


thanks mate.
 
Hello again,

It is not working yet; now I can do DNS lookups and ping, but I can't surf the Internet. The page would not display in the browser. Something is blocking it!

If I delete the following line:

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

then I can surf the net. What does it mean?


thanks in advance.
-dan
 
By removing the line you are effectively allowing all undefined traffic (traffic not in the ruleset) out to the Internet. A big NO NO from a security standpoint.

Keep the line in and add this to allow web browsing (HTTP and HTTPS):
Code:
-A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 443 -j ACCEPT

Also, you don't need these lines. They could allow some mischief on the M$ RPC service.
Code:
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT

Find out what ports you really need and allow only those to traverse your firewall.

 
Thank you again,

My router box is asleep right now, and so am I; I will surely try the given instructions tomorrow.

Strange indeed, I've never had this issue on old FC4.

We are now talking about machines on the LAN that want to surf the web. The router box itself is allowed to use all these ports. Why isn't it blocking that traffic, but blocks the traffic from the LAN? Isn't it the same firewall? Aren't these the same rules?

If it's an issue of network cards, shouldn't we then specify the interface on which the LAN is located when adding a new rule? If not, do we apply to both interfaces?

Doesn't traffic go towards the WAN and meet the LAN interface firewall, so it passes through it, through the router itself, and passes (with no disturbance) the WAN interface firewall on the way out....

Hope I'm not annoying you much...


-Dan
 

Code:
-A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 443 -j ACCEPT

This helped. I also specified the interface it should be opened on instead of opening it on both.


thanks.
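Why the router can browse while LAN hosts cannot, and why Dan's appended FORWARD rules never helped, follows from the ruleset posted at the top of the thread: the router's own connections leave through OUTPUT (policy ACCEPT) and their replies enter INPUT where the ESTABLISHED,RELATED rule accepts them, whereas LAN traffic traverses FORWARD, which jumps into the same RH-Firewall-1-INPUT chain and is rejected by its last rule. Since that jump is unconditional and the chain always ends in a verdict, anything appended to FORWARD after it is dead code. The script below is an added example, not code from the thread or from Fedora: `shadowed_rules` reads an iptables-save dump and reports rules that can never match (one level of jump is followed; RETURN-based chains are not modelled), and `gen_rules` prints a replacement ruleset that keeps the Fedora chain for traffic addressed to the router itself and gives forwarded LAN traffic its own chain, restricted by inbound and outbound interface and by state, opening only DNS, HTTP, HTTPS and ping. The sample ruleset is a constructed, abridged copy of the thread's, and eth1/eth0/10.0.0.0/24 are assumed interface and network names.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: eth1 = LAN, eth0 = WAN,
# 10.0.0.0/24 = LAN network. Run as: sh fw.sh eth1 eth0 10.0.0.0/24 | iptables-restore

# Constructed sample: the thread's FC5 ruleset (abridged), as iptables-save would
# show it after "iptables -A FORWARD ..." appended Dan's three rules to FORWARD.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A FORWARD -s 10.0.0.0/24 -j ACCEPT
-A FORWARD -d 10.0.0.0/24 -j ACCEPT
-A FORWARD -s ! 10.0.0.0/24 -j DROP
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Read iptables-save output on stdin; print every rule that sits after a rule in
# the same chain that ends processing for all packets: an unconditional
# ACCEPT/DROP/REJECT, or an unconditional jump to a chain whose last rule is one.
shadowed_rules() {
    awk '
    /^\*/ { tbl = substr($0, 2) }                 # table header line, e.g. *filter
    $1 == "-A" {
        n++; line[n] = $0; tab[n] = tbl; chain[n] = tbl "/" $2
        uncond[n] = ($3 == "-j")                   # no match options before -j
        target[n] = $4
        # overwritten per rule, so after reading it describes the chain LAST rule
        terminal[chain[n]] = (uncond[n] && (target[n] == "DROP" || target[n] == "REJECT" || target[n] == "ACCEPT"))
    }
    END {
        for (i = 1; i <= n; i++) {
            if (dead[chain[i]]) { print "unreachable: " line[i]; continue }
            t = target[i]
            if (uncond[i] && (t == "DROP" || t == "REJECT" || t == "ACCEPT" || terminal[tab[i] "/" t]))
                dead[chain[i]] = 1                 # later rules in this chain never match
        }
    }'
}

# Emit a replacement ruleset in iptables-restore format: LAN interface, WAN
# interface, LAN network. INPUT keeps the Fedora chain (ssh from the LAN only, no
# NetBIOS/SMB); FORWARD gets its own chain with a default of reject.
gen_rules() {
    lan=$1 wan=$2 lannet=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $wan -s $lannet -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:LAN-FORWARD - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j LAN-FORWARD
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -i $lan -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A LAN-FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A LAN-FORWARD -i $lan -o $wan -s $lannet -p udp --dport 53 -j ACCEPT
-A LAN-FORWARD -i $lan -o $wan -s $lannet -p tcp --dport 53 -j ACCEPT
-A LAN-FORWARD -i $lan -o $wan -s $lannet -p tcp --dport 80 -j ACCEPT
-A LAN-FORWARD -i $lan -o $wan -s $lannet -p tcp --dport 443 -j ACCEPT
-A LAN-FORWARD -i $lan -o $wan -s $lannet -p icmp -j ACCEPT
-A LAN-FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

if [ $# -eq 3 ]; then gen_rules "$@"; fi
```

Running `sample_ruleset | shadowed_rules` lists the three appended FORWARD rules as unreachable, while the generated ruleset has none. Keeping forwarded traffic in its own chain is what makes the "which interface" question answerable: a LAN host's request has to arrive on the LAN interface and leave on the WAN interface with a LAN source address, and the reply is admitted only as an ESTABLISHED packet, so nothing from the WAN side can open a connection inward.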
 