I had a similar situation and resolved it by having ipchains log all denied packets (DENY being the last rule of the chain), and located my problem.  Port 53 is correct.  But you must allow both UDP and TCP packets.  UDP is the primary protocol, TCP is used if the packet is over a certain size.  Obviously the -y option to ipchains does not work for UDP, so you just specify the rule the same way without the -y parameter.

For running a DNS server on the inside in your DMZ, you must enable incoming packets to your server on port 53 (tcp and udp), source being 0/0 and any port.  For replies to the client, you must reverse the source and destination options (source of your dns server on port 53), both tcp and udp.

(Assuming you keep your rules in the same chain)
ipchains -I (chain) -b -y -p tcp -j ACCEPT -s 0/0 -d (your server ip) 53
ipchains -I (chain) -b -p udp -j ACCEPT -s 0/0 -d (your server ip) 53

If you do not keep them in the same chain (one chain for inbound dmz and one chain for outbound from dmz) then do not use the -b, and place your "-d (your server ip) 53" in the inbound chain, and change the "-d" to "-s" for the outbound chain.

For your clients on the inside going to the outside, it's a little different.
(Assuming again your rules are in the same chain, if not reverse the -d and -s like above)
ipchains -I (chain) -b -y -p tcp -j ACCEPT -s (your network or subnet) -d 0/0 53
ipchains -I (chain) -b -p udp -j ACCEPT -s (your network or subnet) -d 0/0 53
For the client lookups, if you want, you can specify an IP of your ISP's DNS server(s) in the "-d option", however that can create some extra work.
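The point of the reply above is that a ruleset which only opens TCP port 53 (and only SYN packets at that) silently drops every normal DNS query, because ordinary lookups travel over UDP, and that logging the trailing DENY is how you see it. The following is an added illustration, not code from the poster or from ipchains: a small Python model of ipchains-style matching (-p, -s, -d with a port, -y for new-connection SYNs, ! -y for everything else, -b for the same rule with source and destination swapped, first match wins, final DENY logged). The server address 192.0.2.53, the client subnet 198.51.100.0/24 and the sample packets are constructed for the example.

```python
"""Toy model of ipchains rule matching (constructed example, not real ipchains)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

SERVER = "192.0.2.53"        # constructed: DNS server in the DMZ
CLIENT = "198.51.100.10"     # constructed: a client on the inside


@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP "new connection" SYN (SYN set, ACK/FIN clear); never set for UDP


@dataclass
class Rule:
    proto: str
    src: str                 # -s, CIDR; "0/0" means any
    dst: str                 # -d, CIDR; "0/0" means any
    dport: Optional[int]     # port given after -d (None = any port)
    target: str = "ACCEPT"
    syn_only: bool = False   # -y   : match only new-connection SYNs (TCP)
    not_syn: bool = False    # ! -y : match only non-SYN packets (TCP)
    bidir: bool = False      # -b   : also match with -s and -d swapped


def _net(cidr: str):
    return ip_network("0.0.0.0/0" if cidr == "0/0" else cidr, strict=False)


def _match_oneway(r: Rule, proto: str, src: str, dst: str, dport: int, syn: bool) -> bool:
    if r.proto != proto:
        return False
    if ip_address(src) not in _net(r.src) or ip_address(dst) not in _net(r.dst):
        return False
    if r.dport is not None and dport != r.dport:
        return False
    if r.syn_only and not syn:
        return False
    if r.not_syn and syn:
        return False
    return True


def matches(r: Rule, p: Packet) -> bool:
    if _match_oneway(r, p.proto, p.src, p.sport if False else p.dst, p.dport, p.syn) if False else _match_oneway(r, p.proto, p.src, p.dst, p.dport, p.syn):
        return True
    # -b: the rule is also applied with -s/-d swapped, so the port that was
    # attached to -d now has to be the packet's *source* port.
    return r.bidir and _match_oneway(r, p.proto, p.dst, p.src, p.sport, p.syn)


def evaluate(chain: List[Rule], p: Packet, log: List[str]) -> str:
    """First matching rule wins; anything unmatched hits the logged DENY."""
    for r in chain:
        if matches(r, p):
            return r.target
    log.append(f"DENY {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}{' SYN' if p.syn else ''}")
    return "DENY"


def dns_chain(with_udp: bool) -> List[Rule]:
    """The reply's two rules, optionally without the UDP one (the original poster's gap)."""
    chain = [Rule("tcp", "0/0", SERVER, 53, syn_only=True, bidir=True)]   # -b -y -p tcp ... 53
    if with_udp:
        chain.append(Rule("udp", "0/0", SERVER, 53, bidir=True))          # -b -p udp ... 53
    chain.append(Rule("tcp", "0/0", "0/0", None, not_syn=True))           # allow all non-SYN TCP
    return chain


# Constructed traffic: a normal UDP lookup and its reply, the TCP retry a
# resolver makes after a truncated (TC) answer, the server's SYN-ACK, and
# an unrelated connection attempt that must stay denied.
SAMPLE = [
    Packet("udp", CLIENT, 40123, SERVER, 53),
    Packet("udp", SERVER, 53, CLIENT, 40123),
    Packet("tcp", CLIENT, 40124, SERVER, 53, syn=True),
    Packet("tcp", SERVER, 53, CLIENT, 40124),
    Packet("tcp", CLIENT, 40125, SERVER, 22, syn=True),
]


def run(with_udp: bool) -> Tuple[List[str], List[str]]:
    log: List[str] = []
    verdicts = [evaluate(dns_chain(with_udp), p, log) for p in SAMPLE]
    return verdicts, log


if __name__ == "__main__":
    for with_udp in (False, True):
        verdicts, log = run(with_udp)
        print("with UDP rule" if with_udp else "TCP only", verdicts)
        for line in log:
            print("   ", line)
```

With only the TCP rule the denied-packet log shows exactly the two UDP port 53 packets (query and reply), which is the symptom the reply describes finding; adding the UDP rule without -y makes both pass, while the port 22 SYN is still denied and logged.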

Chris Gill wrote:

Hey folks. I asked here last week about a filtering bridge (or a bridging
filter). Thanks for the replies, it's working great. Well, there's one
problem. Clients are on one side, the DNS server on the other. And the
clients can't do lookups. My filtering rules are fairly strict, but I do
allow all non-SYN TCP packets to pass, and opened port 53 (which is the
DNS port, correct?) in both directions, but still no dice. Anybody know
what the trick is?

-< Christopher P. Gill >-< Senator, Class of 2002>-< [EMAIL PROTECTED] >-
-<"The greatest dangers to liberty lurk in insidious encroachment by >-
<men of zeal, well-meaning but without understanding" Justice Brandeis>
---< "Excuse me, I'm in the middle of fifteen things...all of them >---
-----< annoying" Ivanova, Midnight on the Firing Line, Babylon 5 >-----
