postfix through TOR DNS.

2013-04-05 Thread Sthu Deus
Good time of the day.


I'm trying to make postfix resolve domain addresses through the TOR
service. And it works for other programs, like, say, aptitude that
resolves names and then uses an FTP connection, or a browser that goes to
the web through privoxy+TOR, but postfix keeps giving me

Host or domain name not found. Name service error for name=HOSTNAME
type=MX: Host not found, try again)

In nat table i have:

/sbin/iptables -t nat -A OUTPUT -p udp -m udp --dport 53 -j REDIRECT
--to-ports 53

In filter/nat tables I see that postfix makes attempts to resolve the
domain: i see in filter OUTPUT chain that postfix sends packets to
127.0.0.1:53

and in nat OUTPUT i see its packets also (checked w/ owner module),

finally i see packets arriving in filter INPUT on 53-rd port.

So, i suppose that all should work - but it does not.

Do you have an idea what can be wrong?

Or may you have experience w/ TOR and other applications that it would
not resolve names for?

Please, any ideas that may help.

Thanks for Your time.


Sthu.


-- 
To UNSUBSCRIBE, email to debian-firewall-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/515eb428.04d10e0a.755c.3...@mx.google.com



Re: iptables and INVALID packet filtering.

2013-04-05 Thread Daniel Curtis
Hi Matthew and Pascal;

So, what should I do to take care of INVALID packets? What is
the best method? I mentioned, that this system is for testing
purposes now, but in log files (e.g. kern.log, syslog) I see a lot
of INVALID packets logged -  for both input and output connections.

Best regards.


Re: postfix through TOR DNS.

2013-04-05 Thread Ralf Doeblitz
--On Friday, April 05, 2013 18:23:10 +0700 Sthu Deus sthu.d...@gmail.com 
wrote:

[DNS]

/sbin/iptables -t nat -A OUTPUT -p udp -m udp --dport 53 -j REDIRECT
--to-ports 53


Don't forget to add a rule for TCP, DNS uses both UDP and TCP (even if this 
may be unrelated to your current problems).


Yours sincerely,
Ralf Döblitz
--
Ralf Döblitz
r.doebl...@asco.de
Phone +49 531 3906-116

asco GmbH
Inselwall 11
D-38114 Braunschweig
Germany

Phone +49 531 3906-0
Fax +49 531 3906-400
http://www.asco.de

Amtsgericht Braunschweig HRB 5035
Managing Director Jochen Grote


Archive: http://lists.debian.org/3F91633ECB5CC802011ECE88@[172.20.82.1]



Re: iptables and INVALID packet filtering.

2013-04-05 Thread Matthew Babcock
1) it depends on what you are calling invalid 
2) same as above

I suggest you start by using Reverse Path filtering in the kernel, not in 
iptables, and drop out of state packets with the INVALID rules.

What is in your logs?


On Apr 5, 2013, at 8:02, Daniel Curtis sidetripp...@gmail.com wrote:

 Hi Matthew and Pascal;
 
 So, what should I do to take care of INVALID packets? What is
 the best method? I mentioned, that this system is for testing 
 purposes now, but in log files (e.g. kern.log, syslog) I see a lot 
 of INVALID packets logged -  for both input and output connections. 
 
 Best regards.
 

Re: iptables and INVALID packet filtering.

2013-04-05 Thread Daniel Curtis
Hi Matthew

How can I use Reverse Path filtering in the kernel? You
mean this option, right? /proc/sys/net/ipv4/conf/*/rp_filter

Sorry, but I do not understand how to drop out of state
packets with the INVALID rules.

My logs:

Apr  5 17:18:18 t4 kernel: [13107.296065] INVALID OUT: IN=
OUT=eth0 SRC=192.168.5.200 DST=173.194.44.32 LEN=446
TOS=0x00 PREC=0x00 TTL=64 ID=36621 DF PROTO=TCP
SPT=59041 DPT=443 WINDOW=14600 RES=0x00 ACK PSH
FIN URGP=0

Apr  5 15:29:40 t4 kernel: [ 6589.698710] INVALID IN: IN=eth0
OUT= MAC=mac_address_ SRC=173.194.44.32 DST=192.168.5.200
LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=40504 PROTO=TCP
SPT=443 DPT=56236 WINDOW=0 RES=0x00 RST URGP=0

and so on... Is there something wrong, strange?


Re: iptables and INVALID packet filtering.

2013-04-05 Thread Matthew Babcock


On Apr 5, 2013, at 11:29, Daniel Curtis sidetripp...@gmail.com wrote:

 Hi Matthew
 
 How can I use Reverse Path filtering in the kernel? You 
 mean this option, right?; /proc/sys/net/ipv4/conf/*/rp_filter
 
Yes, this is what I am referring to. I would double check the documentation to 
see if there are other settings to switch for RP filtering.

 Sorry, but I do not understand how to drop out of state 
 packets with the INVALID  rules.
 

Like you had before
-A INPUT -conntrac 

I know iptables -A INPUT -m state --state INVALID -j DROP works well. And it 
does pick out invalid (aka out of state) UDP packets. DNS is one additional 
example.

 My logs:
 
 Apr  5 17:18:18 t4 kernel: [13107.296065] INVALID OUT: IN= 
 OUT=eth0 SRC=192.168.5.200 DST=173.194.44.32 LEN=446 
 TOS=0x00 PREC=0x00 TTL=64 ID=36621 DF PROTO=TCP 
 SPT=59041 DPT=443 WINDOW=14600 RES=0x00 ACK PSH 
 FIN URGP=0 
 
 Apr  5 15:29:40 t4 kernel: [ 6589.698710] INVALID IN: IN=eth0 
 OUT= MAC=mac_address_ SRC=173.194.44.32 DST=192.168.5.200 
 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=40504 PROTO=TCP 
 SPT=443 DPT=56236 WINDOW=0 RES=0x00 RST URGP=0 
 
 and so on... Is there something wrong, strange?
 
Maybe, maybe not. 

Re: iptables and INVALID packet filtering.

2013-04-05 Thread Daniel Curtis
Hi

So, is it better to use the state module instead of conntrack
when it comes to filtering INVALID packets, or does it not
matter which module is in use? What is your
opinion on this?
I'm wondering why there are so many entries about INVALID
packets in log files. Frankly, after - let's say - 6, 7 hours of
computer use, there are about 40-50 logged events. Maybe
more. I don't know if it is something wrong.

I know, that in e.g. iptables v1.4.16.3, state module is obsolete.
But this is just an example;

$ ... INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
WARNING: The state match is obsolete. Use conntrack instead.

This module was available in iptables v1.4.13. Of course,
if I remember correctly.

Best regards Matthew.


Re: postfix through TOR DNS.

2013-04-05 Thread Szalay Attila
Hi All!

On Fri, 2013-04-05 at 18:23 +0700, Sthu Deus wrote:
 
 I'm trying to make postfix resolving domain addresses through TOR
 service. And it works for other programs, like, say aptitude that
 resolves names then uses FTP connection or a browser - that goes to
 web through privoxy+TOR, but postfix keeps giving me

The question is what the answer is. Unlike the other examples, which try
to resolve an A record, postfix is searching for an MX record. And I'm
not really sure if this is supported by TOR. But I do not know TOR
at all.


Archive: http://lists.debian.org/1365190423.9048.19.camel@mochrul.balabit
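As an added example (not from any message in this thread): a small POSIX shell script that emits the nat OUTPUT redirect for both UDP and TCP port 53, as Ralf suggests, in dry-run form so the rule set can be inspected before it is loaded. The path /sbin/iptables and the redirect port come from Sthu's rule; the DNS_PORT variable, the DRY_RUN switch and the covers_proto check are the example's own. Whether the listener on that port answers over TCP, or answers record types such as MX (Szalay Attila's question), is a property of the resolver rather than of the redirect, and is the thing to check next with the postfix error in hand.

```shell
#!/bin/sh
# Added example, not code from the list thread: build the nat OUTPUT rules
# that send outbound DNS to the local resolver port for BOTH udp and tcp.
# DRY_RUN=1 (the default) prints the commands instead of running them, so
# the result can be read and checked without root or a live firewall.
DRY_RUN="${DRY_RUN:-1}"
IPTABLES="${IPTABLES:-/sbin/iptables}"
DNS_PORT="${DNS_PORT:-53}"   # port of the local DNS listener (assumption: 53, as in the thread)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One REDIRECT rule per transport. DNS uses TCP as well as UDP (answers
# too large for a UDP datagram are retried over TCP), so a udp-only
# redirect leaves a gap: the TCP retry would leave the host unredirected.
dns_redirect_rules() {
    for proto in udp tcp; do
        run "$IPTABLES" -t nat -A OUTPUT -p "$proto" -m "$proto" --dport 53 \
            -j REDIRECT --to-ports "$DNS_PORT"
    done
}

# Check helper: does the generated rule set cover a given transport?
# usage: covers_proto tcp   (exit status 0 = covered)
covers_proto() {
    dns_redirect_rules | grep -q -- "-p $1 "
}

# Print (or, with DRY_RUN=0, load) the rules.
dns_redirect_rules
```

Run it once as-is to review the two commands, then `DRY_RUN=0 sh dns-redirect.sh` as root to load them; `covers_proto tcp` is the check that the TCP rule did not get forgotten.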



Re: iptables and INVALID packet filtering.

2013-04-05 Thread Pascal Hambourg
Daniel Curtis wrote:
 
 So, it is better to use state module instead of conntrack,
 when it comes to filter INVALID packets or it does not
 matter, which module will be in use? What is your
 opinion on this?

It does not matter. The conntrack match has more options, but
-m conntrack --ctstate INVALID does exactly the same as -m state
--state INVALID. The connection tracking is not performed by either
module, their purpose is just to match the state of the packet, not to
decide what state the packet is in.

 I know, that in e.g. iptables v1.4.16.3, state module is obsolete.
[...]
 WARNING: The state match is obsolete. Use conntrack instead.

No, the state match is not obsolete any more. The developers of
iptables have finally decided that it would not be deprecated and would
be aliased by the conntrack module instead, so you can safely ignore
this warning.


Archive: http://lists.debian.org/515f4805.8080...@plouf.fr.eu.org
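Pulling the thread's advice together as an added example (not code from any of the posters): a POSIX shell script that sets strict reverse-path filtering through sysctl, as Matthew recommends, logs and drops INVALID packets with -m conntrack --ctstate INVALID (which, as Pascal notes, matches the same packets as -m state --state INVALID), and summarises INVALID entries from a kernel log by direction, protocol, remote port and TCP flags, so that a pattern like Daniel's (outgoing ACK/PSH/FIN to port 443, incoming RST with WINDOW=0) can be told apart from anything unusual. Packets that arrive after the connection tracking entry for their flow has been closed or has expired are a common, benign source of such entries. The DRY_RUN switch, the log prefix text and the rate limit are the example's own choices; the first two sample log lines are the ones from Daniel's mail with the mail wrapping rejoined, the third is constructed.

```shell
#!/bin/sh
# Added example, not code from the list thread. DRY_RUN=1 (the default)
# prints the sysctl/iptables commands instead of executing them.
DRY_RUN="${DRY_RUN:-1}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Reverse-path filtering is a kernel setting, not an iptables rule.
# 1 = strict: a packet is dropped if the route back to its source would
# not leave through the interface it arrived on.
rp_filter_rules() {
    run sysctl -w net.ipv4.conf.all.rp_filter=1
    run sysctl -w net.ipv4.conf.default.rp_filter=1
}

# Log (rate-limited, so a burst cannot flood the log) and then drop
# out-of-state packets in both directions. The prefix text is this
# example's; Daniel's rules used "INVALID IN: " / "INVALID OUT: ".
invalid_rules() {
    for chain in INPUT OUTPUT; do
        run "$IPTABLES" -A "$chain" -m conntrack --ctstate INVALID \
            -m limit --limit 5/min -j LOG --log-prefix "INVALID $chain: "
        run "$IPTABLES" -A "$chain" -m conntrack --ctstate INVALID -j DROP
    done
}

# Sample log: the two entries from Daniel's mail (wrapping rejoined) plus
# one constructed entry, a late ACK/FIN from the same remote host.
SAMPLE_LOG='Apr  5 17:18:18 t4 kernel: [13107.296065] INVALID OUT: IN= OUT=eth0 SRC=192.168.5.200 DST=173.194.44.32 LEN=446 TOS=0x00 PREC=0x00 TTL=64 ID=36621 DF PROTO=TCP SPT=59041 DPT=443 WINDOW=14600 RES=0x00 ACK PSH FIN URGP=0
Apr  5 15:29:40 t4 kernel: [ 6589.698710] INVALID IN: IN=eth0 OUT= MAC=mac_address_ SRC=173.194.44.32 DST=192.168.5.200 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=40504 PROTO=TCP SPT=443 DPT=56236 WINDOW=0 RES=0x00 RST URGP=0
Apr  5 15:31:02 t4 kernel: [ 6671.001002] INVALID IN: IN=eth0 OUT= MAC=mac_address_ SRC=173.194.44.32 DST=192.168.5.200 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=40510 PROTO=TCP SPT=443 DPT=56236 WINDOW=0 RES=0x00 ACK FIN URGP=0'

# Summarise INVALID log lines as "<count> <dir> <proto> port=<remote> flags=<tcp flags>".
# The remote port is SPT for incoming and DPT for outgoing packets.
# usage: summarize_invalid < /var/log/kern.log
summarize_invalid() {
    awk '
    /INVALID (IN|OUT):/ {
        dir = ($0 ~ /INVALID IN:/) ? "IN" : "OUT"
        proto = ""; flags = ""; rport = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if (dir == "IN"  && $i ~ /^SPT=/) rport = substr($i, 5)
            if (dir == "OUT" && $i ~ /^DPT=/) rport = substr($i, 5)
            if ($i ~ /^(SYN|ACK|PSH|FIN|RST|URG)$/)
                flags = flags (flags == "" ? "" : ",") $i
        }
        if (flags == "") flags = "-"
        count[dir " " proto " port=" rport " flags=" flags]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

rp_filter_rules
invalid_rules
printf '%s\n' "$SAMPLE_LOG" | summarize_invalid
```

Feed the real log in with `summarize_invalid < /var/log/kern.log`: a few late FIN/ACK and RST entries towards ports you were just talking to are the expected residue of closed connections, whereas SYN-only entries, or traffic to ports the host never uses, are what deserve a closer look.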