ipchains - local nameserver

Post by Bill A » Sat, 29 Jul 2000 04:00:00



I have a caching nameserver running on the firewall box.  I can run
'nslookup' just fine until I want to point 'nslookup' to localhost.  Without
the firewall in place I can point nslookup like so:

nslookup www.something.com localhost

It chokes up, complaining of no response from the server.  From time to time
I get this:

Jul 28 00:49:25 mydomain-a named[17036]: sysquery: sendto([198.41.0.4].53):
Operation not permitted
Jul 28 00:49:25 mydomain-a named[17036]: ns_forw: sendto([204.96.36.2].53):
Operation not permitted

where some of the IP's it's trying to send to are root servers.  Loopback is
wide open.

My rules are:

echo "Allowing Client DNS"
$IPCH -A output -i $E_INT -p udp -s $IP $PUB_PORTS -d $NS1 53 -j ACCEPT
$IPCH -A output -i $E_INT -p udp -s $IP $PUB_PORTS -d $NS2 53 -j ACCEPT
$IPCH -A input -i $E_INT -p udp -s $NS1 53 -d $IP $PUB_PORTS -j ACCEPT
$IPCH -A input -i $E_INT -p udp -s $NS2 53 -d $IP $PUB_PORTS -j ACCEPT
$IPCH -A output -i $E_INT -p tcp -s $IP $PUB_PORTS -d $NS1 53 -j ACCEPT
$IPCH -A output -i $E_INT -p tcp -s $IP $PUB_PORTS -d $NS2 53 -j ACCEPT
$IPCH -A input -i $E_INT -p tcp ! -y -s $NS1 53 -d $IP $PUB_PORTS -j ACCEPT
$IPCH -A input -i $E_INT -p tcp ! -y -s $NS2 53 -d $IP $PUB_PORTS -j ACCEPT

echo "Allow peer-to-peer"
$IPCH -A output -i $E_INT -p udp -s $IP 53 -d $NS1 53 -j ACCEPT
$IPCH -A input -i $E_INT -p udp -s $NS1 53 -d $IP 53 -j ACCEPT

Note: I've tried $PUB_PORTS on the peer-to-peer rules and even used all ports for
every item, with no luck.

Values:
E_INT="eth0"
IP="my ip"
PUB_PORTS="1024:65535"
NS1 & NS2 are my primary and secondary nameservers, respectively

Keep in mind I'm new to this.  I've been working with the New Riders book
"Linux Firewalls".  Again, nslookup to localhost works fine with no firewall
so I don't think I have configuration problems, I think I have a firewall
issue (or issues :).

Thanks for any ideas, leads, etc.

--
Bill


ipchains - local nameserver

Post by Richard Powel » Sat, 29 Jul 2000 04:00:00



> I have a caching nameserver running on the firewall box.  I can run
> 'nslookup' just fine until I want to point 'nslookup' to localhost.  Without
> the firewall in place I can point nslookup like so:

> nslookup www.something.com localhost

> it chokes up complaining of no response from the server.  From time to time
> I get this:

> Jul 28 00:49:25 mydomain-a named[17036]: sysquery: sendto([198.41.0.4].53):
> Operation not permitted
> Jul 28 00:49:25 mydomain-a named[17036]: ns_forw: sendto([204.96.36.2].53):
> Operation not permitted

> where some of the IP's it's trying to send to are root servers.  Loopback is
> wide open.

> My rules are:

> echo "Allowing Client DNS"
> $IPCH -A output -i $E_INT -p udp -s $IP $PUB_PORTS -d $NS1 53 -j ACCEPT
> $IPCH -A output -i $E_INT -p udp -s $IP $PUB_PORTS -d $NS2 53 -j ACCEPT
> $IPCH -A input -i $E_INT -p udp -s $NS1 53 -d $IP $PUB_PORTS -j ACCEPT
> $IPCH -A input -i $E_INT -p udp -s $NS2 53 -d $IP $PUB_PORTS -j ACCEPT
> $IPCH -A output -i $E_INT -p tcp -s $IP $PUB_PORTS -d $NS1 53 -j ACCEPT
> $IPCH -A output -i $E_INT -p tcp -s $IP $PUB_PORTS -d $NS2 53 -j ACCEPT
> $IPCH -A input -i $E_INT -p tcp ! -y -s $NS1 53 -d $IP $PUB_PORTS -j ACCEPT
> $IPCH -A input -i $E_INT -p tcp ! -y -s $NS2 53 -d $IP $PUB_PORTS -j ACCEPT

Bill,

Are you saying that the nslookup fails even without the firewall
rules?  If so, make sure you have lines like these in your named.conf
file:

        allow-query {
                127.0.0.1;
        };
        listen-on port 53 {
                127.0.0.1;
        };

Good luck,
Richard


> echo "Allow peer-to-peer"
> $IPCH -A output -i $E_INT -p udp -s $IP 53 -d $NS1 53 -j ACCEPT
> $IPCH -A input -i $E_INT -p udp -s $NS1 53 -d $IP 53 -j ACCEPT

> note, I've tried $PUB_PORTS on the peer to peer and even used all ports for
> every item with no luck

> Values:
> E_INT="eth0"
> IP="my ip"
> PUB_PORTS="1024:65535"
> NS1 & NS2 are my primary and secondary nameservers respectively

> Keep in mind I'm new to this.  I've been working with the New Riders book
> "Linux Firewalls".  Again, nslookup to localhost works fine with no firewall
> so I don't think I have configuration problems, I think I have a firewall
> issue (or issues :).

> Thanks for any ideas, leads, etc.

> --
> Bill

--
Richard Powell

18201 Von Karman Ave. Ste. 100          Phone:  (949) 224-4565
Irvine, CA 92715                        Fax:    (949) 224-4509


ipchains - local nameserver

Post by Manfred Bart » Sun, 30 Jul 2000 04:00:00



> I have a caching nameserver running on the firewall box.  I can run
> 'nslookup' just fine until I want to point 'nslookup' to localhost.
> Without the firewall in place I can point nslookup like so:

> nslookup www.something.com localhost

> it chokes up complaining of no response from the server.  From time
> to time I get this:

> Jul 28 00:49:25 mydomain-a named[17036]: sysquery: sendto([198.41.0.4].53):
> Operation not permitted
> Jul 28 00:49:25 mydomain-a named[17036]: ns_forw: sendto([204.96.36.2].53):
> Operation not permitted

> where some of the IP's it's trying to send to are root servers.
> Loopback is wide open.

Is loopback really open?  Since you are using ``ACCEPT'' rules, I
assume your policy (default) is REJECT or DENY.

Can you ping localhost?

> echo "Allowing Client DNS"
> $IPCH -A output -i $E_INT -p udp -s $IP $PUB_PORTS -d $NS1 53 -j ACCEPT
> $IPCH -A output -i $E_INT -p udp -s $IP $PUB_PORTS -d $NS2 53 -j ACCEPT
> $IPCH -A input -i $E_INT -p udp -s $NS1 53 -d $IP $PUB_PORTS -j ACCEPT
> $IPCH -A input -i $E_INT -p udp -s $NS2 53 -d $IP $PUB_PORTS -j ACCEPT
> $IPCH -A output -i $E_INT -p tcp -s $IP $PUB_PORTS -d $NS1 53 -j ACCEPT
> $IPCH -A output -i $E_INT -p tcp -s $IP $PUB_PORTS -d $NS2 53 -j ACCEPT
> $IPCH -A input -i $E_INT -p tcp ! -y -s $NS1 53 -d $IP $PUB_PORTS -j ACCEPT
> $IPCH -A input -i $E_INT -p tcp ! -y -s $NS2 53 -d $IP $PUB_PORTS -j ACCEPT

> echo "Allow peer-to-peer"
> $IPCH -A output -i $E_INT -p udp -s $IP 53 -d $NS1 53 -j ACCEPT
> $IPCH -A input -i $E_INT -p udp -s $NS1 53 -d $IP 53 -j ACCEPT

> note, I've tried $PUB_PORTS on the peer to peer and even used all
> ports for every item with no luck

> Values:
> E_INT="eth0"
> IP="my ip"
> PUB_PORTS="1024:65535"
> NS1 & NS2 are my primary and secondary nameservers respectively

The kernel will route all traffic to localhost through ``lo'', even
when you specify your external IP address.  Try adding these rules:

$IPCH -A input  -i lo -j ACCEPT
$IPCH -A output -i lo -j ACCEPT

Did this work?

You could also add ``--log'' to your rules and check
/var/log/messages for useful information.

HTH
--
Manfred Bartz


ipchains - local nameserver

Post by Bill A » Sun, 30 Jul 2000 04:00:00


Thanks for the suggestions.  First, I was able to ping localhost.  I did
have the rules that Manfred mentioned.  Richard, I was able to do lookups
just fine with no firewall in place.  My default policy is to DENY input and
REJECT output and forward.

What I ended up doing was changing the source and destination rules to $ANY
(any/0) for both the input and output chains:

$IPCH -A output -i $E_INT -p udp -s $ANY 53 -d $ANY 53 -j ACCEPT
$IPCH -A input -i $E_INT -p udp -s $ANY 53 -d $ANY 53 -j ACCEPT

Going out to an external client worked fine; it was only when using localhost
that things failed, but the above set of rules has fixed my problem.

What bothers me is that I see very strict rules and here I opened it up
completely.  Is there anything inherently dangerous about the above rules?

Thanks again.
--
Bill
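Added example (not code from any poster in this thread): a small Python model of ipchains' first-match evaluation, used to show why Bill's original rules would give named "Operation not permitted" for queries to the root servers, and what the $ANY 53 -> $ANY 53 rules additionally let through. It assumes constructed addresses (firewall 192.0.2.10, NS1 192.0.2.1, root server 198.41.0.4 from the syslog lines) and that named sends its own queries from source port 53, as the "Allow peer-to-peer" rules and the fix imply.

```python
from collections import namedtuple

# Constructed addresses for the example: the firewall's own IP, NS1 and one root server.
IP, NS1, ROOT_A = "192.0.2.10", "192.0.2.1", "198.41.0.4"
HIGH = range(1024, 65536)          # $PUB_PORTS="1024:65535"

# One UDP datagram as ipchains sees it: chain, interface and the 4-tuple.
Pkt = namedtuple("Pkt", "chain iface proto src sport dst dport")

def rule(chain, iface, proto, src, sports, dst, dports, target="ACCEPT"):
    """One ipchains rule; src/dst None stands for any/0, ports are ranges or lists."""
    return dict(chain=chain, iface=iface, proto=proto, src=src, sports=sports,
                dst=dst, dports=dports, target=target)

def matches(r, p):
    return (r["chain"] == p.chain and r["iface"] == p.iface
            and r["proto"] == p.proto
            and r["src"] in (None, p.src) and p.sport in r["sports"]
            and r["dst"] in (None, p.dst) and p.dport in r["dports"])

def verdict(rules, policy, p):
    """ipchains semantics: the first matching rule wins, else the chain's policy."""
    for r in rules:
        if matches(r, p):
            return r["target"]
    return policy[p.chain]

# Bill's defaults: DENY input, REJECT output (REJECT on output is what sendto reports as EPERM).
POLICY = {"input": "DENY", "output": "REJECT"}

# Bill's original UDP rules: client DNS via high ports, peer-to-peer 53<->53 to NS1 only.
ORIGINAL = [
    rule("output", "eth0", "udp", IP, HIGH, NS1, [53]),
    rule("input", "eth0", "udp", NS1, [53], IP, HIGH),
    rule("output", "eth0", "udp", IP, [53], NS1, [53]),
    rule("input", "eth0", "udp", NS1, [53], IP, [53]),
]
# Bill's final fix: $ANY 53 -> $ANY 53 in both directions on eth0.
WIDE_OPEN = ORIGINAL[:2] + [
    rule("output", "eth0", "udp", None, [53], None, [53]),
    rule("input", "eth0", "udp", None, [53], None, [53]),
]

# named querying a root server from source port 53 (assumption, see lead-in).
to_root = Pkt("output", "eth0", "udp", IP, 53, ROOT_A, 53)
# An unsolicited datagram from some other host, port 53 to the firewall's port 53.
unsolicited = Pkt("input", "eth0", "udp", "203.0.113.7", 53, IP, 53)
```

Calling verdict() on the two packets gives REJECT/ACCEPT for the root-server query under the original and wide-open rules, and DENY/ACCEPT for the unsolicited datagram: that last result is the answer to the "inherently dangerous" question, since once any port-53-to-port-53 datagram is accepted regardless of source, the input chain can no longer tell a reply from NS1 apart from a packet sent by any host.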
