Re: Conntrack and DNS

On 1/16/06, Derick Anderson <danderson@xxxxxxxxx> wrote:
> Give me the full output of iptables-save and I'll give it a shot.
> Although it doesn't seem to be your problem, consider adding TCP port 53
> (domain) as well since long DNS replies get sent over TCP.
>
> Derick Anderson


Hi Derick,

Here is the full iptables.save. The critical IPs have been renamed to
1.1.1.x, 2.2.2.2, etc.

The ISP's DNS IPs are shown below. The ones that are described in my
first e-mail as DNS01 and DNS02 are 201.10.120.2 and 201.10.128.2
respectively.

As you can see, I already accept domain TCP packets.

Thanks a lot for your help.

# Generated by iptables-save v1.2.11 on Fri Jan  6 14:28:07 2006
*nat
:PREROUTING ACCEPT [215586:15199604]
:POSTROUTING ACCEPT [225453:15290858]
:OUTPUT ACCEPT [1225:91223]
-A PREROUTING -d 1.1.1.35 -i eth0 -j DNAT --to-destination 10.0.0.6
-A POSTROUTING -s 10.0.0.6 -o eth0 -j SNAT --to-source 1.1.1.35
-A POSTROUTING -s 10.0.0.1 -o eth0 -j SNAT --to-source 1.1.1.34
COMMIT
# Completed on Fri Jan  6 14:28:07 2006
# Generated by iptables-save v1.2.11 on Fri Jan  6 14:28:07 2006
*filter
:INPUT DROP [1:74]
:FORWARD DROP [3:222]
:OUTPUT DROP [0:0]
:pre_analysis - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth0 -j LOG --log-prefix "spoofed: "
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth0 -j DROP
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth0 -j LOG --log-prefix "spoofed: "
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth0 -j DROP
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j LOG --log-prefix "spoofed: "
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j DROP
-A INPUT -s 127.0.0.0/255.0.0.0 -i eth0 -j LOG --log-prefix "spoofed: "
-A INPUT -s 127.0.0.0/255.0.0.0 -i eth0 -j DROP
-A INPUT -s 169.254.0.0/255.255.0.0 -i eth0 -j LOG --log-prefix "spoofed: "
-A INPUT -s 169.254.0.0/255.255.0.0 -i eth0 -j DROP
-A INPUT -i eth0 -p tcp -j pre_analysis
-A INPUT -s 2.2.2.2 -i eth0 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 2.2.2.2 -i eth0 -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -s 2.2.2.2 -i eth0 -p icmp -j ACCEPT
-A INPUT -s 3.3.3.3 -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -p icmp -j DROP
-A INPUT -s 1.1.1.40/255.255.255.248 -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 1.1.1.40/255.255.255.248 -i eth1 -p icmp -j ACCEPT
-A INPUT -s 10.0.0.0/255.255.255.248 -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.1 -i eth2 -p udp -m udp --dport 138 -j DROP
-A INPUT -s 10.0.0.1 -i eth2 -p udp -m udp --dport 137 -j DROP
-A INPUT -s 10.0.0.0/255.255.255.248 -i eth2 -p icmp -j ACCEPT
-A INPUT -s 10.0.1.0/255.255.255.0 -i eth2 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT blocked: "
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.0.0/255.0.0.0 -i eth0 -j LOG --log-prefix "spoofed: "
-A FORWARD -s 10.0.0.0/255.0.0.0 -i eth0 -j DROP
-A FORWARD -s 172.16.0.0/255.240.0.0 -i eth0 -j LOG --log-prefix "spoofed: "
-A FORWARD -s 172.16.0.0/255.240.0.0 -i eth0 -j DROP
-A FORWARD -s 192.168.0.0/255.255.0.0 -i eth0 -j LOG --log-prefix "spoofed: "
-A FORWARD -s 192.168.0.0/255.255.0.0 -i eth0 -j DROP
-A FORWARD -s 127.0.0.0/255.0.0.0 -i eth0 -j LOG --log-prefix "spoofed: "
-A FORWARD -s 127.0.0.0/255.0.0.0 -i eth0 -j DROP
-A FORWARD -s 169.254.0.0/255.255.0.0 -i eth0 -j LOG --log-prefix "spoofed: "
-A FORWARD -s 169.254.0.0/255.255.0.0 -i eth0 -j DROP
-A FORWARD -i eth0 -p tcp -j pre_analysis
-A FORWARD -s 2.2.2.2 -d 1.1.1.40/255.255.255.248 -i eth0 -o eth1 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -s 3.3.3.3 -d 1.1.1.40/255.255.255.248 -i eth0 -o eth1 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -s 2.2.2.2 -d 1.1.1.40/255.255.255.248 -i eth0 -o eth1 -p udp -m udp --dport 161 -j ACCEPT
-A FORWARD -s 2.2.2.2 -d 1.1.1.40/255.255.255.248 -i eth0 -o eth1 -p icmp -j ACCEPT
-A FORWARD -s 3.3.3.3 -d 1.1.1.40/255.255.255.248 -i eth0 -o eth1 -p icmp -j ACCEPT
-A FORWARD -d 1.1.1.40/255.255.255.248 -i eth0 -o eth1 -p icmp -j DROP
-A FORWARD -d 1.1.1.42 -i eth0 -o eth1 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 1.1.1.42 -i eth0 -o eth1 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 1.1.1.44 -i eth0 -o eth1 -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A FORWARD -d 1.1.1.44 -i eth0 -o eth1 -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 1.1.1.44 -i eth0 -o eth1 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -s 2.2.2.2 -d 10.0.0.6 -i eth0 -o eth2 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -s 3.3.3.3 -d 10.0.0.6 -i eth0 -o eth2 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -s 2.2.2.2 -d 10.0.0.6 -i eth0 -o eth2 -p udp -m udp --dport 161 -j ACCEPT
-A FORWARD -s 2.2.2.2 -d 10.0.0.6 -i eth0 -o eth2 -p icmp -j ACCEPT
-A FORWARD -s 3.3.3.3 -d 10.0.0.6 -i eth0 -o eth2 -p icmp -j ACCEPT
-A FORWARD -d 10.0.0.6 -i eth0 -o eth2 -p icmp -j DROP
-A FORWARD -s 1.1.1.40/255.255.255.248 -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 1.1.1.40/255.255.255.248 -i eth1 -p icmp -j ACCEPT
-A FORWARD -s 1.1.1.40/255.255.255.248 -d 201.10.128.2 -i eth1 -o eth0 -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -s 1.1.1.40/255.255.255.248 -d 201.10.120.2 -i eth1 -o eth0 -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -s 1.1.1.40/255.255.255.248 -d 200.199.252.68 -i eth1 -o eth0 -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -s 1.1.1.40/255.255.255.248 -d 200.199.252.72 -i eth1 -o eth0 -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -s 1.1.1.40/255.255.255.248 -i eth1 -o eth0 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -s 1.1.1.40/255.255.255.248 -i eth1 -o eth0 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -s 1.1.1.40/255.255.255.248 -d 201.10.128.2 -i eth1 -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 1.1.1.40/255.255.255.248 -d 201.10.120.2 -i eth1 -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 1.1.1.40/255.255.255.248 -d 200.199.252.68 -i eth1 -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 1.1.1.40/255.255.255.248 -d 200.199.252.72 -i eth1 -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 1.1.1.40/255.255.255.248 -d 132.239.1.6 -i eth1 -o eth0 -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -s 1.1.1.44 -i eth1 -o eth0 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -s 1.1.1.42 -d 10.0.0.1 -i eth1 -o eth2 -p tcp -m tcp --sport 1505 -j ACCEPT
-A FORWARD -s 1.1.1.42 -d 10.0.0.1 -i eth1 -o eth2 -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -s 1.1.1.42 -d 10.0.0.1 -i eth1 -o eth2 -p udp -m udp --dport 2049 -j ACCEPT
-A FORWARD -s 1.1.1.42 -d 10.0.0.1 -i eth1 -o eth2 -p udp -j LOG --log-prefix "test1: "
-A FORWARD -s 1.1.1.42 -d 10.0.0.1 -i eth1 -o eth2 -p udp -j ACCEPT
-A FORWARD -s 1.1.1.44 -d 10.0.1.0/255.255.255.0 -i eth1 -o eth2 -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -s 1.1.1.44 -d 126.0.0.0/255.0.0.0 -i eth1 -o eth2 -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -s 10.0.0.0/255.255.255.248 -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.0.0/255.255.255.248 -i eth2 -p icmp -j ACCEPT
-A FORWARD -s 10.0.0.1 -d 4.4.4.4 -i eth2 -o eth0 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -s 10.0.0.1 -d 4.4.4.4 -i eth2 -o eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -s 10.0.0.6 -d 2.2.2.2 -i eth2 -o eth0 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -s 10.0.0.1 -d 1.1.1.42 -i eth2 -o eth1 -p tcp -m tcp --dport 1505 -j ACCEPT
-A FORWARD -s 10.0.0.6 -d 1.1.1.42 -i eth2 -o eth1 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -s 10.0.0.6 -d 1.1.1.42 -i eth2 -o eth1 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -s 10.0.1.0/255.255.255.0 -d 1.1.1.40/255.255.255.248 -i eth2 -o eth1 -j ACCEPT
-A FORWARD -s 126.0.0.0/255.0.0.0 -d 1.1.1.40/255.255.255.248 -i eth2 -o eth1 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD blocked: "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 201.10.128.2 -o eth0 -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -d 201.10.120.2 -o eth0 -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -d 200.199.252.68 -o eth0 -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -d 200.199.252.72 -o eth0 -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -d 1.1.1.33 -o eth0 -p tcp -m tcp --dport 23 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -d 201.10.128.2 -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 201.10.120.2 -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 200.199.252.68 -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 200.199.252.72 -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 132.239.1.6 -o eth0 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -d 1.1.1.40/255.255.255.248 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 1.1.1.40/255.255.255.248 -o eth1 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -d 1.1.1.40/255.255.255.248 -o eth1 -p icmp -j ACCEPT
-A OUTPUT -d 10.0.0.0/255.255.255.248 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.0.0.6 -o eth2 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -d 10.0.0.1 -o eth2 -p tcp -m tcp --dport 23 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -d 10.0.0.3 -o eth2 -p tcp -m tcp --dport 23 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -d 10.0.0.0/255.255.255.248 -o eth2 -p icmp -j ACCEPT
-A OUTPUT -d 10.0.1.0/255.255.255.0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUTPUT blocked: "
-A pre_analysis -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j LOG --log-prefix "syn-ack-new: "
-A pre_analysis -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A pre_analysis -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "new-not-syn: "
-A pre_analysis -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
COMMIT
# Completed on Fri Jan  6 14:28:07 2006
# Generated by iptables-save v1.2.11 on Fri Jan  6 14:28:07 2006
*mangle
:PREROUTING ACCEPT [5384947:3181364904]
:INPUT ACCEPT [541987:110896312]
:FORWARD ACCEPT [4842960:3070468592]
:OUTPUT ACCEPT [609969:124599535]
:POSTROUTING ACCEPT [5445181:3193638279]
COMMIT
# Completed on Fri Jan  6 14:28:07 2006
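As an added illustration (not code from the post or from netfilter), here is a small first-match evaluator for the iptables-save syntax used above. It walks a constructed excerpt of the FORWARD chain (the DNS rules for 201.10.128.2, mailer line-wraps rejoined) and shows what the stateful rules do with DNS traffic: the query from the 1.1.1.40/29 subnet is accepted by the explicit port-53 rule, the reply is accepted only because conntrack tags it ESTABLISHED, and a reply arriving with no conntrack entry (state NEW, as after a UDP timeout) falls through to the chain's DROP policy. Packet dicts are constructed; the `state` field stands for the conntrack state the kernel attaches to the packet.

```python
import ipaddress
import shlex
# Constructed excerpt of the post's FORWARD chain (wraps rejoined); the chain policy is DROP.
FORWARD = """\
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 1.1.1.40/255.255.255.248 -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 1.1.1.40/255.255.255.248 -d 201.10.128.2 -i eth1 -o eth0 -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -s 1.1.1.40/255.255.255.248 -d 201.10.128.2 -i eth1 -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD blocked: "
"""
KEYS = {"-s": "src", "-d": "dst", "-i": "iif", "-o": "oif", "-p": "proto", "--dport": "dport", "--sport": "sport"}

def parse_rule(line):
    """One iptables-save rule -> ({option: (negated, value)}, target)."""
    toks, opts, target, neg, i = shlex.split(line), {}, None, False, 2  # skip "-A CHAIN"
    while i < len(toks):
        t = toks[i]
        if t == "!":  # negates the option that follows
            neg, i = True, i + 1
        elif t == "-j":
            target, i = toks[i + 1], i + 2
        elif t in ("-m", "--log-prefix"):  # match-module load / log text: nothing to evaluate
            i += 2
        elif t == "--tcp-flags":  # mask list, then the bits that must be set within that mask
            opts[t], neg, i = (neg, (set(toks[i + 1].split(",")), set(toks[i + 2].split(",")))), False, i + 3
        else:
            opts[t], neg, i = (neg, toks[i + 1]), False, i + 2
    return opts, target

def matches(opts, pkt):
    for opt, (neg, val) in opts.items():
        if opt in ("-s", "-d"):
            hit = ipaddress.ip_address(pkt[KEYS[opt]]) in ipaddress.ip_network(val, strict=False)
        elif opt == "--state":  # conntrack state the kernel attached to the packet
            hit = pkt["state"] in val.split(",")
        elif opt == "--tcp-flags":
            hit = (pkt.get("flags", set()) & val[0]) == val[1]
        else:  # -i, -o, -p, --dport, --sport: plain string compare
            hit = str(pkt[KEYS[opt]]) == val
        if hit == neg:  # a negated option must not hit
            return False
    return True

def verdict(chain_text, pkt, policy="DROP"):
    """First match wins; LOG is non-terminating, so fall through to the policy."""
    for line in chain_text.splitlines():
        opts, target = parse_rule(line)
        if target != "LOG" and matches(opts, pkt):
            return target
    return policy
```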
