
Debian 7 DNS iptables


I've set up a small web server on a Debian 7 machine, and added a firewall so that it works. Here are the rules.

#!/bin/sh

echo "Stopping firewall and allowing everyone..."
ipt="/sbin/iptables"
## Failsafe - die if /sbin/iptables not found
[ ! -x "$ipt" ] && { echo "$0: \"${ipt}\" command not found."; exit 1; }

## Reset the default policies to ACCEPT and flush every table, so the rules
## below start from a clean state
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
$ipt -F
$ipt -X
$ipt -t nat -F
$ipt -t nat -X
$ipt -t mangle -F
$ipt -t mangle -X
$ipt -t raw -F
$ipt -t raw -X

echo "Adding rules so that only SFTP,SSH,HTTP and DNS are allowed..."
## Inbound services (note: 21 is plain FTP; SFTP runs inside SSH on port 22)
$ipt -A INPUT -p tcp -m tcp -m multiport --dports 21,22,80,443 -j ACCEPT
## Replies to connections this host opened, DNS answers included
## (one conntrack rule replaces the duplicated conntrack/state pair)
$ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
## Redundant with the conntrack rule above and over-permissive: these accept
## any unsolicited packet that merely carries source port 53
$ipt -A INPUT -p udp --sport 53 -j ACCEPT
$ipt -A INPUT -p tcp --sport 53 -j ACCEPT
$ipt -A INPUT -i lo -p all -j ACCEPT
$ipt -A INPUT -j DROP

$ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUTPUT -p tcp --sport 22 -j ACCEPT
## Outbound DNS queries (UDP and TCP) to any resolver
$ipt -A OUTPUT -p udp --dport 53 -j ACCEPT
$ipt -A OUTPUT -p tcp --dport 53 -j ACCEPT
$ipt -A OUTPUT -o lo -p all -j ACCEPT
$ipt -A OUTPUT -j DROP

$ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -j DROP

This works well for SFTP, SSH, HTTP and HTTPS. Any idea why DNS is not working? I've tried many more complex solutions from the web, but none of them work...

sudo iptables -A OUTPUT -p udp --sport 1024:65535 -d 213.186.33.99 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo echo -n "hi" > /dev/udp/213.186.33.99/53
echo: write error: Operation not permitted

Any help appreciated :)
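The INPUT and OUTPUT chains from the script above, replayed through a small first-match simulator. This is an added, constructed example, not code from the question or the answer: the rule tables, the packets and their conntrack states are built inline, and HARDENED_INPUT is an assumed variant of the asker's chain with the two --sport 53 rules removed. It shows that the OUTPUT --dport 53 rule does accept an outbound query, that the ESTABLISHED rule alone already accepts the reply, and that the --sport 53 INPUT rules only add acceptance of unsolicited datagrams carrying source port 53.

```python
# Constructed first-match evaluator; it models only protocol, ports,
# conntrack state and interface, far less than the real netfilter matcher.
def rule(target, proto=None, dports=(), sports=(), states=(), iface=None):
    """One iptables rule; None or an empty tuple means 'match any'."""
    return {"target": target, "proto": proto, "dports": set(dports),
            "sports": set(sports), "states": set(states), "iface": iface}

def packet(proto, sport, dport, state, iface="eth0"):
    """A packet plus the state conntrack would assign it (NEW or ESTABLISHED)."""
    return {"proto": proto, "sport": sport, "dport": dport,
            "state": state, "iface": iface}

def evaluate(chain, pkt, policy="ACCEPT"):
    """Return the target of the first matching rule, else the chain policy."""
    for r in chain:
        if ((r["proto"] and r["proto"] != pkt["proto"])
                or (r["dports"] and pkt["dport"] not in r["dports"])
                or (r["sports"] and pkt["sport"] not in r["sports"])
                or (r["states"] and pkt["state"] not in r["states"])
                or (r["iface"] and r["iface"] != pkt["iface"])):
            continue
        return r["target"]
    return policy

# INPUT chain in the order the question's script appends it.
ASKER_INPUT = [
    rule("ACCEPT", "tcp", dports=(21, 22, 80, 443)),
    rule("ACCEPT", states=("RELATED", "ESTABLISHED")),
    rule("ACCEPT", "udp", sports=(53,)),  # accepts anything from source port 53
    rule("ACCEPT", "tcp", sports=(53,)),
    rule("ACCEPT", iface="lo"),
    rule("DROP"),
]
# Assumed hardened variant: same chain without the source-port rules.
HARDENED_INPUT = [r for r in ASKER_INPUT if not r["sports"]]
# OUTPUT chain from the question, reduced to the rules that matter for DNS.
ASKER_OUTPUT = [rule("ACCEPT", states=("RELATED", "ESTABLISHED")),
                rule("ACCEPT", "udp", dports=(53,)), rule("DROP")]

# Constructed traffic: outbound query, its reply, and an unsolicited datagram.
DNS_QUERY = packet("udp", 40000, 53, "NEW")
DNS_REPLY = packet("udp", 53, 40000, "ESTABLISHED")
UNSOLICITED = packet("udp", 53, 12345, "NEW")

def compare():
    """Verdict of each chain for each packet."""
    return {"query_out": evaluate(ASKER_OUTPUT, DNS_QUERY),
            "reply_asker": evaluate(ASKER_INPUT, DNS_REPLY),
            "reply_hardened": evaluate(HARDENED_INPUT, DNS_REPLY),
            "unsolicited_asker": evaluate(ASKER_INPUT, UNSOLICITED),
            "unsolicited_hardened": evaluate(HARDENED_INPUT, UNSOLICITED)}
```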


Solution

  • I think your rule is fine:

    # iptables -A OUTPUT -p udp --sport 1024:65535 -d 127.0.0.1 --dport 55 -m state --state NEW,ESTABLISHED -j ACCEPT
    # iptables -A OUTPUT -p udp --dport 55 -j DROP
    # iptables -nL OUTPUT
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     udp  --  0.0.0.0/0            127.0.0.1            udp spts:1024:65535 dpt:55 state NEW,ESTABLISHED
    DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:55
    # nc -u -l 127.0.0.1 55
    hi
    ^C
    # iptables -vnL OUTPUT
    Chain OUTPUT (policy ACCEPT 169 packets, 63116 bytes)
     pkts bytes target     prot opt in     out     source               destination
        1    31 ACCEPT     udp  --  *      *       0.0.0.0/0            127.0.0.1            udp spts:1024:65535 dpt:55 state NEW,ESTABLISHED
        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:55

    Try your test again with netcat, nc(1), instead of bash.