[Novalug] IPTables and DNS
Nick Danger
nick at hackermonkey.com
Thu Jan 18 16:22:27 EST 2007
Ed T. Toton III wrote:
> Are they just resolvers or also auth servers? If they're authoritative
> for any zones, you'll want to restrict the recursion in the bind
> configs and not block it with iptables.
Just resolvers so I can't turn off recursion :-) These are authoritative
for nothing.
> If not, you can certainly use a firewall as you described. TCP
> generally only gets used for zone transfers and slaving (and maybe
> some rare large lookups), so UDP is the important one. So yes, block
> those for all but your specific allowed IP ranges and you should be fine.
So something like this should function fine, right? (blocks changed to
protect the guilty...) I was messing around with something like this
today and actually managed to not only lock the box, something
hardware-wise broke and a cold reboot didn't fix it (the local console
just flashes). Argh. Amazing something broke JUST as I was working with
the ruleset. I have to get the hardware fixed now.
# Generated by iptables-save v1.2.11
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26:2792]
-A INPUT -s 192.168.201.0/255.255.255.0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 10.10.10.100/255.255.255.252 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.201.0/255.255.255.0 -p udp --dport 53 -j ACCEPT
-A INPUT -s 10.10.10.100/255.255.255.252 -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j DROP
-A INPUT -p udp --dport 53 -j DROP
COMMIT
# Completed
-Nick
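As an added example (not part of Nick's post or the thread), a small Python checker that evaluates the quoted ruleset offline: given a source address, protocol and destination port, it reports the verdict the INPUT chain would return, so "did I just lock myself out?" can be answered before the rules are loaded. The RULESET string is a copy of the ruleset above; `parse` and `verdict` are names chosen here.

```python
import ipaddress

# Copy of the ruleset quoted in the thread, embedded for offline evaluation.
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26:2792]
-A INPUT -s 192.168.201.0/255.255.255.0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 10.10.10.100/255.255.255.252 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.201.0/255.255.255.0 -p udp --dport 53 -j ACCEPT
-A INPUT -s 10.10.10.100/255.255.255.252 -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j DROP
-A INPUT -p udp --dport 53 -j DROP
COMMIT
"""

def parse(text):
    """Return (chain policies, rules); a rule is its match criteria plus target."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):                 # e.g. ":INPUT ACCEPT [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):
            toks = line.split()
            rule = {"chain": toks[1], "src": None, "proto": None, "dport": None}
            for flag, val in zip(toks[2::2], toks[3::2]):   # flags come in pairs
                if flag == "-s":
                    rule["src"] = ipaddress.ip_network(val, strict=False)
                elif flag == "-p":
                    rule["proto"] = val
                elif flag == "--dport":
                    rule["dport"] = int(val)
                elif flag == "-j":
                    rule["target"] = val
            rules.append(rule)                   # "-m tcp" loads a match module, nothing to test
    return policies, rules

def verdict(text, src, proto, dport, chain="INPUT"):
    """First matching rule wins; no match falls through to the chain policy."""
    policies, rules = parse(text)
    addr = ipaddress.ip_address(src)
    for r in rules:
        if r["chain"] != chain:
            continue
        if (r["src"] is None or addr in r["src"]) and \
           r["proto"] in (None, proto) and r["dport"] in (None, dport):
            return r["target"]
    return policies.get(chain, "ACCEPT")
```

Note that port 22 from any source still lands on the INPUT policy of ACCEPT, so this particular ruleset cannot by itself lock out SSH; only DNS from outside the two allowed ranges is dropped.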