Hello,
I am trying to run iptables on the same server as unbound, but I can't do a local resolve:
dig terra.es @127.0.0.1
; <<>> DiG 9.7.3 <<>> terra.es @127.0.0.1
;; global options: +cmd
;; connection timed out; no servers could be reached
with these iptables rules:
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2271:2106405]
-A INPUT -s 30.0.0.0/8 -p tcp -j ACCEPT
-A INPUT -s 30.0.0.0/8 -p udp -j ACCEPT
-A INPUT -s 30.0.0.0/8 -p icmp -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p udp -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -j DROP
COMMIT
If I clear the firewall, everything works, but why? Which ports does unbound use for the queries?
Thanks,
I think that unbound opens an arbitrary UDP port; how can I fix it to always use the same port?
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:53 0.0.0.0:* 1152/unbound
udp 0 0 0.0.0.0:17790 0.0.0.0:* 1152/unbound
thanks,
Your firewall rules would not block anything on localhost. Are you sure
unbound is running?
telnet 127.0.0.1 53 to see if you get a "connect"
Paul
As far as I can see, you haven't enabled the connection tracking about
"established" UDP "connections" (because you only used tcp). Yeah,
UDP is not a connection oriented protocol, but still connection tracking of
netfilter builds some kind of conntrack entries on UDP connections as well.
Also, some kinds of answers can even be ICMP messages, which won't be enabled
either if you restrict your netfilter rules to only do RELATED,ESTABLISHED
states for TCP and not for other protocols.
Try:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
So, without specifying "tcp", then it will work for the other cases as well,
what I mentioned.
Also, before DROP, you can have this:
-A INPUT -j LOG --log-prefix "netfilter-drop: "
Then use command dmesg (or your kernel log) about messages. Maybe you can
use ULOG target as well (with --ulog-prefix then, though) but in that case
you should use something which can log using netlink sockets (if I remember
correctly by heart) eg ulogd daemon.
What I can guess: if you query your unbound on localhost it won't be
restricted by your rules, but maybe your unbound wants to use UDP to query
authoritative nameservers, and the answers for those could be
blocked by your rules.
Just some hints, I can be wrong here ...
You really don't want to do that. Look up and read about the Kaminsky DNS bug.
Ondřej Surý
Finally, I forgot this line in my firewall rules:
iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
Thanks for all,
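As an added illustration of the two points made in this thread (the missing UDP/ICMP conntrack rule, and the line the original poster finally added), here is a small first-match model of the INPUT chain from the post. It is example code written for this page, not part of the thread and not netfilter itself: it only understands the matches used in the ruleset above (-s, -p, --dport, -m state) and never touches the kernel. The upstream server address 198.51.100.53 and the packet definitions are constructed; port 17790 is the ephemeral port unbound had open in the netstat output quoted above. The model shows the same thing Paul observed (localhost queries pass via the 127.0.0.1 rule), why unbound's upstream replies were dropped, and why the protocol-agnostic rule suggested in the reply also covers ICMP errors while the UDP-only fix does not. Note that conntrack accepts replies to whatever randomized source port unbound chose, so there is no need to pin the port (which is what the Kaminsky remark warns against).

```python
"""Minimal first-match model of the iptables INPUT chain from this thread.

Added example; not netfilter and not from the original posts.
"""
import ipaddress

# Ruleset from the original post, in iptables-save format.
ORIGINAL_RULES = """\
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2271:2106405]
-A INPUT -s 30.0.0.0/8 -p tcp -j ACCEPT
-A INPUT -s 30.0.0.0/8 -p udp -j ACCEPT
-A INPUT -s 30.0.0.0/8 -p icmp -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p udp -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -j DROP
COMMIT
"""

# The line the original poster added (UDP only), and the protocol-agnostic
# form suggested in the reply above.
FIX_RULE = "-A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT"
GENERIC_RULE = "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"


def parse_rules(text):
    """Parse the INPUT chain: returns (policy, list of rule dicts) in order."""
    policy = "ACCEPT"
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == ":INPUT":
            policy = tok[1]
            continue
        if tok[0] != "-A" or tok[1] != "INPUT":
            continue
        rule = {"src": None, "proto": None, "dport": None,
                "states": None, "target": None}
        i = 2
        while i < len(tok):
            opt, val = tok[i], tok[i + 1]
            if opt == "-s":
                rule["src"] = ipaddress.ip_network(val)
            elif opt == "-p":
                rule["proto"] = val
            elif opt == "--dport":
                rule["dport"] = int(val)
            elif opt == "--state":
                rule["states"] = set(val.split(","))
            elif opt == "-j":
                rule["target"] = val
            elif opt != "-m":  # "-m <module>" only loads a match; its options follow
                raise ValueError("unsupported option: " + opt)
            i += 2
        rules.append(rule)
    return policy, rules


def verdict(ruleset_text, src, proto, dport, state):
    """Evaluate one incoming packet against the chain; first terminal target wins."""
    policy, rules = parse_rules(ruleset_text)
    src_ip = ipaddress.ip_address(src)
    for r in rules:
        if r["src"] is not None and src_ip not in r["src"]:
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["states"] is not None and state not in r["states"]:
            continue
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"]
        # LOG and other non-terminating targets fall through to the next rule
    return policy


def with_rule(rule):
    """Splice a rule in before the final DROP (first match means order matters)."""
    return ORIGINAL_RULES.replace("-A INPUT -j DROP", rule + "\n-A INPUT -j DROP")


# Constructed packets. 198.51.100.53 is a documentation address standing in for
# an upstream authoritative server.
PACKETS = {
    "local_query": dict(src="127.0.0.1", proto="udp", dport=53, state="NEW"),
    "upstream_reply": dict(src="198.51.100.53", proto="udp", dport=17790,
                           state="ESTABLISHED"),
    "icmp_error": dict(src="198.51.100.53", proto="icmp", dport=None,
                       state="RELATED"),
}


def verdicts(ruleset_text):
    """Verdict for every constructed packet under the given ruleset."""
    return {name: verdict(ruleset_text, **pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES),
                         ("udp fix", with_rule(FIX_RULE)),
                         ("generic", with_rule(GENERIC_RULE))):
        print(label, verdicts(rules))
```

Running it prints three lines: the original rules accept the localhost query but drop both the UDP reply to port 17790 and the ICMP error; the UDP-only fix from the end of the thread lets the reply through but still drops the ICMP error; the protocol-agnostic rule accepts all three. The -A in the poster's final line appends, so in a real script that line must precede the final DROP, which is why the model splices it in there.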