iptables Blocking DNS
I noted in my log that iptables is blocking DNS, including from resolver2.dallas.linode.com. This seems odd to me, but I must have gotten it from a tutorial on here. The server has been running for 8 months with no noticeable issues. Does anyone else have their iptables set up like this? What are the pros and cons of this setup? Thank you so much.
kernel: iptables denied: IN=eth0 OUT= MAC=f2:3c:91:ae:bd:2b:c8:4c:75:f5:c4:ff:08:00 SRC=72.14.188.5 DST=96.126.122.2xx LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=7355 PROTO=UDP SPT=53 DPT=57572 LEN=52
5 Replies
Does DNS actually work on your linode?
Assuming you have a rule something like:
iptables -A OUTPUT -s 96.126.122.2xx/32 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
The reply should have been accepted by a rule like:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
But it wasn't.
Show us your iptables rules.
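The packet in the logged line is UDP from source port 53 to an ephemeral port, i.e. a resolver's answer. For an answer to get past an INPUT chain that already accepts RELATED,ESTABLISHED, the conntrack entry created by the outgoing query must no longer exist; an unanswered UDP flow is only kept for nf_conntrack_udp_timeout seconds (30 by default), so a late or duplicated reply arrives with no entry to match and falls through to LOG/REJECT while name resolution keeps working off the first answer. The following script is an added example, not code from the thread: it pulls the fields out of an "iptables denied:" line and says what class of packet it was. Both log lines in it are constructed (the first copies the shape of the line in the question, the second is made up for contrast), and the verdict strings are my own labels.

```shell
#!/bin/sh
# Added example (not from the thread): classify "iptables denied:" log lines.

# Constructed sample log lines. DNS_REPLY has the shape of the line quoted in
# the question (DST anonymised as in the post); SYN_SCAN is made up.
DNS_REPLY='kernel: iptables denied: IN=eth0 OUT= MAC=f2:3c:91:ae:bd:2b:c8:4c:75:f5:c4:ff:08:00 SRC=72.14.188.5 DST=96.126.122.2xx LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=7355 PROTO=UDP SPT=53 DPT=57572 LEN=52'
SYN_SCAN='kernel: iptables denied: IN=eth0 OUT= MAC=f2:3c:91:ae:bd:2b:c8:4c:75:f5:c4:ff:08:00 SRC=203.0.113.9 DST=96.126.122.2xx LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=41234 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0'

# field LINE KEY: value of the first KEY=value token in LINE ("" if absent).
# "first" matters: LEN= appears twice (IP header and UDP header).
field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# classify_denied LINE: one-word verdict on why the packet reached the REJECT rule
classify_denied() {
    proto=$(field "$1" PROTO)
    spt=$(field "$1" SPT)
    dpt=$(field "$1" DPT)
    case "$proto" in
    UDP)
        if [ "$spt" = 53 ] && [ "${dpt:-0}" -ge 1024 ]; then
            # A resolver answering to an ephemeral port. The query went out on
            # OUTPUT (policy ACCEPT), so the only way this misses
            # "state RELATED,ESTABLISHED" is that the conntrack entry for the
            # query has already expired: a late or duplicate reply.
            echo dns-reply-no-conntrack-entry
        elif [ "$dpt" = 53 ]; then
            echo unsolicited-dns-query
        else
            echo unsolicited-udp
        fi ;;
    TCP)
        # A bare SYN is a genuine NEW connection attempt; a segment with ACK set
        # and no conntrack entry is a stray (scan or leftover of a dead flow).
        case " $1 " in
        *" ACK "*) echo stray-tcp-segment ;;
        *" SYN "*) echo new-tcp-connection-to-port-"$dpt" ;;
        *) echo stray-tcp-segment ;;
        esac ;;
    ICMP) echo icmp-type-"$(field "$1" TYPE)" ;;
    *) echo other-"$proto" ;;
    esac
}

# udp_conntrack_timeout: seconds an unanswered UDP flow stays in the conntrack
# table; prints "unknown" where nf_conntrack is not loaded or not readable.
udp_conntrack_timeout() {
    cat /proc/sys/net/netfilter/nf_conntrack_udp_timeout 2>/dev/null || echo unknown
}

for line in "$DNS_REPLY" "$SYN_SCAN"; do
    printf '%-32s SRC=%s SPT=%s DPT=%s\n' "$(classify_denied "$line")" \
        "$(field "$line" SRC)" "$(field "$line" SPT)" "$(field "$line" DPT)"
done
echo "nf_conntrack_udp_timeout: $(udp_conntrack_timeout)"
```

To run it against a real log, feed each matching line from /var/log/kern.log (or journalctl -k) to classify_denied; a steady stream of dns-reply-no-conntrack-entry verdicts from your configured resolvers is harmless noise, while the same verdict from addresses you never query is worth a look.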
Thanks for the info and for looking. DNS seems to be working, I am running some sites without problems. My iptables are below.
Thanks!
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere 127.0.0.0/8 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- anywhere anywhere tcp dpt:10000
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
DROP all -- 200.159.40.31 anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain fail2ban-ssh (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
5745K 1457M fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
5735K 1457M fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
12M 3309M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- !lo * 0.0.0.0/0 127.0.0.0/8 reject-with icmp-port-unreachable
17M 3491M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1063K 60M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
400 20796 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
51774 3073K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
571 35242 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
3226 189K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000
40472 2937K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
45660 3421K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 DROP all -- * * 200.159.40.31 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
26M 20G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-ssh (2 references)
pkts bytes target prot opt in out source destination
11M 2913M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Thanks.
I'd use the following as the OUTPUT rule:
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
But this accepts all outgoing traffic, which is bad practice on a secure system. The right (i.e. paranoid) way to do it is to block everything, then explicitly allow legitimate traffic as specifically as possible.
I don't think you should be blocking incoming ICMP the way you are. There are other useful things that are sent with ICMP other than ping.
Personally I would not use fail2ban as I don't think that it adds security to SSH and won't help much if you do something really dumb like use dictionary word passwords in any case. This has been discussed before on here and others disagree with me.
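The "block everything, then allow explicitly" approach from the reply above, as an added example that is not the poster's ruleset or anything from Linode: a script that builds default-deny INPUT and OUTPUT chains, lets DNS out only to named resolvers (UDP plus the TCP fallback for truncated answers), and keeps the same rate-limited LOG before the final drop. The resolver list, the allowed outbound ports and the log prefixes are assumptions to replace with your own. It prints the iptables commands unless APPLY=1 is set, so it can be reviewed before it touches a live box; the policies are switched to DROP last so an SSH session used to load it stays up.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny iptables ruleset that
# allows DNS only to explicitly listed resolvers. Dry-run unless APPLY=1.
IPT=${IPT:-iptables}
APPLY=${APPLY:-0}

# Assumption: the Linode resolvers from /etc/resolv.conf on this host.
RESOLVERS=${RESOLVERS:-"72.14.188.5 72.14.179.5"}
# Assumption: services this host exposes and what it needs outbound.
INBOUND_TCP="22 80 443"
OUTBOUND_TCP="80,443"    # package mirrors, ACME, webhooks

# rule ARGS...: run iptables with ARGS, or print the command when APPLY != 1.
rule() {
    if [ "$APPLY" = 1 ]; then "$IPT" "$@"; return; fi
    line=$IPT
    for a in "$@"; do
        case $a in
        *' '*) line="$line '$a'" ;;
        *)     line="$line $a" ;;
        esac
    done
    printf '%s\n' "$line"
}

build_rules() {
    # Start from an empty table while the policies are still ACCEPT.
    rule -F
    rule -X

    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    rule -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

    # Replies to anything we allowed out, in either direction.
    rule -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    rule -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    rule -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Inbound services.
    for p in $INBOUND_TCP; do
        rule -A INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Echo requests explicitly; ICMP errors for our own flows (unreachable,
    # time-exceeded, fragmentation-needed) are matched as RELATED above.
    rule -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT

    # Outbound: DNS only to the configured resolvers, UDP and TCP.
    for r in $RESOLVERS; do
        rule -A OUTPUT -d "$r" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
        rule -A OUTPUT -d "$r" -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    done
    rule -A OUTPUT -p tcp -m multiport --dports "$OUTBOUND_TCP" -m conntrack --ctstate NEW -j ACCEPT
    rule -A OUTPUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT

    # Log (rate limited) what is about to be dropped, in both directions.
    rule -A INPUT -m limit --limit 5/min --limit-burst 5 -j LOG --log-prefix "iptables denied: " --log-level 7
    rule -A OUTPUT -m limit --limit 5/min --limit-burst 5 -j LOG --log-prefix "iptables out denied: " --log-level 7

    # Default deny, set last so the session loading this stays established.
    rule -P FORWARD DROP
    rule -P INPUT DROP
    rule -P OUTPUT DROP
}

# rule_count: number of commands the current settings would produce
rule_count() {
    APPLY=0 build_rules | wc -l | tr -d ' '
}

build_rules
```

Run it once without APPLY to read the commands, then with APPLY=1 from a console or with a timed rollback (for example `iptables-save > /root/before.rules; APPLY=1 ./firewall.sh; sleep 300 && iptables-restore < /root/before.rules` in a detached shell you cancel once you have confirmed you can still log in). Anything the host legitimately needs that is not listed will show up in the log with the "iptables out denied:" prefix, which is the point: you add outbound rules from evidence, not from a guess.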