Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: iptables & port 53 (DNS)
Operating Systems Linux Red Hat iptables & port 53 (DNS) Post 302625173 by Duffs22 on Tuesday 17th of April 2012 11:02:44 AM
Old 04-17-2012
No "-S" option on RHEL5. I've listed the tables instead:

Code:
# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  41.181.59.120/29     209.212.96.1        state NEW udp dpt:53 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255 
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53

R,
D.
 

10 More Discussions You Might Find Interesting

1. IP Networking

Resolving port 8080 in DNS

Hi I have my DNS servers (BIND 8) running on two Solaris 8 boxes. I need to be able to resolve an address blah.xxx.net to an IP address followed by :8080 - (for Tomcat). I tried doing this in my zone file but it failed. Can someone give me a pointer on where this configuration should be done?... (1 Reply)
Discussion started by: korfnz
1 Replies

2. UNIX for Advanced & Expert Users

LINUX 9 IPTABLES and DNS

I have installed a linux 9 router/firewall and have issues with outside DNS queries making it in. here are my IPTABLE rules, can anyone make some suggestions? ETH1 is my outside facing Interface, ETH0 is my inside facing interface. Accept If input interface is not eth1 Accept If protocol is... (1 Reply)
Discussion started by: frankkahle
1 Replies

3. Linux

LINUX 9 IPTABLES and DNS

I have installed a linux 9 router/firewall and have issues with outside DNS queries making it in. here are my IPTABLE rules, can anyone make some suggestions? ETH1 is my outside facing Interface, ETH0 is my inside facing interface. Accept If input interface is not eth1 Accept If protocol... (6 Replies)
Discussion started by: frankkahle
6 Replies

4. UNIX for Dummies Questions & Answers

FTP, DNS & BIND

Hi GURUs, I have two queries. 1)I know I can use FTP clients for my File transfer needs, but I want to learn FTP thru command line, any one can point me to some good online resource available to learn FTP command line with examples, of course free except UNIX man pages. 2) Our company has... (4 Replies)
Discussion started by: patras
4 Replies

5. Solaris

OS Problems -no DNS & SSH not working

I just installed Solaris 6/10 without any problems but I didn't connect the network cable when I installed it. Here are my problems: -I can access webpages using IP addrsses but not with domain names -ssh is installed but it is not running ('ps -e | grep sshd' didn't show it) I have been... (4 Replies)
Discussion started by: kungpow
4 Replies

6. UNIX for Dummies Questions & Answers

DNS & DHCP configuration

Hi to all. Sorry for my bad english. For pure self-educational, not professional, purposes, I am studying how to configure a server with several services operating on it. For my experiment I'm using VirtualBox 3.1.4 on a WinXP host with 3 FreeBSD guests; one acts as a DHCP + DNS server; the... (0 Replies)
Discussion started by: marboxer
0 Replies

7. Solaris

Bind9 DNS on Solaris 10 x4270 & CPU usage

I have configured a Bind9 DNS on a X4270 machine with Solaris10 I am excuting some repformance tests with DNSPERF tool and maximun CPU usage is 23%. I have seen with prstat -L -p PID that named process usses only 2 of the 8 available CPU at the same time although threads for all CPUs exist.... (2 Replies)
Discussion started by: parisph
2 Replies

8. Red Hat

DHCP & DNS - Clients get IP but don't register in DNS

I am trying to setup a CentOS 6.2 server that will be doing 3 things DHCP, DNS & Samba for a very small office (2 users). The idea being this will replace a very old Win2k server. The users are all windows based clients so only the server will be Linux based. I've installed CentOS 6.2 with... (4 Replies)
Discussion started by: FireBIade
4 Replies

9. IP Networking

OS X & VPN DNS Issue

I'll try and be brief and detailed. I have a Macbook Pro Retina running Mavericks. When on my network at the office (work) everything local works just fine. Local servers are resolved through our internal DNS settings. For example, we have a fileserver at "fs01". I can connect to it with... (1 Reply)
Discussion started by: jbhardman
1 Replies

10. Linux

Domain registrars & DNS servers

I have read many tutorials on bind and i understand the A,MX, CNAME records. Internally, on a LAN we can install bind and create all these records and we can tell all PC and servers to use this bind as DNS server.that's fine. On the Internet, when we have purchased a valid domain like... (5 Replies)
Discussion started by: coolatt
5 Replies

LEARN ABOUT DEBIAN

knockd

knockd(1)																 knockd(1)

NAME

       knockd - port-knock server

SYNOPSIS

       knockd [options]

DESCRIPTION

       knockd is a port-knock server.  It listens to all traffic on an ethernet (or PPP) interface, looking for special "knock" sequences of port-
       hits.  A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server.	This port need not be open -- since knockd
       listens	at the link-layer level, it sees all traffic even if it's destined for a closed port.  When the server detects a specific sequence
       of port-hits, it runs a command defined in its configuration file.  This can be used to open up holes in a firewall for quick access.

COMMANDLINE OPTIONS

       -i, --interface <int>
	      Specify an interface to listen on.  The default is eth0.

       -d, --daemon
	      Become a daemon.	This is usually desired for normal server-like operation.

       -c, --config <file>
	      Specify an alternate location for the config file.  Default is /etc/knockd.conf.

       -D, --debug
	      Ouput debugging messages.

       -l, --lookup
	      Lookup DNS names for log entries. This may be a security risk! See section SECURITY NOTES.

       -v, --verbose
	      Output verbose status messages.

       -V, --version
	      Display the version.

       -h, --help
	      Syntax help.

CONFIGURATION

       knockd reads all knock/event sets from a configuration file.  Each knock/event begins with a title marker, in the form [name],  where  name
       is the name of the event that will appear in the log.  A special marker, [options], is used to define global options.

       Example #1:
	      This example uses two knocks.  The first will allow the knocker to access port 22 (SSH), and the second will close the port when the
	      knocker is complete.  As you can see, this could be useful if you run a very restrictive (DENY policy) firewall and  would  like	to
	      access it discreetly.

	      [options]
		   logfile = /var/log/knockd.log

	      [openSSH]
		   sequence    = 7000,8000,9000
		   seq_timeout = 10
		   tcpflags    = syn
		   command     = /usr/sbin/iptables -A INPUT -s %IP% -j ACCEPT

	      [closeSSH]
		   sequence    = 9000,8000,7000
		   seq_timeout = 10
		   tcpflags    = syn
		   command     = /usr/sbin/iptables -D INPUT -s %IP% -j ACCEPT

       Example #2:
	      This  example  uses  a single knock to control access to port 22 (SSH).  After receiving a successful knock, the daemon will run the
	      start_command, wait for the time specified in cmd_timeout, then execute the stop_command.  This is useful to automatically close the
	      door behind a knocker.  The knock sequence uses both UDP and TCP ports.

	      [options]
		   logfile = /var/log/knockd.log

	      [opencloseSSH]
		   sequence	 = 2222:udp,3333:tcp,4444:udp
		   seq_timeout	 = 15
		   tcpflags	 = syn,ack
		   start_command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --syn -j ACCEPT
		   cmd_timeout	 = 5
		   stop_command  = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --syn -j ACCEPT

       Example #3:
	      This  example doesn't use a single, fixed knock sequence to trigger an event, but a set of sequences taken from a sequence file (one
	      time sequences), specified by the one_time_sequences directive.  After each successful knock, the used sequence will be  invalidated
	      and  the	next sequence from the sequence file has to be used for a successful knock.  This prevents an attacker from doing a replay
	      attack after having discovered a sequence (eg, while sniffing the network).

	      [options]
		   logfile = /var/log/knockd.log

	      [opencloseSMTP]
		   one_time_sequences = /etc/knockd/smtp_sequences
		   seq_timeout	      = 15
		   tcpflags	      = fin,!ack
		   start_command      = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --dport 25 -j ACCEPT
		   cmd_timeout	      = 5
		   stop_command       = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 25 -j ACCEPT

CONFIGURATION
: GLOBAL DIRECTIVES
       UseSyslog
	      Log action messages through syslog().  This will insert log entries into your /var/log/messages or equivalent.

       LogFile = /path/to/file
	      Log actions directly to a file, usually /var/log/knockd.log.

       PidFile = /path/to/file
	      Pidfile to use when in daemon mode, default: /var/run/knockd.pid.

       Interface = <interface_name>
	      Network interface to listen on. Only its name has to be given, not the path to the device (eg, "eth0" and not "/dev/eth0"). Default:
	      eth0.

CONFIGURATION
: KNOCK/EVENT DIRECTIVES
       Sequence = <port1>[:<tcp|udp>][,<port2>[:<tcp|udp>] ...]
	      Specify  the  sequence  of  ports  in  the  special  knock. If a wrong port with the same flags is received, the knock is discarded.
	      Optionally, you can define the protocol to be used on a per-port basis (default is TCP).

       One_Time_Sequences = /path/to/one_time_sequences_file
	      File containing the one time sequences to be used.  Instead of using a fixed sequence, knockd will read the sequence to be used from
	      that  file.   After each successful knock attempt this sequence will be disabled by writing a '#' character at the first position of
	      the line containing the used sequence.  That used sequence will then be replaced by the next valid sequence from the file.

	      Because the first character is replaced by a '#', it is recommended that you leave a space at the beginning of each line.  Otherwise
	      the first digit in your knock sequence will be overwritten with a '#' after it has been used.

	      Each  line  in  the one time sequences file contains exactly one sequence and has the same format as the one for the Sequence direc-
	      tive.  Lines beginning with a '#' character will be ignored.

	      Note: Do not edit the file while knockd is running!

       Seq_Timeout = <timeout>
	      Time to wait for a sequence to complete in seconds. If the time elapses before the knock is complete, it is discarded.

       TCPFlags = fin|syn|rst|psh|ack|urg
	      Only pay attention to packets that have this flag set.  When using TCP flags, knockd will IGNORE tcp packets that  don't	match  the
	      flags.   This is different than the normal behavior, where an incorrect packet would invalidate the entire knock, forcing the client
	      to start over.  Using "TCPFlags = syn" is useful if you are testing over an SSH connection, as the SSH traffic will  usually  inter-
	      fere with (and thus invalidate) the knock.

	      Separate	multiple  flags  with  commas  (eg,  TCPFlags  =  syn,ack,urg).  Flags can be explicitly excluded by a "!" (eg, TCPFlags =
	      syn,!ack).

       Start_Command = <command>
	      Specify the command to be executed when a client makes the correct port-knock.  All instances of %IP%  will  be  replaced  with  the
	      knocker's IP address.  The Command directive is an alias for Start_Command.

       Cmd_Timeout = <timeout>
	      Time to wait between Start_Command and Stop_Command in seconds.  This directive is optional, only required if Stop_Command is used.

       Stop_Command = <command>
	      Specify  the  command  to  be executed when Cmd_Timeout seconds have passed since Start_Command has been executed.  All instances of
	      %IP% will be replaced with the knocker's IP address.  This directive is optional.

SECURITY NOTES

       Using the -l or --lookup commandline option to resolve DNS names for log entries may be a security risk!  An  attacker  may  find  out  the
       first  port  of	a sequence if he can monitor the DNS traffic of the host running knockd.  Also a host supposed to be stealth (eg, dropping
       packets to closed TCP ports instead of replying with an ACK+RST packet) may give itself away by resolving a DNS name if an attacker manages
       to hit the first (unknown) port of a sequence.

SEE ALSO

       knock  is  the  accompanying  port-knock  client,  though  telnet or netcat could be used for simple TCP knocks instead.  For more advanced
       knocks, see hping, sendip or packit.

AUTHOR

       Judd Vinet <jvinet@zeroflux.org>

knockd 0.5							   June 26, 2005							 knockd(1)
All times are GMT -4. The time now is 08:18 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy