LINUX 9 IPTABLES and DNS
Operating Systems > Linux. Post 64768 by frankkahle on Wednesday 2nd of March 2005 10:34:40 AM

I have installed a linux 9 router/firewall and have issues with outside DNS queries making it in. Here are my iptables rules; can anyone make some suggestions?

eth1 is my outside-facing interface, eth0 is my inside-facing interface.

Accept If input interface is not eth1
Accept If protocol is TCP and TCP flags ACK (of ACK) are set
Accept If protocol is UDP and input interface is eth1 and destination port is 1024:65535 and source port is 53
Accept If state of connection is ESTABLISHED
Accept If state of connection is RELATED
Accept If protocol is TCP and destination is 216.58.39.241 and input interface is eth1 and destination port is 110
Accept If protocol is TCP and destination is 216.58.39.241 and input interface is eth1 and destination port is 25
Accept If protocol is TCP and input interface is eth1 and source and destination ports are 6346
Accept If protocol is ICMP and ICMP type is source-quench
Accept If protocol is ICMP and ICMP type is time-exceeded
Accept If protocol is ICMP and ICMP type is parameter-problem
Accept If protocol is TCP and destination port is ssh
Accept If protocol is TCP and destination port is auth
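An added example, not part of the post above: a first-match simulator for an ordered INPUT chain, with the posted rules that bear on DNS re-encoded as data (the interfaces and port numbers are the post's; the rule names are mine). It shows that nothing in the list accepts a NEW query to port 53 arriving on eth1, so such queries fall through to the chain policy, and it renders the two rules that would accept them (UDP for ordinary queries, TCP for truncated answers and zone transfers). It also exercises two matches already in the list that are wider than they need to be: the "source port 53 to 1024:65535" rule accepts any such UDP packet regardless of conntrack state, and the ACK-flag rule accepts any TCP segment with ACK set, even though the ESTABLISHED and RELATED rules already cover genuine replies.

```python
"""Trace a packet through an ordered iptables INPUT rule list (first match wins).

Added example; POSTED below is a constructed re-encoding of the rules in the
post above (eth1 = outside), not the poster's actual ruleset file.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]


@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    in_iface: str           # interface the packet arrived on
    sport: int = 0
    dport: int = 0
    state: str = "NEW"      # conntrack state: NEW, ESTABLISHED or RELATED
    ack: bool = False       # TCP ACK flag set


@dataclass
class Rule:
    name: str
    proto: Optional[str] = None
    in_iface: Optional[str] = None      # "!eth1" means any interface but eth1
    sport: Optional[PortRange] = None
    dport: Optional[PortRange] = None
    state: Optional[str] = None
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        if self.proto and p.proto != self.proto:
            return False
        if self.in_iface:
            negate = self.in_iface.startswith("!")
            hit = p.in_iface == self.in_iface.lstrip("!")
            if hit == negate:       # wrong interface, or the negated one
                return False
        if self.sport and not self.sport[0] <= p.sport <= self.sport[1]:
            return False
        if self.dport and not self.dport[0] <= p.dport <= self.dport[1]:
            return False
        if self.state and p.state != self.state:
            return False
        if self.ack is not None and p.ack != self.ack:
            return False
        return True

    def iptables(self) -> str:
        """Render the rule as an iptables command (every rule here ACCEPTs)."""
        parts = ["iptables -A INPUT"]
        if self.in_iface:
            neg, iface = self.in_iface.startswith("!"), self.in_iface.lstrip("!")
            parts.append(("! -i " if neg else "-i ") + iface)
        if self.proto:
            parts.append("-p " + self.proto)
        for flag, rng in (("--sport", self.sport), ("--dport", self.dport)):
            if rng:
                parts.append("%s %s" % (flag, rng[0] if rng[0] == rng[1] else "%d:%d" % rng))
        if self.ack is not None:
            parts.append("--tcp-flags ACK ACK" if self.ack else "--tcp-flags ACK NONE")
        if self.state:
            parts.append("-m state --state " + self.state)
        parts.append("-j ACCEPT")
        return " ".join(parts)


# The posted rules that matter for DNS, in their posted order.
POSTED: List[Rule] = [
    Rule("inside-iface", in_iface="!eth1"),
    Rule("tcp-ack", proto="tcp", ack=True),
    Rule("dns-reply", proto="udp", in_iface="eth1", sport=(53, 53), dport=(1024, 65535)),
    Rule("established", state="ESTABLISHED"),
    Rule("related", state="RELATED"),
    Rule("ssh", proto="tcp", dport=(22, 22)),
]

# What the list lacks: NEW queries to port 53 arriving on the outside interface.
DNS_SERVER: List[Rule] = [
    Rule("dns-query-udp", proto="udp", in_iface="eth1", dport=(53, 53), state="NEW"),
    Rule("dns-query-tcp", proto="tcp", in_iface="eth1", dport=(53, 53), state="NEW"),
]


def first_match(rules: List[Rule], p: Packet) -> Optional[str]:
    """Name of the first rule accepting p, or None if it falls through to the chain policy."""
    for r in rules:
        if r.matches(p):
            return r.name
    return None


if __name__ == "__main__":
    query = Packet("udp", "eth1", sport=33333, dport=53)
    print("posted:", first_match(POSTED, query))            # None
    print("fixed: ", first_match(POSTED + DNS_SERVER, query))
    for r in DNS_SERVER:
        print(r.iptables())
```

Because the chain policy is not shown in the post, the simulator reports a fall-through as None rather than assuming DROP; whichever policy is in force, a query that no rule accepts never reaches the name server.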
 

IPFILTER-DEFS(5)                    File Formats Manual                    IPFILTER-DEFS(5)

NAME
    /etc/netscript/ipfilter-defs - netscript ipfilter-defs compile definitions directory

DESCRIPTION
    This manual page briefly documents the compile definition files used by the
    netscript-compile(8) command from the netscript router/firewall network
    configuration package. The compiler produces a compiled iptables rules file,
    /etc/netscript/ipfilter-defs.conf (a shell script fragment), which is sourced
    by the netscript(8) command to load the iptables(8) firewall rules into the
    kernel.

STARTUP COMPILATION
    The rules can be compiled and automatically loaded on boot by setting the
    IPV4_CONFIGURE_SWITCH switch in network.conf(5) to the name of the function
    used to configure the kernel. netscript-compile(8) creates this function as
    Configure. If this switch is set, the netscript startup runs
    netscript-compile(8) to make sure everything is up to date, then loads the
    rules from /etc/netscript/ipfilter-defs.conf together with the relevant
    settings in network.conf(5), which establish packet grooming and configure the
    built-in kernel netfilter INPUT and FORWARD chains in the filter table. If
    compilation fails, the previous rule set is not replaced and is used instead.
    See the netscript(8) manpage for how to load and use backup copies of the rule
    set.

CHAIN STRUCTURE
    Each chain in the iptables(8) filter table is set up by a corresponding
    construction function of the same name as the chain. The chains are laced into
    the iplcl chain (which is itself laced into INPUT) and the ipfwd chain (laced
    into FORWARD) respectively. The forwarding control chains are set up to take
    traffic in both directions: the destination network/interface and source
    network/interface are matched in the lacing chain, and the network protocol
    and port are tied down in each specific chain.

    For the new in-kernel Linux IPsec, traffic to and from the VPN can be
    controlled via the iptables policy match module, if you have it patched and
    compiled into your kernel and iptables. Future versions of the kernel and
    iptables should include this in the distributed source.

FILE STRUCTURE
    All the files defining the rule set are in the /etc/netscript/ipfilter-defs
    directory. The network-defs file defines the regions and network blocks used
    in the rest of the rules. The prototypes-defs file defines prototype rules
    that can be referenced elsewhere in the rule set. The prototypes.sh file
    constructs shell functions for the netscript-compile(8) command that can be
    used in the definition files. DNAT and SNAT are set up in the dnat-defs and
    masq-defs files respectively. Any file ending in .def is taken as general rule
    set input for netscript-compile(8).

    The files generally take the form of tables, with the columns tab or space
    separated. The '#' character introduces a comment; a comment can be on a line
    by itself or at the end of a configuration line, and everything after the '#'
    is ignored by the netscript-compile(8) compiler.

RULE STRUCTURE
    The structure of the rule sets is as follows. Each chain is started by calling
    a shell compilation function (generally ipv4_compile_chain) to create the
    chain, with the chain name and source/destination regions as arguments; each
    rule in the chain is then given on a fresh line with the chain name in the
    first column.

    Regions are defined as network/interface tuples and are set up in
    network-defs. They are syntactically the same as shell script variables and
    are used the same way in the .def rule set files. Technically this magic is
    achieved by using eval within the netscript-compile(8) shell script.

    Any interface name can have either of the keywords =clear or =ipsec appended
    by using the '=' character on the end of the interface name. This specifically
    matches IPsec traffic, or non-IPsec traffic, going over the interface.
    Typically you would use this when defining a region, though the syntax is
    valid elsewhere as well. It is recommended that you use this feature to
    prevent packet injection from adjacent external sources when setting up
    iptables rules for VPN tunnel traffic.

    The regions are given as arguments to the compilation function, with each
    region always being 2 arguments in network/interface order.

    Each rule in a chain is defined by giving first the chain name, then the rule
    type, and then its direction. All columns after the third are specific to, and
    defined by, the rule type. The direction may be given as '-'.

    The rules produced by the compiler use the iptables connection-based state
    tracking. Packet-by-packet rules will be added later.

EXAMPLE
    Here is an example of part of a .def file:

        # Access from Office to internet
        # - only allow outgoing tcp and UDP
        #   and ping traffic - anything else is most
        #   likely a tunneling protocol.
        #   We have VPNs for tunneling
        ipv4_compile_chain -p 90 offcInet droplog $OFFICE_REGN $INTERNET_REGN
        offcInet    ACCEPT_EST    BOTH
        offcInet    ACCEPT_PING   L2R
        offcInet    ACCEPT_TCP    L2R    1:65535
        offcInet    ACCEPT_UDP    L2R    1:65535

    The ACCEPT_EST line accepts packets belonging to ESTABLISHED and RELATED
    connections, that is, to connections already accepted as new ones. New
    connections are accepted by the ACCEPT_PING, ACCEPT_TCP, and ACCEPT_UDP rules.
    Please see the iptables(8) manpage for the details on stateful filtering.

COMPILE FUNCTIONS
    Unless a function is defined in prototypes.sh, only one function is provided.
    This is not limiting, as there is a facility for rule macros, as well as the
    ability to tell the function to use one of the default base rule sets. If you
    do define a function in prototypes.sh, be careful to handle all errors from
    function and command calls, as otherwise netscript-compile(8) will break,
    since it runs with set -e.

    The only defined compile function for IPv4 is:

        ipv4_compile_chain [-i] [-n] [-b base-chain] [-p priority] [-s slave-chain]
                           <chain-name> <default-target> <from-net> <from-if>
                           [<to-net> <to-if>]

    The source region and destination region appear at the end. The
    default-target is one of RETURN, DROP, droplog, or log. The options to this
    function are as follows:

    -i
        Create an input chain for attaching to iplcl instead of the default
        forward chain for attaching to ipfwd.

    -n
        Do not lace the chain into iplcl or ipfwd.

    -b base-chain
        Specify an alternate rule set chain to use.

    -s slave-chain
        Configure/deconfigure this chain as well as the one specified. Useful for
        adjusting the input rule set when manipulating the access chain for an
        IPsec VPN.

    -p priority
        Specify the priority of the chain in the lacing rule set. Priority is
        between 00 and 99, with 00 at the top of the lacing chain and 99 at the
        bottom. This is useful for making sure that host-specific rule sets occur
        before more general network-related ones, and for putting Internet-related
        ones at the bottom of the lacing chain.

DIRECTION STATEMENTS
    The direction is as per FreeS/WAN, which uses left and right terminology. The
    possible directions are as follows:

    L2R|LEFT2RIGHT|INTERNAL2EXTERNAL|INTERN2EXTERN|I2E|INT2EXT
        Left to Right, Internal to External

    R2L|RIGHT2LEFT|EXTERNAL2INTERNAL|EXTERN2INTERN|E2I|EXT2INT
        Right to Left, External to Internal

    BOTH|-
        Both directions, aka none or '-'.

AVAILABLE CHAIN RULES
    Here are the valid chain rules and the arguments they expect. Wherever a port
    range is accepted it is written as two ports separated by a ':' character;
    each port must be a name from /etc/services or a number between 0 and 65535.
    Networks are given in IPv4 address/netmask or address/masklen format. A
    protocol is a name from /etc/protocols or a number between 0 and 255.

    COMMENT [word1] [word2] ...
        Insert a comment into the compiled shell script. Fill the 3rd (direction)
        column in with '-'.

    MACRO <macro-name>
        Expand a macro rule set. The macro name must start with 'MACRO_'. The
        direction should again be '-'.

    LOG [word1] [word2] ...
        Insert a logging rule using the given log message or, if none is given,
        the current log message for the chain.

    LOG_MSG [word1] [word2] ...
        Set the log message for the chain, replacing the default of
        'Chain: <chain-name>' or a previous LOG_MSG setting. Up to 26 letters can
        be used before the truncation limit is reached.

    RESET_LOG_MSG
        Reset the log message to the default of 'Chain: <chain-name>'.

    REJECT_SMB
        Jump to the smb control chain, creating it if it does not already exist.

    DROP_MARTIANS
        Jump to the martian source address control chain, creating it if it does
        not already exist.

    LOG_PORTSCAN
        Use the psd module to detect and log port scans. Creates the port scan log
        chain (if not already there), which puts 'PORTSCAN DETECTED - ' in the
        log.

    DROP_BROADCAST
        Drop ethernet broadcast packets.

    LOG_BROADCAST
        Log ethernet broadcast packets with the current log message for the chain.

    ACCEPT_EST
        Accept ESTABLISHED,RELATED packets via the iptables(8) state module.

    ACCEPT_RELATED
        Accept RELATED packets via the iptables(8) state module. Useful for the
        ICMP type 3 packets used for path MTU discovery.

    ACCEPT_PROTO <protocol>
        Accept NEW connections for a protocol.

    REJECT_PROTO <protocol>
        Reject NEW connections for a protocol with ICMP reject packets.

    DROP_PROTO <protocol>
        Drop all packets for a protocol, sending nothing in reply.

    LOG_PROTO <protocol>
        Log NEW connections for a protocol with the current log message for the
        chain.

    ACCEPT_TCP [src-port-range] <dst-port-range>
        Accept NEW TCP connections. With one argument it is the destination port
        (range); with two, the first is the source port (range) and the second the
        destination port (range).

    REJECT_TCP [src-port-range] <dst-port-range>
        Reject NEW TCP connections with an ICMP reject packet. Arguments as for
        ACCEPT_TCP.

    DROP_TCP [src-port-range] <dst-port-range>
        Drop all matching TCP packets, returning nothing at all. Arguments as for
        ACCEPT_TCP.

    LOG_TCP [src-port-range] <dst-port-range>
        Log NEW TCP connections with the current log message for the chain.
        Arguments as for ACCEPT_TCP.

    ACCEPT_UDP [src-port-range] <dst-port-range>
        Accept NEW UDP connections. Arguments as for ACCEPT_TCP.

    REJECT_UDP [src-port-range] <dst-port-range>
        Reject NEW UDP connections with an ICMP reject packet. Arguments as for
        ACCEPT_TCP.

    DROP_UDP [src-port-range] <dst-port-range>
        Drop all matching UDP packets, returning nothing at all. Arguments as for
        ACCEPT_TCP.

    LOG_UDP [src-port-range] <dst-port-range>
        Log NEW UDP connections with the current log message for the chain.
        Arguments as for ACCEPT_TCP.

    ACCEPT_PING
        Accept ICMP type 8 (echo request) packets for network diagnosis.

    DROP_PING
        Drop ICMP type 8 packets with no reply.

    LOG_PING
        Log an ICMP echo request with the current log message for the chain.

    ACCEPT_TCP_NET [src-network [src-port-range]] <dst-network> <dst-port-range>
        Accept NEW TCP connections from the given source (optional) to the
        destination.

    REJECT_TCP_NET [src-network [src-port-range]] <dst-network> <dst-port-range>
        Reject NEW TCP connections from the given source (optional) to the
        destination with an ICMP reject packet.

    DROP_TCP_NET [src-network [src-port-range]] <dst-network> <dst-port-range>
        Drop all TCP packets from the given source (optional) to the destination.

    LOG_TCP_NET [src-network [src-port-range]] <dst-network> <dst-port-range>
        Log all NEW TCP connections from the given source (optional) to the
        destination, with the current log message for the chain.

    ACCEPT_UDP_NET [src-network [src-port-range]] <dst-network> <dst-port-range>
        Accept NEW UDP connections from the given source (optional) to the
        destination.

    REJECT_UDP_NET [src-network [src-port-range]] <dst-network> <dst-port-range>
        Reject NEW UDP connections from the given source (optional) to the
        destination with an ICMP reject packet.

    DROP_UDP_NET [src-network [src-port-range]] <dst-network> <dst-port-range>
        Drop all UDP packets from the given source (optional) to the destination.

    LOG_UDP_NET [src-network [src-port-range]] <dst-network> <dst-port-range>
        Log all NEW UDP connections from the given source (optional) to the
        destination, with the current log message for the chain.

    ACCEPT_IFACE <interface>
        Accept all incoming NEW connections from an interface.

    REJECT_IFACE <interface>
        Reject all incoming NEW connections from an interface with an ICMP reject
        packet.

    DROP_IFACE <interface>
        Drop all incoming packets from an interface.

    LOG_IFACE <interface>
        Log all incoming NEW connections from an interface.

    ACCEPT_NET <network>
        Accept all NEW connections from a network.

    REJECT_NET <network>
        Reject all NEW connections from a network with an ICMP reject packet.

    DROP_NET <network>
        Drop all packets from a network.

    LOG_NET <network>
        Log all NEW connections from a network.

FILES
    /etc/netscript/ipfilter-defs.conf, /etc/netscript/ipfilter-defs-compiled.conf,
    /etc/netscript/ipfilter-defs directory.

SEE ALSO
    netscript-compile(8), iptables(8), ip6tables(8), netscript(8).

AUTHOR
    This manual page was written by Matthew Grant <grantma@anathoth.gen.nz>, for
    the Debian GNU/Linux system (but may be used by others).

BUGS
    I wrote this manpage when I was not half asleep... Some things are missing
    from this manpage... DNAT documentation is missing but obvious from the
    configuration file. SNAT documentation is missing but obvious from the
    configuration file.

                                   March 25, 2003                     IPFILTER-DEFS(5)
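An added example, not part of netscript or of this manpage: a small Python reader for the .def table format described under RULE STRUCTURE, EXAMPLE, COMPILE FUNCTIONS, DIRECTION STATEMENTS and AVAILABLE CHAIN RULES. It parses the ipv4_compile_chain line (only the -p option is modelled), expands region names into their two arguments the way the eval trick does, honours '#' comments and all the direction aliases, and turns the EST, RELATED, PING, TCP/UDP and TCP_NET/UDP_NET rule families plus the chain's default target into iptables commands. The REGIONS table stands in for network-defs, and the exact command shapes (how chains are laced into ipfwd, how droplog and log expand, the LOG prefix) are assumptions made here, not what netscript-compile(8) actually writes.

```python
"""Read netscript-style .def rule tables and emit equivalent iptables commands.
Added illustration, not netscript-compile(8): the command shapes (lacing into
ipfwd, the LOG prefix, droplog/log expansion) are approximations chosen here,
and REGIONS is a constructed stand-in for network-defs."""
import shlex
from typing import Dict, List, Tuple

Region = Tuple[str, str]  # (network, interface): the 2-argument region form

REGIONS: Dict[str, Region] = {          # constructed; the real network-defs defines these
    "$OFFICE_REGN": ("192.168.1.0/24", "eth0"),
    "$INTERNET_REGN": ("0.0.0.0/0", "eth1"),
}
_L2R = {"L2R", "LEFT2RIGHT", "INTERNAL2EXTERNAL", "INTERN2EXTERN", "I2E", "INT2EXT"}
_R2L = {"R2L", "RIGHT2LEFT", "EXTERNAL2INTERNAL", "EXTERN2INTERN", "E2I", "EXT2INT"}


def direction(word: str) -> str:
    """Normalise the manpage's direction aliases to L2R, R2L or BOTH."""
    if word in _L2R:
        return "L2R"
    if word in _R2L:
        return "R2L"
    if word in ("BOTH", "-"):
        return "BOTH"
    raise ValueError("unknown direction %r" % word)


class Chain:
    def __init__(self, name: str, default: str, src: Region, dst: Region, priority: int):
        self.name, self.default, self.src, self.dst = name, default, src, dst
        self.priority = priority
        self.log_msg = "Chain: " + name  # default until LOG_MSG / RESET_LOG_MSG

    def match(self, dirn: str, with_nets: bool = True) -> List[str]:
        """Region match for one direction; BOTH leaves it to the lacing rule."""
        if dirn == "BOTH":
            return []
        left, right = (self.src, self.dst) if dirn == "L2R" else (self.dst, self.src)
        if not with_nets:  # *_NET rules carry their own -s/-d
            return ["-i %s -o %s" % (left[1], right[1])]
        return ["-s %s -i %s" % left, "-d %s -o %s" % right]

    def log(self) -> str:
        return '-j LOG --log-prefix "%s: "' % self.log_msg[:26]  # manpage's 26-letter limit


def _new_chain(args: List[str], regions: Dict[str, Region]) -> Chain:
    priority = 50
    while args and args[0].startswith("-"):
        opt = args.pop(0)
        if opt != "-p":  # -i/-n/-b/-s alter lacing, which is not modelled here
            raise ValueError("option %s not supported here" % opt)
        priority = int(args.pop(0))
    words: List[str] = []
    for a in args:  # a region name expands to its 2 arguments, like the eval in netscript
        words.extend(regions[a] if a in regions else [a])
    if len(words) != 6:
        raise ValueError("need <chain> <default> <from-net> <from-if> <to-net> <to-if>")
    return Chain(words[0], words[1], (words[2], words[3]), (words[4], words[5]), priority)


def _rule(ch: Chain, kind: str, dirn: str, args: List[str]) -> str:
    action, _, what = kind.partition("_")
    if action not in ("ACCEPT", "DROP", "REJECT", "LOG"):
        raise ValueError("unknown rule %s" % kind)
    target = ch.log() if action == "LOG" else "-j " + action
    new = [] if action == "DROP" else ["-m state --state NEW"]  # DROP rules hit every packet
    if kind in ("ACCEPT_EST", "ACCEPT_RELATED"):
        spec = ["-m state --state %s -j ACCEPT" % ("ESTABLISHED,RELATED" if what == "EST" else "RELATED")]
    elif what == "PING":
        spec = ["-p icmp --icmp-type echo-request"] + new + [target]
    elif what in ("TCP", "UDP"):  # [src-port-range] <dst-port-range>
        ports = ["--sport " + args[0]] if len(args) == 2 else []
        spec = ["-p " + what.lower()] + ports + ["--dport " + args[-1]] + new + [target]
    elif what in ("TCP_NET", "UDP_NET"):  # [src-network [src-port-range]] <dst-network> <dst-port-range>
        src = ["-s " + args[0]] if len(args) >= 3 else []
        sport = ["--sport " + args[1]] if len(args) == 4 else []
        spec = ["-p " + what[:3].lower()] + src + ["-d " + args[-2]] + sport + ["--dport " + args[-1]] + new + [target]
    else:
        raise ValueError("rule %s not supported here" % kind)
    return " ".join(["iptables -A", ch.name] + ch.match(dirn, not what.endswith("_NET")) + spec)


def _close(ch: Chain) -> List[str]:
    """Default target closing a chain: RETURN, DROP, droplog or log."""
    pre = "iptables -A " + ch.name
    if ch.default in ("RETURN", "DROP"):
        return [pre + " -j " + ch.default]
    if ch.default in ("droplog", "log"):  # assumed expansion: log, then drop or return
        return [pre + " " + ch.log(), pre + (" -j DROP" if ch.default == "droplog" else " -j RETURN")]
    raise ValueError("unknown default target %s" % ch.default)


def compile_defs(text: str, regions: Dict[str, Region] = REGIONS) -> List[str]:
    out: List[str] = []
    chains: Dict[str, Chain] = {}
    for raw in text.splitlines():
        words = shlex.split(raw.split("#", 1)[0])  # '#' starts a comment; blank lines skipped
        if not words:
            continue
        if words[0] == "ipv4_compile_chain":
            ch = _new_chain(words[1:], regions)
            chains[ch.name] = ch
            out.append("iptables -N " + ch.name)
            continue
        ch, kind, args = chains[words[0]], words[1], words[3:]  # column 3 is the direction
        if kind == "COMMENT":
            out.append("# " + " ".join(args))
        elif kind == "LOG_MSG":
            ch.log_msg = " ".join(args)
        elif kind == "RESET_LOG_MSG":
            ch.log_msg = "Chain: " + ch.name
        else:
            out.append(_rule(ch, kind, direction(words[2]), args))
    for ch in chains.values():  # default target goes after every rule in the chain
        out.extend(_close(ch))
    for ch in sorted(chains.values(), key=lambda c: c.priority):  # 00 at top, 99 at bottom
        for dirn in ("L2R", "R2L"):  # lacing rules take traffic in both directions
            out.append(" ".join(["iptables -A ipfwd"] + ch.match(dirn) + ["-j " + ch.name]))
    return out


EXAMPLE_DEF = """\
# Access from Office to internet: the fragment from the EXAMPLE section
ipv4_compile_chain -p 90 offcInet droplog $OFFICE_REGN $INTERNET_REGN
offcInet    ACCEPT_EST   BOTH
offcInet    ACCEPT_PING  L2R
offcInet    ACCEPT_TCP   L2R   1:65535
offcInet    ACCEPT_UDP   L2R   1:65535
"""

if __name__ == "__main__":
    print("\n".join(compile_defs(EXAMPLE_DEF)))
```

Run it to print the commands for the EXAMPLE fragment. Two choices mirror the manpage: the chain's default target is emitted only after every rule in the chain, so an early droplog cannot shadow the rules below it, and lacing rules are emitted in priority order, lowest number first, as the -p description requires.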