Koozali.org: home of the SME Server

Thierry Bucco

dns not working & ipchain
« on: October 23, 2002, 10:09:49 PM »
Hi,

I am "playing" with ipchain.  Here is my script to configure it.

*************************
#!/bin/bash
################################################
#  Fill in the values below to match your
#  local network.

PRIVATENET=192.168.1.0/24

PUBLIC=ppp0
PRIVATE=eth0

# your dns servers
DNS1=193.252.19.3
DNS2=193.252.19.4

################################################

# some handy generic values to use
ANY=0.0.0.0/0
ALLONES=255.255.255.255

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

# See how we are called
case "$1" in

  start)
        # Start providing access
        action "Demarrage du Firewall: " /bin/true

        ##
        ## Setup Environment
        ##
        # Flush all lists
        /sbin/ipchains -F input
        /sbin/ipchains -F output
        /sbin/ipchains -F forward

        # Plug up everything
        /sbin/ipchains -I input 1 -j DENY

        # set policy to deny (Default is ACCEPT)
        /sbin/ipchains -P input DENY
        /sbin/ipchains -P output ACCEPT
        /sbin/ipchains -P forward ACCEPT

        # set masquerade timeout to 10 hours for tcp connections
        /sbin/ipchains -M -S 36000 0 0
   
        # Turn on packet forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward

        ##
        ## Install Modules
        ##
        # Insert the active ftp module.  This will allow non-passive ftp to machines
        # on the local network (but not to the router since it is not masq'd)
        if ! ( /sbin/lsmod | /bin/grep masq_ftp > /dev/null ); then
            /sbin/insmod ip_masq_ftp
        fi

        ##
        ## Some Security Stuff
        ##
        # turn on Source Address Verification and get spoof protection
        # on all current and future interfaces.
        if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
            for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
                echo 1 > $f
            done
        else
            echo
            echo "PROBLEMS SETTING UP IP SPOOFING PROTECTION.  BE WORRIED."
            echo
        fi

        # deny bcasts on remaining interfaces
        /sbin/ipchains -A input -d 0.0.0.0 -j DENY
        /sbin/ipchains -A input -d 255.255.255.255 -j DENY

        # deny these without logging 'cause there tend to be a lot...
        #/sbin/ipchains -A input -p udp -d $ANY 137 -j DENY   # NetBIOS over IP
        #/sbin/ipchains -A input -p tcp -d $ANY 137 -j DENY   #   ""
        #/sbin/ipchains -A input -p udp -d $ANY 138 -j DENY   #   ""
        #/sbin/ipchains -A input -p tcp -d $ANY 138 -j DENY   #   ""
        /sbin/ipchains -A input -p udp -d $ANY 67 -j DENY    # bootp
        /sbin/ipchains -A input -p udp -d $ANY 68 -j DENY    #   ""
        /sbin/ipchains -A input -s 224.0.0.0/8 -j DENY       # Multicast addresses

        # Redirect outbound port 80 from the LAN to local port 3128 (squid proxy)

        /sbin/ipchains -A input -j ACCEPT -p tcp -s 0.0.0.0/0 -d 192.168.1.1/32 80
        /sbin/ipchains -A input -j ACCEPT -p tcp -s 0.0.0.0/0 -d 127.0.0.1/32
        /sbin/ipchains -A input -j REDIRECT 3128 -p tcp -s 192.168.1.0/24 -d 0.0.0.0/0 80

        ##
        ## Allow private network out
        ##
        # allow all packets on the loopback interface
        /sbin/ipchains -A input -i lo -j ACCEPT

        # allow all packets from the internal "trusted" interface
        /sbin/ipchains -A input -i $PRIVATE -s $PRIVATENET -d $ANY -j ACCEPT
        /sbin/ipchains -A input -i $PRIVATE -d $ALLONES -j ACCEPT

        ##
        ## Allow Outside Services into the firewall (if you dare)
        ##
        # allow ICMP
        #/sbin/ipchains -A input -p icmp -j ACCEPT
        # allow TCP
        /sbin/ipchains -A input -p tcp ! -y -j ACCEPT

        # allow lookups to DNS (on firewall)
        /sbin/ipchains -A input -p udp -s $DNS1 domain -d $ANY 1023: -j ACCEPT
        /sbin/ipchains -A input -p udp -s $DNS2 domain -d $ANY 1023: -j ACCEPT
       
        # or (BETTER IDEA) run a caching DNS server on the router and use the
        # following two lines instead...
        # /sbin/ipchains -A input -p udp -s $DNS1 domain -d $ANY domain -j ACCEPT
        # /sbin/ipchains -A input -p udp -s $DNS2 domain -d $ANY domain -j ACCEPT

        # uncomment the following to allow ssh in
        /sbin/ipchains -A input -p tcp -d $ANY 22 -j ACCEPT

        # uncomment the following to allow telnet in (BAD IDEA!!)
        #/sbin/ipchains -A input -p tcp -d $ANY telnet -j ACCEPT

        # uncomment to allow NTP (network time protocol) to router
        # /sbin/ipchains -A input -p udp -d $ANY ntp -j ACCEPT

        # uncomment to allow SMTP in (not for mail clients - only a server)
        #/sbin/ipchains -A input -p tcp -d $ANY smtp -j ACCEPT

        # uncomment to allow POP3 in (for mail clients)
        #/sbin/ipchains -A input -p tcp -d $ANY 110 -j ACCEPT

        # allow auth in for sending mail or doing ftp
        #/sbin/ipchains -A input -p tcp -d $ANY auth -j ACCEPT

        # uncomment to allow HTTP in (only if you run a web server on the router)
        #/sbin/ipchains -A input -p tcp -d $ANY http -j ACCEPT

        # uncomment to allow FTP in
        #/sbin/ipchains -A input -p tcp -d $ANY ftp -j ACCEPT

        ##
        ## Masquerading stuff
        ##
        # masquerade packets forwarded from internal network
        /sbin/ipchains -A forward -s $PRIVATENET -d $ANY -j MASQ

        ##
        ## deny EVERYthing else and log them to /var/log/messages
        ##
        /sbin/ipchains -A input -l -j DENY

        # Remove the Plug
        /sbin/ipchains -D input 1

        ;;

  stop)
        action "Arret du Firewall: " /bin/true
        echo 0 > /proc/sys/net/ipv4/ip_forward
        /sbin/ipchains -F input
        /sbin/ipchains -F output
        /sbin/ipchains -F forward

        echo
        ;;

  restart)
        action "Redemarrage du Firewall: " /bin/true
        $0 stop
        $0 start

        echo
        ;;

  status)
        # List out settings
        /sbin/ipchains -L
        ;;

  test)
        ##
        ## This is about as simple as it gets
        ##    (This is not secure AT ALL)
        action "WARNING Test Firewall: " /bin/true
        /sbin/ipchains -F input
        /sbin/ipchains -F output
        /sbin/ipchains -F forward
        echo 1 > /proc/sys/net/ipv4/ip_forward
        /sbin/ipchains -A input -j ACCEPT
        /sbin/ipchains -A output -j ACCEPT
        /sbin/ipchains -P forward DENY
        /sbin/ipchains -A forward -i $PUBLIC -j MASQ

        echo
        ;;

  *)
        echo "Usage: $0 {start|stop|restart|status|test}"
        exit 1

esac
*********************************

But the problem is a DNS problem.
I am unable to ping or traceroute, and squid tells me that there is a DNS error.

How can I fix the problem?

If I don't use this script, all works fine.

Thanks for your help.

Thierry

Steve

Re: dns not working & ipchain
« Reply #1 on: October 24, 2002, 10:11:14 AM »
Where is this script located on e-smith?  I assume that is your modified version, and I know that I need to create a template to edit it.  I would like to modify IPCHAINS too.  Do you happen to know where the command for masq'ing is located?  (If I remember correctly, IPCHAINS handles that?)

As for your problem, can you get DNS from the shell?  That would tell you if there is a problem with DNS being blocked to the internal network or if it's being blocked at the server also.  (I believe it will access DNS directly on the server and not use an internal IP)

Steve

Thierry Bucco

Re: dns not working & ipchain
« Reply #2 on: October 24, 2002, 12:49:28 PM »
Hi,

Thanks for your answer (Steve).

In fact, my shell script is launched at boot time, because I don't know how
to create a template in order to edit it. Is there a better way to change
firewall rules?

For masq'ing, I don't know where it is located (I'm a newbie with
firewalls...)

I presume I can't get DNS from the shell, because when I do "ping
www.apple.com" I get this error: "unknown host www.apple.com".

I use my provider's DNS: 193.252.19.2

But all works fine if I don't set these new rules.

What must I do?

Thanks.

Thierry
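A small diagnostic, added here as an editorial example and not code from the thread, that checks the two things Steve's question points at for the script in the first post and the resolver named in the reply above: whether every nameserver in /etc/resolv.conf is among the DNS1/DNS2 addresses the script accepts port-53 replies from (the script lists 193.252.19.3 and .4, the reply above uses 193.252.19.2), and how many DNS answers the final "-l -j DENY" rule has already logged. The resolv.conf content and syslog lines are constructed samples, and the ipchains log field layout is assumed from its usual syslog output.

```shell
#!/bin/sh
# Added diagnostic (not from the thread) for the ruleset posted above.
# Check 1: is every resolver in /etc/resolv.conf among the DNS1/DNS2
#          addresses the script accepts port-53 UDP replies from?
# Check 2: how many UDP replies from source port 53 has the final
#          "ipchains -A input -l -j DENY" rule logged?
# All inputs below are constructed samples; on the router replace them
# with "$(cat /etc/resolv.conf)" and "$(grep 'Packet log' /var/log/messages)".

DNS_ALLOWED="193.252.19.3 193.252.19.4"   # DNS1 and DNS2 from the script

# Constructed resolv.conf: the resolver really in use is .2, not .3/.4
RESOLV_CONF='search example.lan
nameserver 193.252.19.2'

# Constructed syslog lines in the layout ipchains -l writes (assumed):
# "Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ..."
LOG_LINES='Oct 23 22:05:01 gw kernel: Packet log: input DENY ppp0 PROTO=17 193.252.19.2:53 198.51.100.2:1025 L=120 S=0x00 I=4711 F=0x0000 T=54 (#12)
Oct 23 22:05:02 gw kernel: Packet log: input DENY ppp0 PROTO=1 203.0.113.5:0 198.51.100.2:0 L=84 S=0x00 I=4712 F=0x0000 T=50 (#12)
Oct 23 22:05:03 gw kernel: Packet log: input DENY ppp0 PROTO=17 193.252.19.2:53 198.51.100.2:1026 L=98 S=0x00 I=4713 F=0x0000 T=54 (#12)'

# Print each "nameserver" address in $1 that is not in the allowed list $2.
unlisted_resolvers() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "nameserver" && !($2 in ok) { print $2 }'
}

# Count logged input DENY entries that are UDP (PROTO=17) with source port 53,
# i.e. DNS answers the ruleset threw away (the field after PROTO= is the source).
denied_dns_replies() {
    printf '%s\n' "$1" | awk '
        /Packet log: input DENY/ && /PROTO=17/ {
            for (i = 2; i <= NF; i++)
                if ($(i-1) ~ /^PROTO=/ && $i ~ /:53$/) c++
        }
        END { print c + 0 }'
}

missing=$(unlisted_resolvers "$RESOLV_CONF" "$DNS_ALLOWED")
if [ -n "$missing" ]; then
    echo "resolver(s) missing from DNS1/DNS2 (their replies hit the DENY rule): $missing"
else
    echo "all resolvers are covered by DNS1/DNS2"
fi
echo "DNS replies logged as DENY: $(denied_dns_replies "$LOG_LINES")"
```

Ping and traceroute fail for a related reason: the "-p icmp -j ACCEPT" line is commented out, so echo replies and the ICMP errors traceroute relies on land on the same logging DENY rule.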