On Thu, May 03, 2007 at 02:26:32PM +0200, Pierguido wrote:
> I'm using Etch on a server and I want to configure bind.
> After I've done everything I set up firehol (iptables parser) and
> noticed that, when firehol is on, I cannot make any request to the
> outside DNS server.
>
> I checked the firehol log and I see:
>
> May 3 14:19:54 srv-web 'OUT-unknown:' IN= OUT=eth0 MAC=
> SRC=192.168.100.2 DST=213.140.2.49 LEN=70 TOS=00 PREC=0x00 TTL=64 ID=0
> DF PROTO=UDP SPT=53 DPT=53 LEN=50

Yep - looks like an outgoing DNS query.

> OUT-unknown is the default rule for the OUTPUT chain (DROP).
>
> In my firehol setup for that interface I have these rules:
>
> policy drop
> protection strong
> server dns accept custom "--state NEW,ESTABLISHED"
> server icmp accept
> server http accept
> server ftp accept
> client all accept
>
> This is the result of many tries, but all without success.
> Now, as far as I can understand, it seems as if the packet originating from
> my DNS server is not intercepted by any rule, going then to the default
> one (DROP).

Looking at the rules, I'd concur...

> These are the rules:

[big snip]

> Chain OUTPUT (policy DROP)
> target     prot opt source            destination
> ACCEPT     0    --  0.0.0.0/0         0.0.0.0/0

Strange: With this rule as the *first* rule in the OUTPUT chain,
*everything* outgoing should be accepted, regardless of source,
destination or protocol!?

> out_lan             0    --  192.168.30.103    0.0.0.0/0
> out_public_lan_124  0    --  192.168.100.2     0.0.0.0/0
> out_public_lan_125  0    --  192.168.100.5     0.0.0.0/0
> ACCEPT              0    --  0.0.0.0/0         0.0.0.0/0  state RELATED
> ULOG                0    --  0.0.0.0/0         0.0.0.0/0  limit: avg 1/sec
> burst 5 ULOG copy_range 0 nlgroup 1 prefix `'OUT-unknown:'' queue_threshold 1

And yet your log entry appears to be the result of this rule...

> DROP                0    --  0.0.0.0/0         0.0.0.0/0

Are you 100% sure that these were the rules in effect at the time of the
log entry? It's not making sense ...

--
Karl E. Jorgensen [EMAIL PROTECTED] http://www.jorgensen.org.uk/
[EMAIL PROTECTED] http://karl.jorgensen.com
==== Today's fortune:
Things worth having are worth cheating for.
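To make Karl's point checkable rather than a matter of reading the listing by eye, here is an added example (not from the thread or from firehol) that parses the quoted ULOG line and walks the quoted OUTPUT chain rule by rule. It assumes the user-defined chains (out_lan and friends, whose contents the thread does not show) return without a verdict, and it models ULOG as the non-terminating target it is, so a logged packet falls through to the DROP below it.

```python
import ipaddress

# Constructed copy of the ULOG line quoted in the thread (same field values).
LOG_LINE = ("May  3 14:19:54 srv-web 'OUT-unknown:' IN= OUT=eth0 MAC= "
            "SRC=192.168.100.2 DST=213.140.2.49 LEN=70 TOS=00 PREC=0x00 TTL=64 "
            "ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=50")

def parse_log(line):
    """Split a netfilter ULOG/LOG line into KEY=VALUE fields and bare flags (DF)."""
    fields, flags = {}, []
    for tok in line.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields.setdefault(k, v)   # first LEN= is the IP length; keep it
        elif tok.isupper():
            flags.append(tok)
    return fields, flags

# The OUTPUT chain exactly as listed in the thread, top to bottom.
# User-defined chains are not shown on the page; assumed to RETURN unmatched.
OUTPUT_CHAIN = [
    {"target": "ACCEPT"},
    {"target": "out_lan", "src": "192.168.30.103/32"},
    {"target": "out_public_lan_124", "src": "192.168.100.2/32"},
    {"target": "out_public_lan_125", "src": "192.168.100.5/32"},
    {"target": "ACCEPT", "state": "RELATED"},
    {"target": "ULOG"},
    {"target": "DROP"},
]
TERMINAL = {"ACCEPT", "DROP"}

def walk_chain(chain, fields, state="NEW"):
    """Return (verdict, index of deciding rule, was_logged) for one packet."""
    src = ipaddress.ip_address(fields["SRC"])
    logged = False
    for i, rule in enumerate(chain):
        if "src" in rule and src not in ipaddress.ip_network(rule["src"]):
            continue
        if "state" in rule and rule["state"] != state:
            continue
        if rule["target"] == "ULOG":      # non-terminating: log, then continue
            logged = True
            continue
        if rule["target"] in TERMINAL:
            return rule["target"], i, logged
    return "POLICY_DROP", None, logged    # chain policy applies

if __name__ == "__main__":
    f, flags = parse_log(LOG_LINE)
    print(f["SRC"], "->", f["DST"], f["PROTO"], f["SPT"], f["DPT"], flags)
    print(walk_chain(OUTPUT_CHAIN, f))      # ('ACCEPT', 0, False)
    print(walk_chain(OUTPUT_CHAIN[1:], f))  # ('DROP', 5, True)
```

The second call drops the leading unconditional ACCEPT: only then does a NEW outgoing query from 192.168.100.2 reach ULOG and DROP, which is the behaviour the log shows and why the listed chain cannot have been the one in effect.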