Blocking DNS addresses from general use

der.hans PLUGd@LuftHans.com
Tue, 21 Mar 2000 01:29:38 -0700 (MST)


On Mon, 20 Mar 2000, Stephen Smith wrote:

> I want to accept DNS server use from a range of IP addresses.  How do I do that?
> 
> I tried using IPChains - accepting from certain subnets and denying everyone else.
> But that blocked the lookups from the other servers.

#!/bin/sh
# Undefine LOCALNET if there is no network card
LOCALNET=10.1.1.0          # internal network, used below as $LOCALNET/24
INTIP=10.1.1.96            # this host's address on the internal interface
EXTIP=192.168.1.90         # this host's address on the external interface

# Find out what nameservers we use
NAMESERVERS=`awk '($1 ~ "nameserver") {print $2}' < /etc/resolv.conf`

if [ -z "$NAMESERVERS" ]
then
        # No upstream nameservers listed: accept port 53 from anywhere
        ipchains -A ext-in -j ACCEPT -p TCP -d 0/0 53
        ipchains -A ext-in -j ACCEPT -p UDP -d 0/0 53
else
        # Only the nameservers we query may reach port 53 on the external
        # address, so their replies get through and nobody else's queries do
        for NAMESERVER in ${NAMESERVERS} ; do
                ipchains -A ext-in -j ACCEPT -p TCP -s $NAMESERVER -d $EXTIP 53
                ipchains -A ext-in -j ACCEPT -p UDP -s $NAMESERVER -d $EXTIP 53
        done
fi

# for internal use of dns services: only the local /24 may query
ipchains -A int-in -j ACCEPT -p TCP -s $LOCALNET/24 -d $INTIP 53
ipchains -A int-in -j ACCEPT -p UDP -s $LOCALNET/24 -d $INTIP 53

# ext-in is the input chain for the external interface
# int-in is the input chain for the internal interface

Don't forget the DNS stuff that Mike suggested as well.

If you throw a "-l" on the end of all of the above ipchains commands you
should see ACCEPTs in the logs when queries are made. Also don't forget
that DNS queries go to port 53 in both TCP and UDP, from either a port
above 1023 or from port 53.

ciao,

der.hans
-- 
# +++++++++++=================================+++++++++++ #
#  der.hans@LuftHans.com                  www.excelco.com #
#            http://home.pages.de/~lufthans/              #
#   I'm not anti-social, I'm pro-individual. - der.hans   #
# ===========+++++++++++++++++++++++++++++++++=========== #
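Added example, not part of der.hans' post: a dry-run model of the rule set above. It builds the same rules (from a constructed resolv.conf instead of /etc/resolv.conf) and then evaluates sample packets against them with ipchains' first-match semantics, so you can see which packets each chain accepts before loading anything into a kernel. The addresses are the ones from the post; the two upstream nameservers, the sample packets, and the catch-all DENY at the end of each chain are assumptions. It also adds one pair of rules the post does not have, for a resolver that sends its queries from ports above 1023, to illustrate the source-port remark above.

```shell
#!/bin/sh
# Added example (not the original post's code): a dry-run model of the
# posted ipchains rules, evaluated against constructed sample packets.

LOCALNET=10.1.1.0/24      # internal clients allowed to query
INTIP=10.1.1.96           # server address on the internal interface
EXTIP=192.168.1.90        # server address on the external interface

# Constructed stand-in for /etc/resolv.conf (assumed upstream servers).
RESOLV_CONF='search example.net
nameserver 192.168.1.1
nameserver 192.168.1.2'

# Dotted quad -> unsigned 32-bit integer.
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR NET: NET is a.b.c.d, a.b.c.d/LEN, or ipchains' 0/0 (any).
in_net() {
    case $2 in
        */*) net=${2%/*}; len=${2#*/} ;;
        *)   net=$2;      len=32 ;;
    esac
    [ "$len" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# port_match SPEC PORT: SPEC is any, N, or N:M.
port_match() {
    case $1 in
        any) return 0 ;;
        *:*) [ "$2" -ge "${1%:*}" ] && [ "$2" -le "${1#*:}" ] ;;
        *)   [ "$2" -eq "$1" ] ;;
    esac
}

RULES=""
# add_rule CHAIN PROTO SRC SPORT DST DPORT TARGET: one rule, in order.
add_rule() {
    RULES="$RULES$1 $2 $3 $4 $5 $6 $7
"
}

build_rules() {
    RULES=""
    NAMESERVERS=$(printf '%s\n' "$RESOLV_CONF" | awk '($1 ~ "nameserver") {print $2}')
    if [ -z "$NAMESERVERS" ]; then
        add_rule ext-in tcp 0/0 any 0/0 53 ACCEPT
        add_rule ext-in udp 0/0 any 0/0 53 ACCEPT
    else
        for NS in $NAMESERVERS; do
            # Posted rules: replies from our upstream servers to port 53
            # (a resolver that queries from port 53).
            add_rule ext-in tcp "$NS" any "$EXTIP" 53 ACCEPT
            add_rule ext-in udp "$NS" any "$EXTIP" 53 ACCEPT
            # Added here: replies from port 53 to a resolver that queries
            # from a port above 1023.
            add_rule ext-in tcp "$NS" 53 "$EXTIP" 1024:65535 ACCEPT
            add_rule ext-in udp "$NS" 53 "$EXTIP" 1024:65535 ACCEPT
        done
    fi
    # Queries from the internal network only.
    add_rule int-in tcp "$LOCALNET" any "$INTIP" 53 ACCEPT
    add_rule int-in udp "$LOCALNET" any "$INTIP" 53 ACCEPT
    # Assumed catch-all: each chain ends by denying whatever was not accepted.
    add_rule ext-in any 0/0 any 0/0 any DENY
    add_rule int-in any 0/0 any 0/0 any DENY
}

# verdict CHAIN PROTO SRC SPORT DST DPORT: target of the first matching rule.
verdict() {
    result=$(printf '%s' "$RULES" |
        while read -r rchain rproto rsrc rsport rdst rdport target; do
            [ "$rchain" = "$1" ] || continue
            [ "$rproto" = any ] || [ "$rproto" = "$2" ] || continue
            in_net "$3" "$rsrc"       || continue
            port_match "$rsport" "$4" || continue
            in_net "$5" "$rdst"       || continue
            port_match "$rdport" "$6" || continue
            echo "$target"; break
        done)
    echo "${result:-RETURN}"   # no match: ipchains returns to the calling chain
}

build_rules
# Constructed sample packets: CHAIN PROTO SRC SPORT DST DPORT
printf '%s\n' \
    "int-in udp 10.1.1.20    1025 10.1.1.96    53" \
    "int-in tcp 10.1.2.5     1025 10.1.1.96    53" \
    "ext-in udp 203.0.113.7  1025 192.168.1.90 53" \
    "ext-in udp 192.168.1.1  53   192.168.1.90 53" \
    "ext-in udp 192.168.1.1  53   192.168.1.90 1025" \
    "ext-in udp 203.0.113.7  53   192.168.1.90 1025" |
while read -r pkt; do
    printf '%-50s %s\n' "$pkt" "$(verdict $pkt)"
done
```

The second packet (a client outside the /24) and the third (an outside host querying the external address) are the ones the original question wanted refused; the fourth and fifth are the upstream replies that a plain "deny everyone else" filter drops, which is why lookups from the other servers stopped working.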