iptables how to block all udp but allow dns lookups

namhuy Member
edited April 2014 in Help

I was trying to block all udp first, then allow dns but it does not work. It works when I put allow dns rules first, then block all udp rules after. Is there any way to block all udp first?

Comments

  • Me_B Member

    What about hosting your DNS on cloudflare for free? More radical, but it would offload your server ;-)

  • tomle Member, LIR
    edited April 2014

    You should allow what you want first and block the rest.

  • Me_B Member

    @tomle said:
    You should allow what you want first and block the rest.

    Yep iptables order is key for any rules.

  • but isn't it more secure to drop all first then allow what you need?

  • @namhuy said:
    but isn't it more secure to drop all first then allow what you need?

    Before you do that; make damn sure you allow SSH.

  • @Floris said:
    Before you do that; make damn sure you allow SSH.

    As long as the walk to the data center is on a sunny day ;)

    @namhuy said:
    but isn't it more secure to drop all first then allow what you need?

    This depends on how the list is processed. Usually the first applicable entry stops it. So first you list all items you want to allow and then have a default deny entry.

  • @namhuy said:
    but isn't it more secure to drop all first then allow what you need?

    You're saying it, if you drop all of it first, how can you decide which was allowed and which wasn't? I'm not really familiar with iptables rules order but allow-drop makes more sense.

  • I always have input/output/forward chains drop on the top, then starts to allow tcp ports. What I'm trying to do is to put

    iptables -A INPUT -p udp -j DROP
    iptables -A OUTPUT -p udp -j DROP
    

    before allow dns udp port which does not work unless I put allow dns udp before drop all udp.

  • namhuy Member
    edited April 2014

    @introducial depends on your need and what app you are running. Generally for a web server, it only needs 80, 21. The more you develop your server, the more you know what you need to open.

  • @namhuy said:
    I always have input/output/forward chains drop on the top, then starts to allow tcp ports. What I'm trying to do is to put

    iptables -A INPUT -p udp -j DROP
    iptables -A OUTPUT -p udp -j DROP
    

    before allow dns udp port which does not work unless I put allow dns udp before drop all udp.

    That's how iptables/netfilter works. It matches the first rule it finds, and in this case, it will find the "drop udp packets" rule before the one allowing a specific kind of traffic.

    The "-A" switch appends the rule to the bottom of the chain, while the "-I" one will add the rule to the top of the chain. Try adding your "allow udp port" rule with "-I" and see if it works for you.

  • @qrwteyrutiyoup if I use -I, it's not really different than if I manually put allow udp dns rules before block all udp rules.

  • @namhuy said:
    qrwteyrutiyoup if I use -I, it's not really different than if I manually put allow udp dns rules before block all udp rules.

    Exactly, and that's the point. If the rule allowing it isn't before the one denying it, it will be denied, since that will be the rule iptables will match against.

  • graca Member

    just keep the default policy rules

    iptables -A INPUT -p udp -j DROP
    iptables -A OUTPUT -p udp -j DROP
    

    add these:

    # outgoing query: from an unprivileged local port to the resolver's port 53
    iptables -A OUTPUT -p udp --dport 53 --sport 1024:65535 -j ACCEPT

    # the reply comes back from port 53 to the unprivileged port the query was sent from
    iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT

    hope it could help

  • @namhuy: Maybe you can accomplish what you want by changing the chain policy to drop and then allowing the traffic you want (tcp + udp53)?
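    As an added illustration of the two points made above (first-match evaluation with -A versus -I, and a DROP chain policy with ACCEPT rules), here is a small chain evaluator written for this thread; it is not iptables or anyone's posted rules, and it simplifies a packet to protocol, source port and destination port.

```python
# Minimal first-match chain evaluator mirroring how netfilter walks an iptables
# chain: rules are checked top to bottom, the first match gives the verdict,
# and the chain policy applies only when no rule matched.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    target: str                     # "ACCEPT" or "DROP"
    proto: Optional[str] = None     # -p udp / -p tcp; None matches any protocol
    sport: Optional[range] = None   # --sport port range; None matches any port
    dport: Optional[range] = None   # --dport port range; None matches any port

    def matches(self, proto: str, sport: int, dport: int) -> bool:
        return ((self.proto is None or self.proto == proto)
                and (self.sport is None or sport in self.sport)
                and (self.dport is None or dport in self.dport))


class Chain:
    def __init__(self, policy: str = "ACCEPT"):
        self.policy = policy        # like: iptables -P INPUT DROP
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> None:   # iptables -A: rule goes to the bottom
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:   # iptables -I: rule goes to the top
        self.rules.insert(0, rule)

    def verdict(self, proto: str, sport: int, dport: int) -> str:
        for rule in self.rules:             # first matching rule wins
            if rule.matches(proto, sport, dport):
                return rule.target
        return self.policy                  # nothing matched: policy decides


def dns_reply_verdict(build: str) -> str:
    """Verdict for an inbound DNS reply (udp, sport 53, dport 40000; constructed sample)."""
    drop_udp = Rule("DROP", proto="udp")
    allow_dns = Rule("ACCEPT", proto="udp", sport=range(53, 54), dport=range(1024, 65536))
    chain = Chain("ACCEPT")
    if build == "append":       # poster's order: DROP udp, then the allow rule appended with -A
        chain.append(drop_udp); chain.append(allow_dns)
    elif build == "insert":     # same rules, but the allow rule inserted at the top with -I
        chain.append(drop_udp); chain.insert(allow_dns)
    else:                       # chain policy DROP and only ACCEPT rules, as suggested above
        chain = Chain("DROP"); chain.append(allow_dns)
    return chain.verdict("udp", 53, 40000)
```

    With the policy build, the same chain also drops any UDP packet that is not a DNS reply, which is the behaviour the original "block all udp" DROP rule was meant to give.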

  • namhuy Member
    edited April 2014

    @qrwteyrutiyoup I think I got this now :) I misunderstood iptables chain and iptables rules. Normally I have all chains drop, and allow rules under chain.

    iptables -A INPUT -p udp -j DROP
    iptables -A OUTPUT -p udp -j DROP
    

    those are rules so yeah it follows rules order :)

    BIG thanks from me :)
