# Problems with IPTABLES and DNS

## warriorforGod

I have a gentoo box set up serving as a firewall/gateway/router for my network. I am also running DHCP and DNS on this box for the network. eth0 is the card for my internal network, and eth1 is connected to the outside world. When I use the following iptables rules the gentoo box itself can get to the outside world, however none of the internal boxes can resolve anything through DNS. The following items show up in the logs when I turn on these rules. Any help to get this working is appreciated in advance.

```
Jun  9 08:35:21 thegatekeeper kernel: [315817.488161] INPUT_DROP_DEFAULT IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:30:b8:ce:82:a0:08:00 SRC=98.190.178.129 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=47392 PROTO=2
Jun  9 08:35:21 thegatekeeper kernel: [315817.488232] INPUT_DROP_DEFAULT IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:30:b8:ce:82:a0:08:00 SRC=98.175.196.129 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=47393 PROTO=2
Jun  9 08:35:21 thegatekeeper kernel: [315817.488776] INPUT_DROP_DEFAULT IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:30:b8:ce:82:a0:08:00 SRC=24.252.60.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=47394 PROTO=2
Jun  9 08:35:21 thegatekeeper kernel: [315817.488834] INPUT_DROP_DEFAULT IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:30:b8:ce:82:a0:08:00 SRC=98.187.4.161 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=47395 PROTO=2
Jun  9 08:35:21 thegatekeeper kernel: [315817.488909] INPUT_DROP_DEFAULT IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:30:b8:ce:82:a0:08:00 SRC=98.186.246.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=47396 PROTO=2
Jun  9 08:35:21 thegatekeeper kernel: [315817.488972] INPUT_DROP_DEFAULT IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:30:b8:ce:82:a0:08:00 SRC=98.175.197.193 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=47397 PROTO=2
Jun  9 08:35:21 thegatekeeper kernel: [315817.489774] INPUT_DROP_DEFAULT IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:30:b8:ce:82:a0:08:00 SRC=98.188.36.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=47398 PROTO=2
Jun  9 08:35:21 thegatekeeper kernel: [315817.489850] INPUT_DROP_DEFAULT IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:30:b8:ce:82:a0:08:00 SRC=10.106.252.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=47399 PROTO=2
Jun  9 08:35:21 thegatekeeper kernel: [315817.489921] INPUT_DROP_DEFAULT IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:30:b8:ce:82:a0:08:00 SRC=98.179.50.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=47400 PROTO=2
Jun  9 08:35:21 thegatekeeper kernel: [315817.489990] INPUT_DROP_DEFAULT IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:30:b8:ce:82:a0:08:00 SRC=98.188.201.97 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=47401 PROTO=2
Jun  9 08:35:21 thegatekeeper kernel: [315817.490061] INPUT_DROP_DEFAULT IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:30:b8:ce:82:a0:08:00 SRC=98.188.208.33 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=47402 PROTO=2
Jun  9 08:35:21 thegatekeeper kernel: [315817.490129] INPUT_DROP_DEFAULT IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:30:b8:ce:82:a0:08:00 SRC=98.188.208.161 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=47403 PROTO=2
Jun  9 08:35:21 thegatekeeper kernel: [315817.490424] INPUT_DROP_DEFAULT IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:30:b8:ce:82:a0:08:00 SRC=174.69.80.9 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=47404 PROTO=2
Jun  9 08:35:21 thegatekeeper kernel: [315817.490496] INPUT_DROP_DEFAULT IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:30:b8:ce:82:a0:08:00 SRC=70.182.207.129 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=47405 PROTO=2
Jun  9 08:35:21 thegatekeeper kernel: [315817.490747] INPUT_DROP_DEFAULT IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:30:b8:ce:82:a0:08:00 SRC=98.188.209.193 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=47406 PROTO=2
Jun  9 08:35:21 thegatekeeper kernel: [315817.491273] INPUT_DROP_DEFAULT IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:30:b8:ce:82:a0:08:00 SRC=174.69.85.17 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=47407 PROTO=2
Jun  9 08:35:21 thegatekeeper kernel: [315817.491343] INPUT_DROP_DEFAULT IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:30:b8:ce:82:a0:08:00 SRC=174.78.68.97 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=47408 PROTO=2
Jun  9 08:35:24 thegatekeeper kernel: [315820.171588] INPUT_DROP_DEFAULT IN=eth0 OUT= MAC=00:10:4b:1f:45:6e:00:12:17:e2:53:fc:08:00 SRC=192.168.1.127 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=45346 DF PROTO=UDP SPT=59487 DPT=53 LEN=40
Jun  9 08:35:26 thegatekeeper kernel: [315821.762621] FORWARD_DROP_DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.126 DST=72.215.225.9 LEN=72 TOS=0x00 PREC=0x00 TTL=127 ID=58738 PROTO=UDP SPT=427 DPT=427 LEN=52
```

Here are the firewall rules.

```
IPTABLES=/sbin/iptables
IP6TABLES=/sbin/ip6tables
MODPROBE=/sbin/modprobe
INT_NET=192.168.1.0/24

### flush existing rules and set chain policy setting to DROP
echo "[+] Flushing existing iptables rules..."
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

### this policy does not handle IPv6 traffic except to drop it.
#
echo "[+] Disabling IPv6 traffic..."
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP

### load connection-tracking modules
#
$MODPROBE ip_conntrack
$MODPROBE iptable_nat
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp

###### INPUT chain ######
#
echo "[+] Setting up INPUT chain..."

### state tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "INPUT_DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### anti-spoofing rules
$IPTABLES -A INPUT ! -i eth0 -s $INT_NET -j LOG --log-prefix "INPUT_SPOOFED PKT "
$IPTABLES -A INPUT ! -i eth0 -s $INT_NET -j DROP

### ACCEPT rules
$IPTABLES -A INPUT -i eth0 -p tcp -s $INT_NET --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp -s $INT_NET --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p udp -s $INT_NET --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

### make sure that loopback traffic is accepted
$IPTABLES -A INPUT -s 127.0.0.1 -p tcp -j ACCEPT
$IPTABLES -A INPUT -s 127.0.0.1 -p udp -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT

### default INPUT LOG rule
$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "INPUT_DROP_DEFAULT " --log-ip-options --log-tcp-options

###### OUTPUT chain ######
#
echo "[+] Setting up OUTPUT chain..."

### state tracking rules
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "OUTPUT_DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for allowing connections out
$IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

### default OUTPUT LOG rule
$IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "OUTPUT_DROP_DEFAULT " --log-ip-options --log-tcp-options

### make sure that loopback traffic is accepted
$IPTABLES -A OUTPUT -o lo -j ACCEPT

###### FORWARD chain ######
#
echo "[+] Setting up FORWARD chain..."

### state tracking rules
$IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "FORWARD_DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

### anti-spoofing rules
$IPTABLES -A FORWARD ! -i eth0 -s $INT_NET -j LOG --log-prefix "FORWARD_SPOOFED PKT "
$IPTABLES -A FORWARD ! -i eth0 -s $INT_NET -j DROP

### ACCEPT rules
$IPTABLES -A FORWARD -p tcp -i eth0 -s $INT_NET --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth0 -s $INT_NET --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth0 -s $INT_NET --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth0 -s $INT_NET --dport 43 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth0 -s $INT_NET --dport 4321 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

### default LOG rule
$IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "FORWARD_DROP_DEFAULT " --log-ip-options --log-tcp-options

###### NAT rules ######
#
echo "[+] Setting up NAT rules..."
#$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.10.3:80
$IPTABLES -t nat -A PREROUTING -p tcp --dport 53 -i eth0 -j DNAT --to 192.168.1.1:53
$IPTABLES -t nat -A PREROUTING -p udp --dport 53 -i eth0 -j DNAT --to 192.168.1.1:53
$IPTABLES -t nat -A PREROUTING -p tcp --dport 1982 -i eth0 -j DNAT --to 192.168.1.127:22
$IPTABLES -t nat -A POSTROUTING -s $INT_NET -o eth0 -j MASQUERADE

###### forwarding ######
#
echo "[+] Enabling IP forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward

exit
```
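A small triage helper for the log above, added here as an example and not part of the original post: it parses the iptables LOG line format (the `--log-prefix` text followed by `KEY=VALUE` fields) into records, collapses the repeated IGMP drops into one count per chain, interface, protocol and port, and picks out the UDP/53 drop that matters for this thread. The sample lines are constructed to match the format, and the function and constant names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the format of the kernel log in the post (log prefix,
# then KEY=VALUE fields from the LOG target); the addresses are made up.
SAMPLE_LOG = """\
Jun  9 08:35:21 gw kernel: [315817.488161] INPUT_DROP_DEFAULT IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:11:22:33:44:55:08:00 SRC=203.0.113.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=1 PROTO=2
Jun  9 08:35:21 gw kernel: [315817.488232] INPUT_DROP_DEFAULT IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:11:22:33:44:55:08:00 SRC=203.0.113.2 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=2 PROTO=2
Jun  9 08:35:24 gw kernel: [315820.171588] INPUT_DROP_DEFAULT IN=eth0 OUT= MAC=00:10:4b:00:00:01:00:12:17:00:00:02:08:00 SRC=192.168.1.127 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=59487 DPT=53 LEN=40
Jun  9 08:35:26 gw kernel: [315821.762621] FORWARD_DROP_DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.126 DST=198.51.100.9 LEN=72 TOS=0x00 PREC=0x00 TTL=127 ID=4 PROTO=UDP SPT=427 DPT=427 LEN=52
Jun  9 08:35:27 gw kernel: eth1: link is up
"""

# Everything between the kernel timestamp and the first IN= is the --log-prefix.
LINE_RE = re.compile(r"kernel: \[[^\]]*\]\s*(?P<prefix>.*?)\s*(?P<fields>\bIN=.*)$")
# LOG prints names for TCP/UDP/ICMP and raw numbers for other protocols;
# PROTO=2 to 224.0.0.1 is IGMP membership-query traffic, noise for this problem.
PROTO_NAMES = {"1": "ICMP", "2": "IGMP", "6": "TCP", "17": "UDP"}

def parse_line(line):
    """Return the fields of one iptables LOG line as a dict, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix").strip(), "flags": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec.setdefault(key, val)  # first LEN is the IP header's, second is UDP's
        else:
            rec["flags"].add(tok)     # bare tokens such as DF, SYN, ACK
    rec["PROTO"] = PROTO_NAMES.get(rec.get("PROTO", ""), rec.get("PROTO", ""))
    return rec

def parse_iptables_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def summarize(records):
    """Count drops per (prefix, in-if, out-if, proto, dport); dport is '-' if absent."""
    return Counter((r["prefix"], r.get("IN", ""), r.get("OUT", ""),
                    r["PROTO"], r.get("DPT", "-")) for r in records)

def find_drops(records, proto, dport):
    """The lines worth reading for this thread, e.g. find_drops(recs, "UDP", "53")."""
    return [r for r in records if r["PROTO"] == proto and r.get("DPT") == dport]
```

Running `summarize(parse_iptables_log(SAMPLE_LOG))` collapses the IGMP lines into a single count and leaves the one UDP/53 drop on eth0 and the FORWARD drop visible as separate keys, which is the first thing to check before touching the rules.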

----------

## d2_racing

Hi, can you use Wireshark on your box that has eth1?

Because I don't see the error either :Razz:

----------

## Hu

*warriorforGod wrote:*

> $IPTABLES -t nat -A PREROUTING -p tcp --dport 53 -i eth0 -j DNAT --to 192.168.1.1:53
> 
> $IPTABLES -t nat -A PREROUTING -p udp --dport 53 -i eth0 -j DNAT --to 192.168.1.1:53

It is a bit strange to redirect DNS requests back internally. Why not just configure the internal machines to use 192.168.1.1 as their DNS server directly? Is 192.168.1.1 a DNS server at all?

----------

