Iptables – Making iptables easier to maintain

domain-name-systemfirewallhostnameip addressiptables

My network is completely locked down except for a few sites which are whitelisted. This is all done through iptables, which looks something like this:

# Allow traffic to google.com
iptables -A zone_lan_forward -p tcp -d 1.2.3.0/24 -j ACCEPT
iptables -A zone_lan_forward -p udp -d 1.2.3.0/24 -j ACCEPT
iptables -A zone_lan_forward -p tcp -d 11.12.13.0/24 -j ACCEPT
iptables -A zone_lan_forward -p udp -d 11.12.13.0/24 -j ACCEPT
iptables -A zone_lan_forward -p tcp -d 101.102.103.0/24 -j ACCEPT
iptables -A zone_lan_forward -p udp -d 101.102.103.0/24 -j ACCEPT
...

Obviously those addresses are hypothetical, but you get the idea. My firewall is becoming enormous. It would be much easier to maintain if I could just do this:

# Allow traffic to google.com
iptables -A zone_lan_forward -p tcp -d google.com -j ACCEPT
iptables -A zone_lan_forward -p udp -d google.com -j ACCEPT

I believe this is possible, since man iptables says:

Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address.

But what I'm concerned about is the part that says "specifying any name to be resolved with… DNS is a really bad idea". Why is this a bad idea? Does it just slow everything down?

If I really shouldn't use hostnames in iptables rules, then what should I do to simplify my firewall?

Best Answer

DNS Names are resolved when the rules are added, not, when packets are checked. This violates the expectations most people have.
- The rule does not get updated to reflect changed DNS results. It is resolved when added and that is it. You will need to either periodically reload rules, or some sites may break.
There is a bit of a security issue in that you are basically delegating control of your firewall rules to an external entity.
- What if your parent DNS server is compromised and returns false data.

If your purpose is to block HTTP access, then you are usually far better of setting up a piece of software designed to filter at that level (e.g. squid+squidquard).

Related Solutions

Iptables HTTP Traffic – Iptables Rules to Allow HTTP Traffic to One Domain Only

With IPTables rules, order matters. The rules are added, and applied, in order. Moreover, when adding rules manually they get applied immediately. Thus, in your example, any packets going through the INPUT and OUTPUT chains start getting dropped as soon as the default policy is set. This is also, incidentally, why you received the error message you did. What is happening is this:

The default DROP policy get applied
IPTables receives a hostname as a destination
IPTables attempts a DNS lookup on 'serverfault.com'
The DNS lookup is blocked by the DROP action

While the source/destination options will accept hostnames, it is strongly discouraged. To quote the man page,

Hostnames will be resolved once only, before the rule is submitted to the kernel. Please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea.

Slillibri hit the nail on the head which his answer, you missed the DNS ACCEPT rule. In your case it won't matter, but generally I would set the default policy later on the process. The last thing you want is to be working remotely and allow SSH after turning on a default deny.

Also, depending on your distribution, you should be able to save your firewall rules such that they will be automatically applied at start time.

Knowing all that, and rearranging your script, here is what I would recommend.

# Allow loopback
iptables -I INPUT 1 -i lo -j ACCEPT

# Allow DNS
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

# Now, allow connection to website serverfault.com on port 80
iptables -A OUTPUT -p tcp -d serverfault.com --dport 80 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Drop everything
iptables -P INPUT DROP
iptables -P OUTPUT DROP

Linux – Unable to make outbound SNMP connections when IPTables is enabled

You must put

ACCEPT     udp  --  anywhere             anywhere            udp spts:snmp:snmptrap dpts:1024:65535 state ESTABLISHED

before RH-Firewall-1-INPUT because of on RH-Firewall-1-INPUT rules there is REJECT on the end of line, the iptables read from top to down.

 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination
 1 RH-Firewall-1-INPUT  all  --  anywhere             anywhere
 2 ACCEPT     udp  --  anywhere             anywhere            udp spts:snmp:snmptrap dpts:1024:65535 state ESTABLISHED

If you want to add using command line, you can use:

 iptables -I OUTPUT 1 -p udp -s 0/0 --sport 1024:65535 -d 0/0 --dport 161:162 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -I INPUT 1 -p udp -s 0/0 --sport 161:162 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

It should be like:

 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination
 1 ACCEPT     udp  --  anywhere             anywhere            udp spts:snmp:snmptrap dpts:1024:65535 state ESTABLISHED
 2 RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Best Answer

Related Solutions

Iptables HTTP Traffic – Iptables Rules to Allow HTTP Traffic to One Domain Only

Linux – Unable to make outbound SNMP connections when IPTables is enabled

Related Topic