Help with iptables for a DNS server.
by princessgentoo from LinuxQuestions.org on (#6KXCP)
Hello everyone, I hope all of you are having a great day!
I have a dnsmasq server open to the public internet on a VPS because I like to make custom domain modifications there. But many IPs connected to my server are reducing my network speed. That is why I want to limit the use of my dnsmasq server to specific IPs. Since I use many VPNs, specifying IPs will filter my traffic neatly.
So I added some rules to the INPUT OpenVPN IP rules I used for my VPN to block all traffic except SSH, VPN and port 53.
In the code I replaced some IPs for privacy: IP1 is the IP of my other VPN (which is not the current server), IP2 is the IP of a server, and SERVERIP is the current server IP. I'm using Ubuntu Jammy Jellyfish with dnsmasq.
I used some code I found on the internet, because by simple logic, if "/usr/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT" is working for SSH, something similar must work for DNS, just replacing the port. But then I tried another code that also included sport and state. I added 8.8.8.8, which is the Google DNS nameserver; I don't think it goes here, but it won't harm the rule adding it.
Code:
[Unit]
Before=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to SERVERIP
ExecStart=/usr/sbin/iptables -P INPUT DROP
ExecStart=/usr/sbin/iptables -A INPUT -p udp --dport 1194 -j ACCEPT
ExecStart=/usr/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
ExectStart=/usr/sbin/iptables -A INPUT -p udp --dport 53 -s IP1,IP2,8.8.8.8,8.8.4.4 --sport 1024:65535 -d SERVERIP -m state --state NEW,ESTABLISHED -j ACCEPT
ExectStart=/usr/sbin/iptables -A INPUT -p udp --dport 53 -s IP1,IP2,8.8.8.8,8.8.4.4 --sport 53 -d SERVERIP -m state --state NEW,ESTABLISHED -j ACCEPT
ExecStart=/usr/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStart=/usr/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/usr/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 212.227.145.229
ExecStop=/usr/sbin/iptables -D INPUT -p udp --dport 1194 -j ACCEPT
ExecStop=/usr/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStop=/usr/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
When I run dig on both the server and the computer connected to VPN IP1:
Code:
dig @SERVERIP google.com
I get:
Code:
;; communications error to SERVERIP#53: timed out
;; communications error to SERVERIP#53: timed out
;; communications error to SERVERIP#53: timed out
The default policies on iptables are ACCEPT, except for INPUT, whose default policy is DROP.
What am I doing wrong?
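An added check (not from the original post, and not part of the OpenVPN or dnsmasq tooling) in POSIX sh: it reads a constructed copy of the unit above and reports what an engineer would verify before blaming the DNS rules themselves, namely keys in [Service] that systemd does not recognise (lines under a misspelled key such as ExectStart are skipped with a warning, so those ACCEPT rules never get installed) and INPUT rules that are absent from the lines that do run. The loopback and ESTABLISHED checks are this example's own heuristics, not anything systemd or iptables does.

```shell
# Constructed excerpt of the unit from the post (IPs kept as the post's placeholders),
# embedded as a string so the checks run offline.
UNIT_TEXT='[Unit]
Before=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/iptables -P INPUT DROP
ExecStart=/usr/sbin/iptables -A INPUT -p udp --dport 1194 -j ACCEPT
ExecStart=/usr/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
ExectStart=/usr/sbin/iptables -A INPUT -p udp --dport 53 -s IP1,IP2 --sport 1024:65535 -d SERVERIP -m state --state NEW,ESTABLISHED -j ACCEPT
ExectStart=/usr/sbin/iptables -A INPUT -p udp --dport 53 -s IP1,IP2 --sport 53 -d SERVERIP -m state --state NEW,ESTABLISHED -j ACCEPT
ExecStart=/usr/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target'

# List [Service] keys that systemd does not know. systemd warns about such a key and
# skips the line, so the iptables command on it is never run.
lint_service_keys() {
    printf '%s\n' "$1" | awk '
        /^\[/ { sect = $0; next }
        sect == "[Service]" && /=/ {
            key = $0; sub(/=.*/, "", key)
            if (key != "Type" && key != "ExecStart" && key != "ExecStop" &&
                key != "RemainAfterExit") print key
        }' | sort -u
}

# Among the ExecStart lines that will actually run, report which INPUT rules are
# missing under a DROP policy: loopback (dig on the server itself) and
# ESTABLISHED/RELATED (replies to dnsmasq's own upstream queries come back to an
# ephemeral port, so a --dport 53 rule never matches them).
missing_input_rules() {
    rules=$(printf '%s\n' "$1" | grep '^ExecStart=' | grep -e '-A INPUT' -e '-I INPUT')
    out=""
    printf '%s\n' "$rules" | grep -q -e '-i lo' || out="$out lo"
    printf '%s\n' "$rules" | grep -q 'ESTABLISHED' || out="$out established"
    printf '%s' "${out# }"
}

lint_service_keys "$UNIT_TEXT"
missing_input_rules "$UNIT_TEXT"; echo
```

On the VPS itself, `systemd-analyze verify` on the unit file reports the same unknown key, and `iptables -S INPUT` shows which rules were actually installed after the unit ran.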