Ipchains, udp, dns and icq

From: MONZ (monz@danbbs.dk)
Date: Tue Feb 06 2001 - 17:10:24 EST

After having had a dns udp problem, I finally got it solved.

I start by setting listener range, then allow incoming tcp and dns
# Set local port range for listeners:
    echo "56000 65096" >/proc/sys/net/ipv4/ip_local_port_range

# Allow incoming TCP not trying to setup a connection (no SYN):
    #ipchains -A input -p tcp -s $CLIENTNET -j ACCEPT $LOGALL \! -y
    ipchains -A input -p tcp -s 0/0 \! -y -j ACCEPT $LOGALL

# Allow DNS replies to our queries:
    ipchains -A input -p udp -s 0/0 domain -d 0/0 56000:65096 -j ACCEPT
    ipchains -A input -p tcp -s 0/0 domain -d 0/0 56000:65096 -j ACCEPT

Without this much too general udp rule, dns/traceroute didn't work:
    #ipchains -A input -p udp -s 0/0 -j ACCEPT $LOGALL #$LOGTHIS

In man named.conf I then stumbled over query-source port, which I long
ago had set to 53 after DNS-HOWTO.

>From man named.conf :
If the server doesn't know the answer to a question, it will query other
nameservers. query-source specifies the address and port used for such
queries. If address is * or is omitted, a wildcard IP address
(INADDR_ANY) will be used. If port is * or is omitted, a random
unprivileged port will be used. The default is query-source address *
port *;
Note: query-source currently applies only to UDP queries; TCP queries
always use a wildcard IP address and a random unprivileged port.

Changing to 'query-source port *' did the cure; I no longer needed the
general udp rule. Logging proofed that too.
I haven't seen any notice about dns source port in online ipchains
examples, Ziegler's book or elsewhere.
Any comments?

Now icq didn't work. It's left as an exercise for me to find out how to
check whether a masquerading module works or is being used at all.
I probably never saw ip_masq_icq in use, since the above general udp
rule allowed icq traffic without ever reaching any icqrules.

Someone wrote to me about solving icq this way:
    ipchains -A input -p udp -d http://login.icq.com/0 4000:4001 -b -j

which actually works. I use only port 4000, though, not 4000:4001.
Doesn't seem the right way to handle it though.

Tcpdumps and rule logging reveasl that icq servers uses port 4000, while
clients use random high ports. Experiments have shown that a
bidirektionel rule is nessesary.
Online docs tells that client<->server uses udp, while client-client
uses tcp, which in my setup is handled by the above incoming '! -y'

Could someone enlighten me on those dns, icq and udp Q's?

Now, I don't use irc, but I'd like to know what's needed here too.
I can find some portnumbers at eg. IANA, but the rules...

              Mogens Valentin
    Networking - Security - Programming
  Linux configuration and troubleshooting
http://www.danbbs.dk/~monz - monz@danbbs.dk
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.kernel.org

This archive was generated by hypermail 2b29 : Wed Feb 07 2001 - 21:00:31 EST