You are not logged in.

#1 2019-04-20 12:58:12

Dafta
Member
Registered: 2016-02-17
Posts: 8

DNS server starts timing out after some time while using iptables

Hello, forums.

I have a DNS server running arch on my local network. The DNS works fine, and resolves correctly when the firewall (iptables) is off. However, when iptables is on, it works for about half an hour or so, and then every request made to the server starts timing out. Restarting iptables seems to fix this for a while, but sometime later the server starts timing out again. I've pored over my iptables config and can't seem to find any error, or anything else that might cause this issue. Does anyone else have any ideas?

This is my iptables.rules file.

# Generated by iptables-save v1.6.1 on Thu Oct 19 17:06:56 2017
*nat
:PREROUTING ACCEPT [350:30425]
:INPUT ACCEPT [10:520]
:OUTPUT ACCEPT [55:3619]
:POSTROUTING ACCEPT [55:3619]
-A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Oct 19 17:06:56 2017
# Generated by iptables-save v1.6.1 on Thu Oct 19 17:06:56 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5833:695322]
:TCP - [0:0]
:UDP - [0:0]
:fw-interfaces - [0:0]
:fw-open - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
-A TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A TCP -p tcp -m tcp --dport 53 -j ACCEPT
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT
-A TCP -p tcp -m tcp --dport 22000 -j ACCEPT
-A TCP -p tcp -m tcp --dport 32400 -j ACCEPT
-A TCP -p tcp -m tcp --dport 32469 -j ACCEPT
-A TCP -p tcp -m tcp --dport 40533 -j ACCEPT
-A TCP -p tcp -m tcp -m multiport --dports 40665:40666 -j ACCEPT
-A TCP -p tcp -m tcp -m multiport --dports 41000:41999 -j ACCEPT
-A UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A UDP -p udp -m udp --dport 53 -j ACCEPT
-A UDP -p udp -m udp --dport 1194 -j ACCEPT
-A UDP -p udp -m udp --dport 1900 -j ACCEPT
-A UDP -p udp -m udp --dport 21027 -j ACCEPT
-A UDP -p udp -m udp -m multiport --dports 32410:32414 -j ACCEPT
-A UDP -p udp -m udp -m multiport --dports 41000:41999 -j ACCEPT
-A fw-interfaces -i tun0 -j ACCEPT
COMMIT
# Completed on Thu Oct 19 17:06:56 2017

I've verified that it loads correctly using iptables-save.

# Generated by iptables-save v1.8.2 on Sat Apr 20 14:57:52 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [21:1797]
:TCP - [0:0]
:UDP - [0:0]
:fw-interfaces - [0:0]
:fw-open - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
-A TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A TCP -p tcp -m tcp --dport 53 -j ACCEPT
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT
-A TCP -p tcp -m tcp --dport 22000 -j ACCEPT
-A TCP -p tcp -m tcp --dport 32400 -j ACCEPT
-A TCP -p tcp -m tcp --dport 32469 -j ACCEPT
-A TCP -p tcp -m tcp --dport 40533 -j ACCEPT
-A TCP -p tcp -m tcp -m multiport --dports 40665:40666 -j ACCEPT
-A TCP -p tcp -m tcp -m multiport --dports 41000:41999 -j ACCEPT
-A UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A UDP -p udp -m udp --dport 53 -j ACCEPT
-A UDP -p udp -m udp --dport 1194 -j ACCEPT
-A UDP -p udp -m udp --dport 1900 -j ACCEPT
-A UDP -p udp -m udp --dport 21027 -j ACCEPT
-A UDP -p udp -m udp -m multiport --dports 32410:32414 -j ACCEPT
-A UDP -p udp -m udp -m multiport --dports 41000:41999 -j ACCEPT
-A fw-interfaces -i tun0 -j ACCEPT
COMMIT
# Completed on Sat Apr 20 14:57:52 2019
# Generated by iptables-save v1.8.2 on Sat Apr 20 14:57:52 2019
*nat
:PREROUTING ACCEPT [1:202]
:INPUT ACCEPT [1:202]
:OUTPUT ACCEPT [6:513]
:POSTROUTING ACCEPT [6:513]
-A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Apr 20 14:57:52 2019

Offline

#2 2019-04-22 14:50:56

r0b0t
Member
From: /tmp
Registered: 2009-05-24
Posts: 488

Re: DNS server starts timing out after some time while using iptables

My guess, is the "portscan / UDP" rule, remove it and see if it works .
If you want to pin-point where is it dropped, you can check the logs (if there isn't any log then enable it by modifying the rules to log), or enable iptables trace in raw table if you want the exact chain the packet is dropped and check the log whenever the problem occurs : NOTE: with trace you'll see allot of logging so keep that in mind.

Offline

#3 2019-04-23 17:14:54

Dafta
Member
Registered: 2016-02-17
Posts: 8

Re: DNS server starts timing out after some time while using iptables

You're probably right. I can't check now as I'm not going to be home during the week, but I've read through the wiki here: https://wiki.archlinux.org/index.php/Si … #UDP_scans

I added the portscan --update rule to the start of the chain instead of the end.

Offline

Board footer

Powered by FluxBB