
Thread: Allow only open dns servers on port 53 and block all other public DNS servers

#1 Junior Member (OP)

I want to just allow OpenDNS server requests on my iptables (Tomato firmware) because I want to use the site blocking feature of OpenDNS. Is there a script that will allow me to block all the other public DNS servers my users might use on the network? Thanks

#2 nixcraft

I've not used Tomato on my router, but you need to configure it via the web interface. Does it allow access via ssh? If so, then you can add iptables commands to block all DNS servers except OpenDNS.
    All [Solved] threads are closed by mods / admin to avoid spam issues. See Howto mark a thread as [Solved]


#3 Junior Member (OP)

I have access via ssh to the router. It even has a script section for the firewall in the GUI where iptables scripts can be pasted. I tried a script from the following link: IPTables: block all dns requests except to the server(s) I specify - LinuxQuestions.org
    It did not work for me.

#4 nixcraft

    The following will drop all outgoing DNS traffic to port 53 except for 208.67.220.220
    Code:
    # Negation goes before the option ("! -d"). Written as "-d !208.67.220.220" with no space,
    # iptables resolves "!208.67.220.220" as a hostname, which is what the OUTPUT rules in #5 show.
    iptables -A OUTPUT -p udp --dport 53 ! -d 208.67.220.220 -j DROP
    iptables -A INPUT -p udp ! -s 208.67.220.220 --sport 53 -j DROP
    Repeat this for the other DNS server IP too. BTW, have you tried out your firmware's web interface based firewall? Again, I'm not aware of the default policies; can you attach the output of your iptables command:
    Code:
     iptables -L -n
    or
    Code:
     iptables -L -n -v
    HTH
    Last edited by nixcraft; 29th January 2010 at 12:12 PM.


#5 Junior Member (OP)

    Here is the output; I got this output after using your DNS blocking code.

    Code:
    Chain INPUT (policy DROP 1 packets, 134 bytes)
    pkts bytes target prot opt in out source destination
    578 80089 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 20
    30 3775 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 DROP 0 -- br0 * 0.0.0.0/0 48.89.13.21
    2 128 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    502 84578 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    98 4760 ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 DROP udp -- * * !208.67.220.220 0.0.0.0/0 udp spt:53
    0 0 DROP udp -- * * !208.67.222.222 0.0.0.0/0 udp spt:53

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    1016 203K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 20
    776 158K DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
    0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 tcpmss match 1461:65535 TCPMSS set 1460
    13191 1567K restrict 0 -- * vlan1 0.0.0.0/0 0.0.0.0/0
    26873 15M ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    91 10846 wanin 0 -- vlan1 * 0.0.0.0/0 0.0.0.0/0
    1504 73408 wanout 0 -- * vlan1 0.0.0.0/0 0.0.0.0/0
    1504 73408 ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
    90 10806 upnp 0 -- vlan1 * 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 1126 packets, 231K bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP udp -- * * 0.0.0.0/0 67.215.65.132 udp dpt:53
    0 0 DROP udp -- * * 0.0.0.0/0 67.215.65.132 udp dpt:53

    Chain rdev01 (1 references)
    pkts bytes target prot opt in out source destination
    9 468 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 MAC 00:1F:3C:E1D:1A
    0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 MAC 00:21:5C:81:CC:6B
    0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 MAC 00:25:57:CB:58:0C
    117 5888 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 MAC 00:24:2B:E2:52:0E
    0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 MAC 00:22:5F4:35:90
    0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 MAC 00:24:2B:E2:52:0E

    Chain restrict (1 references)
    pkts bytes target prot opt in out source destination
    13161 1565K rdev01 0 -- * * 0.0.0.0/0 0.0.0.0/0

    Chain upnp (1 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.240 udp dpt:55476
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.60 udp dpt:37902
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.4.60 tcp dpt:37902
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.4.203 tcp dpt:26914
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.203 udp dpt:26914
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.129 tcp dpt:61965
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.0.129 udp dpt:61965
    13 696 ACCEPT tcp -- * * 0.0.0.0/0 192.168.4.240 tcp dpt:60816
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.240 udp dpt:60816
    1 48 ACCEPT tcp -- * * 0.0.0.0/0 192.168.4.28 tcp dpt:1126
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.240 udp dpt:59784
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.4.28 tcp dpt:52242
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.28 udp dpt:52242
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.240 udp dpt:64626
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.235 udp dpt:50459
    74 9802 ACCEPT tcp -- * * 0.0.0.0/0 192.168.4.235 tcp dpt:48270
    2 260 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.235 udp dpt:48270
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.4.211 tcp dpt:51719
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.211 udp dpt:51719
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.4.244 tcp dpt:22890
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.244 udp dpt:22890
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.68 tcp dpt:58938
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.68 udp dpt:58938
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.79 tcp dpt:12313
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.79 udp dpt:12313
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.4.202 tcp dpt:57920
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.202 udp dpt:57920
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.235 udp dpt:50484
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.4.213 tcp dpt:16453
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.213 udp dpt:16453
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.240 udp dpt:54257
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.71 tcp dpt:57368
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.71 udp dpt:57368
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.4.49 tcp dpt:23523
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.49 udp dpt:23523
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.175 tcp dpt:10309
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.0.175 udp dpt:10309
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.210 tcp dpt:49042
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.0.210 udp dpt:49042
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.4.24 tcp dpt:28012
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.24 udp dpt:28012
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.4.143 tcp dpt:22890
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.143 udp dpt:22890

    Chain wanin (1 references)
    pkts bytes target prot opt in out source destination
    1 40 ACCEPT tcp -- * * 0.0.0.0/0 192.168.5.60 tcp dpt:8080

    Chain wanout (1 references)
    pkts bytes target prot opt in out source destination
    Last edited by onehomelist; 29th January 2010 at 01:46 PM.

#6 Junior Member (OP)

    The script you gave me didn't work. I think the output I have posted above will help you to look into my default policies.

#7 Junior Member (OP)

    After I rebooted the router the script started working, but it blocked DNS service even for those users who were using the OpenDNS servers. And other public DNS server access was also blocked. My users who configure IP settings manually use my router's NAT IP as the DNS server IP. Those who access via DHCP also get my router's IP as the DNS server IP. So should I use a code for my router's IP with the script you provided?

#8 nixcraft

    Yes, set the OpenDNS IP in your interface and replace those with your IP.


#9 Junior Member (OP)

    I tried your code with my router's IP and also with the OpenDNS IPs. After I do it, it blocks access to all the DNS servers. My router's IP and the OpenDNS IPs don't work either.

#10 Junior Member (OP)

    I'd posted the same topic on the Tomato firmware forums and also told them about the script you had given, and I got the following reply:

    "INPUT and OUTPUT will only interfere with the router DNS proxy; direct requests to external DNS servers use the FORWARD chain. Adding rules may not be effective if packets are accepted by rules higher up in the filtering chain; consider using Insert to be sure your rules are checked first.

    Tomato puts the UDP destination port 53 divert into the "nat PREROUTING" chain. This works fine in a standard NAT gateway mode router; must be something different about your setup."

    So, according to the above suggestions, if I modify the script in the following way, will it be okay?

    # DROP is refused in the nat table ("not intended for filtering"); the LAN->WAN path is FORWARD,
    # inserted (-I) ahead of Tomato's existing ACCEPT rules. Negation goes before the option: "! -d".
    iptables -I FORWARD -p udp --dport 53 ! -d 208.67.220.220 -j DROP
    iptables -I FORWARD -p udp --sport 53 ! -s 208.67.220.220 -j DROP
