I have iptables blocking all UDP traffic at the moment, however I want to allow only certain DNS queries to get through.
Let's use google.com as an example.
I am trying to use string matching to find the domain name in the request, and allow it. This is what I came up with.
I've setup IPTables with the following script...
I'd like to basically drop all packets, but still allow ports 22, 80 and 52533. ATM this firewall doesn't allow pinging, or for me to use yum update. How can I add that? Thanks for advice. Also is there an easier way to open port 80?
I hear that it's a bad idea to edit iptables by hand.
I want to open 443.
Quote:
iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
BUT***
Is it possible to add a IPTABLES rule which allows all the protocols for specific source and destination ports? I tried the following but it didn't work.
iptables -I FORWARD 1 -s 172.27.0.254/255.255.255.255 -d 0.0.0.0/0.0.0.0 -p 0 --sport 0:65535 --dport 1191:1191 -j ACCEPT
iptables error: unknown option `--sport`
Any comments are greatly appreciated.
I've run the following rules:
Code:
[
"iptables --flush",
"iptables -P INPUT DROP",
"iptables -P FORWARD DROP",
"iptables -P OUTPUT DROP",
"iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT",
"iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT",
"iptables -A
Questions : How to block torrents from Iptables ? Answer: #Block Torrent iptables -A FORWARD -m string --algo bm --string "BitTorrent" -j LOGDROP iptables -A FORWARD -m string --algo bm...
Hello,
I need to apply an iptables rule using the --string option.
I need to match on --hex or ascii 2 strings that are never located in the same area.
Each sample I tried DROPs on only one of my two strings, so I have false positives.
I need to DROP on the 2 STRINGS, but when I have only 1 string or the other, I don't want to DROP.
So, the rule I am looking for is an AND rule in iptables.
So
I'd like to allow mail through iptables with a DROP policy, but this script doesn't work. What is wrong here:
## Flush rules
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
## policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# localhost
iptables -A INPUT -i lo -j ACCEPT
# Allow my ip
iptables -A INPUT -s MY_IP -j ACCEPT
# 80 port
iptables -A I