Author Topic: IPtables DNS problems

lucid
IPtables DNS problems
« on: August 25, 2014, 10:46:15 pm »
Ok seriously what the fuck. I've been working with this for a while now and nothing has any change at all. I have an Arch box running as a DNS/DHCP server + firewall for a bunch of VMs. The VMs are on subnet 10.10.6.0 and the Arch gateway is on the 192.168.0.0 subnet. I have a static route set up so that all computers on 192.168.0.0 can 'see' 10.10.6.0 and vice versa. Until this point there were no problems and everything worked.

The symptoms:
- Everything works fine on the VMs for a minute or so, then the connection will drop and it will only be able to ping things on its subnet (10.10.6.x), not including the gateway (10.10.6.1)

- When I troubleshoot, I find that it's a DNS issue. It seems that the VMs will intermittently fail to elicit a response from the DNS server. The connection goes down for around a minute, then comes back on for around a minute.

I've already turned off the firewall to make sure, and sure enough the internet is fine without it. So it's definitely something wrong with my firewall. So I'll show you:
Code:
# Generated by iptables-save v1.4.21 on Mon Aug 25 15:18:28 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [1:89]
:OUTPUT ACCEPT [0:0]
:tcp_packets - [0:0]
:udp_packets - [0:0]

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j tcp_packets
-A INPUT -p udp -m conntrack --ctstate NEW -j udp_packets

-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -d 10.10.6.0/24 -i vboxnet0 -p udp -m udp -m multiport --dports 53,67 -j ACCEPT
-A FORWARD -s 10.10.6.0/24 -o vboxnet0 -p udp -m multiport --dports 53,67 -j ACCEPT

-A tcp_packets -p tcp -m multiport --dports 80,443,12444 -j ACCEPT
-A tcp_packets -p tcp -j DROP
-A udp_packets -p udp -m udp -m multiport --dports 53,67 -j ACCEPT
COMMIT
# Completed on Mon Aug 25 15:18:28 2014
I realize it's not the best firewall ever, but please try and only give criticism related to the problem at hand. Also, I'm almost 100% sure it's something wrong with the FORWARD chain. Thanks.

EDIT: Ok now it seems it's a problem with the Win7 VM only. I have an XP and a Xubuntu VM that both work perfectly fine, even when the Win7 can't ping anything outside of its subnet. Hmm, I wonder why though.
« Last Edit: August 26, 2014, 04:20:05 am by lucid »
"Hacking is at least as much about ideas as about computers and technology. We use our skills to open doors that should never have been shut. We open these doors not only for our own benefit but for the benefit of others, too." - Brian the Hacker

Quote
15:04  @Phage : I'm bored of Python

apexcr3d
Re: IPtables DNS problems
« Reply #1 on: October 14, 2014, 12:49:54 am »
You probably figured this out by now... If so, I am curious to know what the problem was.

The only thought that came to mind when I was reading this was to add a -j target of LOG for each of the FORWARD rules. That way you could at least see the fate of those packets.
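As an added illustration of both the ruleset in the first post and the LOG idea above (this is example code, not anything posted by lucid or apexcr3d), here is a small first-match simulator for that filter table. It feeds constructed packets through INPUT or FORWARD exactly as the kernel would walk the chains, jumping into tcp_packets/udp_packets and falling back to the chain policy, and it records every rule a packet touches, which is the same trail a -j LOG rule per hop would leave in the kernel log. The upstream interface name "eth0" and all addresses in the packets are assumptions; the thread never names the upstream interface.

```python
"""
First-match simulator for the posted iptables filter rules (added example, not
code from the thread). Supports only the matches that ruleset uses: -i/-o,
-s/-d, -p, --dport(s), --icmp-type, --ctstate and the SYN-only --tcp-flags test.
"""
import ipaddress
import shlex

# Copied from the iptables-save output in the first post.
RULESET = """
:INPUT DROP [0:0]
:FORWARD DROP [1:89]
:OUTPUT ACCEPT [0:0]
:tcp_packets - [0:0]
:udp_packets - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j tcp_packets
-A INPUT -p udp -m conntrack --ctstate NEW -j udp_packets
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -d 10.10.6.0/24 -i vboxnet0 -p udp -m udp -m multiport --dports 53,67 -j ACCEPT
-A FORWARD -s 10.10.6.0/24 -o vboxnet0 -p udp -m multiport --dports 53,67 -j ACCEPT
-A tcp_packets -p tcp -m multiport --dports 80,443,12444 -j ACCEPT
-A tcp_packets -p tcp -j DROP
-A udp_packets -p udp -m udp -m multiport --dports 53,67 -j ACCEPT
"""

VALUE_OPTS = {"-i", "-o", "-s", "-d", "-p", "-j", "--dport", "--dports",
              "--icmp-type", "--ctstate"}


def parse(text):
    """Return (policies, chains): policy per chain (None for user chains), rules in order."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains[name] = []
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule, i = {"text": line}, 2
            while i < len(toks):
                if toks[i] in VALUE_OPTS:
                    rule[toks[i]] = toks[i + 1]
                    i += 2
                elif toks[i] == "--tcp-flags":      # "--tcp-flags MASK COMP": keep COMP only
                    rule["--tcp-flags"] = toks[i + 2]
                    i += 3
                elif toks[i] == "-m":               # extension loader, no packet semantics
                    i += 2
                else:
                    i += 1
            chains[toks[1]].append(rule)
    return policies, chains


def matches(rule, pkt):
    """True when every match present in the rule holds for the packet dict."""
    def in_net(ip, net):
        return ipaddress.ip_address(ip) in ipaddress.ip_network(net)
    checks = [
        ("-i", lambda v: pkt.get("in") == v),
        ("-o", lambda v: pkt.get("out") == v),
        ("-s", lambda v: in_net(pkt["src"], v)),
        ("-d", lambda v: in_net(pkt["dst"], v)),
        ("-p", lambda v: pkt["proto"] == v),
        ("--dport", lambda v: str(pkt.get("dport")) == v),
        ("--dports", lambda v: str(pkt.get("dport")) in v.split(",")),
        ("--icmp-type", lambda v: str(pkt.get("icmp_type")) == v),
        ("--ctstate", lambda v: pkt["state"] in v.split(",")),
        ("--tcp-flags", lambda v: pkt.get("syn_only", False)),  # models "FIN,SYN,RST,ACK SYN"
    ]
    return all(test(rule[key]) for key, test in checks if key in rule)


def walk(chains, policies, chain, pkt, trace):
    """First-match walk; returns the verdict, or None when a user chain falls through."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        trace.append(rule["text"])
        target = rule["-j"]
        if target in chains:                         # jump into a user-defined chain
            result = walk(chains, policies, target, pkt, trace)
            if result is not None:
                return result
            continue                                 # fell off its end: resume here
        return target
    if policies[chain] is not None:
        trace.append("policy %s %s" % (chain, policies[chain]))
    return policies[chain]


def check(chain, pkt):
    """Verdict plus the rules the packet touched (what per-hop LOG rules would show)."""
    policies, chains = parse(RULESET)
    trace = []
    return walk(chains, policies, chain, pkt, trace), trace


# Constructed packets: (chain the kernel consults, packet fields). "eth0" is assumed.
PACKETS = {
    "vm_dns_to_gateway": ("INPUT", {"in": "vboxnet0", "src": "10.10.6.5", "dst": "10.10.6.1",
                                     "proto": "udp", "dport": 53, "state": "NEW"}),
    "vm_dns_upstream": ("FORWARD", {"in": "vboxnet0", "out": "eth0", "src": "10.10.6.5",
                                    "dst": "192.0.2.53", "proto": "udp", "dport": 53, "state": "NEW"}),
    "vm_https_upstream": ("FORWARD", {"in": "vboxnet0", "out": "eth0", "src": "10.10.6.5",
                                      "dst": "192.0.2.80", "proto": "tcp", "dport": 443,
                                      "state": "NEW", "syn_only": True}),
    "vm_ping_upstream": ("FORWARD", {"in": "vboxnet0", "out": "eth0", "src": "10.10.6.5",
                                     "dst": "192.0.2.1", "proto": "icmp", "icmp_type": 8, "state": "NEW"}),
    "reply_to_vm": ("FORWARD", {"in": "eth0", "out": "vboxnet0", "src": "192.0.2.80",
                                "dst": "10.10.6.5", "proto": "tcp", "dport": 49152, "state": "ESTABLISHED"}),
    "ssh_to_gateway": ("INPUT", {"in": "eth0", "src": "192.0.2.20", "dst": "192.0.2.1",
                                 "proto": "tcp", "dport": 22, "state": "NEW", "syn_only": True}),
}


def run_all():
    """Map each constructed packet name to its verdict."""
    return {name: check(chain, pkt)[0] for name, (chain, pkt) in PACKETS.items()}


if __name__ == "__main__":
    for name, (chain, pkt) in PACKETS.items():
        verdict, trace = check(chain, pkt)
        print("%-18s %-7s %-6s via %s" % (name, chain, verdict, " -> ".join(trace)))
```

Run stand-alone it prints one line per packet with its rule trail. For the rules as posted, a VM query to the gateway's own resolver is accepted on INPUT, but a new DNS or TCP flow from a VM that leaves through any interface other than vboxnet0 matches no FORWARD rule and falls to that chain's DROP policy, while forwarded echo requests and established replies are accepted. On the live box the same trail comes from the LOG suggestion above, for instance iptables -I FORWARD 1 -m conntrack --ctstate NEW -j LOG --log-prefix "FWD-NEW: " at the top of FORWARD, which writes the IN=, OUT=, SRC=, DST=, PROTO= and DPT= fields of every new forwarded flow to the kernel log before the accept/drop decision is reached.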

lucid
Re: IPtables DNS problems
« Reply #2 on: October 14, 2014, 05:36:43 am »
I can't quite remember, but I believe it had less to do with the firewall rules and more to do with the fact that I had one laptop acting as a gateway for quite a few VMs and there was latency.

proxx
Re: IPtables DNS problems
« Reply #3 on: October 14, 2014, 07:09:58 pm »
Quote from: lucid on August 25, 2014, 10:46:15 pm
Can you show me the static route setup?
Btw you could let the router do the routing.

Also nice to see you having all this shit setup and running and shit.
Keep it up.
« Last Edit: October 14, 2014, 07:11:34 pm by proxx »
Wtf were you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

lucid
Re: IPtables DNS problems
« Reply #4 on: October 15, 2014, 02:52:00 am »
I do have the router do the routing actually. I currently don't have this problem, this got necro'd by the above poster, but I am ok with it because he had a legitimate question about the topic for knowledge and learning purposes.

Thanks, I'll be getting the rest of the stuff I need to finish setting up everything. Finally...