From 355086a2a4579cc221019d372d93ee18b6ece6ea Mon Sep 17 00:00:00 2001
From: Christoph
Date: Fri, 2 Jun 2017 12:09:10 +0200
Subject: [PATCH] FIX DNS Rules: allow protocol tcp for requesting large records.
---
.gitignore | 2 +-
ip6t-firewall-gateway | 18 ++++++++++++++++++
ipt-firewall-gateway | 18 ++++++++++++++++++
3 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index 220bb38..45748af 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
-*.swp
+.*.swp
conf/interfaces_ipv4.conf
conf/interfaces_ipv6.conf
conf/main_ipv4.conf
diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway
index 5d0a2cc..2233da6 100755
--- a/ip6t-firewall-gateway
+++ b/ip6t-firewall-gateway
@@ -1228,11 +1228,19 @@ echononl "\t\tDNS Service Gateway" # - if $local_dns_service ; then + # dns requests + # + # Note: + # If the total size of the DNS record is larger than 512 bytes, + # it will be sent over TCP, not UDP. + # + # - Allow requests from local networks # - for _dev in ${local_if_arr[@]} ; do # - in $ip6t -A INPUT -i $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A INPUT -i $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT done # - Zonetransfere (uses tcp/53) 
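Review bot: The new `-p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT` INPUT rule in this hunk matches any TCP segment that conntrack classifies as NEW, which with the kernel default nf_conntrack_tcp_loose=1 includes non-SYN packets picked up mid-stream. Restricting it to connection opens with `$ip6t -A INPUT -i $_dev -p tcp --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT` is the usual tightening, and the same applies to the TCP rules added in the other three hunks (ip6t OUTPUT/FORWARD, ipt INPUT, ipt OUTPUT/FORWARD). The added comment says records over 512 bytes are sent over TCP, which overstates it: resolvers fall back to TCP when a UDP answer comes back truncated (TC bit), and with EDNS0 UDP answers well above 512 bytes are common; suggested wording `# Resolvers retry over TCP when a UDP answer is truncated (TC bit set), classically for answers over 512 bytes without EDNS0.` The section headed `# - Zonetransfere (uses tcp/53)` directly below appears to already carry TCP/53 rules, so it is worth checking whether the new INPUT rule overlaps it. The enclosing `if $local_dns_service` block continues past the hunk.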
@@ -1264,11 +1272,21 @@ echononl "\t\tDNS Service local Network" # - Make nameservers at the local network area rechable for all # - if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then + + # dns requests + # + # Note: + # If the total size of the DNS record is larger than 512 bytes, + # it will be sent over TCP, not UDP. + # + for _ip in ${dns_server_ip_arr[@]} ; do $ip6t -A OUTPUT -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A OUTPUT -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then for _dev in ${local_if_arr[@]} ; do $ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT done fi done
diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway
index 8ea1923..f20a6ba 100755
--- a/ipt-firewall-gateway
+++ b/ipt-firewall-gateway
@@ -1699,11 +1699,19 @@ echononl "\t\tDNS Service Gateway" # - if $local_dns_service ; then + # dns requests + # + # Note: + # If the total size of the DNS record is larger than 512 bytes, + # it will be sent over TCP, not UDP. + # + # - Allow requests from local networks # - for _dev in ${local_if_arr[@]} ; do # - in $ipt -A INPUT -i $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT + $ipt -A INPUT -i $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT done # - Zonetransfere (uses tcp/53) 
@@ -1735,11 +1743,21 @@ echononl "\t\tDNS Service local Network" # - Make nameservers at the local network area rechable for all # - if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then + + # dns requests + # + # Note: + # If the total size of the DNS record is larger than 512 bytes, + # it will be sent over TCP, not UDP. + # + for _ip in ${dns_server_ip_arr[@]} ; do $ipt -A OUTPUT -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT + $ipt -A OUTPUT -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_between_local_networks ; then for _dev in ${local_if_arr[@]} ; do $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT done fi done