[Pdns-users] UDP Connection Table Exhaustion?

Matthew Walster - Gyron matthew.walster at gyron.net
Fri Jul 3 14:37:35 UTC 2009


> -----Original Message-----
> From: bert.hubert at gmail.com [mailto:bert.hubert at gmail.com] On Behalf Of
> bert hubert
> Sent: 03 July 2009 09:16
> To: Matthew Walster - Gyron
> Cc: Sten Spans; Pdns-users at mailman.powerdns.com
> Subject: Re: [Pdns-users] UDP Connection Table Exhaustion?
>
> To nuance this a bit - on Linux, you can have great benefit from the
> iptables 'NOTRACK' target, which can help you do firewalling that will
> not run into problems from busy DNS traffic.

In case anyone reads the mail archives, runs CentOS, and is scared of iptables, here are the contents of /etc/sysconfig/iptables after I disabled connection tracking.

*** START ***

# Generated by iptables-save v1.3.5 on Fri Jul  3 15:16:17 2009
*raw
:PREROUTING ACCEPT [567:46949]
:OUTPUT ACCEPT [521:57257]
-A PREROUTING -p tcp -m tcp --sport 53 -j NOTRACK
-A PREROUTING -p tcp -m tcp --dport 53 -j NOTRACK
-A PREROUTING -p udp -m udp --dport 53 -j NOTRACK
-A PREROUTING -p udp -m udp --sport 53 -j NOTRACK
-A OUTPUT -p tcp -m tcp --sport 53 -j NOTRACK
-A OUTPUT -p tcp -m tcp --dport 53 -j NOTRACK
-A OUTPUT -p udp -m udp --dport 53 -j NOTRACK
-A OUTPUT -p udp -m udp --sport 53 -j NOTRACK
COMMIT
# Completed on Fri Jul  3 15:16:17 2009
# Generated by iptables-save v1.3.5 on Fri Jul  3 15:16:17 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [607:67528]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Jul  3 15:16:17 2009

*** END ***

Note that this is only for my VMware test machine, so you'll want more/fewer rules depending on which services you are going to run (httpd etc.), and you'll probably want to tighten a couple of the rules (such as anything with "--sport", otherwise you're letting in unnecessary traffic), but it's otherwise working.

Thanks to all who assisted with research for this!

Matthew Walster
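
An added example, not part of the original post: a Python check over iptables-save output that reports port 53 ACCEPT rules in the filter table whose `-m state` match can no longer fire because raw/PREROUTING marks that traffic NOTRACK (such packets carry the UNTRACKED state), plus stateless `--sport 53` accepts of the kind the post says to tighten. The sample ruleset is constructed from a trimmed subset of the rules above; `parse_rules` and `audit` are hypothetical names, and negated (`!`) matches are not handled.

```python
import shlex

# Constructed sample: trimmed from the ruleset in the post (TCP NOTRACK rules omitted).
SAMPLE = """\
*raw
-A PREROUTING -p udp -m udp --dport 53 -j NOTRACK
-A PREROUTING -p udp -m udp --sport 53 -j NOTRACK
COMMIT
*filter
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 53 -j ACCEPT
COMMIT
"""

def parse_rules(text):
    """Return (table, options, raw_line) for each -A rule in iptables-save output."""
    table, rules = None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            tok = shlex.split(line)
            # Pair each option with the token after it; a repeated -m is overwritten, unused here.
            opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
            rules.append((table, opts, line))
    return rules

def audit(text):
    rules = parse_rules(text)
    # (protocol, port option) pairs that raw/PREROUTING exempts from connection tracking
    untracked = {(o.get("-p"), d) for t, o, _ in rules for d in ("--sport", "--dport")
                 if t == "raw" and o.get("-A") == "PREROUTING"
                 and o.get("-j") == "NOTRACK" and o.get(d) == "53"}
    findings = []
    for table, o, line in rules:
        if table != "filter" or o.get("-j") != "ACCEPT":
            continue
        states = o["--state"].split(",") if "--state" in o else None
        for d in ("--sport", "--dport"):
            if o.get(d) != "53":
                continue
            if states and "UNTRACKED" not in states and (o.get("-p"), d) in untracked:
                findings.append(("state-match-never-fires", line))  # packet is UNTRACKED
            elif states is None and d == "--sport":
                findings.append(("stateless-sport-accept", line))   # any destination port admitted
    return findings

if __name__ == "__main__":
    for kind, rule in audit(SAMPLE):
        print(f"{kind}: {rule}")
```

In the sample, UDP queries to port 53 get in only through the stateless `--dport 53` rule, while the TCP `--state NEW` rule is not reported because no raw rule exempts TCP there.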
