Hi, I am relatively new to firewalls and netfilter. I have a Debian Stretch router box running dnsmasq, connected to a VPN. Occasionally dnsmasq polls all of the desired DNS servers to select the fastest. When it does this it responds to replies of the non-selected DNS servers with a icmp type three or "host unreachable". My firewall is very strict (I was hacked) and I am controlling sockets. I would like to respond to the DNS servers with this icmp message. I have tried many, many ways but none work, the message keeps on getting dropped. Here is an example rule set for one of the DNS servers:
# Owner: cryptostorm DNS in Langley in CA
-A OUTPUT -o tun0 -m state --state ESTABLISHED,NEW -p tcp --dport 53 -d 162.221.207.228 -j good_out_ips_accept
-A OUTPUT -o tun0 -m state --state ESTABLISHED,NEW -p udp --dport 53 -d 162.221.207.228 -j good_out_ips_accept
-A OUTPUT -m state --state ESTABLISHED,NEW -p icmp -m icmp --icmp-type 3 -d 162.221.207.228 -j good_out_ips_accept
-A OUTPUT -o tun0 -d 162.221.207.228 -j good_out_ips_drop
Here is the rule script:
-N good_out_ips_accept
-N good_out_ips_drop
-- many ips and ranges like above ----
-A good_out_ips_accept -j ACCEPT
-A good_out_ips_drop -j LOG --log-level info --log-prefix "GOOD O/P IPs -- DROP :"
-A good_out_ips_drop -j DROP
Here is the resulting script from the firewall log:
May 20 16:24:21 gate kernel: [73690.667828] GOOD O/P IPs -- DROP :IN= OUT=tun0 SRC=10.7.7.88 DST=162.221.207.228 LEN=152 TOS=0x00 PREC=0xC0 TTL=64 ID=54071 PROTO=ICMP TYPE=3 CODE=3 [SRC=162.221.207.228 DST=10.7.7.88 LEN=124 TOS=0x00 PREC=0x00 TTL=57 ID=58899 DF PROTO=UDP SPT=53 DPT=50934 LEN=104 ]
To me the firewall is not seeing the icmp rule for some reason. Can anyone see the problem? Thanks for you help!
---------- Post updated at 06:04 PM ---------- Previous update was at 05:36 PM ----------
Well, I'm replying to my own post 10 minutes after writing it. All I needed was a "RELATED" on the state. I was hesitant to use this state as it seems to open a can of worms on some web sites...