U32 FTW

gistfile1.txt

- name: iptables_rules | get iptables rules
  shell: iptables -L
  register: iptablesrules
  sudo: true

- name: add_dns_chain | add UDP DNS iptables chain
  command: iptables -N DNS_udp
  sudo: true
  when: iptablesrules.stdout.find("DNS_udp") == -1
  register: dns_chain

- name: accept valid_dns | add DNS answers iptable rule
  command: iptables -A DNS_udp -m u32 --u32 "0>>22&0x3C@8>>15&0x01=0" -j ACCEPT
  sudo: true
  when: dns_chain|success

- name: log_malformed_dns | log malformed DNS packet
  command: iptables -A DNS_udp  -j LOG --log-prefix "Dropped DNS answer " --log-level 4 -m comment --comment "u32_log_dns_answers"
  sudo: true
  when: dns_chain|success

- name: drop_udp_dns | add DNS answers iptable rule
  command: iptables -A DNS_udp -m u32 --u32 "0>>22&0x3C@8>>15&0x01=0" -j ACCEPT
  sudo: true
  when: dns_chain|success

- name: filter_udp_dns | send traffic through our dns chain
  command: iptables -A INPUT -p udp --dport 53 -j DNS_udp
  sudo: true
  when: dns_chain|success