@iancoffey
Created June 13, 2014 18:09
U32 FTW
```yaml
- name: iptables_rules | get iptables rules
  # -n skips reverse DNS lookups while listing; the output is only used to test for the chain
  shell: iptables -L -n
  register: iptablesrules
  sudo: true

- name: add_dns_chain | add UDP DNS iptables chain
  command: iptables -N DNS_udp
  sudo: true
  when: iptablesrules.stdout.find("DNS_udp") == -1
  register: dns_chain
  # A skipped task is not a failed one, so on a host where the chain already exists
  # the rules below are appended again on every run; delete the chain first if re-running.

# u32 "0>>22&0x3C@8>>15&0x01=0": the IP header length (IHL*4) locates the UDP header,
# the 32-bit word at UDP offset 8 holds the DNS ID and flags, and bit 15 of that word
# is QR (0 = query, 1 = answer). Queries are accepted; answers arriving on port 53 and
# packets too short to carry a DNS header (a u32 read past the end never matches) fall through.
- name: accept_dns_queries | accept DNS queries (QR bit = 0)
  command: iptables -A DNS_udp -m u32 --u32 "0>>22&0x3C@8>>15&0x01=0" -j ACCEPT
  sudo: true
  when: dns_chain|success

- name: log_malformed_dns | log malformed DNS packet
  command: iptables -A DNS_udp -j LOG --log-prefix "Dropped DNS answer " --log-level 4 -m comment --comment "u32_log_dns_answers"
  sudo: true
  when: dns_chain|success

# LOG is non-terminating, so the chain needs a final catch-all DROP for what was just logged
- name: drop_udp_dns | drop everything the chain did not accept
  command: iptables -A DNS_udp -j DROP
  sudo: true
  when: dns_chain|success

- name: filter_udp_dns | send traffic through our dns chain
  command: iptables -A INPUT -p udp --dport 53 -j DNS_udp
  sudo: true
  when: dns_chain|success
```
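The u32 expression above can be checked offline before it is loaded into a firewall. The following Python is an added example, not part of the gist: it reimplements the matching semantics of the kernel xt_u32 module as assumed here (offsets counted from the start of the IPv4 header, 32-bit big-endian reads, `@` adding the current value to the base offset, and a read past the end of the packet counting as "no match"), builds constructed IPv4/UDP/DNS packets (sample data, not captures), and walks them through the DNS_udp chain's accept-or-drop decision, including a packet carrying IP options and one truncated after the UDP header.

```python
"""Evaluate an iptables u32 expression against constructed packets (added example)."""
import re
import struct

# Expression from the gist: IHL*4 -> UDP header; word at UDP+8 = DNS ID/flags;
# bit 15 of that word is QR (0 = query, 1 = answer).
DNS_QUERY_EXPR = "0>>22&0x3C@8>>15&0x01=0"

_OPS = re.compile(r"(>>|<<|&|@)")


def _read_word(packet: bytes, pos: int) -> int:
    """Big-endian 32-bit read; out-of-range is an error (xt_u32 treats it as no match)."""
    if pos < 0 or pos + 4 > len(packet):
        raise IndexError("read beyond packet")
    return struct.unpack("!I", packet[pos:pos + 4])[0]


def _eval_location(location: str, packet: bytes) -> int:
    """Walk 'number (op number)*' the way xt_u32 does: & >> << and @ (base offset)."""
    tokens = [t.strip() for t in _OPS.split(location)]
    at = 0                                   # accumulated base offset for '@'
    val = _read_word(packet, int(tokens[0], 0))
    for op, num in zip(tokens[1::2], tokens[2::2]):
        number = int(num, 0)
        if op == "&":
            val &= number
        elif op == ">>":
            val >>= number
        elif op == "<<":
            val = (val << number) & 0xFFFFFFFF
        elif op == "@":
            at += val
            val = _read_word(packet, at + number)
    return val


def _in_ranges(val: int, ranges: str) -> bool:
    """Right-hand side of '=': comma-separated values or lo:hi ranges."""
    for rng in ranges.split(","):
        lo, _, hi = rng.partition(":")
        lo_v = int(lo, 0)
        hi_v = int(hi, 0) if hi else lo_v
        if lo_v <= val <= hi_v:
            return True
    return False


def u32_match(expr: str, packet: bytes) -> bool:
    """True if every '&&'-joined test of the u32 expression matches the packet."""
    for test in expr.split("&&"):
        location, _, ranges = test.partition("=")
        try:
            val = _eval_location(location, packet)
        except IndexError:
            return False                     # short packet: xt_u32 never matches
        if not _in_ranges(val, ranges):
            return False
    return True


def build_dns_udp_packet(flags: int, ip_options: bytes = b"", dns_id: int = 0x1234,
                         truncate_after_udp: bool = False) -> bytes:
    """Constructed IPv4/UDP/DNS packet to port 53 (sample data, not a capture)."""
    dns = b"" if truncate_after_udp else struct.pack("!HHHHHH", dns_id, flags, 1, 0, 0, 0)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ihl = 5 + len(ip_options) // 4           # options must be padded to 4 bytes
    total = ihl * 4 + len(udp)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 53])) + ip_options
    return ip + udp


def dns_udp_chain_verdict(packet: bytes) -> str:
    """Walk the gist's DNS_udp chain: ACCEPT queries, LOG then DROP everything else."""
    if u32_match(DNS_QUERY_EXPR, packet):
        return "ACCEPT"
    return "LOG+DROP"


if __name__ == "__main__":
    nop_options = b"\x01\x01\x01\x01"        # four IPv4 NOP options -> IHL 6
    samples = [
        ("query", build_dns_udp_packet(0x0100)),
        ("answer", build_dns_udp_packet(0x8180)),
        ("query with IP options", build_dns_udp_packet(0x0100, ip_options=nop_options)),
        ("truncated after UDP header", build_dns_udp_packet(0x0100, truncate_after_udp=True)),
    ]
    for label, pkt in samples:
        print(f"{label:28s} -> {dns_udp_chain_verdict(pkt)}")
```

The packet with IP options is the reason the expression starts with `0>>22&0x3C@` rather than a fixed offset of 28: the IHL-derived base keeps the read aligned on the DNS header when the IP header is longer than 20 bytes.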