Firewall rule to allow OpenDNS updater to work?


This topic contains 7 replies, has 0 voices, and was last updated by  knitatoms 9 years ago.

  • #42246

    knitatoms
    Member

    Thanks to the help from ppalias I’ve now got zeroshell set up and working pretty much how I hoped. It’s an excellent distribution – thanks Fulvio!

    My problem now is that automatic updates to OpenDNS are not working. The log is below. I’ve tried a few rules in the Firewall to get this working again (it was working before I set up Firewall) but nothing has worked so far. Any ideas?

    (My current firewall rules are shown in here: http://www.zeroshell.net/eng/forum/viewtopic.php?t=2000)

    17:30:22  WAN IP=MY.IP.ADD.RESS
    17:30:22 Dynamic DNS updating .opendns (user)
    17:39:53 ERROR:
    17:39:53 --17:30:22-- https://user:*password*@updates.opendns.com/nic/update?
    17:39:53 Resolving updates.opendns.com... 208.69.38.180
    17:39:53 Connecting to updates.opendns.com[208.69.38.180]:443... failed: Connection timed out.
    17:39:53 Retrying.
    17:39:53
    17:39:53 --17:33:33-- https://user:*password*@updates.opendns.com/nic/update?
    17:39:53 Connecting to updates.opendns.com[208.69.38.180]:443... failed: Connection timed out.
    17:39:53 Retrying.
    17:39:53
    17:39:53 --17:36:44-- https://user:*password*@updates.opendns.com/nic/update?
    17:39:53 Connecting to updates.opendns.com[208.69.38.180]:443... failed: Connection timed out.
    17:39:53 Giving up.
    #49773

    ppalias
    Member

    Who is initiating the connection to opendns server? If it is ZS you need to add an allow rule on the OUTPUT chain. If it is another PC in the LAN you need to enable an allow rule on the FORWARD chain.

    #49774

    knitatoms
    Member

    Thanks for the reply but OpenDNS updater is still not working. It used to work on the same ZS box until I changed it to a router / gateway from a wireless access point – so my password etc are definitely correct.

    I set the OUTPUT chain to ACCEPT and disabled all other OUTPUT rules. But I still get the same error as above.

    Anyone have any ideas?

    #49775

    ppalias
    Member

    Give us the output of

    iptables -L -v
    iptables -t nat -L -v

    #49776

    knitatoms
    Member

    root@zeroshell root> iptables -L -v

    Chain INPUT (policy DROP 1474 packets, 126K bytes)
    pkts bytes target prot opt in out source destination
    2539 248K SYS_INPUT all -- any any anywhere anywhere
    0 0 SYS_HTTPS tcp -- any any anywhere anywhere tcp dpt:http
    821 95124 SYS_HTTPS tcp -- any any anywhere anywhere tcp dpt:https
    56 5000 SYS_SSH tcp -- any any anywhere anywhere tcp dpt:ssh
    0 0 ACCEPT tcp -- BRIDGE00 any anywhere anywhere tcp spt:https dpt:https
    0 0 ACCEPT tcp -- BRIDGE00 any anywhere anywhere tcp spt:ssh dpt:ssh
    0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:https dpt:https

    Chain FORWARD (policy DROP 12542 packets, 721K bytes)
    pkts bytes target prot opt in out source destination
    2208K 264M ACCEPT all -- BRIDGE00 any anywhere anywhere
    3234K 3196M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED

    Chain OUTPUT (policy ACCEPT 2894 packets, 1104K bytes)
    pkts bytes target prot opt in out source destination
    3246 1133K SYS_OUTPUT all -- any any anywhere anywhere
    150 9900 DROP all -- any ppp0 anywhere anywhere

    Chain NetBalancer (0 references)
    pkts bytes target prot opt in out source destination

    Chain SYS_HTTPS (2 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- lo any anywhere anywhere
    4057 376K ACCEPT all -- BRIDGE00 any 192.168.1.0/24 anywhere
    0 0 ACCEPT all -- BRIDGE00 any 192.168.1.44 anywhere
    2 96 DROP all -- any any anywhere anywhere

    Chain SYS_INPUT (1 references)
    pkts bytes target prot opt in out source destination
    1011 115K ACCEPT all -- lo any anywhere anywhere
    223 58755 ACCEPT udp -- any any anywhere anywhere udp spt:domain state ESTABLISHED
    40 35390 ACCEPT tcp -- any any anywhere anywhere tcp spt:http state ESTABLISHED
    400 48000 ACCEPT tcp -- any any anywhere anywhere tcp spt:8245 state ESTABLISHED
    3399 258K ACCEPT udp -- any any anywhere anywhere udp spt:ntp state ESTABLISHED
    23952 2117K RETURN all -- any any anywhere anywhere

    Chain SYS_OUTPUT (1 references)
    pkts bytes target prot opt in out source destination
    1011 115K ACCEPT all -- any lo anywhere anywhere
    333 23664 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
    40 2626 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
    501 37852 ACCEPT tcp -- any any anywhere anywhere tcp dpt:8245
    3606 274K ACCEPT udp -- any any anywhere anywhere udp dpt:ntp
    12212 3493K RETURN all -- any any anywhere anywhere

    Chain SYS_SSH (1 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- lo any anywhere anywhere
    53 4832 ACCEPT all -- BRIDGE00 any 192.168.1.44 anywhere
    8 444 DROP all -- any any anywhere anywhere


    root@zeroshell root> iptables -t nat -L -v


    Chain PREROUTING (policy ACCEPT 45557 packets, 3349K bytes)
    pkts bytes target prot opt in out source destination
    12247 664K DNAT tcp -- ppp0 any anywhere anywhere tcp dpt:lotusnote to:192.168.1.44:1352
    0 0 DNAT udp -- ppp0 any anywhere anywhere udp dpt:sip-tls to:192.168.1.9:5061
    0 0 DNAT udp -- ppp0 any anywhere anywhere udp dpt:sip to:192.168.1.7:5060
    430 63541 DNAT udp -- ppp0 any anywhere anywhere udp dpts:ndmp:dnp to:192.168.1.7:10000-20000

    Chain POSTROUTING (policy ACCEPT 2228 packets, 347K bytes)
    pkts bytes target prot opt in out source destination
    31734 2139K SNATVS all -- any any anywhere anywhere
    29506 1793K MASQUERADE all -- any ppp0 anywhere anywhere

    Chain OUTPUT (policy ACCEPT 6135 packets, 439K bytes)
    pkts bytes target prot opt in out source destination

    Chain SNATVS (1 references)
    pkts bytes target prot opt in out source destination
    root@zeroshell root>

    #49777

    ppalias
    Member

    There are many drops in the OUTPUT chain. I would suggest temporarily changing the policy to ACCEPT on all chains, make sure it works and then try to fine tune the firewall.
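
    Walking a packet through the posted chains makes the point about OUTPUT drops checkable. The following is an added example, not code from the thread or from Zeroshell: a small parser for the iptables -L -v format shown above that follows jumps into user chains and RETURNs, and reports which rule decides an outbound packet from the box itself. The DUMP constant is a constructed excerpt of the OUTPUT and SYS_OUTPUT chains posted above; interface and port names are taken from that dump.

```python
import re
# Constructed excerpt of the OUTPUT and SYS_OUTPUT chains posted in this thread (host's own traffic).
DUMP = """\
Chain OUTPUT (policy ACCEPT 2894 packets, 1104K bytes)
pkts bytes target prot opt in out source destination
3246 1133K SYS_OUTPUT all -- any any anywhere anywhere
150 9900 DROP all -- any ppp0 anywhere anywhere
Chain SYS_OUTPUT (1 references)
pkts bytes target prot opt in out source destination
1011 115K ACCEPT all -- any lo anywhere anywhere
333 23664 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
40 2626 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
501 37852 ACCEPT tcp -- any any anywhere anywhere tcp dpt:8245
3606 274K ACCEPT udp -- any any anywhere anywhere udp dpt:ntp
12212 3493K RETURN all -- any any anywhere anywhere
"""
# Service names as iptables -L prints them (from /etc/services) -> port numbers.
PORTS = {"domain": 53, "http": 80, "https": 443, "ntp": 123}

def parse(dump):
    """Return {chain: (policy or None, [(target, proto, out_if, dport)])}."""
    chains, cur = {}, None
    for line in dump.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)", line)
        if m:  # chain header: built-in chains carry a policy, user chains do not
            cur, chains[cur] = m.group(1), (m.group(2), [])
            continue
        f = line.split()
        if len(f) < 9 or f[0] == "pkts":  # blank line or column header
            continue
        m = re.search(r"dpt:(\S+)", line)
        dport = int(PORTS.get(m.group(1), m.group(1))) if m else None
        chains[cur][1].append((f[2], f[3], f[6], dport))  # target, prot, out, dpt
    return chains

def verdict(chains, chain, proto, out_if, dport):
    """First-match walk: (ACCEPT/DROP/policy, deciding chain), or (None, chain) on RETURN."""
    policy, rules = chains[chain]
    for target, r_proto, r_out, r_dport in rules:
        if r_proto not in ("all", proto) or r_out not in ("any", out_if):
            continue
        if r_dport is not None and r_dport != dport:
            continue
        if target == "RETURN":
            return None, chain
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, chain
        sub = verdict(chains, target, proto, out_if, dport)  # jump into a user chain
        if sub[0] is not None:
            return sub
    return policy, chain  # fell off the end: built-in policy, or None (implicit RETURN)
```

    On this excerpt, tcp/443 leaving via ppp0 reaches the trailing DROP in OUTPUT, while tcp/8245 (the port the DynDNS update uses) is accepted inside SYS_OUTPUT before that rule is ever consulted.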

    #49778

    knitatoms
    Member

    Just reviving this thread as I never managed to solve this problem. I set the output chain to Accept and disabled all other rules as suggested by ppalias but I still get the same error as in the original post.

    Anyone have any suggestions why OpenDNS is not updating for me? (Just to confirm that the same installation of ZeroShell used to update OpenDNS just fine before I changed it into a router.)

    [EDIT] Just to add – I tried updating a DYNDNS account and that worked fine...

    Also if I go to https://user:*password*@updates.opendns.com/nic/update? in my browser the update works fine (obviously replacing user with my username and inserting the password). So my PC that is inside the Zeroshell network can connect OK! [/EDIT]

    #49779

    ppalias
    Member

    Tried it myself and the problem looks like a bug when someone generally tries to access https from ZS itself. I suggest signaling a bug!

    #49780

    knitatoms
    Member

    OK thanks for checking. Bug filed:

    http://www.zeroshell.net/eng/forum/viewtopic.php?t=2085
