iptables: Skip conntrack for DNS queries.

Under heavy request load, it is possible for the conntrack kernel
table to fill up (by default, 256k connections).  This leads to DNS
requests failing because they cannot make a new conntrack entry.

Allow all port-53 UDP traffic in and out without connection tracking.
This means that unbound port-53 traffic is no longer filtered out by
the on-host firewall -- but it is already filtered out at the border
firewall, so this does not change the external network posture.
`systemd-resolve` also only binds to 127.0.0.53 on the loopback
interface, so there is no server to attack on inbound port 53.
Alex Vandiver 2024-01-08 15:24:09 -05:00 committed by Tim Abbott
parent d18de3e0a4
commit 3bf047beb8
1 changed file with 17 additions and 3 deletions


@ -1,6 +1,18 @@
# This file was auto-generated by Puppet. Do not edit by hand.
*filter
# The raw table is used to disable connection tracking for DNS
# traffic, so it works even when the conntrack table fills.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j CT --notrack
-A PREROUTING -p udp -m udp --sport 53 -j CT --notrack
-A OUTPUT -p udp -m udp --dport 53 -j CT --notrack
-A OUTPUT -p udp -m udp --sport 53 -j CT --notrack
COMMIT
*filter
# Allow all outbound traffic
-A OUTPUT -j ACCEPT
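Review bot: the two `--sport 53` notrack rules are broader than the commit message describes. `-A PREROUTING -p udp -m udp --sport 53 -j CT --notrack` marks every inbound UDP packet whose source port is 53 as UNTRACKED regardless of its destination port, and the UNTRACKED accept added to INPUT in the next hunk then admits such packets to any UDP port on the host, not only port 53. Since this rule exists so that replies to the host's own outbound queries get through, consider narrowing it to the local ephemeral range, e.g. `--sport 53 --dport 1024:65535`, or at least extending the comment above `*raw` to state that the bypass covers all inbound UDP with source port 53. Minor: `-m udp` is redundant with `-p udp` on these rules.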
@ -10,7 +22,9 @@
# Drop all traffic to loopback IPs on other interfaces
-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
# Accept incoming traffic related to established connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept incoming traffic related to established connections, or the
# untracked port-53-UDP set up above. See iptables-extensions(8) for
# the --state flag. This drops INVALID and NEW states.
-A INPUT -m state --state ESTABLISHED,RELATED,UNTRACKED -j ACCEPT
# Host-specific rules follow:
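Review bot: the comment above `-A INPUT -m state --state ESTABLISHED,RELATED,UNTRACKED -j ACCEPT` says "This drops INVALID and NEW states", but an ACCEPT rule drops nothing; INVALID and NEW packets simply fall through to the host-specific rules and the chain policy that follow, which is where any drop actually happens. Reword to something like "INVALID and NEW packets fall through to the rules below" so the comment matches the behaviour. Also, iptables-extensions(8) describes `state` as an obsolete version of `conntrack`; `-m conntrack --ctstate ESTABLISHED,RELATED,UNTRACKED` is the current form and avoids relying on the legacy alias.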