DNS forwarding from Kali 2.0 with Linux host


ituer...@gmail.com
Aug 13, 2015, 1:01:00 AM
to USB armory
Hi

I am using the new Kali 2.0 image on my USB Armory via my Fedora (fc20) laptop. I configured NAT forwarding as per the wiki (swapping IP subnet, of course):

   # enable masquerading for outgoing connections towards wireless interface
   /sbin/iptables -t nat -A POSTROUTING -s 10.42.0.0/24 -o wlan0 -j MASQUERADE

   # enable IP forwarding
   echo 1 > /proc/sys/net/ipv4/ip_forward

With this, I can SSH in, and from there ping the default Google DNS (8.8.8.8), and anything else by IP, but DNS resolution is not working:

   root@kali~ # ping google.com
   ping: unknown host google.com

Default /etc/resolv.conf:

   root@kali~ # cat /etc/resolv.conf
   nameserver 8.8.8.8

Using Wireshark on the host, I see:

   130 507.958868000 10.42.0.3 56299 8.8.8.8   53 DNS  70 Standard query 0x89e4  A google.com
   131 507.958882000 10.42.0.1 56299 10.42.0.3 53 ICMP 98 Destination unreachable (Host administratively prohibited)

My knowledge of iptables is very limited, but I suspect I need to add in another rule to my laptop. Sadly, I don't know what that would be.

Any suggestions?

Many thanks,
Ituero


Andrea Barisani
Aug 13, 2015, 1:25:36 AM
to ituer...@gmail.com, USB armory

Do you have other firewall rules on the host that might interfere? Can you flush them all and ensure that only the armory masquerading rule is running?

> Many thanks,
> Ituero

ituer...@gmail.com
Aug 17, 2015, 11:51:00 PM
to USB armory, ituer...@gmail.com
Sorry for the delayed reply.

So, I stopped the firewalld service:
   sudo service firewalld stop

flushed IP tables:
   sudo iptables --flush

re-enabled nat masquerade for usb armory:
   /sbin/iptables -t nat -A POSTROUTING -s 10.42.0.0/24 -o wlan0 -j MASQUERADE

Now I can ping by hostname *and* see my local network (the local network was not visible while firewalld was running).

This is good... apart from the fact that my laptop is now wide open. Guess I need to investigate how to configure firewalld to do the same.

Thanks,
Ituero

ituer...@gmail.com
Aug 18, 2015, 7:52:24 PM
to USB armory, ituer...@gmail.com
Good news... I have identified an appropriate configuration for users of firewalld that allows the USB Armory access to the network (including the local network) and DNS resolution.

In case it helps other users:

  • Move physical NICs to the external zone (which allows MASQUERADE by default)
    • move the ethernet interface from the public zone to the external zone (in my case it is p1p1, but could be eth0)
    • move the wireless interface from the public zone to the external zone (in my case wl4s0, but could be wlan0)
  • Configure the internal zone. Note that we are not adding the usb0 NIC to the internal zone. This is in case other non-USB Armory USB ethernet adapters are used later; they should still go to the default zone (in my case, that is public)
    • add source 10.42.0.0/24 to the internal zone (for the Kali image)
    • add source 10.0.0.0/24 to the internal zone (for the USB Armory official images)
  • Allow the internal zone access to the DNS service
    • add the "dns" service to the internal zone (on the services tab)
  • If local/private network access is required (e.g. to access servers by hostname rather than IP)
    • on the USB Armory, edit /etc/resolv.conf
    • edit the nameserver entry with the IP address of the local DNS resolver (it should also be a forwarder to resolve internet hostnames), e.g. (assuming the local DNS is on 192.168.0.1):
       #nameserver 8.8.8.8
       nameserver 192.168.0.1

Thanks,
Ituero
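The zone changes Ituero lists above, translated from the firewalld GUI steps into firewall-cmd invocations, as an added example that is not part of the thread. It assumes firewall-cmd is available and that the external zone has masquerade enabled (its stock default); the interface and subnet values are the ones quoted in the post and are parameters here.

```shell
#!/bin/sh
# Added example (not from the thread): firewalld configuration for a
# USB armory NAT host, expressed as firewall-cmd commands.
# Assumes the stock "external" zone, which masquerades by default.

# Print the firewall-cmd commands for the given uplink interfaces and
# armory subnets. Nothing is executed here, so the plan can be reviewed
# first; pipe the output to sh as root to apply it.
armory_firewalld_plan() {
    ext_ifaces="$1"   # space-separated physical NICs, e.g. "p1p1 wl4s0"
    int_sources="$2"  # space-separated armory subnets
    for ifc in $ext_ifaces; do
        # Moving the uplink NICs to "external" replaces the manual
        # POSTROUTING MASQUERADE rule from the first post.
        echo "firewall-cmd --permanent --zone=external --change-interface=$ifc"
    done
    for src in $int_sources; do
        # Match the armory by source address instead of binding usb0, so
        # other USB ethernet adapters stay in the default zone.
        echo "firewall-cmd --permanent --zone=internal --add-source=$src"
    done
    # Permit DNS (udp/tcp 53) from internal-zone sources; without this the
    # host answers the armory's queries with ICMP "administratively
    # prohibited", as seen in the Wireshark capture.
    echo "firewall-cmd --permanent --zone=internal --add-service=dns"
    echo "firewall-cmd --reload"
}

# Read-only commands to confirm the resulting state afterwards.
armory_firewalld_verify() {
    echo "firewall-cmd --get-active-zones"
    echo "firewall-cmd --zone=external --query-masquerade"
    echo "firewall-cmd --zone=internal --list-all"
}

# Stand-alone run: print the plan for the values from the thread.
armory_firewalld_plan "p1p1 wl4s0" "10.42.0.0/24 10.0.0.0/24"
armory_firewalld_verify
```

Review the printed plan, then run it as root (e.g. `sh script.sh | sudo sh`); `--permanent` changes only take effect after the final `--reload`.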