  1. #1
    Just Joined!
    Join Date
    Apr 2008
    Posts
    2

    DNS Issues


    I am using Ubuntu 8.04 as a proxy (Squid), web content filter (DansGuardian), and firewall (iptables). I'm new to Ubuntu so any help is appreciated. I work at a school where this was already set up, so I'm working with what I have. We are using Active Directory on Server 2003. It is also our DNS server (192.168.1.10). Something weird happened yesterday where my Ubuntu box can't resolve domain names. I was setting up a NAT in iptables, and I'm guessing I messed something up. When I do an nslookup on any domain, Google, Yahoo, etc., it won't resolve. I have bypassed the proxy on a machine and everything works fine. I checked /etc/resolv.conf and the DNS settings are correct (192.168.1.10). If I add an external DNS server to resolv.conf, domain names resolve. This again is what makes me believe I screwed something up in iptables. This poses a problem because all the students and staff have everything running through the proxy server for filtering, and they can't access the internet. Also, if I use the IP address of Google instead of Google, it comes up fine on any workstation using Internet Explorer. The IP of my Linux box is 192.168.1.1. Here's my iptables. PLEASE HELP!!!

    # Generated by iptables-save v1.3.8 on Sun Jun 8 16:57:11 2008
    *filter
    :INPUT DROP [8:568]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID input: "
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -s 192.168.1.1 -j DROP
    -A INPUT -d 224.0.0.0/240.0.0.0 -p ! udp -j DROP
    -A INPUT -p icmp -f -j LOG --log-prefix "Fragmented incoming ICMP: "
    -A INPUT -p icmp -f -j DROP
    -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A INPUT -s 192.168.0.0/255.255.0.0 -d 192.168.1.1 -i eth1 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
    -A INPUT -d 165.139.40.1 -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
    -A INPUT -s 192.168.0.0/255.255.0.0 -d 192.168.255.255 -i eth1 -p udp -m udp --sport 137:138 --dport 137:138 -m state --state NEW -j ACCEPT
    -A INPUT -s 192.168.0.0/255.255.0.0 -d 192.168.1.1 -i eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -j LOG
    -A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A FORWARD -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
    -A FORWARD -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
    -A FORWARD -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
    -A FORWARD -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -m state --state INVALID -j LOG --log-prefix "INVALID forward: "
    -A FORWARD -m state --state INVALID -j DROP
    -A FORWARD -s 192.168.1.1 -j DROP
    -A FORWARD -s 192.168.0.0/255.255.0.0 -i eth1 -j DROP
    -A FORWARD -d 255.255.255.255 -j DROP
    -A FORWARD -d 224.0.0.0/240.0.0.0 -p ! udp -j DROP
    -A FORWARD -p icmp -f -j LOG --log-prefix "Fragmented forwarded ICMP: "
    -A FORWARD -p icmp -f -j DROP
    -A FORWARD -p icmp -m icmp --icmp-type 4 -j ACCEPT
    -A FORWARD -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A FORWARD -d 192.168.0.0/255.255.0.0 -o eth1 -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A FORWARD -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
    -A FORWARD -d 192.168.0.0/255.255.0.0 -o eth1 -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A FORWARD -s 192.168.0.0/255.255.0.0 -i eth1 -o eth0 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
    -A FORWARD -s 192.168.0.0/255.255.0.0 -i eth1 -o eth0 -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 192.168.0.0/255.255.0.0 -i eth1 -o eth0 -p udp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -d 192.168.1.11 -i eth0 -o eth1 -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
    -A FORWARD -d 192.168.1.11 -i eth0 -o eth1 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
    -A FORWARD -d 192.168.1.11 -i eth0 -o eth1 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
    -A FORWARD -d 192.168.1.10 -i eth0 -o eth1 -p tcp -m tcp --dport 3389 -m state --state NEW -j ACCEPT
    -A FORWARD -j LOG
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID output: "
    -A OUTPUT -m state --state INVALID -j DROP
    -A OUTPUT -s ! 192.168.1.1 -o eth1 -j DROP
    -A OUTPUT -p icmp -f -j LOG --log-prefix "Fragmented outgoing ICMP: "
    -A OUTPUT -p icmp -f -j DROP
    -A OUTPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
    -A OUTPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A OUTPUT -d 192.168.0.0/255.255.0.0 -o eth1 -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A OUTPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
    -A OUTPUT -p icmp -m icmp --icmp-type 3 -j DROP
    -A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
    -A OUTPUT -s 165.139.40.1 -o eth0 -m state --state NEW -j ACCEPT
    -A OUTPUT -s 192.168.1.1 -d 192.168.0.0/255.255.0.0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -j LOG
    COMMIT
    # Completed on Sun Jun 8 16:57:11 2008
    # Generated by iptables-save v1.3.8 on Sun Jun 8 16:57:11 2008
    *nat
    :PREROUTING ACCEPT [12:760]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A PREROUTING -d 165.139.40.1 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.11
    -A PREROUTING -d 165.139.40.1 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.11
    -A PREROUTING -d 165.139.40.1 -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.11
    -A PREROUTING -s 74.93.93.225 -d 165.139.40.1 -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.10
    -A POSTROUTING -o eth0 -j SNAT --to-source 165.139.40.1
    COMMIT
    # Completed on Sun Jun 8 16:57:11 2008
    # Generated by iptables-save v1.3.8 on Sun Jun 8 16:57:11 2008
    *mangle
    :PREROUTING ACCEPT [117:29886]
    :INPUT ACCEPT [127820:10752056]
    :FORWARD ACCEPT [1089173:536183311]
    :OUTPUT ACCEPT [38:17412]
    :POSTROUTING ACCEPT [1153566:545743972]
    COMMIT
    # Completed on Sun Jun 8 16:57:11 2008
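
The post asks which of the rules above is stopping the box's own DNS lookups. Reading a 16-rule chain by eye is error-prone, so here is an added example, not the poster's own tooling and not part of iptables, that walks a packet through the filter OUTPUT chain quoted from the dump the way the kernel evaluates it: the first matching rule with a terminating target wins, `-j LOG` is non-terminating, and the chain policy applies when nothing matches. It implements only the options a UDP/53 query can hit (`-s`/`-d` with dotted masks and the old `-s ! addr` negation, `-i`/`-o`, `-p`, `--sport`/`--dport`, `-m state`); the ICMP-only rules are excluded by their `-p icmp` before any option the walker does not understand is reached, and a rule it cannot evaluate raises rather than guessing. The three traced queries are constructed: the lookup to 192.168.1.10 leaving eth1 from 192.168.1.1 as the poster expects, the same lookup if routing sent it out eth0 instead (a hypothetical misroute), and a lookup to an external resolver (198.51.100.53 is a placeholder address) from 165.139.40.1 via eth0, which the poster reports does work.

```python
# Added example for this thread (not the poster's tooling, not part of iptables): walk a
# packet through an iptables-save chain. Only options a UDP DNS query can hit are implemented.
import ipaddress
import shlex
# Constructed excerpt: the filter OUTPUT chain quoted verbatim from the post.
RULESET = """\
*filter
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID output: "
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -s ! 192.168.1.1 -o eth1 -j DROP
-A OUTPUT -p icmp -f -j LOG --log-prefix "Fragmented outgoing ICMP: "
-A OUTPUT -p icmp -f -j DROP
-A OUTPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A OUTPUT -d 192.168.0.0/255.255.0.0 -o eth1 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 3 -j DROP
-A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A OUTPUT -s 165.139.40.1 -o eth0 -m state --state NEW -j ACCEPT
-A OUTPUT -s 192.168.1.1 -d 192.168.0.0/255.255.0.0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j LOG
COMMIT
"""
ARITY = {"--tcp-flags": 2, "-f": 0}  # every other option takes exactly one argument

def parse_rule(line):
    toks = shlex.split(line)  # keeps the quoted --log-prefix value as one token
    rule = {"text": line, "target": "", "matches": [], "unsupported": []}
    i = 2  # toks[0] is '-A', toks[1] the chain name
    while i < len(toks):
        opt, negate = toks[i], False
        if toks[i + 1:i + 2] == ["!"]:  # iptables 1.3 negation syntax: '-s ! 192.168.1.1'
            negate, i = True, i + 1
        n = ARITY.get(opt, 1)
        args, i = toks[i + 1:i + 1 + n], i + 1 + n
        if opt == "-j":
            rule["target"] = args[0]
        elif opt in ("-s", "-d", "-i", "-o", "-p", "--dport", "--sport", "--state"):
            rule["matches"].append((opt, args[0], negate))  # (option, value, negated)
        elif opt not in ("-m", "--log-prefix"):  # -m only loads a match module
            rule["unsupported"].append(opt)
    return toks[1], rule

def parse_ruleset(text):
    chains, policies = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):  # ':CHAIN POLICY [packets:bytes]'
            name, policy = line.split()[:2]
            policies[name[1:]] = policy
        elif line.startswith("-A "):
            chain, rule = parse_rule(line)
            chains.setdefault(chain, []).append(rule)
    return chains, policies

def _match(opt, value, pkt):
    if opt in ("-s", "-d"):  # ip_network also takes the dump's 'addr/255.255.0.0' form
        return ipaddress.ip_address(pkt[opt]) in ipaddress.ip_network(value, strict=False)
    if opt in ("--dport", "--sport"):
        lo, _, hi = value.partition(":")  # single port or 'lo:hi' range
        return int(lo) <= pkt[opt] <= int(hi or lo)
    if opt == "--state":
        return pkt[opt] in value.split(",")
    return pkt[opt] == value  # -i, -o, -p

def rule_matches(rule, pkt):
    for opt, value, negated in rule["matches"]:
        if _match(opt, value, pkt) == negated:  # a plain miss, or a negated hit
            return False
    if rule["unsupported"]:  # every evaluable option matched: refuse to guess
        raise NotImplementedError(f"cannot evaluate {rule['unsupported']}: {rule['text']}")
    return True

def trace(chains, policies, chain, pkt):
    """Walk one chain; return (verdict, [(rule_no, target), ...] for each rule that matched)."""
    hits = []
    for no, rule in enumerate(chains.get(chain, []), start=1):
        if rule_matches(rule, pkt):
            hits.append((no, rule["target"]))
            if rule["target"] in ("ACCEPT", "DROP", "REJECT"):  # LOG is non-terminating
                return rule["target"], hits
    return policies[chain], hits  # fell off the end: the chain policy decides

def dns_query(src, dst, out_if):
    """A locally generated UDP/53 query, keyed by the iptables option each field answers."""
    return {"-s": src, "-d": dst, "-p": "udp", "--sport": 40000, "--dport": 53,
            "-i": "", "-o": out_if, "--state": "NEW"}

def scenarios():
    chains, policies = parse_ruleset(RULESET)
    cases = {"internal_eth1": ("192.168.1.1", "192.168.1.10", "eth1"),    # to the AD/DNS server
             "internal_eth0": ("192.168.1.1", "192.168.1.10", "eth0"),    # hypothetical misroute
             "external_eth0": ("165.139.40.1", "198.51.100.53", "eth0")}  # external resolver, placeholder IP
    return {name: trace(chains, policies, "OUTPUT", dns_query(*c)) for name, c in cases.items()}

if __name__ == "__main__":
    print(scenarios())
```

Run as written, it reports one verdict per query: the internal lookup via eth1 is accepted by rule 15 (`-s 192.168.1.1 -d 192.168.0.0/255.255.0.0 -o eth1 ...`), the external lookup by rule 14 (`-s 165.139.40.1 -o eth0 ...`), and the misrouted case matches only the trailing `-j LOG` before falling through to the chain's DROP policy. Two practical consequences follow. First, the posted OUTPUT chain does permit the query as long as it really leaves eth1 with the LAN address, so `ip route get 192.168.1.10` on the box is worth checking before rewriting rules. Second, because every chain in the dump ends in `-j LOG`, anything the policy drops leaves a kernel log line (`dmesg`, or /var/log/kern.log) naming IN/OUT interface, SRC, DST and DPT, which is the quickest way to confirm which chain is dropping the packet. To check the reply path the same way, paste the INPUT chain into RULESET and call `trace(chains, policies, "INPUT", ...)` with a packet whose `"-i"` is `"eth1"` and `"--state"` is `"ESTABLISHED"`.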

  2. #2
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    Do you still have the original file from before you decided to reconfigure your firewall?
    Have you compared the files to see what was missing?
    What NAT'ing were you trying to do?

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
