01-30-2004 #1, Just Joined! (Join Date: Jan 2004; Location: Russian Federation, Kaliningrad; Posts: 6)
iptables and hostname resolving
Hi All!
I have a Linux 9.0 mdk machine running as a gateway for my network.
There are 2 interfaces:
eth0 - connected to the internet
eth1 - to the ethernet
There is no DNS server on my machine.
I have configured iptables on my server to filter FORWARD packets going to/from my local network.
Example lines:
:FORWARD DROP [1:1500]
-A FORWARD -i eth0 -p tcp -j tcp_packets_forward_in
-A FORWARD -i eth1 -p tcp -j tcp_packets_forward_out
-A FORWARD -i eth0 -p udp -j udp_packets_forward_in
-A FORWARD -i eth1 -p udp -j udp_packets_forward_out
#-A FORWARD -i eth1 -j ACCEPT
and:
-A tcp_packets_forward_in -p tcp -m tcp --sport 53 -j allowed
-A tcp_packets_forward_out -p tcp -m tcp --dport 53 -j allowed
-A udp_packets_forward_in -p udp -m udp --sport 53 -j ACCEPT
-A udp_packets_forward_out -p udp -m udp --dport 53 -j ACCEPT
The problem is that sometimes (once a day, for example) browsers on computers in the local network begin to show the "Cannot display page" error message for almost all websites. But "ping hostname" works well.
And when I uncomment the line shown as commented in the above example, everything starts working! All websites load and so on. And if after that I comment that line out again, everything continues working...
Maybe someone has had a similar problem?
Thanks
01-30-2004 #2, Linux Guru (Join Date: Oct 2001; Location: Täby, Sweden; Posts: 7,578)
Is that really all your rules? In that case, I can't see how you can browse at all from the clients, since you're not allowing port 80. Would you mind explaining that?
01-30-2004 #3, Just Joined! (Join Date: Jan 2004; Location: Russian Federation, Kaliningrad; Posts: 6)
I placed here only the rules corresponding to DNS ports, as I was thinking the problem is connected to DNS packets going to external DNS servers.
Here are all the rules for the FORWARD chain:
-A FORWARD -p tcp -j bad_tcp_packets
-A FORWARD -p icmp -j icmp_packets_forward
-A FORWARD -i eth0 -p tcp -j tcp_packets_forward_in
-A FORWARD -i eth1 -p tcp -j tcp_packets_forward_out
-A FORWARD -i eth0 -p udp -j udp_packets_forward_in
-A FORWARD -i eth1 -p udp -j udp_packets_forward_out
#-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT FORWARD packet died:" --log-level 7
-A allowed -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A allowed -p tcp -j DROP
-A bad_tcp_packets -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "New not syn:"
-A bad_tcp_packets -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j DROP
-A icmp_packets_forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets_forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A tcp_packets_forward_in -p tcp -m tcp --sport 21 -j allowed
-A tcp_packets_forward_in -p tcp -m tcp --sport 22 -j allowed
-A tcp_packets_forward_in -p tcp -m tcp --sport 25 -j allowed
-A tcp_packets_forward_in -p tcp -m tcp --sport 53 -j allowed
-A tcp_packets_forward_in -p tcp -m tcp --sport 80:83 -j allowed
-A tcp_packets_forward_in -p tcp -m tcp --sport 110 -j allowed
-A tcp_packets_forward_in -p tcp -m tcp --sport 119 -j allowed
-A tcp_packets_forward_in -p tcp -m tcp --sport 443 -j allowed
-A tcp_packets_forward_in -p tcp -m tcp --sport 3128 -j allowed
-A tcp_packets_forward_in -p tcp -m tcp --sport 4662 -j allowed
-A tcp_packets_forward_in -p tcp -m tcp --sport 5100 -j allowed
-A tcp_packets_forward_in -p tcp -m tcp --sport 5190 -j allowed
-A tcp_packets_forward_in -p tcp -m tcp --sport 8000:8088 -j allowed
-A tcp_packets_forward_out -p tcp -m tcp --dport 21 -j allowed
-A tcp_packets_forward_out -p tcp -m tcp --dport 22 -j allowed
-A tcp_packets_forward_out -p tcp -m tcp --dport 25 -j allowed
-A tcp_packets_forward_out -p tcp -m tcp --dport 53 -j allowed
-A tcp_packets_forward_out -p tcp -m tcp --dport 80:83 -j allowed
-A tcp_packets_forward_out -p tcp -m tcp --dport 110 -j allowed
-A tcp_packets_forward_out -p tcp -m tcp --dport 119 -j allowed
-A tcp_packets_forward_out -p tcp -m tcp --dport 443 -j allowed
-A tcp_packets_forward_out -p tcp -m tcp --dport 3128 -j allowed
-A tcp_packets_forward_out -p tcp -m tcp --dport 4662 -j allowed
-A tcp_packets_forward_out -p tcp -m tcp --dport 5100 -j allowed
-A tcp_packets_forward_out -p tcp -m tcp --dport 5190 -j allowed
-A tcp_packets_forward_out -p tcp -m tcp --dport 8000:8088 -j allowed
-A udp_packets_forward_in -p udp -m udp --sport 53 -j ACCEPT
-A udp_packets_forward_in -p udp -m udp --sport 5028 -j ACCEPT
-A udp_packets_forward_out -p udp -m udp --dport 53 -j ACCEPT
-A udp_packets_forward_out -p udp -m udp --dport 3241 -j ACCEPT
-A udp_packets_forward_out -p udp -m udp --dport 5028 -j ACCEPT
01-30-2004 #4, Linux Guru (Join Date: Oct 2001; Location: Täby, Sweden; Posts: 7,578)
The main problem is that the "Cannot display page" error in MSIE doesn't actually say anything. It gives it for at least three conditions, two of which are when it can't look up the domain name and when it can't connect to the server. The third I don't remember, and I think there are more conditions that cause that error message as well. Thus, I think you should try to find out what exactly goes wrong.
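The ruleset posted in #3 already contains the evidence this reply asks for: the last FORWARD rule logs (at most 3/min) every packet that falls through to the DROP policy with the prefix "IPT FORWARD packet died:". The script below is an added example, not code from the thread or from any of its participants. It parses kernel log lines of the form that LOG target produces and tallies the dropped packets by direction, protocol and the port that matters for each direction, so the browser error can be tied to a concrete dropped flow. The log lines, addresses and ports in SAMPLE_LOG are constructed for the example; the interface roles (eth0 Internet, eth1 LAN) follow the original post.

```python
import re
from collections import Counter

# Constructed sample log lines in the format produced by the posted LOG rule.
# The prefix is the one from the ruleset; hosts, ports and timestamps are invented.
SAMPLE_LOG = """\
Jan 30 12:00:01 gw kernel: IPT FORWARD packet died:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=TCP SPT=33000 DPT=8443 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 30 12:00:02 gw kernel: IPT FORWARD packet died:IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=203.0.113.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12346 DF PROTO=TCP SPT=33001 DPT=8443 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 30 12:00:03 gw kernel: IPT FORWARD packet died:IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.10 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=999 DF PROTO=TCP SPT=80 DPT=33002 WINDOW=65535 RES=0x00 ACK URGP=0
Jan 30 12:00:04 gw kernel: IPT FORWARD packet died:IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=198.51.100.9 LEN=78 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=UDP SPT=40000 DPT=123 LEN=58
Jan 30 12:00:05 gw kernel: something unrelated that should be ignored
"""

LOG_PREFIX = "IPT FORWARD packet died:"   # from the posted FORWARD LOG rule
LAN_IF, WAN_IF = "eth1", "eth0"           # interface roles from the original post

_KV = re.compile(r"\b([A-Z]+)=(\S+)")
_TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Return the KEY=VALUE fields that follow the LOG prefix, plus a 'FLAGS'
    set of the bare TCP flag tokens; None for lines that are not ours.
    Note: the prefix has no trailing space, so 'died:IN=eth1' is expected."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    body = line[idx + len(LOG_PREFIX):]
    fields = dict(_KV.findall(body))
    fields["FLAGS"] = {tok for tok in body.split() if tok in _TCP_FLAGS}
    return fields


def classify(fields):
    """Label a dropped packet the way the posted ruleset would see it.

    LAN -> Internet: the interesting port is DPT. A dropped TCP SYN or UDP
    datagram means that destination port is simply not in the
    *_packets_forward_out allow lists.
    Internet -> LAN: the interesting port is SPT. A dropped reply whose source
    port *is* in the *_packets_forward_in lists means conntrack did not treat
    the flow as RELATED,ESTABLISHED, which points away from the port lists.
    """
    proto = fields.get("PROTO", "?")
    if fields.get("IN") == LAN_IF:
        if proto == "TCP" and "SYN" not in fields["FLAGS"]:
            kind = "outbound-non-syn"
        else:
            kind = "new-outbound"
        return (kind, proto, int(fields.get("DPT", 0)))
    if fields.get("IN") == WAN_IF:
        return ("inbound", proto, int(fields.get("SPT", 0)))
    return ("other", proto, 0)


def summarize(log_text):
    """Count dropped forwarded packets per (kind, protocol, port)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is not None:
            counts[classify(fields)] += 1
    return counts


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/messages").read() on the gateway.
    for (kind, proto, port), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {kind:17s} {proto:4s} port {port}")
```

On the sample, the report shows two dropped SYNs towards TCP 8443 and one dropped UDP datagram to port 123 from the LAN, neither of which is in the posted allow lists, and one dropped reply from TCP 80 on eth0 that the RELATED,ESTABLISHED rule did not catch. One caveat: the "allowed" chain ends in a plain DROP with no LOG, so packets it rejects never appear in this report; only what reaches the end of FORWARD is logged.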
01-30-2004 #5, Just Joined! (Join Date: Jan 2004; Location: Russian Federation, Kaliningrad; Posts: 6)
Your reply set me thinking about the different ports that different web servers are listening on.
For example, one of my problems was that when a user typed www.yahoo.com in his browser, the "Cannot display page" error was raised. But the command "ping yahoo.com" worked very well.
My opinion is that I should enable more ports connected to the 80th port which web servers are listening on...
I hope this will help and will solve the problem.
Anyway, thanks for the advice.