#1 dubman (Just Joined!, joined Aug 2003, 1 post)

    DNS problems with iptables


    I am having a problem with DNS lookups on my internal network. When I do a packet trace, incoming DNS traffic is being forwarded successfully through my firewall, but the return (outgoing) DNS traffic is getting dropped. I know I have DNS set up correctly on my DMZ server because I can shut down my firewall and just enable the routing, and everything works fine (after entering some static routes on outside clients to negotiate my disabled NAT).

    I have the following four statements in my firewall script that should allow the DNS traffic:

    $IPT -A FORWARD -i $PUBIF -o $DMZIF -m state --state RELATED,ESTABLISHED -j ACCEPT

    $IPT -A FORWARD -i $DMZIF -o $PUBIF -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i $DMZIF -o $PUBIF -p tcp --dport 53 -j ACCEPT

    $IPT -t nat -A POSTROUTING -o $PUBIF -s $DMZNET -j MASQUERADE
    These are my variables:

    $IPT is calling /sbin/iptables
    $PUBIF is eth0, which is connected to my cable modem (WAN)
    $DMZIF is eth2, which is connected to my DMZ host
    $DMZNET is my DMZ network.

    Explanation (I think):
    The first statement should only allow "established and related" connections through. I know this is working because I can see the request on the DMZ server when I do a packet trace.

    The second statement should allow the return DNS traffic through. This is where the packets are getting dropped... I think.
    The third statement is configuring my NAT. I know this is working because all of my other services (FTP, web, SSH, etc.) are all accessible when my firewall script is running.

    I am stuck as to where iptables is breaking... someone please help!!!
    --dubman
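The pattern the post is working toward, as an added example that is not dubman's script (the post does not show the DNAT or inbound-NEW rules his setup must also have, so those are reconstructed here, and the interface names and addresses are hypothetical placeholders). The point it demonstrates: conntrack tracks UDP as pseudo-connections, so a reply from the DMZ name server (source port 53, destination the client's ephemeral port) never matches a `--dport 53` rule; it is accepted by a RELATED,ESTABLISHED rule, and that rule is needed in both FORWARD directions, not only PUBIF to DMZIF. `IPT` defaults to `echo` so the ruleset can be reviewed as a dry run without root; set `IPT=/sbin/iptables` to apply it.

```shell
#!/bin/sh
# Added example, not the original poster's firewall script.
# Stateful iptables FORWARD/NAT rules for a DNS server on a DMZ that
# answers queries from the Internet. All values below are assumptions.
IPT="${IPT:-echo}"                 # IPT=/sbin/iptables applies the rules for real
PUBIF="${PUBIF:-eth0}"             # WAN side (hypothetical)
DMZIF="${DMZIF:-eth2}"             # DMZ side (hypothetical)
DMZNET="${DMZNET:-192.168.2.0/24}" # DMZ network (hypothetical)
DMZDNS="${DMZDNS:-192.168.2.53}"   # the DMZ name server (hypothetical)

dns_rules() {
    # Steer Internet DNS queries that arrive on the public interface
    # to the DMZ name server (the post does not show this part).
    "$IPT" -t nat -A PREROUTING -i "$PUBIF" -p udp --dport 53 -j DNAT --to-destination "$DMZDNS"
    "$IPT" -t nat -A PREROUTING -i "$PUBIF" -p tcp --dport 53 -j DNAT --to-destination "$DMZDNS"

    # Brand-new queries from the outside may reach port 53 on the DNS host only.
    "$IPT" -A FORWARD -i "$PUBIF" -o "$DMZIF" -d "$DMZDNS" -p udp --dport 53 -m state --state NEW -j ACCEPT
    "$IPT" -A FORWARD -i "$PUBIF" -o "$DMZIF" -d "$DMZDNS" -p tcp --dport 53 -m state --state NEW -j ACCEPT

    # Replies belong to a tracked connection (UDP included), so one stateful
    # rule per direction covers them whatever port they use. Without the
    # DMZIF->PUBIF copy, the server's answers (sport 53 -> ephemeral) are dropped.
    "$IPT" -A FORWARD -i "$PUBIF" -o "$DMZIF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    "$IPT" -A FORWARD -i "$DMZIF" -o "$PUBIF" -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Lookups the DMZ server itself originates (recursion, zone transfers).
    "$IPT" -A FORWARD -i "$DMZIF" -o "$PUBIF" -p udp --dport 53 -j ACCEPT
    "$IPT" -A FORWARD -i "$DMZIF" -o "$PUBIF" -p tcp --dport 53 -j ACCEPT

    # Hide DMZ addresses behind the public interface for outbound traffic.
    "$IPT" -t nat -A POSTROUTING -o "$PUBIF" -s "$DMZNET" -j MASQUERADE

    # Last rule before the chain policy: log what is about to be dropped,
    # rate-limited, so the dropped packet shows up in the kernel log.
    "$IPT" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD drop: "
}

# Count the stateful FORWARD rules for one direction in the generated
# ruleset ($1 = in-interface, $2 = out-interface); lets a dry run be checked.
count_established() {
    dns_rules | grep -c -- "-A FORWARD -i $1 -o $2 -m state --state RELATED,ESTABLISHED"
}

dns_rules
```

To see which rule is (not) matching on a live box, `iptables -L FORWARD -v -n` shows per-rule packet counters, and the LOG rule above puts the dropped reply in `dmesg` with its source and destination ports. `-m state` is the 2003-era match from the post; on current kernels `-m conntrack --ctstate RELATED,ESTABLISHED` is the equivalent.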

#2 Nerderello (Linux Engineer, joined Apr 2003, North East England, 1,190 posts)
    Can you confirm, from your packet traces, that port 53 is definitely being used (i.e. you're not using a non-standard port)?

    Nerderello

    Use Suse 10.1 and occasionally play with Kubuntu
    Also have Windows 98SE and BeOS
