DNS problems with iptables

[dubman]

I am having a problem with dns lookups on my internal network. When i do a packet trace, incoming dns traffic is being forwarded successfully through my firewall, but the return (outgoing) dns traffic is getting dropped. I know I have dns set up correctly on my DMZ server because I can shut down my firewall and just enable the routing, and everything works fine (after entering some static routes on outside clients to negotiate my disabled nat).

I have the four following statements in my firewall scipt that should allow the dns traffic:

$IPT -A FORWARD -i $PUBIF -o $DMZIF -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPT -A FORWARD -i $DMZIF -o $PUBIF -p udp --dport 53 -j ACCEPT
$IPT -A FORWARD -i $DMZIF -o $PUBIF -p tcp --dport 53 -j ACCEPT

$IPT -t nat -A POSTROUTING -o $PUBIF -s $DMZNET -j MASQUERADE
these are my variables:

$IPT is calling /sbin/iptables
$PUBIF is eth0 which is connected to my cbl modem (WAN)
$DMZIF is eth2 which is connected to my DMZ host
$DMZNET is my DMZ network.

explanation...(i think)
The first statement should only allow "established and related" connections through. I know this is working because I can see the request on the DMZ server when I do a packet trace.

The second statement should allow the return dns traffic through. This is where the packets are getting dropped...I think.
The third statement is configuring my NAT. I know this is working because all of my other services (ftp, web, ssh, etc) are all accessable when my firewall script is running.

I am stuck as to where IPTABLES is breaking...someone please help!!!
--dubman

[Nerderello]

can you confirm, from your packet traces, that port 53 is definately being used (ie. you're not using a non-standard port)

Nerderello