* problem with DNS server behind nat/packet filter
From: enjoy.the.silence @ 2003-05-09 11:45 UTC (permalink / raw)
To: netfilter
Hi,
I've been a user of netfilter/iptables for a short time, and it's always
worked great for me, doing NAT and packet filtering exactly as it should
(thanks a lot to whoever wrote the NAT-HOWTO, by the way :D). Anyway, I'm
experiencing some strange behaviour.
I have a DNATting rule as the following:
iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
where EXTIF (ppp0 - yeah, dialup) and EXTIP (dynamically assigned but
correctly detected) are properly set. Recently I have set up a DNS server,
and I want it to be accessible from the outside. I have used djbdns, and set
it up correctly. The requests are actually received and processed, but the
outgoing packets with the replies are blocked by my packet filter. I have
the following log from dmesg:
IN= OUT=ppp0 SRC=10.0.6.5 DST=80.116.131.210 LEN=68 TOS=0x00 PREC=0x00
TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=4538 LEN=48
10.0.6.5 is the IP which djbdns is running on, and 80... is the IP that made
the request. What is strange is that the packet was trying to go out with
the internal IP! Is this normal? It's been blocked because I have a rule:
iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
Shouldn't the packet's source address have already been changed at this
point? What am I doing wrong? May it be because it's using the UDP protocol?
My NATting rule should work with all protocols, though...
Help me!
Thanks in advance!
Giorgio
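The dmesg line quoted in this message already says which chain logged the packet: IN= is empty and OUT=ppp0, and the LOG target only produces that combination for a packet generated on the firewall itself and logged from the OUTPUT chain (a forwarded packet has both interfaces set; one addressed to the firewall has only IN=). Both filter/OUTPUT and filter/FORWARD run before nat/POSTROUTING, which is where SNAT, and the reverse translation of a DNATed connection's replies, is applied, so a filter rule in either chain always sees the private pre-NAT source. The following is an added example, not code posted in the thread: a POSIX shell decoder for such LOG lines that extracts the fields, names the chain and explains a private source on the external interface. The sample line is the one from the message above joined onto one line; EXTIF=ppp0 is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: decode an iptables LOG line, say
# which filter chain it came from and why a private source can appear there.
EXTIF=${EXTIF:-ppp0}   # assumed external interface

# Constructed sample: the dmesg line from the message above, on one line.
SAMPLE_LOG='IN= OUT=ppp0 SRC=10.0.6.5 DST=80.116.131.210 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=4538 LEN=48'

# log_field LINE KEY: value of "KEY=..." in LINE ("" if the key is empty or
# absent). A space is prepended so a key at the start of the line matches;
# the greedy .* picks the last occurrence, so LEN yields the UDP length.
log_field() {
    printf ' %s\n' "$1" | sed -n 's/.* '"$2"'=\([^ ]*\).*/\1/p'
}

# log_chain LINE: the filter chain the LOG target ran in, from IN=/OUT=.
log_chain() (
    indev=$(log_field "$1" IN)
    outdev=$(log_field "$1" OUT)
    if   [ -z "$indev" ] && [ -n "$outdev" ]; then echo OUTPUT   # generated on this host
    elif [ -n "$indev" ] && [ -z "$outdev" ]; then echo INPUT    # addressed to this host
    elif [ -n "$indev" ] && [ -n "$outdev" ]; then echo FORWARD  # routed through
    else echo UNKNOWN
    fi
)

# is_private ADDR: true for an RFC 1918 address.
is_private() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# explain_log LINE: why a LOG entry on the external interface may show a
# private SRC. filter/OUTPUT and filter/FORWARD both run before
# nat/POSTROUTING, where SNAT (and the reverse mapping of a DNATed
# connection's replies) is applied, so they see the pre-NAT source.
explain_log() (
    chain=$(log_chain "$1")
    src=$(log_field "$1" SRC)
    outdev=$(log_field "$1" OUT)
    if { [ "$chain" = OUTPUT ] || [ "$chain" = FORWARD ]; } \
       && [ "$outdev" = "$EXTIF" ] && is_private "$src"; then
        echo "$chain: SRC=$src is still private because filter/$chain runs before nat/POSTROUTING; match the private address here, SNAT has not happened yet"
    else
        echo "$chain: nothing unusual about SRC=$src"
    fi
)

# Demo on the sample line: sh thisfile.sh demo
case "${1:-}" in demo) explain_log "$SAMPLE_LOG" ;; esac
```

Run it with `demo` to see the verdict for the sample line; feed any other LOG line to `explain_log` to classify it the same way.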
* Re: problem with DNS server behind nat/packet filter
From: Ray Leach @ 2003-05-09 12:06 UTC (permalink / raw)
To: Netfilter Mailing List
Maybe you have a PREROUTING rule that is rewriting the source IP to the
internal IP instead of the external IP.
On Fri, 2003-05-09 at 13:45, enjoy.the.silence@iol.it wrote:
> Hi,
> I've been a user of netfilter/iptables for a short time, and it's always
> worked great for me, doing NAT and packet filtering exactly as it should
> (thanks a lot to whoever wrote the NAT-HOWTO, by the way :D). Anyway, I'm
> experiencing some strange behaviour.
>
> I have a DNATting rule as the following:
> iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
>
> where EXTIF (ppp0 - yeah, dialup) and EXTIP (dynamically assigned but
> correctly detected) are properly set. Recently I have set up a DNS server,
> and I want it to be accessible from the outside. I have used djbdns, and set
> it up correctly. The requests are actually received and processed, but the
> outgoing packets with the replies are blocked by my packet filter. I have
> the following log from dmesg:
> IN= OUT=ppp0 SRC=10.0.6.5 DST=80.116.131.210 LEN=68 TOS=0x00 PREC=0x00
> TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=4538 LEN=48
>
> 10.0.6.5 is the IP which djbdns is running on, and 80... is the IP that made
> the request. What is strange is that the packet was trying to go out with
> the internal IP! Is this normal? It's been blocked because I have a rule:
> iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
>
> Shouldn't the packet's source address have already been changed at this
> point? What am I doing wrong? May it be because it's using the UDP protocol?
> My NATting rule should work with all protocols, though...
>
> Help me!
> Thanks in advance!
> Giorgio
* Re: problem with DNS server behind nat/packet filter
From: enjoy.the.silence @ 2003-05-09 13:48 UTC (permalink / raw)
To: netfilter
I have the following rules in nat/PREROUTING:
Chain PREROUTING (policy ACCEPT 89 packets, 5600 bytes)
 pkts bytes target  prot opt in   out  source    destination
    0     0 DNAT    tcp  --  any  any  anywhere  anywhere     tcp dpt:webcache to:10.0.6.6:80
    0     0 DNAT    tcp  --  any  any  anywhere  anywhere     tcp dpt:domain to:10.0.6.5
    3   193 DNAT    udp  --  any  any  anywhere  anywhere     udp dpt:domain to:10.0.6.5
I guess the third one might be the one that is doing the wrong job.
However, it should only alter incoming packets on port 53 to my external IP
so that they go to the internal box which is running the DNS server. It
should not touch the source address, which will become the destination
address of the DNS replies. Or am I wrong?
Thanks for now!
* Re: problem with DNS server behind nat/packet filter
From: Myles Uyema @ 2003-05-09 15:04 UTC (permalink / raw)
To: enjoy.the.silence; +Cc: netfilter
Quite possible. For PREROUTING DNAT stuff, I generally recommend
specifying -i ppp0 to narrow the rule down even further. That way only
DNS requests coming in through the PPP interface get DNAT'ed.
Do you have any other POSTROUTING rules?
On Fri, 9 May 2003 enjoy.the.silence@iol.it wrote:
> I have the following rules in nat/PREROUTING:
> Chain PREROUTING (policy ACCEPT 89 packets, 5600 bytes)
>  pkts bytes target  prot opt in   out  source    destination
>     0     0 DNAT    tcp  --  any  any  anywhere  anywhere     tcp dpt:webcache to:10.0.6.6:80
>     0     0 DNAT    tcp  --  any  any  anywhere  anywhere     tcp dpt:domain to:10.0.6.5
>     3   193 DNAT    udp  --  any  any  anywhere  anywhere     udp dpt:domain to:10.0.6.5
> I guess the third one might be the one that is doing the wrong job.
> However, it should only alter incoming packets on port 53 to my external IP
> so that they go to the internal box which is running the DNS server. It
> should not touch the source address, which will become the destination
> address of the DNS replies. Or am I wrong?
> Thanks for now!
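The suggestion above in working form, as an added example that is not part of the thread: a small POSIX shell script with the DNAT rule as listed (no input interface) beside the narrowed one (-i $EXTIF only), plus the source NAT and FORWARD rules for the same setup. The interface and address values are assumptions (EXTIF=ppp0, INTIF=eth0, INTNET=10.0.6.0/24, DNSHOST=10.0.6.5 for the djbdns box on the LAN); MASQUERADE is used in place of SNAT --to $EXTIP because it follows a dynamically assigned address by itself, and the FORWARD rules match the private addresses because filter/FORWARD runs before nat/POSTROUTING. Run it with `show` to print the commands without touching the kernel, or as root with `apply`.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed values for the setup in
# the messages above; override any of them in the environment.
IPT=${IPT:-iptables}          # set IPT=print_cmd for a dry run
EXTIF=${EXTIF:-ppp0}          # dial-up link, dynamic address
INTIF=${INTIF:-eth0}          # LAN side
INTNET=${INTNET:-10.0.6.0/24} # LAN
DNSHOST=${DNSHOST:-10.0.6.5}  # djbdns box on the LAN

# Dry-run stand-in for iptables: print the command line instead of running it.
print_cmd() { printf '%s ' "$@"; printf '\n'; }

# The UDP rule as listed in the message above: no input interface, so a query
# to port 53 arriving from *any* side, the LAN included, is redirected.
dnat_as_posted() {
    $IPT -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination "$DNSHOST"
}

# Narrowed as suggested: only queries that came in on the dial-up link.
dnat_narrowed() {
    $IPT -t nat -A PREROUTING -i "$EXTIF" -p udp --dport 53 -j DNAT --to-destination "$DNSHOST"
    $IPT -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 53 -j DNAT --to-destination "$DNSHOST"
}

setup_rules() {
    dnat_narrowed
    # nat/POSTROUTING is the last hook a packet passes. MASQUERADE uses the
    # link's current address, so EXTIP need not be re-detected after a redial.
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -s "$INTNET" -j MASQUERADE

    # filter/FORWARD runs *before* nat/POSTROUTING: a DNS reply leaving DNSHOST
    # still has SRC=$DNSHOST here, so match the private addresses, not EXTIP.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -p udp -d "$DNSHOST" --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$DNSHOST" --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INTNET" -j ACCEPT
    # Whatever reaches here is dropped by the policy; log it first so that a
    # mis-sourced packet shows up in dmesg with IN= and OUT= filled in.
    $IPT -A FORWARD -j LOG --log-prefix "FWD-DROP: "
}

case "${1:-}" in
    apply) setup_rules ;;
    show)  IPT=print_cmd
           echo "# as posted:"; dnat_as_posted
           echo "# narrowed, with the rest of the ruleset:"; setup_rules ;;
    *)     echo "usage: $0 show|apply" >&2 ;;
esac
```

With the narrowed rule, a LAN host (or the firewall itself) talking to port 53 on the firewall's internal address is no longer redirected, and the PREROUTING counters only ever count queries that really came in over ppp0, which makes the listing far easier to read when something goes wrong.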