From: Steve Snodgrass <ssnodgra@pheran.com>
To: netfilter@lists.netfilter.org
Subject: Disappearing DNS packets
Date: Fri, 13 Dec 2002 12:05:03 -0500
Message-ID: <20021213120503.A8206@cruncher.pheran.com>

I'm having a very strange problem and I was hoping that maybe someone has
seen this before.  Note that IP addresses have been sanitized.

I have a Red Hat 7.3 firewall using iptables 1.2.5 and kernel 2.4.18-10
separating two subnets.  The eth0 subnet contains a DNS server and the eth1
subnet contains a DNS client.  The firewall uses connection tracking and the
ruleset permits DNS queries from the client to the server.

192.168.10.20 ------ eth0-FIREWALL-eth1 ------ 192.168.3.8
DNS Server                                     DNS Client

Rule fragment from FORWARD chain:
ACCEPT   all  --  0.0.0.0/0     0.0.0.0/0        state RELATED,ESTABLISHED 
LOG      udp  --  192.168.3.8   192.168.10.20    udp dpt:53 LOG flags 0 level 4 
ACCEPT   udp  --  192.168.3.8   192.168.10.20    udp dpt:53 

The DNS client box is running squid, which happens to generate pairs of
similar DNS queries for some reason.  What is happening is that *one* of
the two queries gets dropped most of the time as it crosses the firewall.
Observe these tcpdumps:

firewall# tcpdump -i eth1 host 192.168.3.8 and port 53
tcpdump: listening on eth1
11:54:15.132008 192.168.3.8.32772 > 192.168.10.20.domain:  18+ A? www.google.com. (32) (DF)
11:54:15.132034 192.168.3.8.32772 > 192.168.10.20.domain:  19+ A? www.google.com. (32) (DF)
11:54:15.171377 192.168.10.20.domain > 192.168.3.8.32772:  18 1/4/2 A www.google.com (152) (DF)

firewall# tcpdump -i eth0 host 192.168.3.8 and port 53
tcpdump: listening on eth0
11:54:15.156014 192.168.3.8.32772 > 192.168.10.20.domain:  18+ A? www.google.com. (32) (DF)
11:54:15.171337 192.168.10.20.domain > 192.168.3.8.32772:  18 1/4/2 A www.google.com (152) (DF)

Note that the DNS query with query ID 19 has disappeared somewhere between
coming into eth1 and exiting eth0.

The logging rule I have in iptables does show both of those packets right
before they hit the ACCEPT rule:

IN=eth1 OUT=eth0 SRC=192.168.3.8 DST=192.168.10.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=32772 DPT=53 LEN=40 
IN=eth1 OUT=eth0 SRC=192.168.3.8 DST=192.168.10.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=32772 DPT=53 LEN=40 

I'm kind of at a loss here, does anyone have any idea what could be going on?
I'll be happy to provide any additional info that I can.  Thanks!

-- 
Steve Snodgrass * ssnodgra@pheran.com * Network and Unix Guru(?) at Large
Geek Code: GCS d? s: a C++ U++++$ P+++ L++ w PS+ 5++ b++ DI+ D++ e++ r+++ y+*
"If you want to be somebody else, change your mind."  -Sister Hazel
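
As an added example (not part of the post above), a small Python helper that does the cross-interface check described in the message mechanically: it pulls the DNS query IDs out of tcpdump summary lines captured on the ingress and egress interfaces, reports IDs that entered the firewall but never left, and uses the iptables LOG count to say whether the loss occurred before or after the LOG rule. The capture and LOG lines are the ones quoted in the post; the function names are my own.

```python
import re

# Lines quoted in the post: queries entering on eth1, what left on eth0, and the LOG output.
ETH1_CAPTURE = """\
11:54:15.132008 192.168.3.8.32772 > 192.168.10.20.domain:  18+ A? www.google.com. (32) (DF)
11:54:15.132034 192.168.3.8.32772 > 192.168.10.20.domain:  19+ A? www.google.com. (32) (DF)
11:54:15.171377 192.168.10.20.domain > 192.168.3.8.32772:  18 1/4/2 A www.google.com (152) (DF)
"""
ETH0_CAPTURE = """\
11:54:15.156014 192.168.3.8.32772 > 192.168.10.20.domain:  18+ A? www.google.com. (32) (DF)
11:54:15.171337 192.168.10.20.domain > 192.168.3.8.32772:  18 1/4/2 A www.google.com (152) (DF)
"""
LOG_LINES = """\
IN=eth1 OUT=eth0 SRC=192.168.3.8 DST=192.168.10.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=32772 DPT=53 LEN=40
IN=eth1 OUT=eth0 SRC=192.168.3.8 DST=192.168.10.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=32772 DPT=53 LEN=40
"""

# tcpdump DNS summary: "<ts> <src> > <dst>:  <id>+ <qtype>? <name>. (<len>)".
# The '+' after the ID marks a query with recursion desired; replies ("18 1/4/2 ...") have none,
# so this pattern deliberately matches queries only.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<id>\d+)\+\s+(?P<qtype>\S+)\?\s+(?P<name>\S+)"
)

def parse_queries(capture):
    """Map DNS query ID -> (timestamp, queried name) for every query line in a capture."""
    queries = {}
    for line in capture.splitlines():
        m = QUERY_RE.match(line)
        if m:
            queries[int(m.group("id"))] = (m.group("ts"), m.group("name"))
    return queries

def lost_in_transit(ingress, egress):
    """Query IDs seen entering the box that never appeared on the egress interface."""
    return sorted(set(parse_queries(ingress)) - set(parse_queries(egress)))

def drop_stage(ingress, log_text, egress):
    """Place the loss relative to the LOG rule: the LOG line carries no DNS ID, so compare counts."""
    n_in = len(parse_queries(ingress))
    n_logged = sum(1 for l in log_text.splitlines() if "PROTO=UDP" in l and "DPT=53" in l)
    n_out = len(parse_queries(egress))
    if n_in == n_out:
        return "no loss"
    # Every ingress query was logged but fewer left: the drop happened after LOG (ACCEPT or later).
    return "after LOG rule" if n_logged >= n_in else "before LOG rule"
```

On the post's data this reports query ID 19 as lost and places the drop after the LOG rule, which is the same conclusion the author reached by reading the captures by hand.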

