* firewalled dns clients
@ 2003-11-07 3:49 Fritz Mesedilla
2003-11-07 4:46 ` Alistair Tonner
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Fritz Mesedilla @ 2003-11-07 3:49 UTC (permalink / raw)
To: Netfilter Mailing List (E-mail)
Greetings!
Thanks to all of your help I was able to create a safe network behind an iptables firewall.
Now I need help again.
How do I let the workstations do an nslookup?
             Internet
                 |
                 |
             Firewall
                 |
                 |
  -------------------------------
     |           |           |
     |           |           |
workstation workstation workstation
From their Windows workstations, I want to be able to let them perform an nslookup.
I tried this and nothing happened.
$IPTABLES -A INPUT -p tcp --sport 53 -j ACCEPT
even a
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
Do I need a nat?
Cheers,
fritz <www.mesedilla.com>
---
+ Basta Ikaw Lord
----------------------------------------------------------------------
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the sender immediately by e-mail and delete this e-mail from your
system. Please note that any views or opinions presented in this
email are solely those of the author and do not necessarily represent
those of the company. Finally, the recipient should check this email
and any attachments for the presence of viruses. The company accepts
no liability for any damage caused by any virus transmitted by this
email.
Overture Media, Inc.
Direct Line: (632) 635-4785
Trunkline: (632) 631-8971 Local 146
Fax: (632) 637-2206
Level 1 Summit Media Offices, Robinsons Galleria EDSA Cor. Ortigas Ave., Quezon City 1100
* Re: firewalled dns clients
From: Alistair Tonner @ 2003-11-07 4:46 UTC (permalink / raw)
To: Fritz Mesedilla, Netfilter Mailing List (E-mail)
On November 6, 2003 10:49 pm, Fritz Mesedilla wrote:
> Greetings!
> Thanks to all of your help I was able to create a safe network behind an
> iptables firewall. Now I need help again.
> How do I let the workstations do an nslookup?
>
>              Internet
>                  |
>                  |
>              Firewall
>                  |
>                  |
>   -------------------------------
>      |           |           |
>      |           |           |
> workstation workstation workstation
>
> From their Windows workstations, I want to be able to let them perform an
> nslookup.
>
> I tried this and nothing happened.
> $IPTABLES -A INPUT -p tcp --sport 53 -j ACCEPT
> even a
> $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
>
> Do I need a nat?
>
You may need to include udp port 53 access for the clients.
Is your DNS server on the iptables firewall box?
If not, the above rules aren't gonna help.
You need to allow 53 to the DNS server -- if you are using external DNS you
need to allow the ports through the FORWARD chain.
--
Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS
Any sufficiently advanced technology will have the appearance of magic.
Let's get magical!
* RE: firewalled dns clients
From: Fritz Mesedilla @ 2003-11-07 5:05 UTC (permalink / raw)
To: Alistair, Netfilter Mailing List (E-mail)
No, I don't have a DNS server. I want them to be able to access the ISP's DNS.
I guess I have to forward them.
Thanks.
Cheers,
fritz <www.mesedilla.com>
---
+ Basta Ikaw Lord
* Re: firewalled dns clients
From: Goetz Bock @ 2003-11-07 10:24 UTC (permalink / raw)
To: Netfilter Mailing List (E-mail)
On Fri, Nov 07 '03 at 11:49, Fritz Mesedilla wrote:
> From their Windows workstations, I want to be able to let them perform an nslookup.
>
> I tried this and nothing happened.
> $IPTABLES -A INPUT -p tcp --sport 53 -j ACCEPT
> even a
> $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
nslookup/DNS needs UDP, too. And you must use the FORWARD chain if you
don't run the DNS server on the firewall.
What about having a look at the rules produced by some of the
firewall generation scripts, e.g. FireHOL (-> firehol.sf.net)?
--
/"\ Goetz Bock at blacknet dot de -- secure mobile Linux everNETting
\ / (c) 2003 as GNU FDL 1.1
X [ 1. Use descriptive subjects - 2. Edit a reply for brevity - ]
/ \ [ 3. Reply to the list - 4. Read the archive *before* you post ]
* Re: firewalled dns clients
From: Chris Brenton @ 2003-11-07 10:33 UTC (permalink / raw)
To: Fritz Mesedilla; +Cc: Netfilter Mailing List (E-mail)
On Thu, 2003-11-06 at 22:49, Fritz Mesedilla wrote:
>
> I tried this and nothing happened.
> $IPTABLES -A INPUT -p tcp --sport 53 -j ACCEPT
> even a
> $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
Try:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source x.x.x.x
iptables -A FORWARD -p udp -i eth1 -s y.y.y.y -d 0/0 --dport 53 -j ACCEPT
iptables -A FORWARD -p tcp -i eth1 -s y.y.y.y -d 0/0 --dport 53 -j ACCEPT
x.x.x.x = Firewall's legal external IP address
y.y.y.y = internal private subnet
eth0 = external interface (change to eth1 if needed)
eth1 = internal interface (change to eth0 if needed)
HTH,
C
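The rules in Chris's reply, written out as an added example (not part of the thread) and extended into a complete egress policy for this topology: a conntrack rule lets the replies back through FORWARD so no inbound "--sport 53" rule is needed, both UDP and TCP are allowed as Alistair and Goetz point out, and the destination is narrowed from 0/0 to the ISP's resolvers, with anything else on port 53 logged and dropped. The subnet, interfaces, public address and resolver IPs are assumed placeholders from the documentation ranges; with IPTABLES left unset the script only prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values (documentation ranges):
# LAN 192.168.1.0/24 on eth1, public side eth0 with 203.0.113.10,
# ISP resolvers 198.51.100.53 and 198.51.100.54.
IPTABLES=${IPTABLES:-echo iptables}   # set IPTABLES=iptables (as root) to apply for real

LAN_NET=192.168.1.0/24
LAN_IF=eth1
WAN_IF=eth0
WAN_IP=203.0.113.10
ISP_DNS="198.51.100.53 198.51.100.54"

dns_rules() {
    # Nothing is forwarded unless a rule below allows it
    $IPTABLES -P FORWARD DROP
    # Hide the private subnet behind the firewall's public address on the way out
    $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"
    # Replies traverse FORWARD too; one state rule covers the return half of
    # every permitted flow, so no "--sport 53" hole is opened toward the LAN
    # (-m state is the 2003-era spelling; -m conntrack --ctstate is the modern one)
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New queries: only from the LAN, only to the ISP resolvers, over UDP and
    # TCP (TCP carries answers too large for a single UDP datagram)
    for ns in $ISP_DNS; do
        for proto in udp tcp; do
            $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p "$proto" -s "$LAN_NET" \
                -d "$ns" --dport 53 -m state --state NEW -j ACCEPT
        done
    done
    # A client pointed at some other resolver shows up in the kernel log
    # with this prefix before the chain policy drops it
    $IPTABLES -A FORWARD -i "$LAN_IF" -p udp --dport 53 -j LOG --log-prefix "DNS-EGRESS-DENY: "
    $IPTABLES -A FORWARD -i "$LAN_IF" -p tcp --dport 53 -j LOG --log-prefix "DNS-EGRESS-DENY: "
}

dns_rules
```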
* RE: firewalled dns clients
From: Fritz Mesedilla @ 2003-11-10 5:01 UTC (permalink / raw)
To: Chris Brenton; +Cc: Netfilter Mailing List (E-mail)
Thanks Goetz and Chris!
I'll try that now. Sorry for the late reply. Just got in the office.
Cheers,
fritz <www.mesedilla>
---
+ Basta Ikaw Lord