* unsubscribe telefon jackfritt@boh.de
2003-01-13 11:52 DNS Mattia Martinello
@ 2003-01-13 16:10 ` Jörg Esser
2003-01-13 22:21 ` DNS Peter Johnson
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Jörg Esser @ 2003-01-13 16:10 UTC (permalink / raw)
Cc: netfilter
* Re: DNS
From: Peter Johnson @ 2003-01-13 22:21 UTC
To: netfilter
I am experiencing a similar sort of thing, I am using the 2.4.20 kernel.
I put logging everywhere and also tcpdumped my interfaces and what I
found was that as soon as the PREROUTING DNAT rule was reached the
packet disappeared. It was not forwarded and certainly didn't reach the
internal server.
My rules are (I am trying HTTP, "dot" is my public interface):
$IPTABLES -t nat -A PREROUTING -i dot -p tcp --dport 80 -j DNAT --to 192.168.1.1:80
and
$IPTABLES -t filter -A FORWARD -i dot -o eth1 -p tcp --dport 80 -j ACCEPT
I look forward to hearing any advice to further debug this situation or
if the solution is obvious then please let me (us) know.
btw. I am forwarding local traffic out successfully.
Regards,
Peter Johnson
On Mon, 2003-01-13 at 22:52, Mattia Martinello wrote:
> Hi all
>
> I wish to open DNS connections and redirect them from the gateway and the
> server on the DMZ.
> I tried these rules:
>
> iptables -t nat -A PREROUTING -p tcp -i ppp0 -d [public IP] --dport 53 -j DNAT --to [private IP]:53
> iptables -A FORWARD -i ppp0 -d [private IP] -p tcp --dport 53 -j ACCEPT
>
> iptables -t nat -A PREROUTING -p udp -i ppp0 -d [public IP] --dport 53 -j DNAT --to [private IP]:53
> iptables -A FORWARD -i ppp0 -d [private IP] -p tcp --dport 53 -j ACCEPT
>
> But if I try to query my DNS server from the Internet my query times
> out.
> The connections between [private IP] and the Internet are allowed (all
> other services work well without any problem; the only service that gives
> me some problems is DNS).
>
> What do I have to open to allow DNS connections from the gateway and the DMZ?
>
> Thank you very much
> Bye
> Mattia
>
>
--
Give a man a fish and you feed him for a day. Teach him to use the Net
and he won't bother you for weeks.
* Re: DNS
From: Joel Newkirk @ 2003-01-13 22:30 UTC
To: Mattia Martinello, netfilter
On Monday 13 January 2003 06:52 am, Mattia Martinello wrote:
> Hi all
>
> I wish to open DNS connections and redirect them from the gateway and
> the server on the DMZ.
> I tried these rules:
>
> iptables -t nat -A PREROUTING -p tcp -i ppp0 -d [public IP] --dport 53 -j DNAT --to [private IP]:53
> iptables -A FORWARD -i ppp0 -d [private IP] -p tcp --dport 53 -j ACCEPT
>
> iptables -t nat -A PREROUTING -p udp -i ppp0 -d [public IP] --dport 53 -j DNAT --to [private IP]:53
> iptables -A FORWARD -i ppp0 -d [private IP] -p tcp --dport 53 -j ACCEPT
Do you also have a FORWARD rule ACCEPTing UDP port 53? It may be a typo
in the mail, but your FORWARD rules are both for TCP here...
BTW, the :53 in the DNAT destination is unnecessary, it will keep the
same port unless you specify something different. Not an issue, just a
comment. :^)
j
> But if I try to query my DNS server from the Internet my query times
> out.
> The connections between [private IP] and the Internet are allowed (all
> other services work well without any problem; the only service that
> gives me some problems is DNS).
>
> What do I have to open to allow DNS connections from the gateway and the
> DMZ?
>
> Thank you very much
> Bye
> Mattia
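The mismatch Joel and Tarek spot by eye (a UDP DNAT whose FORWARD rule only ACCEPTs TCP) is easy to check mechanically. The following checker is added here and is not code from anyone in the thread: it parses a list of iptables commands and reports every nat/PREROUTING DNAT that has no filter/FORWARD ACCEPT for the same protocol, translated port and translated address. The sample rule set is the original post's, with constructed addresses (203.0.113.10 public, 192.168.10.5 private) standing in for the bracketed placeholders.

```python
import shlex

# Constructed sample: the rule set from the original post, with the bracketed
# placeholders replaced by made-up addresses. The last line carries the bug.
RULES = """
iptables -t nat -A PREROUTING -p tcp -i ppp0 -d 203.0.113.10 --dport 53 -j DNAT --to 192.168.10.5:53
iptables -A FORWARD -i ppp0 -d 192.168.10.5 -p tcp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i ppp0 -d 203.0.113.10 --dport 53 -j DNAT --to 192.168.10.5:53
iptables -A FORWARD -i ppp0 -d 192.168.10.5 -p tcp --dport 53 -j ACCEPT
"""

def parse_rule(line):
    """Pull table, chain, protocol, port, target and addresses out of one
    iptables command line (only the options this check needs)."""
    argv = shlex.split(line)
    rule = {"table": "filter", "chain": None, "proto": None, "dport": None,
            "target": None, "to": None, "dst": None}
    keys = {"-t": "table", "-A": "chain", "-I": "chain", "-p": "proto",
            "--dport": "dport", "-j": "target", "-d": "dst",
            "--to": "to", "--to-destination": "to"}
    i = 1
    while i < len(argv):
        if argv[i] in keys and i + 1 < len(argv):
            rule[keys[argv[i]]] = argv[i + 1]
            i += 2
        else:
            i += 1  # flag or option this check does not model; skip it
    return rule

def missing_forward_rules(text):
    """Return (proto, port, address) triples that are DNATed in nat/PREROUTING
    but have no matching ACCEPT in filter/FORWARD for the translated packet."""
    rules = [parse_rule(l) for l in text.strip().splitlines() if l.strip()]
    accepted = {(r["proto"], r["dport"], r["dst"]) for r in rules
                if r["table"] == "filter" and r["chain"] == "FORWARD"
                and r["target"] == "ACCEPT"}
    missing = []
    for r in rules:
        if (r["table"], r["chain"], r["target"]) != ("nat", "PREROUTING", "DNAT"):
            continue
        ip, _, port = r["to"].partition(":")  # IPv4 only; "--to addr" keeps the port
        port = port or r["dport"]
        # A FORWARD rule with no -d (dst None) matches any destination address.
        if (r["proto"], port, ip) not in accepted and (r["proto"], port, None) not in accepted:
            missing.append((r["proto"], port, ip))
    return missing

if __name__ == "__main__":
    for proto, port, ip in missing_forward_rules(RULES):
        print(f"DNAT to {ip}:{port}/{proto} has no FORWARD ACCEPT rule")
```

Run against the sample it reports only the UDP entry; changing the last FORWARD rule to `-p udp` makes the report empty.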
* unsubscribe telefon jackfritt@boh.de
From: Jörg Esser @ 2003-01-15 8:13 UTC
To: netfilter
* Re: DNS
From: Tarek W. @ 2003-02-12 9:06 UTC
To: netfilter
Your second FORWARD rule matches TCP connections when it should match UDP.
On Mon, 2003-01-13 at 09:52, Mattia Martinello wrote:
> Hi all
>
> I wish to open DNS connections and redirect them from the gateway and the
> server on the DMZ.
> I tried these rules:
>
> iptables -t nat -A PREROUTING -p tcp -i ppp0 -d [public IP] --dport 53 -j DNAT --to [private IP]:53
> iptables -A FORWARD -i ppp0 -d [private IP] -p tcp --dport 53 -j ACCEPT
>
> iptables -t nat -A PREROUTING -p udp -i ppp0 -d [public IP] --dport 53 -j DNAT --to [private IP]:53
> iptables -A FORWARD -i ppp0 -d [private IP] -p tcp --dport 53 -j ACCEPT
>
> But if I try to query my DNS server from the Internet my query times
> out.
> The connections between [private IP] and the Internet are allowed (all
> other services work well without any problem; the only service that gives
> me some problems is DNS).
>
> What do I have to open to allow DNS connections from the gateway and the DMZ?
>
> Thank you very much
> Bye
> Mattia
>
>