* nat of all local dns-request to my own server
@ 2005-04-10 12:48 Philipp Päper
2005-04-10 19:59 ` Grant Taylor
0 siblings, 1 reply; 2+ messages in thread
From: Philipp Päper @ 2005-04-10 12:48 UTC (permalink / raw)
To: netfilter
Hello,
I am a network admin of a small dormitory in Germany (FH-Suderburg).
Until now we had 1 server. This server was a
router, webserver, DNS, firewall. Now we have a second server. Both servers
are running under Debian/sarge. The old server is now only router
+ firewall. The problem is that I don't want to tell everyone that
he/she has to change the DNS server. So I thought that I can redirect
every DNS request to the new server. My NAT rules for external
connections (http, smtp) are working.
Network plan:
internet
|
|
router ---- server (DNS + HTTP + EMail)
|
|
intranet
router: intern: eth0 - 192.168.112.1, extern: eth1 - 193.x.x.251, dmz:
eth2 - 10.0.0.1
server: eth0: 10.0.0.2
Here are the rules I tried the last time:
EXT=eth1
EXT_IP=193.x.x.251
EXT_NET=193.x.x.0/24
DMZ=eth2
DMZ_IP=10.0.0.1
DMZ_NET=10.0.0.1/30
INT=eth0
INT_IP=192.168.112.1
INT_NET=192.168.112.0/24
SERVER_DMZ=10.0.0.2
iptables -t nat -A PREROUTING -i $INT -p tcp --dport 53 -j DNAT --to-destination $SERVER_DMZ
iptables -t nat -A POSTROUTING -o $INT -s $SERVER_DMZ -p tcp --dport 53 -j SNAT --to-source $INT_IP
iptables -A FORWARD -i $INT -m state --state NEW -p tcp -d $SERVER_DMZ --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -i $INT -p udp --dport 53 -j DNAT --to-destination $SERVER_DMZ
iptables -t nat -A POSTROUTING -o $INT -s $SERVER_DMZ -p udp --dport 53 -j SNAT --to-source $INT_IP
iptables -A FORWARD -i $INT -m state --state NEW -p udp -d $SERVER_DMZ --dport 53 -j ACCEPT
greets
Philipp Päper
* Re: nat of all local dns-request to my own server
2005-04-10 12:48 nat of all local dns-request to my own server Philipp Päper
@ 2005-04-10 19:59 ` Grant Taylor
0 siblings, 0 replies; 2+ messages in thread
From: Grant Taylor @ 2005-04-10 19:59 UTC (permalink / raw)
To: Philipp Päper; +Cc: netfilter
What you are asking for sounds simple enough. Though as I read your script below I see a few things that differ from what I would do. I would use something along these lines:
EXT=eth1
EXT_IP=193.x.x.251
EXT_NET=193.x.x.0/24
DMZ=eth2
DMZ_IP=10.0.0.1
DMZ_NET=10.0.0.1/30
INT=eth0
INT_IP=192.168.112.1
INT_NET=192.168.112.0/24
SERVER_DMZ=10.0.0.2
iptables -t nat -A PREROUTING -i $INT -s $INT_NET -d $INT_IP -p tcp --dport 53 -j DNAT --to-destination $SERVER_DMZ
iptables -t nat -A PREROUTING -i $INT -s $INT_NET -d $INT_IP -p udp --dport 53 -j DNAT --to-destination $SERVER_DMZ
iptables -t nat -A POSTROUTING -o $DMZ -s $INT_NET -d $SERVER_DMZ -p tcp --dport 53 -j SNAT --to-source $DMZ_IP
iptables -t nat -A POSTROUTING -o $DMZ -s $INT_NET -d $SERVER_DMZ -p udp --dport 53 -j SNAT --to-source $DMZ_IP
iptables -t filter -A FORWARD -i $INT -o $DMZ -s $INT_NET -d $SERVER_DMZ -p tcp -m state --state NEW -j ACCEPT
iptables -t filter -A FORWARD -i $DMZ -o $INT -s $SERVER_DMZ -d $INT_NET -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i $INT -o $DMZ -s $INT_NET -d $SERVER_DMZ -p udp -j ACCEPT
iptables -t filter -A FORWARD -i $DMZ -o $INT -s $SERVER_DMZ -d $INT_NET -p udp -j ACCEPT
Something to keep in mind is that UDP does not have states like TCP does, so you can't do a stateful match against it. What this will effectively do is take any TCP and UDP traffic coming in the $INT interface destined to the $INT_IP on port 53, DNAT it to the $SERVER_DMZ and, last but not least, SNAT the traffic so as to appear as if it is coming from the firewall + router itself to the new server $SERVER_DMZ. The reason you want the traffic to appear as if it is coming from the firewall itself is because if it responds directly to the clients making the DNS query, the traffic will appear to be coming from an IP that the clients have not been communicating with. Keep in mind that the clients are sending the DNS query to $INT_IP and they would get a response from $SERVER_DMZ, which are not the same.
Grant. . . .
> networkplan:
>
> internet
> |
> |
> router ---- server (DNS + HTTP + EMail)
> |
> |
> intranet
>
> router: intern: eth0 - 192.168.112.1, extern: eth1 - 193.x.x.251, dmz:
> eth2 - 10.0.0.1
> server: eth0: 10.0.0.2
>
> here are the rule i tried the last time:
>
> EXT=eth1
> EXT_IP=193.x.x.251
> EXT_NET=193.x.x.0/24
> DMZ=eth2
> DMZ_IP=10.0.0.1
> DMZ_NET=10.0.0.1/30
> INT=eth0
> INT_IP=192.168.112.1
> INT_NET=192.168.112.0/24
>
> SERVER_DMZ=10.0.0.2
>
> iptables -t nat -A PREROUTING -i $INT -p tcp --dport 53 -j DNAT --to-destination $SERVER_DMZ
> iptables -t nat -A POSTROUTING -o $INT -s $SERVER_DMZ -p tcp --dport 53 -j SNAT --to-source $INT_IP
> iptables -A FORWARD -i $INT -m state --state NEW -p tcp -d $SERVER_DMZ --dport 53 -j ACCEPT
> iptables -t nat -A PREROUTING -i $INT -p udp --dport 53 -j DNAT --to-destination $SERVER_DMZ
> iptables -t nat -A POSTROUTING -o $INT -s $SERVER_DMZ -p udp --dport 53 -j SNAT --to-source $INT_IP
> iptables -A FORWARD -i $INT -m state --state NEW -p udp -d $SERVER_DMZ --dport 53 -j ACCEPT
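The packet walk Grant describes (DNAT in PREROUTING, SNAT in POSTROUTING, and conntrack undoing both on the reply) can be traced with a small model. The following script is an added example written for this page, not code from either poster; it uses the addresses from the thread, a constructed client address 192.168.112.5, and a deliberately simplified conntrack table keyed on the full 5-tuple. It compares Grant's DNAT+SNAT rule set with a DNAT-only rule set, including the case where the server has a route back to the client that does not pass through the router, and checks each outcome against what a stub resolver accepts: an answer must come from the address and port the query was sent to.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional

# Addresses taken from the thread; the client address is constructed for the demo.
INT_IP = "192.168.112.1"      # router, internal side (the DNS address clients already use)
DMZ_IP = "10.0.0.1"           # router, DMZ side
SERVER_DMZ = "10.0.0.2"       # new DNS server in the DMZ
CLIENT = "192.168.112.5"      # constructed: a dormitory PC


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Packet":
        """The tuple a direct reply to this packet carries."""
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)


class NatRouter:
    """Models PREROUTING DNAT, POSTROUTING SNAT and conntrack's reverse mapping."""

    def __init__(self, dnat_to: str, snat_to: Optional[str]):
        self.dnat_to = dnat_to
        self.snat_to = snat_to      # None models a rule set with no SNAT at all
        # original (pre-NAT) tuple -> translated tuple, as conntrack remembers it
        self.conntrack: Dict[Packet, Packet] = {}

    def forward(self, pkt: Packet) -> Packet:
        """Client-to-server direction through the router."""
        original = pkt
        # PREROUTING: -d $INT_IP --dport 53 -j DNAT --to-destination $SERVER_DMZ
        if pkt.dport == 53 and pkt.dst == INT_IP:
            pkt = replace(pkt, dst=self.dnat_to)
        # POSTROUTING: -d $SERVER_DMZ --dport 53 -j SNAT --to-source $DMZ_IP
        if self.snat_to and pkt.dst == self.dnat_to and pkt.dport == 53:
            pkt = replace(pkt, src=self.snat_to)
        self.conntrack[original] = pkt
        return pkt

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Server-to-client direction: conntrack undoes both translations."""
        for original, translated in self.conntrack.items():
            if pkt == translated.reverse():
                return original.reverse()
        return None     # unknown connection: nothing to untranslate


def resolver_accepts(query: Packet, answer: Packet) -> bool:
    """A stub resolver discards answers not from the address/port it queried."""
    return (answer.src, answer.sport, answer.dst, answer.dport) == (
        query.dst, query.dport, query.src, query.sport)


def run_query(router: NatRouter, server_can_reach_client_directly: bool = False):
    """Send one UDP DNS query and return (query, what the server saw, what the client got)."""
    query = Packet("udp", CLIENT, 40000, INT_IP, 53)
    at_server = router.forward(query)
    server_answer = at_server.reverse()     # the server answers whoever it saw asking
    if server_can_reach_client_directly and server_answer.dst == CLIENT:
        at_client = server_answer           # reply bypasses the router's NAT table
    else:
        at_client = router.reply(server_answer)
    return query, at_server, at_client


if __name__ == "__main__":
    cases = [
        ("DNAT + SNAT, reply via router", NatRouter(SERVER_DMZ, DMZ_IP), False),
        ("DNAT + SNAT, server has direct route", NatRouter(SERVER_DMZ, DMZ_IP), True),
        ("DNAT only, reply via router", NatRouter(SERVER_DMZ, None), False),
        ("DNAT only, server has direct route", NatRouter(SERVER_DMZ, None), True),
    ]
    for name, router, direct in cases:
        q, s, c = run_query(router, direct)
        print(f"{name}: server saw query from {s.src}, client got answer from "
              f"{c.src}:{c.sport}, accepted={resolver_accepts(q, c)}")
```

Once the query is SNATed to $DMZ_IP the server can only answer the router, so the reply always passes back through conntrack and reaches the client from $INT_IP:53, whatever routes the server has. With DNAT alone the outcome depends on the return path: conntrack still reverses the DNAT when the reply crosses the router, but a reply that reaches the client by another route arrives from $SERVER_DMZ and is discarded by the resolver.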