From: iptables-user@lists.theorb.net
To: netfilter@lists.netfilter.org
Subject: how to let recursive nameserver through
Date: Thu, 20 Oct 2005 12:50:38 -0700
Message-ID: <4357F50E.20907@lists.theorb.net>

Hi all,

I have a 3-leg router/firewall and would like to run a recursive caching
nameserver (djb's dnscache) on it, but can't figure out how to get it
past the firewall to query upstream nameservers.

eth0 : lan
eth1 : wan which connects to default gateway to internet
eth2 : dmz (10.0.0.1 for 10.0.0.0/24)

dnscache is running on ip 10.0.0.1 on eth2.  If it cannot resolve the
query from a local (inside) authority it must go outside and begin by
querying the root-servers via eth1.  This is where it fails.

If I run dnscache on a machine attached to eth2, requests are FORWARDED
from eth2 to eth1, then via the gateway, and all is well; however, when
run ON eth2, outbound traffic is blocked.

Default policies are INPUT:DROP, FORWARD:DROP, OUTPUT:ACCEPT.

I can't even figure out where to try to put a rule for this, or how to
write it.  Since it's an address ON the router, it wouldn't be on the
FORWARD chain, right?

I'm totally baffled.  Anybody have any ideas where to begin debugging this?

Thanks for any help.
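The following is an added example, not part of the original post or of the reply in the thread. It illustrates the chain the poster is looking for: a query sent by a resolver running on the router leaves through OUTPUT (policy ACCEPT, so it already gets out), but the upstream server's answer is addressed to the router itself, so it arrives on INPUT, not FORWARD, where the DROP policy discards it. The interface names (eth1 upstream, eth2 DMZ) and the 10.0.0.1 address are the ones given in the post; the rule set, the function names and the use of the conntrack match are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): the minimum INPUT rules that
# let a caching resolver running ON the router reach upstream nameservers
# when the INPUT policy is DROP. Interface names and the 10.0.0.1 address
# are taken from the post; everything else here is an assumption.

IPT="${IPT:-iptables}"   # set IPT="echo iptables" to preview instead of apply
WAN="${WAN:-eth1}"       # upstream interface (from the post)
DMZ="${DMZ:-eth2}"       # dnscache listens on 10.0.0.1 here (from the post)

# Queries the resolver sends to root/upstream servers traverse OUTPUT and
# leave on $WAN. The answers come back on $WAN addressed to the router, so
# they traverse INPUT (never FORWARD) and the DROP policy eats them.
# Accept only replies to exchanges the router itself started.
allow_resolver_replies() {
    $IPT -A INPUT -i "$WAN" -p udp --sport 53 \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
    # DNS falls back to TCP for truncated answers; cover that path too.
    $IPT -A INPUT -i "$WAN" -p tcp --sport 53 \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Queries from DMZ hosts to dnscache on 10.0.0.1 are also delivered to the
# router itself, so they need an INPUT rule as well.
allow_dmz_clients() {
    $IPT -A INPUT -i "$DMZ" -d 10.0.0.1 -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$DMZ" -d 10.0.0.1 -p tcp --dport 53 -j ACCEPT
}

# Debugging aid: a rate-limited LOG rule at the end of INPUT shows, in the
# kernel log, what the DROP policy is about to discard on $WAN. Appending
# it last means it only sees traffic no earlier rule accepted.
log_input_drops() {
    $IPT -A INPUT -i "$WAN" -m limit --limit 5/min \
        -j LOG --log-prefix "INPUT-DROP: "
}

# Print the rules as text instead of applying them (review before commit).
preview_rules() {
    (
        IPT="echo iptables"
        allow_resolver_replies
        allow_dmz_clients
        log_input_drops
    )
}

# Apply in order: accepts first, then the diagnostic LOG rule.
apply_rules() {
    allow_resolver_replies
    allow_dmz_clients
    log_input_drops
}
```

Run `preview_rules` first to see exactly what would be appended; `apply_rules` then adds the same lines with the real binary. Two caveats the post's setup raises: first, `iptables -vnL INPUT` shows per-rule and policy packet counters, so a rising policy-DROP counter on eth1 while a lookup hangs is the quickest confirmation of the diagnosis above; second, nat POSTROUTING rules apply to locally generated packets as well as forwarded ones, so if dnscache sources its upstream queries from the private address 10.0.0.1, an existing `-o eth1 -j MASQUERADE` rule already rewrites them and conntrack still classifies the returning answers as ESTABLISHED.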



Thread overview: 2+ messages
2005-10-20 19:50 iptables-user [this message]
2005-10-21  3:00 ` how to let recursive nameserver through  Henrik Nordstrom