* Change source port
From: netfilter @ 2007-11-26 22:19 UTC (permalink / raw)
To: netfilter
We have a situation where our nameservers are contacting an upstream
nameserver to resolve a name using a source port 53 and a destination
port 53. We have found out that the upstream name server will not honor
our request since the source port from our nameservers is 53. Until we
can resolve this with the upstream admin, we would like to
change the source port from our name server to a high numbered port
using iptables when it tries to contact the upstream nameserver. We can
not seem to put together a rule to do this. Is it even possible?
* Re: Change source port
From: Grant Taylor @ 2007-11-27 1:50 UTC (permalink / raw)
To: Mail List - Netfilter
On 11/26/2007 4:19 PM, netfilter@buglecreek.com wrote:
> We have a situation where our nameservers are contacting an upstream
> nameserver to resolve a name using a source port 53 and a destination
> port 53. We have found out that the upstream name server will not honor
> our request since the source port from our nameservers is 53. Until we
> can resolve this with the upstream admin, we would like to
> change the source port from our name server to a high numbered port
> using iptables when it tries to contact the upstream nameserver. We can
> not seem to put together a rule to do this. Is it even possible?
Refer to the IPTables man page for exact syntax, but yes you can change
the source port if you SNAT the packets.
iptables -t nat -A POSTROUTING -o ${ExtIF} -p udp --sport 53 -j SNAT --to-source ${ExtIP}:${ExtPort}

iptables -t nat -A POSTROUTING -o ${ExtIF} -p tcp --sport 53 -j SNAT --to-source ${ExtIP}:${ExtPort}
Grant. . . .
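A way to check that the SNAT rules above actually took effect, as an added example that is not part of the thread and not the posters' code: it reads /proc/net/nf_conntrack-style lines (a constructed sample is embedded, with constructed addresses) and reports DNS flows that still reach the upstream with source port 53. After SNAT the reply tuple's dport is the rewritten port, so comparing the two tuples shows what the upstream sees. It also emits rules in the shape of Grant's reply but with `--to-source addr:port-port`, which is the documented SNAT form for letting the kernel pick a port from a range; the interface name, addresses and ports are assumptions.

```python
"""Verify that outbound DNS queries no longer leave with source port 53.

Added example for this thread (not the posters' code).  Parses conntrack
entries and compares the original tuple's sport with the reply tuple's
dport: if SNAT rewrote the query, the two differ.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in /proc/net/nf_conntrack format.  First tuple is
# the original direction, second is the reply direction.  Flow 1 was
# SNATed to 40001, flow 2 still leaves with sport 53, flow 3 already used
# a high port, flow 4 is unrelated HTTPS traffic.
SAMPLE_CONNTRACK = """\
ipv4     2 udp      17 28 src=10.0.0.2 dst=203.0.113.53 sport=53 dport=53 src=203.0.113.53 dst=198.51.100.1 sport=53 dport=40001 mark=0 use=1
ipv4     2 udp      17 29 [UNREPLIED] src=10.0.0.2 dst=203.0.113.54 sport=53 dport=53 src=203.0.113.54 dst=198.51.100.1 sport=53 dport=53 mark=0 use=1
ipv4     2 udp      17 30 src=10.0.0.7 dst=203.0.113.53 sport=51234 dport=53 src=203.0.113.53 dst=198.51.100.1 sport=53 dport=51234 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.9 dst=192.0.2.10 sport=44321 dport=443 src=192.0.2.10 dst=198.51.100.1 sport=443 dport=44321 [ASSURED] mark=0 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


@dataclass
class DnsFlow:
    proto: str
    src: str
    dst: str
    orig_sport: int   # port the resolver used locally
    seen_sport: int   # port the upstream sees (reply tuple dport)

    @property
    def snat_applied(self) -> bool:
        return self.orig_sport != self.seen_sport


def parse_conntrack(text: str) -> List[DnsFlow]:
    """Return every flow whose original destination port is 53."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        proto = fields[2]                      # "udp" / "tcp"
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:                   # need orig + reply tuple
            continue
        (src, dst, sport, dport), (_rs, _rd, _rsp, reply_dport) = tuples
        if int(dport) != 53:
            continue
        flows.append(DnsFlow(proto, src, dst, int(sport), int(reply_dport)))
    return flows


def flows_still_using_port_53(flows: List[DnsFlow]) -> List[DnsFlow]:
    """Queries the upstream would still see coming from port 53."""
    return [f for f in flows if f.seen_sport == 53]


def snat_rules(ext_if: str, ext_ip: str, port_lo: int, port_hi: int) -> List[str]:
    """Rules in the shape of the reply above, restricted to queries
    (--dport 53) and using a port range so the kernel picks the port."""
    return [
        f"iptables -t nat -A POSTROUTING -o {ext_if} -p {proto} "
        f"--sport 53 --dport 53 -j SNAT --to-source {ext_ip}:{port_lo}-{port_hi}"
        for proto in ("udp", "tcp")
    ]


if __name__ == "__main__":
    # Replace SAMPLE_CONNTRACK with open("/proc/net/nf_conntrack").read()
    # on a live box (needs root).
    for flow in flows_still_using_port_53(parse_conntrack(SAMPLE_CONNTRACK)):
        print(f"NOT rewritten: {flow.proto} {flow.src} -> {flow.dst} sport={flow.seen_sport}")
    for rule in snat_rules("eth0", "198.51.100.1", 32768, 60999):
        print(rule)
```

Run it as root with the live conntrack table instead of the sample; a line in the "NOT rewritten" list means a query reached the upstream before or outside the SNAT rule.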
* Re: Change source port
From: G.W. Haywood @ 2007-11-27 9:21 UTC (permalink / raw)
To: netfilter
Hi there,
On Mon, 26 Nov 2007, Grant Taylor wrote:
> On 11/26/2007 4:19 PM, netfilter@buglecreek.com wrote:
> > We have a situation where our nameservers are contacting an upstream
> > nameserver to resolve a name using a source port 53 and a destination
> > port 53. We have found out that the upstream name server will not honor
> > our request since the source port from our nameservers is 53. Until we
> > can resolve this with the upstream admin, we would like to
> > change the source port from our name server to a high numbered port
> > using iptables when it tries to contact the upstream nameserver. We can
> > not seem to put together a rule to do this. Is it even possible?
>
> Refer to the IPTables man page for exact syntax, but yes you can change
> the source port if you SNAT the packets.
>
> iptables -t nat -A POSTROUTING -o ${ExtIF} -p udp --sport 53 -j SNAT
> --to-source ${ExtIP}:${ExtPort}
>
> iptables -t nat -A POSTROUTING -o ${ExtIF} -p tcp --sport 53 -j SNAT
> --to-source ${ExtIP}:${ExtPort}
If you use BIND V9 you could just tell the nameserver to use a
different port, without needing to mess around with iptables.
See chapter 10.15 of the O'Reilly book "DNS and BIND".
--
73,
Ged.