From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Brian Ugie"
Subject: Re: iptables and DNS
Date: Tue, 04 Jun 2002 10:41:58 -0700
Sender: netfilter-admin@lists.samba.org
To: ramin@cannon.eng.us.uu.net
Cc: netfilter@lists.samba.org

Below is the hosts portion of nsswitch.conf. The actual hosts file is below that. I have also included the simple config that I am using for iptables.

I have seen the -n option, but it is not relevant for appending, inserting or replacing. It only applies to listing (output).

--Brian

#hosts:     db files nisplus nis dns
hosts:      files dns

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       testbox localhost.localdomain localhost
10.1.1.13       ns2.pzs.com

# Generated by iptables-save v1.2.3 on Tue Jun 4 10:33:01 2002
*filter
:INPUT DROP [14:722]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [129912:18396846]
-A INPUT -d 10.1.1.13 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 10.1.1.13 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d 10.1.1.13 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -d 10.1.1.13 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
# Completed on Tue Jun 4 10:33:01 2002

>>> Ramin Alidousti 06/04/02 10:28AM >>>
On Tue, Jun 04, 2002 at 09:51:31AM -0700, Brian Ugie wrote:

> Hi,
>
> I am hoping that someone can explain the role that DNS has in
> relation to iptables and if there is a way to stop iptables from
> resolving.
>
> I have a network where a netscreen firewall sits in front of our
> servers. We map public IPs to the servers and do initial port filtering
> from the netscreen. We also want to have each machine filter just in
> case the windows box gets compromised ;). It has seemed to me that
> iptables will not first use /etc/hosts to resolve but will go straight
> to the DNS server. Is this a valid statement?

No. gethostbyaddr would go through the preference list in nsswitch.conf.
This is part of a library and iptables uses it.

#include

> nsswitch.conf lists file
> first. Since DNS will resolve the server to a public address but it is
> actually on a private address, iptables gets confused and the net result
> is long delays on ssh and ftp logins and server time-outs on DNS
> queries.

Do you have "hosts: files dns" in your nsswitch.conf and have the correct
setup in /etc/hosts?

>
> To test my theory I set the DNS record to the private ip and that
> worked like a champ. I feel that I am left with only the option to
> create views in bind.
>
> Has anyone else out there seen this or know of a better solution?

You can also provide "-n" to the iptables command to avoid names:

man iptables:
...
   -n, --numeric
          Numeric output. IP addresses and port numbers will be printed
          in numeric format. By default, the program will try to display
          them as host names, network names, or services (whenever
          applicable).
...

Ramin

>
> Thanks in advance,
>
> Brian
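The exchange above turns on where name resolution actually happens: a rule written with numeric addresses, like every rule in Brian's iptables-save dump, never touches the resolver, while a hostname given to -s or -d is looked up once, at load time, through whatever order the "hosts:" line of nsswitch.conf specifies. The following audit script is an added example, not code from the netfilter project or from either poster. It parses an iptables-save dump together with nsswitch.conf and /etc/hosts and reports each rule whose address spec would need the resolver, and whether "files" or "dns" would answer first. The sample inputs are constructed from the thread, and the rule that uses the name ns2.pzs.com is hypothetical (the real dump contains only numeric rules); glibc's bracketed action syntax such as [NOTFOUND=return] is not modelled.

```python
"""Audit an iptables-save dump for rules that depend on name resolution.

Added example for the netfilter thread above; not code from the project or
from either poster. A hostname in -s/-d is resolved when the rule is loaded,
through the order on the 'hosts:' line of nsswitch.conf; numeric addresses
are never looked up. If DNS answers with a server's public address while the
server is really reachable on its private address, the loaded rule silently
matches the wrong traffic. This script surfaces such rules before loading.
"""
import ipaddress
import shlex
from typing import Dict, List


def parse_nsswitch_hosts(text: str) -> List[str]:
    """Return the sources on the first uncommented 'hosts:' line, in order."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return line.split(":", 1)[1].split()
    return []  # no hosts line: the resolver order cannot be determined here


def parse_hosts_file(text: str) -> Dict[str, str]:
    """Map every name in /etc/hosts to the first address it appears with."""
    names: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                names.setdefault(name, fields[0])
    return names


def host_part(spec: str) -> str:
    """Strip negation and prefix length: '!ns2.pzs.com/32' -> 'ns2.pzs.com'."""
    return spec.lstrip("!").split("/", 1)[0]


def is_numeric(spec: str) -> bool:
    """True when the address spec is a literal IP and needs no lookup."""
    try:
        ipaddress.ip_address(host_part(spec))
        return True
    except ValueError:
        return False


def audit_rules(save_text: str, nsswitch_text: str, hosts_text: str) -> List[dict]:
    """Report every -A/-I/-R rule whose -s/-d value must be resolved."""
    order = parse_nsswitch_hosts(nsswitch_text)
    hosts = parse_hosts_file(hosts_text)
    findings = []
    for line in save_text.splitlines():
        if not line.startswith(("-A ", "-I ", "-R ")):
            continue  # chain policies, table markers, comments, COMMIT
        args = shlex.split(line)
        for i, arg in enumerate(args[:-1]):
            if arg not in ("-s", "--source", "-d", "--destination"):
                continue
            spec = args[i + 1]
            if is_numeric(spec):
                continue
            name = host_part(spec)
            answered_by, address = "unknown", None
            for source in order:  # first source that can answer wins
                if source == "files" and name in hosts:
                    answered_by, address = "files", hosts[name]
                    break
                if source == "dns":
                    answered_by = "dns"  # offline: answer would come from the network
                    break
            findings.append({"rule": line, "name": name,
                             "answered_by": answered_by, "address": address})
    return findings


# Constructed sample inputs modelled on the thread. The rule naming
# ns2.pzs.com is hypothetical; the real dump used numeric addresses only.
SAMPLE_NSSWITCH = "#hosts: db files nisplus nis dns\nhosts: files dns\n"
SAMPLE_HOSTS = ("127.0.0.1 testbox localhost.localdomain localhost\n"
                "10.1.1.13 ns2.pzs.com\n")
SAMPLE_RULES = """*filter
:INPUT DROP [0:0]
-A INPUT -d 10.1.1.13 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d ns2.pzs.com -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES, SAMPLE_NSSWITCH, SAMPLE_HOSTS):
        print(f"{f['name']} in {f['rule']!r}: answered by {f['answered_by']}"
              f" -> {f['address']}")
```

Run against the constructed dump, only the rule written with a name is reported, and with "hosts: files dns" it would be answered from /etc/hosts as 10.1.1.13; swap the order to "hosts: dns files" and the same rule is flagged as DNS-dependent, which is exactly the configuration drift worth catching in review before a firewall script is loaded.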