From: "it clown" <suse@mailbox.co.za>
To: netfilter@lists.netfilter.org
Subject: Re: bind 9 and iptables
Date: Fri, 27 Aug 2004 22:53:10 +0200
Message-ID: <web-420492681@mail01.infosat.net>
In-Reply-To: <Pine.GSU.4.58.0408271617110.17638@adore.lightlink.com>
OK, I will try again.

I have an internal DNS server with a forwarder to my ISP. The internal DNS server is on the iptables box. The clients use the internal DNS server to resolve names on the local network. When the internal DNS cannot resolve a name, it forwards to my ISP's DNS.

So my problem is with the forwarding. To get that to work I have to uncomment:

iptables -P INPUT DROP and iptables -P OUTPUT DROP.

When I uncomment those two rules the clients can browse the internet.

What rules can I use instead of uncommenting those two rules, because that's not secure?

I hope this makes more sense, thanks.

Regards
On Fri, 27 Aug 2004 16:19:59 -0400 (EDT), Nick Taylor <nickt@lightlink.com> wrote:

> Your question isn't really specific enough to be sure what's going on, but
> I'm assuming that on your firewall box, the rules you present allow DNS
> queries to work, but that on clients behind the firewall, DNS still fails,
> and furthermore that you have the clients set up to use a DNS server on
> the outside of your firewall. If this is the case, try:
>
> iptables -A FORWARD ...
>
> Remember, the input and output chains are only for traffic with a LOCAL
> source or destination (same computer as firewall), whereas forward is for
> traffic that goes through the firewall computer.
>
>
> On Fri, 27 Aug 2004, it clown wrote:
>
> > Date: Fri, 27 Aug 2004 22:06:00 +0200
> > From: it clown <suse@mailbox.co.za>
> > To: netfilter@lists.netfilter.org
> > Subject: bind 9 and iptables
> >
> > Hi All
> >
> > I have a DNS with a forwarder to my ISP on the iptables box. I am having
> > trouble getting DNS to work properly.
> >
> > When I comment:
> >
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> >
> > DNS will work fine and all the PCs can browse the net.
> >
> > I have tried the following without any luck:
> >
> > iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
> > iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > What rule do I need to add to make things more secure to get my DNS
> > working properly? Thanks.
> >
> > Regards
> >
> >
> >
>
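Added example, written for this reply and not taken from either poster: a shell script for the layout described above (BIND running as a forwarding resolver on the iptables box itself, clients on the LAN behind it) that keeps INPUT, OUTPUT and FORWARD at DROP and opens only the DNS paths, instead of disabling the DROP policies. It also makes Nick's chain point concrete: client queries to the resolver on the box and the resolver's own forwarding to the ISP go through INPUT/OUTPUT, while the clients' web traffic goes through FORWARD. Interface names, the LAN range and the ISP resolver address are assumptions; NAT for the LAN is assumed to be configured elsewhere. Setting IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example for a BIND forwarding resolver that lives on the firewall box.
# All interface names and addresses below are assumptions, not values from the thread.
LAN_IF=${LAN_IF:-eth1}               # assumed LAN-facing interface
WAN_IF=${WAN_IF:-eth0}               # assumed ISP-facing interface
LAN_NET=${LAN_NET:-192.168.1.0/24}   # assumed LAN address range
ISP_DNS=${ISP_DNS:-198.51.100.53}    # placeholder forwarder address (documentation range)

# IPT=echo turns this into a dry run that prints the rules instead of loading them.
IPT=${IPT:-iptables}

dns_forwarder_rules() {
    # Default-deny on all three chains; nothing below reopens the policies.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback, plus replies to traffic the box itself already sent. Conntrack
    # tracks UDP too, so the ISP's DNS answers come back as ESTABLISHED on INPUT
    # and the resolver's answers to LAN clients leave as ESTABLISHED on OUTPUT.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN clients querying the resolver on this box: the destination is LOCAL,
    # so this is INPUT, not FORWARD. Restrict it to the LAN interface and range.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT

    # The resolver forwarding unresolved names: the source is LOCAL, so this is
    # OUTPUT. Allow it only towards the configured forwarder, not any port 53.
    $IPT -A OUTPUT -o "$WAN_IF" -d "$ISP_DNS" -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -d "$ISP_DNS" -p tcp --dport 53 -j ACCEPT

    # Client web traffic passes through the box, so it is FORWARD traffic and
    # untouched by the INPUT/OUTPUT rules above. Allow new LAN->WAN sessions
    # and their return packets; the nat table (MASQUERADE) is assumed elsewhere.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
}

# Usage: "sh dns-fw.sh dry-run" prints the rules, "sh dns-fw.sh apply" loads them (root).
case "${1:-}" in
    dry-run) IPT=echo dns_forwarder_rules ;;
    apply)   dns_forwarder_rules ;;
esac
```

The important difference from the rules tried in the original post is that the client side of the exchange needs its own INPUT rule on port 53 from the LAN, and that the OUTPUT rule is pinned to the forwarder's address rather than to any destination on port 53; the ESTABLISHED,RELATED rules then carry both directions of replies without reopening the chains.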