* I can't resolve DNS name
From: Daniel Arjona @ 2003-08-29 17:38 UTC
To: netfilter
Hello:
I tried to configure an iptables firewall, but I can't. I need to configure
it to use FTP, Kazaa, the Internet and ICQ, and to access the IMAP server of
Netscape with my Netscape client.
Observations:
I have LRH 8.0, and iptables is on my unique server together with squid, qmail and
others.
My router is directly connected to the NIC of the server.
When I try to connect to any FTP server, I receive this message: "I can't
resolve DNS name".
I can't ping any IP address.
Regards from Panama,
Daniel Arjona
PS: Please see my script and my output from the commands:
iptables -L -n
iptables -t nat -L
#!/bin/sh
############################################################################
# IPTABLES SCRIPT
# Firewall between the local network and the Internet with open service ports
############################################################################
################################################ FLUSH rules
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
####################################################### Load variables
PRIVATE_NET=192.160.33.0/24
PRIVATE_NIC=eth1
PUBLIC_NIC=eth0
################################################### Set the default policy to ACCEPT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
####################################################### INPUTS 143=IMAP, 25=SMTP, 110=POP3
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s $PRIVATE_NET -i $PRIVATE_NIC -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 110 -j ACCEPT
###########################################################################
# FORWARDS
## FORWARD ACCEPTED 80=HTTP, 143=IMAP, 53=DNS, 21=FTP, 1214=KAZAA
iptables -A FORWARD -s $PRIVATE_NET -i $PRIVATE_NIC -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s $PRIVATE_NET -i $PRIVATE_NIC -p tcp --dport 143 -j ACCEPT
iptables -A FORWARD -s $PRIVATE_NET -i $PRIVATE_NIC -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -s $PRIVATE_NET -i $PRIVATE_NIC -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -s $PRIVATE_NET -i $PRIVATE_NIC -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -s $PRIVATE_NET -i $PRIVATE_NIC -p tcp --dport 1214 -j ACCEPT
iptables -A FORWARD -s $PRIVATE_NET -i $PRIVATE_NIC -p tcp --dport 3128 -j ACCEPT
## FORWARD DENIED (commented out, so nothing is dropped)
# iptables -A FORWARD -s $PRIVATE_NET -i $PRIVATE_NIC -j DROP
################################################################ MASQUERADING
iptables -t nat -A POSTROUTING -s $PRIVATE_NET -o $PUBLIC_NIC -j MASQUERADE
################################################################ ENABLE FORWARDING
echo 1 > /proc/sys/net/ipv4/ip_forward
############################################################### CLOSE ACCESS TO UNWANTED TRAFFIC
# (commented out, so nothing is dropped)
# iptables -A INPUT -s 0.0.0.0/0 -i $PUBLIC_NIC -p tcp --dport 1:1024 -j DROP
# iptables -A INPUT -s 0.0.0.0/0 -i $PUBLIC_NIC -p udp --dport 1:1024 -j DROP
## DENIED WEBMIN PORT ACCESS
# iptables -A INPUT -s 0.0.0.0/0 -i $PUBLIC_NIC -p tcp --dport 10000 -j DROP
# Red Hat init script: persist the running rules to /etc/sysconfig/iptables
service iptables save
# End of script
*************************************
[root@transito root]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.160.33.0/24 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
******************************************
[root@transito root]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 192.160.33.0/24 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 192.160.33.0/24 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 192.160.33.0/24 0.0.0.0/0 tcp dpt:143
ACCEPT tcp -- 192.160.33.0/24 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 192.160.33.0/24 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 192.160.33.0/24 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 192.160.33.0/24 0.0.0.0/0 tcp dpt:1214
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
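Every policy in the posted script is ACCEPT and every DROP rule is commented out, so the box forwards and accepts everything and the rule list does not explain the DNS failure. As an added example (not the poster's script and not from this thread), here is the same NAT gateway rewritten with default-deny INPUT and FORWARD policies and stateful matching. The network, interface names and service ports come from the post; the `fw_rules` function, the `LAN_TCP_OUT` list and the ICMP echo rule are assumptions. The `ip_conntrack_ftp` module name is the 2.4-kernel name of that era (`nf_conntrack_ftp` on current kernels); it lets the FTP data connections through as RELATED without opening high ports.

```shell
#!/bin/sh
# Added example (not the poster's script): the posted NAT gateway rewritten with
# default-deny policies and stateful matching. Network, interfaces and service
# ports are taken from the post; the rest is an assumption.
PRIVATE_NET=${PRIVATE_NET:-192.160.33.0/24}
PRIVATE_NIC=${PRIVATE_NIC:-eth1}
PUBLIC_NIC=${PUBLIC_NIC:-eth0}
# TCP ports the LAN may open towards the Internet (the FORWARD rules of the post)
LAN_TCP_OUT="21 53 80 143 1214"

# Print the rules instead of applying them so the set can be reviewed or diffed
# first; "sh fw.sh apply" pipes the same output into a shell.
fw_rules() {
    echo "modprobe ip_conntrack_ftp"
    echo "iptables -F"
    echo "iptables -X"
    echo "iptables -Z"
    echo "iptables -t nat -F"
    echo "# Default deny for traffic to the box and through it; the box's own outbound stays open"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "# The box itself: loopback, the LAN, and replies to what it started"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -i $PRIVATE_NIC -s $PRIVATE_NET -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "# Public services on the box: SMTP and POP3, as in the post"
    echo "iptables -A INPUT -i $PUBLIC_NIC -p tcp --dport 25 -m state --state NEW -j ACCEPT"
    echo "iptables -A INPUT -i $PUBLIC_NIC -p tcp --dport 110 -m state --state NEW -j ACCEPT"
    echo "# Through the box: replies first, then new LAN connections to the listed ports"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in $LAN_TCP_OUT; do
        echo "iptables -A FORWARD -i $PRIVATE_NIC -o $PUBLIC_NIC -s $PRIVATE_NET -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A FORWARD -i $PRIVATE_NIC -o $PUBLIC_NIC -s $PRIVATE_NET -p udp --dport 53 -j ACCEPT"
    echo "# Let the LAN ping out, so the diagnostics suggested in the thread still work"
    echo "iptables -A FORWARD -i $PRIVATE_NIC -o $PUBLIC_NIC -s $PRIVATE_NET -p icmp --icmp-type echo-request -j ACCEPT"
    echo "# Hide the LAN behind the public address and turn routing on"
    echo "iptables -t nat -A POSTROUTING -s $PRIVATE_NET -o $PUBLIC_NIC -j MASQUERADE"
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

case "${1:-}" in
    apply) fw_rules | sh ;;
    *)     fw_rules ;;
esac
```

The 3128 forward of the original is deliberately absent: squid runs on the gateway itself, so LAN clients reach it through the INPUT chain (the LAN-to-box accept rule), not FORWARD. With these policies a DNS failure would be explained by the rules only if the TCP/UDP 53 lines were missing; with the original all-ACCEPT script it cannot be, which is the point Ralf makes in his reply.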
* Re: I can't resolve DNS name
From: cc @ 2003-08-30 1:33 UTC
To: Netfilter Group
Daniel Arjona wrote:
> Hello:
>
> I tried to configure an iptables firewall, but I can't. I need to configure
> it to use FTP, Kazaa, the Internet and ICQ, and to access the IMAP server of
> Netscape with my Netscape client.
>
> Observations:
> I have LRH 8.0, and iptables is on my unique server together with squid, qmail and
> others.
> My router is directly connected to the NIC of the server.
> When I try to connect to any FTP server, I receive this message: "I can't
> resolve DNS name".
> I can't ping any IP address.
Try the following:
1) Ping your loopback.
2) Ping your server's internal IP.
3) Ping any one of your LAN IPs.
4) Ping your router. (You didn't mention if your router has an IP. I'm assuming it has.)
You didn't mention from where you were trying to connect.
5) If the above pings correctly, then check if you've set up your routing tables correctly. What happens when you enter 'route'? What's the IP of your eth0?
I don't know if the above might help.
* Re: I can't resolve DNS name
From: Ralf Spenneberg @ 2003-08-30 11:42 UTC
To: Daniel Arjona; +Cc: Netfilter
On Fri, 2003-08-29 at 19:38, Daniel Arjona wrote:
> Observations:
> I have LRH 8.0, and iptables is on my unique server together with squid, qmail and
> others.
> My router is directly connected to the NIC of the server.
> When I try to connect to any FTP server, I receive this message: "I can't
> resolve DNS name".
> I can't ping any IP address.
Looking at the iptables output below, I do not see any drop rule. Your
firewall code does not stop any packet. If you can't resolve any name,
test your name resolution and ping an IP address, like:
ping 217.160.128.61
If that does not work, check your routing.
> echo 1 > /proc/sys/net/ipv4/ip_forward
> [root@transito root]# iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> MASQUERADE all -- 192.160.33.0/24 anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> ******************************************
>
> [root@transito root]# iptables -L -n
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT all -- 192.160.33.0/24 0.0.0.0/0
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> ACCEPT tcp -- 192.160.33.0/24 0.0.0.0/0 tcp dpt:80
> ACCEPT tcp -- 192.160.33.0/24 0.0.0.0/0 tcp dpt:143
> ACCEPT tcp -- 192.160.33.0/24 0.0.0.0/0 tcp dpt:53
> ACCEPT udp -- 192.160.33.0/24 0.0.0.0/0 udp dpt:53
> ACCEPT tcp -- 192.160.33.0/24 0.0.0.0/0 tcp dpt:21
> ACCEPT tcp -- 192.160.33.0/24 0.0.0.0/0 tcp dpt:1214
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
Cheers,
Ralf
--
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
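Ralf's diagnosis rests on one check: read the `iptables -L -n` listing and notice that no chain has a DROP policy and no rule has a DROP or REJECT target, so the "firewall" cannot be what blocks DNS. As an added example (not from this thread), the following shell function does that check mechanically over a listing read from stdin, so it can be run against a live box (`sh audit.sh live`) or against a saved listing. The `fw_audit` function name and the two sample listings are assumptions; the first sample is a trimmed copy of the post's own output, the second is a constructed variant with a default-deny FORWARD chain.

```shell
#!/bin/sh
# Added example (not from the thread): audit an "iptables -L -n" listing the way
# Ralf does by eye and report whether the ruleset denies anything at all.
# Reads the listing on stdin, prints one line per chain, and returns 1 when no
# chain has a DROP/REJECT policy and no rule has a DROP/REJECT target.
fw_audit() {
    awk '
    /^Chain / {
        chain = $2
        chains[++n] = chain
        # built-in chains print "(policy X)", user-defined chains "(N references)"
        policy = ($3 == "(policy") ? $4 : "-"
        sub(/\)$/, "", policy)
        policies[chain] = policy
        next
    }
    NF == 0 || $1 == "target" { next }      # blank line or column header
    $1 == "DROP" || $1 == "REJECT" { denies[chain]++ }
    END {
        filtering = 0
        for (i = 1; i <= n; i++) {
            c = chains[i]
            printf "%-12s policy %-7s deny rules %d\n", c, policies[c], denies[c] + 0
            if (policies[c] == "DROP" || policies[c] == "REJECT" || denies[c] > 0)
                filtering = 1
        }
        if (!filtering)
            print "WARNING: every policy is ACCEPT and no rule drops or rejects: this ruleset filters nothing"
        exit (filtering ? 0 : 1)
    }'
}

# Constructed sample: the filter table from the original post, trimmed
SAMPLE_OPEN='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  192.160.33.0/24      0.0.0.0/0            tcp dpt:80

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample: the same listing after switching FORWARD to default deny
# and uncommenting the webmin DROP rule from the post
SAMPLE_DENY='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10000

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.160.33.0/24      0.0.0.0/0            tcp dpt:80

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

case "${1:-demo}" in
    live) iptables -L -n | fw_audit ;;
    *)    printf '%s\n' "$SAMPLE_OPEN" | fw_audit || echo "(exit status $?)" ;;
esac
```

Run on the post's listing it prints three "policy ACCEPT, deny rules 0" lines followed by the warning and exits 1; that is the machine form of "your firewall code does not stop any packet", and the cue to look at name resolution and routing rather than at the rules.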