From: /dev/rob0 <rob0@gmx.co.uk>
To: netfilter@lists.netfilter.org
Subject: Re: DNS and NAT
Date: Mon, 11 Jul 2005 16:25:20 -0500
Message-ID: <42D2E3C0.1030405@gmx.co.uk>
In-Reply-To: <BAY17-F385E7ADF96986B0821571980DC0@phx.gbl>
Please don't top-post. Thank you.
Suzana Lojic-Skoric wrote:
> OK, thanks I was not sure what is the proper behavior regarding
> iptables and DNS.
The usual situation is that clients are NAT'ed out, like what you're
describing.
> If the answer is not translated then how do I get DNS to work with two-way NAT?
What does not work? Two-way NAT is fine. You go on to say you're not
really talking about two-way NAT:
> My internal network does not understand any of the ip addresses that
> belong to outside. So if the request for a page that is sent from
> internal network comes back from outside with an answer (ip address)
> that is not getting translated then I can't resolve the page since my
> internal network doesn't understand it and can't route to it.
Clients need to have a default route through the NAT gateway, which does
SNAT or MASQUERADE. How is it two-way if the clients can't route out?
> Is there a way around this problem? How do I get DNS to work in the type
> of environment I described?
If you don't want to allow NAT clients out for some reason, you might
check into running proxy servers, such as squid for HTTP/FTP. Only the
services you are proxying can be used by internal clients. SOCKS proxy
servers can handle multiple protocols, but I don't know anything more
about it than just that fact.
Proxy servers are a good choice in some circumstances; you maintain
maximum control over what clients can and cannot do (unless users have
shell access to the proxy server, perhaps.) But proxying is far more
resource-intensive than NAT.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
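The setup rob0 describes (clients with a default route through a gateway that does SNAT/MASQUERADE, DNS answers passing through untranslated) as a minimal gateway script. This is an added example, not code from the thread or from the netfilter project; the interface names, the LAN subnet, the gateway address and the resolver address are constructed placeholders, and the `-m conntrack --ctstate` match is the current form of the state match. By default the script only prints the commands it would run; set `RUN=` (empty) and run it as root to apply them.

```shell
#!/bin/sh
# Added example: a NAT gateway for a private LAN, plus the matching client route.
# All addresses and interface names below are constructed for the example.
WAN_IF="${WAN_IF-eth0}"                 # interface with the public address
LAN_IF="${LAN_IF-eth1}"                 # interface facing the private LAN
LAN_NET="${LAN_NET-192.168.1.0/24}"     # private LAN (constructed)
GW_LAN_IP="${GW_LAN_IP-192.168.1.1}"    # gateway's LAN address (constructed)
RESOLVER="${RESOLVER-203.0.113.53}"     # the only upstream DNS server allowed (constructed)
RUN="${RUN-echo}"                       # "echo" = dry run; RUN= applies for real (root)

nat_gateway_rules() {
    # The gateway must forward packets between its interfaces.
    $RUN sysctl -w net.ipv4.ip_forward=1

    # Start from a clean FORWARD chain and NAT table; deny forwarding by default.
    $RUN iptables -F FORWARD
    $RUN iptables -t nat -F
    $RUN iptables -P FORWARD DROP

    # Replies to connections the LAN opened come back in; nothing else from the WAN does.
    $RUN iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # DNS from the LAN goes only to the chosen resolver (UDP and TCP).
    $RUN iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -d "$RESOLVER" -p udp --dport 53 -j ACCEPT
    $RUN iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -d "$RESOLVER" -p tcp --dport 53 -j ACCEPT

    # Web traffic from the LAN to any public address: the client connects to the
    # public IP it got from DNS, so no rewriting of the DNS answer is needed.
    $RUN iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -p tcp -m multiport --dports 80,443 -j ACCEPT

    # Source NAT on the way out. Only the IP header's source is rewritten;
    # payloads (including DNS answers) are left alone, and conntrack reverses
    # the translation on the replies.
    $RUN iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# On each LAN client: everything not local is sent to the gateway.
client_default_route() {
    $RUN ip route replace default via "$GW_LAN_IP"
}

nat_gateway_rules
client_default_route
```

Run it as `sh nat-gw.sh` to see the rules, or `RUN= sh nat-gw.sh` as root on the gateway to apply them (run only `client_default_route` on the clients). The FORWARD policy is DROP on purpose: MASQUERADE alone does not stop inbound forwarding, the ESTABLISHED,RELATED rule is what lets replies back in, and restricting port 53 to one resolver keeps clients from talking DNS to arbitrary hosts.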