On Tue, May 14, 2002 at 07:18:01PM -0400, PAUL WILLIAMSON wrote:
> I have been over the HOWTO, most examples I can find
> and I still can't get things working entirely correctly.
>
> I've looked in the archives, and that's gotten me
> about 95% of the way.  But that last 5% is killing
> me.
>
> external net-----firewall/dns-----internal net

Rather than any of us giving examples, what rules have you used...

> I'd like anything sourced from inside to be able to get outside.

for that?

> I'd like nothing outside to be able to get in, other
> than traffic that originated from inside.

and that?

> I'd like ssh to be accepted from only internal
> connections.

and that?

> I want all my internal network machines to use the
> DNS on the firewall.  The DNS on the firewall is
> pointing to a "real" internet DNS server.

I presume this is done in the DNS server's configuration itself,
designating them as forwarders?

> I want all my machines to be NAT'ed going through the
> firewall out to the internet.

What rule do you use for that?

> I have a cable modem with a dynamically assigned IP
> address, and depending on what range I get assigned
> to, I may end up with different DNS servers.

Why?  I would have thought you'll always be connecting to the same ISP,
and therefore can always use their DNS servers.

> I'd like my internal machines to use the firewall as the DNS server, and
> have the firewall actually do the requesting out to the internet.
> I can surf the internet from the linux firewall/dns box.

That sounds fine.

> I can get as far as being able to ping real ip
> addresses on the internet from any internal machine,
> but I can't ping DNS names of those same sites.
> Obviously, I don't quite have things set up
> correctly.

OK, that looks like a DNS problem.  Are you logging all DROP'd or
REJECT'd connection attempts?  If so, are any logs being generated that
look related to DNS requests?

> Also, I can't get ssh to be accepted, PuTTY gives me
> an error that "Software caused connection abort."

Anything in the logs on the firewall?  Anything interesting pop up if
you run tcpdump on the relevant interface of the firewall?

> BTW, most internal machines are Windoze2000 or XP.
> There are one or two crazy people that run linux
> on their desktop (me included...)  But I'm not too
> concerned, because I think the problem is in how the
> iptable rules are accepting requests on port 53, eth1
> (internal network) right?

Yes, this sounds like iptables isn't directly the problem.

-- 
FunkyJesus
System Administration Team
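A ruleset that meets the requirements Paul lists (outbound from inside only, ssh and DNS on eth1 only, MASQUERADE for the dynamic cable-modem address) and logs what the DROP policies discard, so the "any logs related to DNS requests?" question can actually be answered. This is an added example, not code from the thread; it assumes eth0 faces the cable modem, eth1 faces the LAN, and the LAN is 192.168.1.0/24.

```shell
#!/bin/sh
# Constructed ruleset for the thread's topology:
#   external net --- eth0 [firewall/dns] eth1 --- internal net
# Assumed (not stated in the thread): eth0 = cable modem side, eth1 = LAN
# side, LAN = 192.168.1.0/24. IPT=echo prints the rules without applying them.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN="${LAN:-192.168.1.0/24}"

apply_rules() {
    # Clean slate; default-deny for traffic to and through the firewall.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback, plus replies to connections the firewall itself opened
    # (this is what lets the box resolve names and surf on its own).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ssh accepted only when it arrives on the internal interface.
    $IPT -A INPUT -i "$INT_IF" -s "$LAN" -p tcp --dport 22 -j ACCEPT
    # Internal machines query the firewall's DNS on port 53: UDP for
    # normal lookups, TCP for answers too large for a single UDP packet.
    $IPT -A INPUT -i "$INT_IF" -s "$LAN" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -s "$LAN" -p tcp --dport 53 -j ACCEPT
    # Anything from inside may go out; outside gets back in only as
    # part of a connection that started inside.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Log (rate-limited) what the DROP policies are about to discard, so
    # blocked DNS or ssh attempts show up in the kernel log.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
    # MASQUERADE rather than SNAT because the outside address is dynamic.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
}

# Run as root: sh fw.sh apply   (FORWARD rules need ip_forward enabled first)
if [ "${1:-}" = "apply" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    apply_rules
fi
```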
