Hello, I noticed you have an output rule to allow anything going out on loopback; does this mean your default output rule is DROP? If so, I think you're missing a rule to allow related and established output packets to go out:

iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

and also for eth1, I suppose.
Also, you might want to make sure your DNS software uses port 53 to reply, or else a lot of traffic will be coming from a high random port (client) to 53 (server) and the replies will be from a high random port (server) to a high random port (client). True, the established and related rules should enable this to work, but it might be simpler, to start with, to make the DNS server always use port 53. For BIND 9.x you'd add "query-source address * port 53", "notify-source * port 53" and "transfer-source * port 53". For other software, look it up. :)

Also, just an idea, but you might want to log everything else instead of dropping it, and then just follow your /var/log/messages or whatever log file to see what packets are being dropped. I know that's how I usually fixed most of my "problems". :)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of PAUL WILLIAMSON
Sent: Wednesday, May 15, 2002 1:56 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Netfilter/iptables/NAT/DNS problems

Ok, here are my rules...

#First, flush all
iptables -F
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -i eth0 --dport 23 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 23 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 23 -j ACCEPT
iptables -A INPUT -p udp -i eth1 --dport 23 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth1 --dport 53 -j ACCEPT
iptables -P INPUT DROP
iptables -A OUTPUT -p icmp -d 0/0 -j DROP

# NAT section
modprobe iptable_nat
# In the NAT table (-t nat), append a rule (-A) after routing
# (POSTROUTING) for all packets going out eth0 (-o eth0) which
# says to MASQUERADE the connection (-j MASQUERADE)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# end of iptables config

After looking at this again, I think I'm missing how DNS gets looked up on the outside. My problem with DNS is that my ISP has different DNS servers depending on what DHCP region I am assigned. Oddly enough, it has been switching around the last few weeks, so I'm pretty confused. Anyway, when the DNS servers change, I don't want to go around to all 50 machines to change it. I'd rather just point them all to the firewall. I'm thinking about setting up another box inside the firewall that would do DNS, but be semi-protected from wandering eyes.

What files would I look in for failed DNS attempts? I've looked in /var/log/messages, but nothing shows up there.

Thanks,
Paul

>>> <[EMAIL PROTECTED]> 05/14/02 19:34 PM >>>
On Tue, May 14, 2002 at 07:18:01PM -0400, PAUL WILLIAMSON wrote:
> I have been over the HOWTO, most examples I can find
> and I still can't get things working entirely correct.
>
> I've looked in the archives, and that's gotten me
> about 95% of the way. But that last 5% is killing
> me.
>
> external net-----firewall/dns-----internal net

Rather than any of us giving examples, what rules have you used...

> I'd like anything sourced from inside to be able to get outside.

for that?

> I'd like nothing outside to be able to get in, other
> than traffic that originated from inside.

and that?

> I'd like ssh to be accepted from only internal
> connections.

and that?

> I want all my internal network machines to use the
> DNS on the firewall. The DNS on the firewall is
> pointing to a "real" internet DNS server.

I presume this is done in the DNS server's configuration itself, designating them as forwarders?

> I want all my machines to be NAT'ed going through the
> firewall out to the internet.

What rule do you use for that?

> I have a cable modem with a dynamically assigned IP
> address, and depending on what range I get assigned
> to, I may end up with different DNS servers.

Why? I would have thought you'll always be connecting to the same ISP, and therefore can always use their DNS servers.

> I'd like my internal machines to use the firewall as the DNS server, and
> have the firewall actually do the requesting out to the internet.
> I can surf the internet from the linux firewall/dns box.

That sounds fine.

> I can get as far as being able to ping real ip
> addresses on the internet from any internal machine,
> but I can't ping DNS names of those same sites.
> Obviously, I don't quite have things set up
> correctly.

OK, that looks like a DNS problem. Are you logging all DROP'd or REJECT'd connection attempts? If so, are any logs being generated that look related to DNS requests?

> Also, I can't get ssh to be accepted, PuTTY gives me
> an error that "Software caused connection abort."

Anything in the logs on the firewall? Anything interesting pop up if you run tcpdump on the relevant interface of the firewall?

> BTW, most internal machines are Windoze2000 or XP.
> There are one or two crazy people that run linux
> on their desktop (me included...) But I'm not too
> concerned, because I think the problem is in how the
> iptable rules are accepting requests on port 53, eth1
> (internal network) right?

Yes, this sounds like iptables isn't directly the problem.

--
FunkyJesus
System Administration Team
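As an added example, not part of this thread and not what either poster actually ran: a complete ruleset along the lines the reply suggests, plus a small awk summary of the kernel LOG lines you would then follow in /var/log/messages. It assumes eth0 is the cable-modem side and eth1 the internal network, as in Paul's layout; the FW-*-DROP log prefixes, the choice of ssh on port 22 from the inside only, and the sample log lines are constructed for illustration. By default the script only prints the commands; set IPT=iptables and run it as root to apply them. The BIND query-source/notify-source/transfer-source settings from the reply are a named.conf change and are not shown here.

```shell
#!/bin/sh
# Added example (not from the thread). Dry run by default: prints the
# iptables commands. Run with IPT=iptables as root to actually apply them.
IPT="${IPT:-echo iptables}"
EXT=eth0   # assumption: outside (cable modem)
INT=eth1   # assumption: inside network

firewall_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback both ways.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies to connections this box opened (e.g. the forwarded DNS
    # lookups BIND sends to the ISP's servers) must be allowed back IN,
    # and with a DROP policy on OUTPUT the outbound side needs the same.
    # OUTPUT has no input interface, so an interface match there is -o.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections the firewall itself makes, on either side.
    $IPT -A OUTPUT -o "$EXT" -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$INT" -m state --state NEW -j ACCEPT

    # Internal clients may reach DNS and ssh on the firewall, only via eth1.
    $IPT -A INPUT -i "$INT" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$INT" -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$INT" -p tcp --dport 22 -j ACCEPT

    # Anything sourced inside may go out; NAT it on the way.
    $IPT -A FORWARD -i "$INT" -o "$EXT" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT" -j MASQUERADE

    # Log (rate-limited) what the DROP policies are about to eat, with a
    # prefix to grep for in /var/log/messages.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-OUT-DROP: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "

    if [ "$IPT" = iptables ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Constructed sample of what the LOG target writes to /var/log/messages
# (same field layout as ipt_LOG; addresses and ports are made up).
SAMPLE_LOG='May 15 01:56:02 fw kernel: FW-OUT-DROP: IN= OUT=eth0 SRC=24.0.0.5 DST=24.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=32801 DPT=53 LEN=40
May 15 01:56:03 fw kernel: FW-OUT-DROP: IN= OUT=eth0 SRC=24.0.0.5 DST=24.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=32802 DPT=53 LEN=40
May 15 01:56:09 fw kernel: FW-IN-DROP: IN=eth1 OUT= SRC=192.168.1.20 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=3 DF PROTO=TCP SPT=1029 DPT=22 WINDOW=16384 SYN
May 15 01:56:12 fw kernel: FW-IN-DROP: IN=eth0 OUT= SRC=1.2.3.4 DST=24.0.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=4 PROTO=TCP SPT=4444 DPT=23 SYN'

# Read log lines on stdin; count dropped packets per chain prefix,
# interfaces, protocol and destination port. The first row after running
# the sample through it is the one that answers Paul's question: the
# firewall's own DNS queries leaving eth0 are what the OUTPUT policy drops.
drop_summary() {
    awk '
    /FW-(IN|OUT|FWD)-DROP:/ {
        pfx = ""; in_if = ""; out_if = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^FW-.*-DROP:$/)  pfx    = $i
            else if ($i ~ /^IN=/)     in_if  = substr($i, 4)
            else if ($i ~ /^OUT=/)    out_if = substr($i, 5)
            else if ($i ~ /^PROTO=/)  proto  = substr($i, 7)
            else if ($i ~ /^DPT=/)    dpt    = substr($i, 5)
        }
        count[pfx " in=" in_if " out=" out_if " " proto "/" dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

firewall_rules
printf '%s\n' "$SAMPLE_LOG" | drop_summary
```

On a live box, replace the sample with tail -f /var/log/messages | drop_summary (or grep FW- first); a row like "FW-OUT-DROP: in= out=eth0 UDP/53" is exactly the symptom the missing OUTPUT ESTABLISHED,RELATED rule produces.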
