Hi,
On Wed, Oct 27, 2010 at 19:32, Hayward, Bruce
<[email protected]> wrote:
> Hi
>
> Would then:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 53 -j REDIRECT --to-port 49152
I think so, but it's a long time since I had to use iptables.
> regardless of IP address direct any ip hitting port 53 to redirect to port
> 49152?
>
> Also do not see the port showing up with the netstat regardless of options -
> does unbound not open that port when configured?
Try: netstat -tnlp and -unlp and if the port doesn't show up then
check the logs. (Well, check the log file anyway as a first thing when
something doesn't work as expected...)
r...@ookami:~# netstat -tnlp | grep unbound
tcp        0      0 127.0.0.1:53     0.0.0.0:*   LISTEN   1715/unbound
tcp        0      0 127.0.0.1:953    0.0.0.0:*   LISTEN   1715/unbound
tcp6       0      0 ::1:53           :::*        LISTEN   1715/unbound
tcp6       0      0 ::1:953          :::*        LISTEN   1715/unbound
r...@ookami:~# netstat -anlp | grep unbound
tcp        0      0 127.0.0.1:53     0.0.0.0:*   LISTEN   1715/unbound
tcp        0      0 127.0.0.1:953    0.0.0.0:*   LISTEN   1715/unbound
tcp6       0      0 ::1:53           :::*        LISTEN   1715/unbound
tcp6       0      0 ::1:953          :::*        LISTEN   1715/unbound
udp        0      0 127.0.0.1:53     0.0.0.0:*            1715/unbound
udp6       0      0 ::1:53           :::*                 1715/unbound
unix  3      [ ]         STREAM     CONNECTED     9599     1715/unbound
unix  3      [ ]         STREAM     CONNECTED     9598     1715/unbound
unix  2      [ ]         DGRAM                    9586     1715/unbound
> -----Original Message-----
> From: Ondřej Surý [mailto:[email protected]]
> Sent: October 27, 2010 12:22 PM
> To: Hayward, Bruce
> Cc: [email protected]
> Subject: Re: [Unbound-users] Unbound and Bind Views
>
> On Wed, Oct 27, 2010 at 19:14, Hayward, Bruce
> <[email protected]> wrote:
>> Hi
>>
>> I've been hammering my way through this.
>>
>> The tool that I have on the RHEL servers is iptables (not something that we
>> normally use)
>>
>> I have figured out enough to know that I cannot use port forwarding as this
>> is to localhost, but must use the port redirect option, e.g.
>> iptables -t nat -A PREROUTING -p tcp -d 142.161.130.xxx --dport 53 -j REDIRECT --to-ports 49152
>> iptables -t nat -A PREROUTING -p udp -d 142.161.130.xxx --dport 53 -j REDIRECT --to-ports 49152
>>
>> Means if 142.161.130.xxx connects to port 53 of this server, then it will
>> actually be connected to 49152
>
> I think you need -s 142... and not -d 142... here. -s is source
> address, -d is destination address.
>
>> And in the unbound.conf file I have setup
>> interface: 142.161.130....@49152
>> interface: 142.161.130....@49152
>> interface: 127.0....@53
>> interface: 127.0....@49152
>>
>> When I do a netstat -na|grep -i listen - I do not see the port 49152
>> listening.
>
>> What am I missing?
>
> -l switch to netstat.
>
>> Bruce
>>
>> Bruce Hayward, MTS Allstream Inc., (p) 204-958-1983 (e)
>> [email protected]
>>
>>
>> -----Original Message-----
>> From: Ondřej Surý [mailto:[email protected]]
>> Sent: October 25, 2010 8:33 AM
>> To: Hayward, Bruce
>> Cc: [email protected]
>> Subject: Re: [Unbound-users] Unbound and Bind Views
>>
>> Hi Bruce,
>>
>> it should be fairly easy to accomplish both options using DNAT on Linux
>> (or using other translation mechanisms either on the router or on the
>> end box).
>>
>> e.g. on Linux you can use:
>>
>> - 10.10.10.1 is the normal address
>> - 10.10.10.2 is an extra address you use to serve internal clients (can
>> be localhost if NATed on the box)
>> - 192.168.1.1/32 is the specific CIDR
>>
>> iptables -t nat -A PREROUTING -s 192.168.1.1/32 -d 10.10.10.1 -j DNAT --to-destination 10.10.10.2
>>
>> If you do the NAT on the router before, it has the added benefit of
>> splitting the load (so you can provide less loaded service to your
>> customers... etc.)
>>
>> Ondrej
>>
>> On Mon, Oct 25, 2010 at 15:18, Hayward, Bruce
>> <[email protected]> wrote:
>>> Hey
>>>
>>> On specific resolvers we use bind views to direct those who come from an IP
>>> in a specific CIDR to use a specific zone. We have two cases of these
>>> views.
>>>
>>> We also use views to isolate those that should only use internal zones
>>> versus those that should not use internal zones (external customers)
>>>
>>> Those that do not come from an IP in a specific CIDR use a global zone.
>>>
>>> "Views" were introduced in Bind 9.
>>>
>>> http://oreilly.com/pub/a/oreilly/networking/news/views_0501.html
>>>
>>> Bruce
>>>
>>> Bruce Hayward, MTS Allstream Inc., (p) 204-958-1983 (e)
>>> [email protected]
>>>
>>>
>>> -----Original Message-----
>>> From: [email protected]
>>> [mailto:[email protected]] On Behalf Of Ondrej Surý
>>> Sent: October 21, 2010 9:52 AM
>>> To: [email protected]
>>> Subject: Re: [Unbound-users] Unbound and Bind Views
>>>
>>> Hey Bruce,
>>>
>>> I think that it's pretty well documented in the mail you sent a
>>> link to... you set up two unbound instances and mangle the traffic from
>>> a set of IP addresses using the standard firewall/NAT features your
>>> operating system has.
>>>
>>> Anyway, maybe if you can explain what you are trying to accomplish then
>>> we can propose an alternative without views.
>>>
>>> Ondrej
>>>
>>> On Thu, Oct 21, 2010 at 15:32, Hayward, Bruce
>>> <[email protected]> wrote:
>>>>
>>>> One area of Bind that we use is views to direct traffic.
>>>>
>>>> Before we can switch to Unbound, we would need a means of emulating
>>>> views.
>>>>
>>>> In researching this (on Google) I came across a thread discussing this:
>>>> http://www.mail-archive.com/[email protected]/msg00337.html
>>>>
>>>> Has anyone documented steps to accomplish this?
>>>>
>>>> Thanks
>>>>
>>>> Bruce
>>>>
>>>> Bruce Hayward, MTS Allstream Inc., (p) 204-958-1983 (e)
>>>> [email protected]
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Unbound-users mailing list
>>>> [email protected]
>>>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>>>
>>>
>>>
>>> --
>>> Ondřej Surý <[email protected]>
>>>
>>>
>>
>>
>>
>> --
>> Ondřej Surý <[email protected]>
>>
>
>
>
> --
> Ondřej Surý <[email protected]>
>
--
Ondřej Surý <[email protected]>
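Putting the thread's pieces together in one place, as an added example that is not code from the list, from Bruce or Ondřej, or from the Unbound project: a second unbound instance on a high port serves the "internal view", nat/PREROUTING REDIRECT rules steer port-53 queries from the internal CIDR to it, and the alternate port is closed to everyone else. The address 10.10.10.1, the CIDR 192.168.1.0/24, port 49152, the zone corp.example, the record 192.168.1.10 and the sample netstat listing are all assumptions made up for illustration; nothing is applied to a live firewall unless the script is run as root with APPLY=1.

```sh
#!/bin/sh
# Added example for this thread (not code from the list or from Unbound):
# emulate a BIND "view" with a second unbound instance plus netfilter rules.
# Every address, CIDR, port and zone below is an assumption for illustration.
PUB="${PUB:-10.10.10.1}"                 # address clients send queries to
INT_CIDR="${INT_CIDR:-192.168.1.0/24}"   # clients that should get the internal view
INT_PORT="${INT_PORT:-49152}"            # port the internal unbound instance listens on

# nat/PREROUTING rules that steer port-53 queries from INT_CIDR to the
# internal instance. Match on the SOURCE (-s): -d alone would redirect every
# client, which is the mistake discussed in the thread. Both transports are
# needed because resolvers fall back to TCP on truncated answers.
view_nat_rules() {
  for proto in udp tcp; do
    printf 'iptables -t nat -A PREROUTING -s %s -d %s -p %s --dport 53 -j REDIRECT --to-ports %s\n' \
      "$INT_CIDR" "$PUB" "$proto" "$INT_PORT"
  done
}

# REDIRECT only rewrites packets aimed at :53. Nothing stops an outside client
# from querying :INT_PORT directly and reading the internal view, so the
# alternate port has to be closed to everyone else in the filter table.
view_filter_rules() {
  for proto in udp tcp; do
    printf 'iptables -A INPUT -s %s -d %s -p %s --dport %s -j ACCEPT\n' \
      "$INT_CIDR" "$PUB" "$proto" "$INT_PORT"
    printf 'iptables -A INPUT -d %s -p %s --dport %s -j DROP\n' \
      "$PUB" "$proto" "$INT_PORT"
  done
}

# unbound.conf for the internal instance. access-control repeats the firewall
# restriction inside unbound (the most specific prefix wins), so the view
# still holds if a firewall rule goes missing. Zone name and data are made up.
internal_unbound_conf() {
  cat <<EOF
server:
    interface: ${PUB}@${INT_PORT}
    interface: 127.0.0.1@${INT_PORT}
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ${INT_CIDR} allow
    local-zone: "corp.example." static
    local-data: "intranet.corp.example. IN A 192.168.1.10"
EOF
}

# Verification helper for the "49152 does not show up" step: reads
# netstat -tunlp output on stdin and succeeds if some tcp/udp socket has a
# local address ending in :PORT (ss output has a different column layout).
port_listening() {
  grep -Eq "^(tcp|udp)6?[[:space:]]+[0-9]+[[:space:]]+[0-9]+[[:space:]]+[^[:space:]]+:$1[[:space:]]"
}

# Constructed sample listing, shaped like the output quoted in the thread.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:53     0.0.0.0:*   LISTEN   1715/unbound
tcp6       0      0 ::1:953          :::*        LISTEN   1715/unbound
udp        0      0 127.0.0.1:53     0.0.0.0:*            1715/unbound'

if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
  view_nat_rules | sh          # apply for real only when asked and root
  view_filter_rules | sh
else
  view_nat_rules               # dry run: show what would be applied
  view_filter_rules
  internal_unbound_conf
  if printf '%s\n' "$SAMPLE_NETSTAT" | port_listening "$INT_PORT"; then
    echo "sample: $INT_PORT is listening"
  else
    echo "sample: $INT_PORT is NOT listening, check the interface: lines and unbound's log"
  fi
fi
```

Two caveats worth keeping in mind with this layout: REDIRECT in nat/PREROUTING only sees packets arriving from the network, so queries originating on the resolver box itself go through nat/OUTPUT and are not steered; and the INPUT rules plus access-control are what actually enforce the "view", because without them any client can skip the redirect and ask port 49152 directly.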