Just tried that for you...

# netstat -tnlp | grep unbound
tcp        0      0 127.0.0.1:953       0.0.0.0:*      LISTEN      3078/unbound
tcp        0      0 127.0.0.1:49152     0.0.0.0:*      LISTEN      3078/unbound
tcp6       0      0 ::1:953             :::*           LISTEN      3078/unbound
On Wed, Oct 27, 2010 at 19:32, Hayward, Bruce <[email protected]> wrote:
> Hi
>
> Would then:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 53 -j REDIRECT --to-port 49152
>
> regardless of IP address direct any IP hitting port 53 to redirect to port 49152?
>
> Also I do not see the port showing up with the netstat regardless of options -
> does unbound not open that port when configured?
>
> Thanks
>
> Bruce
>
> Bruce Hayward, MTS Allstream Inc., (p) 204-958-1983 (e) [email protected]
>
>
> -----Original Message-----
> From: Ondřej Surý [mailto:[email protected]]
> Sent: October 27, 2010 12:22 PM
> To: Hayward, Bruce
> Cc: [email protected]
> Subject: Re: [Unbound-users] Unbound and Bind Views
>
> On Wed, Oct 27, 2010 at 19:14, Hayward, Bruce <[email protected]> wrote:
>> Hi
>>
>> I've been hammering my way through this.
>>
>> The tool that I have on the RHEL servers is iptables (not something that we
>> normally use).
>>
>> I have figured out enough to know that I cannot use port forwarding as this
>> is to localhost, but must use the port redirect option, e.g.:
>>
>> iptables -t nat -A PREROUTING -p tcp -d 142.161.130.xxx --dport 53 -j REDIRECT --to-ports 49152
>> iptables -t nat -A PREROUTING -p udp -d 142.161.130.xxx --dport 53 -j REDIRECT --to-ports 49152
>>
>> Means if 142.161.130.xxx connects at port 53 of this server then it will
>> actually be connected to 49152.
>
> I think you need -s 142... and not -d 142... here. -s is source
> address, -d is destination address.
>
>> And in the unbound.conf file I have set up
>> interface: 142.161.130....@49152
>> interface: 142.161.130....@49152
>> interface: 127.0....@53
>> interface: 127.0....@49152
>>
>> When I do a netstat -na|grep -i listen - I do not see the port 49152
>> listening.
>>
>> What am I missing?
>
> -l switch to netstat.
>
>> Bruce
>>
>> Bruce Hayward, MTS Allstream Inc., (p) 204-958-1983 (e) [email protected]
>>
>>
>> -----Original Message-----
>> From: Ondřej Surý [mailto:[email protected]]
>> Sent: October 25, 2010 8:33 AM
>> To: Hayward, Bruce
>> Cc: [email protected]
>> Subject: Re: [Unbound-users] Unbound and Bind Views
>>
>> Hi Bruce,
>>
>> it should be fairly easy to accomplish both options using DNAT on Linux
>> (or using other translation mechanisms either on the router or on the
>> end box).
>>
>> f.e. on Linux you can use:
>>
>> - 10.10.10.1 is the normal address
>> - 10.10.10.2 is the extra address you use to serve internal clients (can
>>   be localhost if NATed on the box)
>> - 192.168.1.1/32 is the specific CIDR
>>
>> iptables -t nat -A PREROUTING -s 192.168.1.1/32 -d 10.10.10.1 -j DNAT --to-destination 10.10.10.2
>>
>> If you do the NAT on the router before, it has the added benefit of
>> splitting the load (so you can provide less loaded service to your
>> customers... etc.)
>>
>> Ondrej
>>
>> On Mon, Oct 25, 2010 at 15:18, Hayward, Bruce <[email protected]> wrote:
>>> Hey
>>>
>>> On specific resolvers we use bind views to direct those who come from an IP
>>> in a specific CIDR to use a specific zone. We have two cases of these
>>> views.
>>>
>>> We also use views to isolate those that should only use internal zones
>>> versus those that should not use internal zones (external customers).
>>>
>>> Those that do not come from an IP in a specific CIDR use a global zone.
>>>
>>> "Views" were introduced in Bind 9.
>>>
>>> http://oreilly.com/pub/a/oreilly/networking/news/views_0501.html
>>>
>>> Bruce
>>>
>>> Bruce Hayward, MTS Allstream Inc., (p) 204-958-1983 (e) [email protected]
>>>
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On Behalf Of Ondrej Surý
>>> Sent: October 21, 2010 9:52 AM
>>> To: [email protected]
>>> Subject: Re: [Unbound-users] Unbound and Bind Views
>>>
>>> Hey Bruce,
>>>
>>> I think that it's pretty well documented in the mail you sent a
>>> link to... you set up two unbound instances and mangle the traffic from a
>>> set of IP addresses using the standard firewall/NAT features your
>>> operating system has.
>>>
>>> Anyway, maybe if you can explain what you are trying to accomplish then
>>> we can propose an alternative without views.
>>>
>>> Ondrej
>>>
>>> On Thu, Oct 21, 2010 at 15:32, Hayward, Bruce <[email protected]> wrote:
>>>>
>>>> One area of Bind that we use is views to direct traffic.
>>>>
>>>> Before we can switch to Unbound, we would need a means of emulating
>>>> views.
>>>>
>>>> In researching this (on Google) I came across a thread discussing this:
>>>> http://www.mail-archive.com/[email protected]/msg00337.html
>>>>
>>>> Has anyone documented steps to accomplish this?
>>>>
>>>> Thanks
>>>>
>>>> Bruce
>>>>
>>>> Bruce Hayward, MTS Allstream Inc., (p) 204-958-1983 (e) [email protected]
>>>>
>>>> _______________________________________________
>>>> Unbound-users mailing list
>>>> [email protected]
>>>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>>>
>>> --
>>> Ondřej Surý <[email protected]>
>>
>> --
>> Ondřej Surý <[email protected]>
>
> --
> Ondřej Surý <[email protected]>

--
Ondřej Surý <[email protected]>
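The setup this thread converges on (a second unbound instance on an alternate port, PREROUTING REDIRECT rules keyed on the client's source CIDR rather than -d, both UDP and TCP, and a netstat -l check that the port is really bound), as an added example that is not part of the original thread. The function names view_rules, view_interfaces and listening, the client CIDR 192.168.1.0/24 and the server address 192.0.2.10 are assumed sample values; port 49152 is the one used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: emulate one BIND "view" on Linux by
# running a second unbound instance on an alternate port and REDIRECTing
# port-53 traffic from a client CIDR to it. Keyed on the *source* address
# (-s), not -d, and covering both UDP and TCP. CIDR/port/address values are
# assumed samples. Rules are only printed unless APPLY=1 is set.

# view_rules CIDR PORT: one PREROUTING REDIRECT rule per protocol.
# REDIRECT rewrites the destination to the primary address of the incoming
# interface, so the view instance must listen on that address at PORT.
view_rules() {
    cidr=$1; port=$2
    for proto in udp tcp; do
        rule="iptables -t nat -A PREROUTING -s $cidr -p $proto --dport 53 -j REDIRECT --to-ports $port"
        if [ "${APPLY:-0}" = 1 ]; then $rule; else echo "$rule"; fi
    done
}

# view_interfaces ADDR PORT: unbound.conf interface lines for the view
# instance (public address at PORT, plus localhost at PORT for local tests).
view_interfaces() {
    printf 'interface: %s@%s\ninterface: 127.0.0.1@%s\n' "$1" "$2" "$2"
}

# listening NETSTAT_OUTPUT PORT: succeed if some LISTEN socket is bound to
# PORT. NETSTAT_OUTPUT is the text of `netstat -tnlp`; the -l switch matters,
# without it listening sockets are not shown at all. Works for both
# 127.0.0.1:PORT and ::1:PORT by taking the text after the last colon.
listening() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $6 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit !found }'
}

# Stand-alone demo: emit the config and rules for one internal-client view.
view_interfaces 192.0.2.10 49152
view_rules 192.168.1.0/24 49152
```

Run with APPLY=1 as root to install the rules instead of printing them; the view instance must be started on port 49152 before clients in the CIDR are redirected, otherwise they get no answer at all.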
