Hi

On Fri, Mar 8, 2013, at 02:17 AM, Steven Carr wrote:
> Hi there!
>
> What tweaking did you need to do to NAT to get it to work? I'm still
> stuck with the problem and it's looking like it's either NAT or a
> fragmentation issue for me :(
I've multiple static IPs. DNS is not on the default IP; it's mapped inbound & outbound to another of the IPs. I'd neglected to make sure xfer access to/from the RPZ servers was set up for that IP. I use

  $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -m set --match-set DNSRPZ dst --dport 53 -j SNAT --to-source my.dns.WAN.ip
  $IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -m udp -m set --match-set DNSRPZ dst --dport 53 -j SNAT --to-source my.dns.WAN.ip
  $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp --dport 53 -j SNAT --to-source my.dns.WAN.ip
  $IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -m udp --dport 53 -j SNAT --to-source my.dns.WAN.ip
  $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -m set --match-set DNSRPZ src --dport 53 -j SNAT --to-source my.dns.WAN.ip
  $IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -m udp -m set --match-set DNSRPZ src --dport 53 -j SNAT --to-source my.dns.WAN.ip
  $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -s my.dns.LAN.ip --dport 53 -j SNAT --to-source my.dns.WAN.ip
  $IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -m udp -s my.dns.LAN.ip --dport 53 -j SNAT --to-source my.dns.WAN.ip

where "DNSRPZ" is a simple ipset containing the RPZ source IPs, (re)loaded as

  $IPSET -exist restore < /fw/ipsets/dnsrpz.ipset

and containing

  cat /fw/ipsets/dnsrpz.ipset
  create DNSRPZ hash:ip family inet hashsize 1024 maxelem 65536
  add DNSRPZ 199.168.90.51
  add DNSRPZ 199.168.90.52
  add DNSRPZ 199.168.90.53

hth.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
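Added example, not the poster's firewall script and not part of the original thread. It generates the same eight POSTROUTING SNAT rules from the message with a loop, renders the ipset restore file in the same layout, and checks each rule with `iptables -t nat -C` before appending it, so re-running the firewall script after a reload does not stack duplicate copies of every rule (plain `-A` on each run does). The interface name, the WAN/LAN addresses (RFC 5737 documentation ranges standing in for my.dns.WAN.ip / my.dns.LAN.ip) and the set name are placeholder assumptions, overridable from the environment.

```shell
#!/bin/sh
# Added example, not the original poster's script. Generates the eight SNAT rules
# from the post, renders the ipset restore file, and appends each rule only when
# "iptables -t nat -C" reports it absent, so repeated runs stay idempotent.
# Assumptions: interface, addresses and set name below are placeholders.

SET_NAME="${SET_NAME:-DNSRPZ}"
OUT_IF="${OUT_IF:-eth0}"
WAN_IP="${WAN_IP:-203.0.113.53}"   # placeholder for my.dns.WAN.ip
LAN_IP="${LAN_IP:-192.0.2.53}"     # placeholder for my.dns.LAN.ip
IPTABLES="${IPTABLES:-iptables}"

# Render an ipset restore file for the RPZ source addresses given as arguments,
# in the same layout as the poster's /fw/ipsets/dnsrpz.ipset.
render_ipset() {
    printf 'create %s hash:ip family inet hashsize 1024 maxelem 65536\n' "$SET_NAME"
    for ip in "$@"; do
        printf 'add %s %s\n' "$SET_NAME" "$ip"
    done
}

# The four match clauses from the post, one per line, in the post's order.
# The empty line is the unqualified "--dport 53" rule with no extra match.
dns_rule_matches() {
    printf '%s\n' \
        "-m set --match-set $SET_NAME dst" \
        "" \
        "-m set --match-set $SET_NAME src" \
        "-s $LAN_IP"
}

# Print one rule spec (everything after -A / -C) for a protocol and match clause.
dns_rule_spec() {
    proto="$1"
    match="$2"
    if [ -n "$match" ]; then
        match=" $match"
    fi
    printf 'POSTROUTING -o %s -p %s -m %s%s --dport 53 -j SNAT --to-source %s\n' \
        "$OUT_IF" "$proto" "$proto" "$match" "$WAN_IP"
}

# Print all eight rules: tcp then udp for each match clause.
dns_snat_rules() {
    dns_rule_matches | while IFS= read -r m; do
        for proto in tcp udp; do
            dns_rule_spec "$proto" "$m"
        done
    done
}

# Append each rule only if it is not already present; -C exits non-zero when
# the rule is missing, which is what makes this safe to re-run.
apply_dns_snat() {
    dns_snat_rules | while IFS= read -r spec; do
        # shellcheck disable=SC2086  # word splitting of $spec is intentional
        if "$IPTABLES" -t nat -C $spec 2>/dev/null; then
            echo "present: $spec"
        else
            "$IPTABLES" -t nat -A $spec
        fi
    done
}

# Usage: script show | script ipset IP... | script apply
case "${1:-}" in
    show)  dns_snat_rules ;;
    ipset) shift; render_ipset "$@" ;;
    apply) apply_dns_snat ;;
esac
```

`show` prints the rules without touching the kernel, which is the easiest way to diff them against `iptables -t nat -S POSTROUTING` on the box. Two things worth noticing while doing that: all eight rules SNAT to the same address, and the two unqualified `--dport 53` rules already match everything the ipset-qualified ones do (the generator keeps the poster's full set so the output lines up with the message); and `ipset -exist restore` adds entries but never removes stale ones, so if the RPZ provider changes addresses, restore into a fresh set and `ipset swap` it in rather than relying on `-exist` alone.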