Good day, Kendall,

On Fri, 31 Jul 1998, Kendall Koning wrote:

> I am having problems with DNS from behind a box doing IP-Masquerading.  I
> can telnet out to the internet (from a client behind the box) using IP
> addresses, but DNS seems to hang.
> 
> These are the commands I am giving to ipfwadm
> 
> [root@cci1 linux-2.0.32]# ipfwadm -F -a masquerade -S 10.0.0.0/8
> -D0.0.0.0/0 -P tcp
> [root@cci1 linux-2.0.32]# ipfwadm -F -a masquerade -S 10.0.0.0/8
> -D0.0.0.0/0 -P udp
> [root@cci1 linux-2.0.32]# ipfwadm -F -l
> IP firewall forward rules, default policy: accept/masquerade
> type  prot source               destination          ports
> acc/m tcp  10.0.0.0/8           anywhere             any -> any
> acc/m udp  10.0.0.0/8           anywhere             any -> any
> [root@cci1 linux-2.0.32]#

        Awwwwww sugar!  I just spent the last half hour writing the text
below, then went back to your original message and think I _may_ have
found the mistake.  On the off chance I didn't, I'm leaving my
troubleshooting tips attached.
        The problem may be your policy.  It should be either accept, deny,
or reject, but _not_ accept/masquerade.  If forwarding is acc/m,
everything that needs to pass through the firewall, _in_ _either_
_direction_, will get masqueraded.  Masquerading is used for replacing
private IP addresses with public, not the other way around.
        I give it an 80% chance that if you replace your
ipfwadm -F -p masquerade
        with
ipfwadm -F -p deny
        the problem will go away.

        Hmmm... the answer doesn't [ed: didn't :-)] leap out at me, but
here are a few possibilities. 
        First off, try adding
ipfwadm -F -i masquerade -S 10.0.0.0/8 -D0.0.0.0/0 53 -P udp
ipfwadm -F -i masquerade -S 10.0.0.0/8 -Dmy.isps.name.server.ip.address/32 53 -P udp
        These rules will be at the top of the list so you can see whether
you are sending requests to your isp's name server or any nameserver,
respectively.  Once the problem is resolved, these can be taken out.

        1) Check to make sure that your client machines are set to use
your isp's name servers (run winipcfg for W95, cat /etc/resolv.conf for
*nix) 

        2) Use nslookup from the firewall.  Try nslookup
>server my.isps.name.server.ip.address
>www.whitehouse.gov
>exit
        Any results?  If you can't do the lookup from the firewall
machine, masquerading is not your problem.
        Now use nslookup from a machine _behind_ the firewall.  Do the
above test.  Any results?  

        3) Use the statistics feature of ipfwadm.  Try 
ipfwadm -F -l -e -n
        then ping a name you haven't looked up before (I usually use
www.state.ga.us, then for the next test just replace ga with some other
two-letter state abbreviation; this gives me 50 before I have to think of
another scheme), then run
ipfwadm -F -l -e -n
        again.  Have the stats for those first two rules gone up?  They
should have with the dns lookup.
        The ping itself may not work; see below.

        4) Perhaps you can get a better picture of what's actually
happening with tcpdump.  Try
tcpdump -i eth0 -n -q -t udp port 53
        and
tcpdump -i eth1 -n -q -t udp port 53
        in two separate windows on the firewall.  If everything is working
correctly you should see something like the following (I'm doing this
from memory, so there may be errors, firewall's public nic is
17.18.30.31, isp's name server is 17.18.19.20):

10.0.0.12:1302 > 17.18.19.20:53         request, on private net
17.18.30.31:64238 > 17.18.19.20:53      request, on public side
17.18.19.20:53 > 17.18.30.31:64238      reply, on public side
17.18.19.20:53 > 10.0.0.12:1302         reply, on private side
        How many of the above do you get?

        5) Do you have any input or output rules that might be blocking
dns?

        6) I'm hoping by now you've figured out the problem.  If not,
there is a fallback.  Run a nameserver on the firewall machine (install
the bind, bind-utils, and caching-nameserver packages on redhat if they're
not already installed and run "/etc/rc.d/init.d/named start").
        Tell your client machines to use 10.0.0.1 (or whatever your
private nic's ip address is) as their first nameserver.
        Using the firewall as a nameserver will make the above symptom
(can't do dns lookups) go away, but won't make the above _problem_
go away.  If you don't fix the problem, it may resurface in a different
protocol.  

        Once the problem is solved, I would leave the firewall nameserver
in (unless you're concerned about security holes in named, and there
have been some recently).  The name service caching will make your
Internet access seem more snappy.  

        On an unrelated issue, unless you have specific reasons why you
don't want to allow icmp, I would suggest replacing the two rules you have
for tcp and udp with a single rule that allows any ip protocol (tcp, udp,
and icmp):
ipfwadm -F -i masquerade -S 10.0.0.0/8 -D0.0.0.0/0
        ICMP is used to allow hosts to communicate about error conditions,
location changes, and allows hosts to ping each other.  Turning it off may
break ipv4 in strange ways, one of which might be the dns lookup problem
you have above.
        Check to see that your kernel supports ICMP masquerading; you can
find out from /usr/src/linux/.config if you're not sure.

        Please keep me posted on what you find.
        Cheers,
        - Bill

---------------------------------------------------------------------------
Unix _is_ user friendly.  It's just very selective about who its friends 
are.  And sometimes even best friends have fights.
William Stearns ([EMAIL PROTECTED])
Mason, buildkernel, and named2hosts are at: http://www.pobox.com/~wstearns
---------------------------------------------------------------------------
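The four-packet exchange sketched in points 3 and 4 above, as an added example that is not part of the original message: a small Python script that correlates `tcpdump -n -q -t` lines captured on the private and public interfaces, checks that masquerading rewrote the source to the firewall's public address on the way out and the destination back to the client's address and port on the way in, and reports the first missing stage together with the matching troubleshooting step from the list above. The addresses (10.0.0.12 as client, 17.18.30.31 as the firewall's public NIC, 17.18.19.20 as the ISP's name server) and the sample capture lines are constructed for the example; the line format is that of `tcpdump -n -q -t`, and the `host:port` shorthand used in the message is accepted as well.

```python
"""Correlate DNS packets captured on the private and public interfaces of a
masquerading firewall and report which stage of the four-packet exchange is
missing.  Example code added to this page, not from the original message."""
import ipaddress
import re

# Accepts "10.0.0.12.1302 > 17.18.19.20.53: udp 30" (tcpdump -n -q -t) and the
# "host:port > host:port" shorthand used in the message above.
_PKT = re.compile(r"(\d+(?:\.\d+){3})[.:](\d+)\s*>\s*(\d+(?:\.\d+){3})[.:](\d+)")

# Constructed sample captures (assumed addresses): 10.0.0.12 is a client,
# 17.18.30.31 the firewall's public NIC, 17.18.19.20 the ISP's name server.
PRIVATE_OK = [
    "10.0.0.12.1302 > 17.18.19.20.53: udp 30",   # stage 1: client query
    "17.18.19.20.53 > 10.0.0.12.1302: udp 110",  # stage 4: de-masqueraded reply
]
PUBLIC_OK = [
    "17.18.30.31.64238 > 17.18.19.20.53: udp 30",   # stage 2: masqueraded query
    "17.18.19.20.53 > 17.18.30.31.64238: udp 110",  # stage 3: reply to firewall
]

# Which troubleshooting step to try, keyed by the first stage that is absent.
HINTS = {
    1: "no query seen from the client: check its resolver (resolv.conf / winipcfg)",
    2: "query not masqueraded onto the public side: check the forward rules and "
       "their counters (ipfwadm -F -l -e -n)",
    3: "name server did not answer the firewall: repeat the lookup from the "
       "firewall itself with nslookup",
    4: "reply not passed back to the client: check input/output rules that might "
       "block port 53",
}

def parse(lines):
    """Return (src, sport, dst, dport) tuples for every line that looks like a packet."""
    pkts = []
    for line in lines:
        m = _PKT.search(line)
        if m:
            pkts.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return pkts

def diagnose(private_lines, public_lines, fw_public_ip, private_net, dns_port=53):
    """Return {'seen': [stages present], 'missing': first absent stage or None, 'hint': str}."""
    net = ipaddress.ip_network(private_net)
    priv, pub = parse(private_lines), parse(public_lines)

    def first(pkts, cond):
        return next((p for p in pkts if cond(*p)), None)

    seen = {}
    # Stage 1: query from a private address to port 53, seen on the private interface.
    seen[1] = first(priv, lambda s, sp, d, dp:
                    ipaddress.ip_address(s) in net and dp == dns_port)
    server = seen[1][2] if seen[1] else None
    # Stage 2: the same query after masquerading: source is now the firewall's
    # public address on a port the kernel picked; the destination is unchanged.
    seen[2] = first(pub, lambda s, sp, d, dp:
                    s == fw_public_ip and dp == dns_port and (server is None or d == server))
    masq_port = seen[2][1] if seen[2] else None
    # Stage 3: the reply must come back to that masqueraded port on the firewall.
    seen[3] = first(pub, lambda s, sp, d, dp:
                    d == fw_public_ip and sp == dns_port and (masq_port is None or dp == masq_port))
    # Stage 4: the firewall rewrites the destination back to the client's address and port.
    client = (seen[1][0], seen[1][1]) if seen[1] else None
    seen[4] = first(priv, lambda s, sp, d, dp:
                    sp == dns_port and ipaddress.ip_address(d) in net
                    and (client is None or (d, dp) == client))

    present = [n for n in (1, 2, 3, 4) if seen[n]]
    missing = next((n for n in (1, 2, 3, 4) if not seen[n]), None)
    hint = HINTS.get(missing, "all four stages present: DNS masquerading looks correct")
    return {"seen": present, "missing": missing, "hint": hint}

if __name__ == "__main__":
    print(diagnose(PRIVATE_OK, PUBLIC_OK, "17.18.30.31", "10.0.0.0/8"))
    # Same captures, but the reply never reaches the client: stage 4 is missing.
    print(diagnose(PRIVATE_OK[:1], PUBLIC_OK, "17.18.30.31", "10.0.0.0/8"))
```

To use it on a real box, write each tcpdump's output to a file (one per interface), read the lines back, and pass them as `private_lines` and `public_lines`; the stage that comes back as `missing` is the point at which the query or reply was lost, and the hint is the corresponding step from the list above.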
