Have you already stopped the iptables rules to check if all works fine? I suppose that the nameserver definition in /etc/resolv.conf is correct... check this.
And.... a helpful application for you is "iptraf", with which you can filter any traffic to solve the problem. The mailserver is up and running on the same machine, right? If "yes", your rules must be added for/from the loopback interface too (if your INPUT/OUTPUT policies are to DROP). And.... what are your default policies for the firewall?

On Thu, 2003-08-21 at 17:15, George Nicholls wrote:
> Dear Listies,
>
> I have an issue with a rule set on iptables. I am confident that my issue
> is with IPtables and not some other app, as I have run tests to isolate
> the problem.
>
> I have a mail server (Postfix) running on RH9 with iptables at the
> front. My mail fails because the server cannot resolve host names
> (lookups).
>
> Here is a snip from my firewall ruleset concerning DNS. My ruleset has
> some definitions, then DNS is the first 'real' ruleset after the obvious
> silly/devious packets.
>
> I have run netstat and the connection from my $IPADDR to $NAMESERVER is
> established with the ports as given in the rule. There is no response,
> i.e. host unknown.
>
> Any help??:-)
>
> TIA
>
> G
>
> ###############################################################
> # DNS Name Server
>
> # DNS Forwarding Name Server or client requests
>
> if [ "$CONNECTION_TRACKING" = "1" ]; then
>     /sbin/iptables -A OUTPUT -o $INTERNET -p udp \
>         -s $IPADDR --sport $UNPRIVPORTS \
>         -d $NAMESERVER --dport 53 \
>         -m state --state NEW -j ACCEPT
> fi
>
> /sbin/iptables -A OUTPUT -o $INTERNET -p udp \
>     -s $IPADDR --sport $UNPRIVPORTS \
>     -d $NAMESERVER --dport 53 -j ACCEPT
>
> /sbin/iptables -A INPUT -i $INTERNET -p udp \
>     -s $NAMESERVER --sport 53 \
>     -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
>
> #...............................................................
> # TCP is used for large responses
>
> if [ "$CONNECTION_TRACKING" = "1" ]; then
>     /sbin/iptables -A OUTPUT -o $INTERNET -p tcp \
>         -s $IPADDR --sport $UNPRIVPORTS \
>         -d $NAMESERVER --dport 53 \
>         -m state --state NEW -j ACCEPT
> fi
>
> /sbin/iptables -A OUTPUT -o $INTERNET -p tcp \
>     -s $IPADDR --sport $UNPRIVPORTS \
>     -d $NAMESERVER --dport 53 -j ACCEPT
>
> /sbin/iptables -A INPUT -i $INTERNET -p tcp ! --syn \
>     -s $NAMESERVER --sport 53 \
>     -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
>
> #...............................................................
> # DNS Caching Name Server (local server to primary server)
>
> if [ "$CONNECTION_TRACKING" = "1" ]; then
>     /sbin/iptables -A OUTPUT -o $INTERNET -p udp \
>         -s $IPADDR --sport 53 \
>         -d $NAMESERVER --dport 53 \
>         -m state --state NEW -j ACCEPT
> fi
>
> /sbin/iptables -A OUTPUT -o $INTERNET -p udp \
>     -s $IPADDR --sport 53 \
>     -d $NAMESERVER --dport 53 -j ACCEPT
>
> /sbin/iptables -A INPUT -i $INTERNET -p udp \
>     -s $NAMESERVER --sport 53 \
>     -d $IPADDR --dport 53 -j ACCEPT
> --
> Regards,
> ______________________________________________________________________
>
> George Nicholls
> +27 (0) 833 272 995 Fax +27(0) 11 462 5868
>
> Pasco Risk Consultants (Pty) Ltd
> P.O. Box 789 Douglasdale 2165 South Africa

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
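As an added example (not code from either poster), a small POSIX sh helper for the two checks the reply points at: whether every nameserver in resolv.conf is one the `-d $NAMESERVER` OUTPUT rules actually allow, and the loopback rules a DROP policy needs. The `IPTABLES` variable, the `--demo` switch and the sample resolv.conf addresses are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks behind the reply's advice:
# (1) every nameserver the resolver actually uses must be one the OUTPUT rules
#     allow (the quoted rules only match -d $NAMESERVER), and
# (2) with DROP policies, traffic on the loopback interface needs its own rules.
# IPTABLES is an assumed variable; set IPTABLES=echo for a dry run.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Print the nameserver addresses in a resolv.conf file, one per line.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "${1:-/etc/resolv.conf}"
}

# Print each resolver address absent from the allowed list ($2, space separated).
# Returns 0 when every resolver is covered by the ruleset, 1 otherwise.
unallowed_nameservers() {
    rc=0
    for ns in $(resolv_nameservers "$1"); do
        case " $2 " in
            *" $ns "*) ;;
            *) echo "$ns"; rc=1 ;;
        esac
    done
    return $rc
}

# Accept everything on lo in both directions; with INPUT/OUTPUT policies of
# DROP, a local caching named or Postfix talking to 127.0.0.1 is otherwise cut off.
loopback_rules() {
    "$IPTABLES" -A INPUT  -i lo -j ACCEPT
    "$IPTABLES" -A OUTPUT -o lo -j ACCEPT
}

# Constructed resolv.conf (a local caching server plus a documentation address)
# written to a temp file so the checks can run without touching the real one.
sample_resolv() {
    f=$(mktemp)
    printf 'search example.net\nnameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$f"
    echo "$f"
}

# Dry run (`sh dns_fw_check.sh --demo`): reports 127.0.0.1 as not covered when
# only 192.0.2.53 is allowed, then echoes the loopback rules instead of applying them.
if [ "${1:-}" = "--demo" ]; then
    IPTABLES=echo
    f=$(sample_resolv)
    unallowed_nameservers "$f" "192.0.2.53" || echo "resolver(s) above are not allowed by the DNS rules"
    loopback_rules
    rm -f "$f"
fi
```

With a real resolv.conf, run `unallowed_nameservers /etc/resolv.conf "$NAMESERVER"` after sourcing the file; any address it prints is a resolver the quoted OUTPUT rules never match, so a DROP policy silently discards those queries.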