Hi Mikkel
I tried a number of things but still couldn't get it to work. It works
fine if I use port 53 on the internal server, but I'm already using that
for an internal DNS server.
I am not denying ports above 1024 in my current ruleset. I tried adding
the rules below (but inserted them at the beginning of each chain), with no
change. Since replies to other outgoing requests get masqueraded properly,
I don't see why the DNS forwarder requests don't. Again, lookups for my
own domains work fine.
I also don't see why lookups failed from a masqueraded client when the DNS
server was on the firewall itself.
Oh, and I found one other problem while playing - from the firewall itself,
it couldn't connect to the DNS server using the external IP. Maybe this is
part of the problem?
At this point I think I'm going to put it on the firewall or another box
(unless you have any other suggestions).
On Sun, 31 Dec 2000, Mikkel L. Ellertson wrote:
> On Sun, 31 Dec 2000, Charles Galpin wrote:
>
> > Hi Mikkel
> >
> > On Sun, 31 Dec 2000, Mikkel L. Ellertson wrote:
> > > What do your firewall rules for port 53 look like,
> >
> > Ok, this is (effectively) what my firewall does (I cut out the chaff)
> >
> > $IPCHAINS -I input 1 -i $LOCALIF -y -p TCP --destination-port 53 -j ACCEPT
> > $IPCHAINS -I input 1 -i $LOCALIF -p UDP --destination-port 53 -j ACCEPT
> > $IPMASQADM portfw -a -P tcp -L $LOCALIP 53 -R 192.168.2.2 5553
> > $IPMASQADM portfw -a -P udp -L $LOCALIP 53 -R 192.168.2.2 5553
> >
> >
> Ok - I think I know what is happening. When you send out a request, the
> return comes back on port 53, but your firewall forwards it to port 5553
> on 192.168.2.2. But named is expecting the reply on port 53. What I
> would try is to comment out the "query-source address * port 53;" line
> again, and add some more rules to your firewall. Here is my section:
>
> # DNS server (53)
> # ---------------
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> --destination-port 53 -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> --source-port 53 \
> -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
> -s $IPADDR $UNPRIVPORTS \
> --destination-port 53 -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
> --source-port 53 \
> -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>
> $IPADDR is the IP for the firewall connection to the internet.
> $UNPRIVPORTS is "1024:65535"
>
> When you had it running on the firewall, I assume you had the
> port 53 forwarding rules turned off, so named could see the response on
> port 53.
Correct.
thanks
charles
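The four ipchains rules Mikkel quoted are stateless: each one matches on interface, protocol, source/destination port ranges and (for TCP input) the SYN flag, and ipchains takes the first matching rule. The model below is an added example, not code from this thread or from Red Hat; it reimplements just those fields with first-match semantics and a default policy of DENY, so you can see which packets the rules admit. $EXTERNAL_INTERFACE, $IPADDR and the upstream resolver address are constructed stand-ins. The last two sample packets show why the `! -y` matters (an inbound TCP connection sourced from port 53 is refused) and why a reply addressed to port 53 on the firewall, which is what `query-source port 53` produces, is not covered by these rules at all.

```python
"""First-match model of the ipchains DNS rules quoted in the thread (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

UNPRIVPORTS: Tuple[int, int] = (1024, 65535)  # Mikkel's $UNPRIVPORTS "1024:65535"
EXTERNAL_INTERFACE = "ppp0"       # assumed name standing in for $EXTERNAL_INTERFACE
IPADDR = "203.0.113.10"           # constructed stand-in for $IPADDR (firewall's external address)
RESOLVER = "198.51.100.53"        # constructed upstream resolver address


@dataclass(frozen=True)
class Packet:
    chain: str          # "input" or "output"
    iface: str
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. what ipchains "-y" matches


@dataclass(frozen=True)
class Rule:
    chain: str
    iface: str
    proto: str
    sport: Tuple[int, int]        # inclusive source-port range
    dport: Tuple[int, int]        # inclusive destination-port range
    target: str
    src: Optional[str] = None     # "-s" address, None = any
    dst: Optional[str] = None     # "-d" address, None = any
    syn: Optional[bool] = None    # True = "-y", False = "! -y", None = don't care

    def matches(self, p: Packet) -> bool:
        return (self.chain == p.chain and self.iface == p.iface
                and self.proto == p.proto
                and self.sport[0] <= p.sport <= self.sport[1]
                and self.dport[0] <= p.dport <= self.dport[1]
                and (self.src is None or self.src == p.src)
                and (self.dst is None or self.dst == p.dst)
                and (self.syn is None or self.syn == p.syn))


def verdict(rules, p: Packet) -> str:
    """ipchains semantics: first matching rule decides; otherwise the chain policy (DENY here)."""
    for r in rules:
        if r.matches(p):
            return r.target
    return "DENY"


P53 = (53, 53)
# The four rules from Mikkel's "DNS server (53)" section, in the order he appends them.
DNS_RULES = [
    Rule("output", EXTERNAL_INTERFACE, "tcp", UNPRIVPORTS, P53, "ACCEPT", src=IPADDR),
    Rule("input", EXTERNAL_INTERFACE, "tcp", P53, UNPRIVPORTS, "ACCEPT", dst=IPADDR, syn=False),
    Rule("output", EXTERNAL_INTERFACE, "udp", UNPRIVPORTS, P53, "ACCEPT", src=IPADDR),
    Rule("input", EXTERNAL_INTERFACE, "udp", P53, UNPRIVPORTS, "ACCEPT", dst=IPADDR),
]


def dns_examples() -> dict:
    """Constructed packets run through the rules; returns name -> verdict."""
    ext = EXTERNAL_INTERFACE
    return {
        # named querying from an unprivileged source port, and the reply coming back
        "udp query out": verdict(DNS_RULES, Packet("output", ext, "udp", IPADDR, 33001, RESOLVER, 53)),
        "udp reply in": verdict(DNS_RULES, Packet("input", ext, "udp", RESOLVER, 53, IPADDR, 33001)),
        "tcp syn out": verdict(DNS_RULES, Packet("output", ext, "tcp", IPADDR, 40001, RESOLVER, 53, syn=True)),
        "tcp reply in": verdict(DNS_RULES, Packet("input", ext, "tcp", RESOLVER, 53, IPADDR, 40001, syn=False)),
        # an inbound connection attempt that merely uses source port 53: "! -y" keeps it out
        "tcp syn in from 53": verdict(DNS_RULES, Packet("input", ext, "tcp", RESOLVER, 53, IPADDR, 40001, syn=True)),
        # a reply aimed at port 53 on the firewall (what query-source port 53 causes): not admitted
        "udp reply to port 53": verdict(DNS_RULES, Packet("input", ext, "udp", RESOLVER, 53, IPADDR, 53)),
    }


if __name__ == "__main__":
    for name, v in dns_examples().items():
        print(f"{name:24s} -> {v}")
```

Run it as a script to print the six verdicts. The two DENY results are the point of the thread: with the reply arriving at destination port 53, neither of these accept rules applies, and on Charles' box the portfw rule would hand that packet to 192.168.2.2:5553 instead of to the port named was actually waiting on.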
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list