> On Tue, Feb 19, 2002 at 11:07:37PM +0100, Joffer wrote:
> > I'm building a firewall script with iptables v1.2.5 and kernel 2.4.17,
> > patched with ulog and string, among other things besides the standard
> > patches in iptables. At this point (my 10th rebuild of this script or so...
> > lost count) I've got a strange problem.
> >
> > My firewall/router box is also running as a DNS Cache for my lan and dmz. It
> > has 3 nics, eth0 (lan) eth1 (dmz) eth2 (inet).
> >
> > After I add DNS access to my OUTPUT chain, I'm not able to list the
> > iptables. Well, the TCP rule is ok, but as soon as I enable the UDP rule,
> > I'm not allowed to list (iptables -L), or it takes at least 5 minutes
> > between each line. If I disable the UDP rule, I get the list in like a
> > second or two.
>
> You can get around that by typing "iptables -L -n" to tell it not to
> resolve IP addresses.
>
> If you put a '-j LOG --log-prefix "DROP"' at the end of your iptables
> script you can look through syslog to see what packets are being
> dropped. Then pull out those ones and explicitly list them out in the
> firewall script.
>
> Chris
'-n' worked fine. But why would I suddenly need '-n'? I'm not using any outside domain names or IP addresses in my rules, so there shouldn't be much to resolve. Those few hosts on my LAN are listed in /etc/hosts anyway. And why does this occur only when I enable the UDP (which I need for DNS traffic)? If I enable UDP and disable TCP I'm also forced to use '-n'. I also think I've had both in my rules on other occasions/scripts I've made. I just find it strange.

I did a bit more digging before I sent this, and added the same rules to the INPUT chain:

$IPTABLES -A INPUT -p TCP -i $LAN_INTERFACE -s $LAN_IP_RANGE --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $LAN_INTERFACE -s $LAN_IP_RANGE --dport 53 -j ACCEPT

This worked like a charm. (DNS rule in OUTPUT was disabled.) I didn't need the '-n' switch now. Why?? This is a big mystery to me.

Reenabling DNS on OUTPUT chain, and removing all -j DROP rules from the script, and also removing the DROP policy, didn't do any good. With all the DENY gone, my box is completely open, but still this one line per 5 minutes or so.

Is this a bug in the iptables perhaps?

/Christopher
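As an added example (not code from either poster), a small Python script that does the triage Chris suggests: it reads syslog lines written by a trailing '-j LOG --log-prefix "DROP: "' rule, aggregates the dropped flows per chain, interface, protocol, destination and port, and renders each as an explicit iptables rule for the operator to review before putting it in the firewall script. The syslog lines and the "DROP: " prefix (with a trailing space so it does not run into the IN= field) are constructed samples.

```python
import re
from collections import Counter
# Constructed sample syslog lines (not from the thread) in the netfilter LOG format,
# as written by a rule such as '-j LOG --log-prefix "DROP: "'.
SAMPLE_SYSLOG = """\
Feb 20 00:12:01 fw kernel: DROP: IN= OUT=eth2 SRC=192.168.1.1 DST=10.0.0.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1025 DPT=53 LEN=40
Feb 20 00:12:02 fw kernel: DROP: IN= OUT=eth2 SRC=192.168.1.1 DST=10.0.0.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1026 DPT=53 LEN=40
Feb 20 00:12:05 fw kernel: DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.10 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=33000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 20 00:12:07 fw kernel: DROP: IN=eth2 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=1
Feb 20 00:12:09 fw kernel: eth2: link up
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_drops(text, prefix="DROP: "):
    """Return one dict of KEY=value fields per LOG line carrying the given prefix."""
    marker = "kernel: " + prefix
    drops = []
    for line in text.splitlines():
        if marker in line:
            # keys repeated on one line (LEN, ID) keep the last value; fine for triage
            drops.append(dict(FIELD_RE.findall(line.split(marker, 1)[1])))
    return drops

def summarize(drops):
    """Count dropped flows by (chain, interface, proto, dst, dport).
    OUT set with IN empty: locally generated (OUTPUT); both set: FORWARD; else INPUT."""
    counts = Counter()
    for f in drops:
        if f.get("IN") and f.get("OUT"):
            chain = "FORWARD"
        elif f.get("OUT"):
            chain = "OUTPUT"
        else:
            chain = "INPUT"
        iface = f.get("OUT") or f.get("IN")
        counts[(chain, iface, f["PROTO"], f["DST"], f.get("DPT"))] += 1  # DPT None for ICMP
    return counts

def suggest_rules(counts):
    """Render each dropped flow as an explicit iptables rule, most frequent first, for review."""
    rules = []
    for (chain, iface, proto, dst, dport), n in counts.most_common():
        flag = "-i" if chain == "INPUT" else "-o"
        rule = f"-A {chain} {flag} {iface} -p {proto.lower()} -d {dst}"
        if dport:
            rule += f" --dport {dport}"
        rules.append(f"{rule} -j ACCEPT  # seen {n}x")
    return rules
```

Run it against a real syslog (e.g. `suggest_rules(summarize(parse_drops(open("/var/log/messages").read())))`) and add only the candidates you recognise as wanted traffic, such as the DNS cache's UDP port 53 queries leaving eth2.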