On Monday 03 June 2002 10:09 pm, John Jones wrote:
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -p tcp -d 10.0.0.10 --dport 53 -j ACCEPT
> iptables -A FORWARD -p udp -d 10.0.0.10 --dport 53 -j ACCEPT
> iptables -t nat -I PREROUTING 1 -p tcp -d 66.38.133.120 --dport 53 -j
> DNAT --to 10.0.0.10:53
> iptables -t nat -I PREROUTING 1 -p udp -d 66.38.133.120 --sport 53 -j
> DNAT --to 10.0.0.10:53
If this is your entire ruleset, the problem is that your name server is going out to the Internet with a source address of 10.0.0.10, therefore nothing else can reply to it. (By the way, you should change that --sport in the last rule to --dport.)

Anyway, I'm happy to have a go at a ruleset for you, but please can you remind me exactly what you're trying to do? Looking back over the thread of this question, you've said you're trying to redirect DNS requests to a name server on the DMZ - is this DNS requests from machines on the internal LAN, or machines on the outside (or both)?

I'll assume for the moment you've got an internal LAN, a DMZ with a DNS server on it, and you want to make sure that all DNS requests from machines on the internal LAN get redirected to the DMZ DNS server, which can then go out to the Internet to resolve queries. If that's wrong, just let me know and I'll have another go.

iptables -A PREROUTING -t nat -i $LAN_IF -p tcp --dport 53 -j DNAT --to 10.0.0.10
iptables -A PREROUTING -t nat -i $LAN_IF -p udp --dport 53 -j DNAT --to 10.0.0.10

These two rules will catch all DNS lookups from internal machines and send them to the DNS server on 10.0.0.10.

iptables -A POSTROUTING -t nat -o $EXT_IF -j SNAT --to $EXT_IP

This rule will masquerade all your outgoing packets (from either the internal LAN or the DMZ) behind the external address of the firewall.

iptables -A FORWARD -i $LAN_IF -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -j ACCEPT

These two rules will forward all packets which come from either the internal LAN or the DMZ through the firewall (i.e. they will not allow packets which come from the external interface).

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

This will allow all replies through the box, no matter where they're from.

I think that should do it.

Antony.
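To make the two points in the reply concrete (the DMZ resolver leaving with a private source address because nothing SNATs it, and the --sport 53 match never firing on a client query), here is a small model of the two NAT hooks a forwarded packet passes through, PREROUTING for DNAT and POSTROUTING for SNAT. It is an added example written for this page, not code from the thread; the interface names (eth0, eth1, eth2), the client address 192.168.1.20 and the outside name server 203.0.113.53 are constructed, and the FORWARD filter chain and conntrack state are deliberately left out of the model.

```python
"""
Model of the netfilter nat table for a forwarded packet:
PREROUTING (DNAT) -> routing decision -> POSTROUTING (SNAT).
Added example; interface names and client/outside addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, replace

# Assumed interface names and the firewall's public address from the thread.
LAN_IF, DMZ_IF, EXT_IF = "eth1", "eth2", "eth0"
EXT_IP = "66.38.133.120"
DNS_SERVER = "10.0.0.10"


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str      # filled in by the routing decision; "local" = delivered to the firewall
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int


def rule(chain, target, to=None, **match):
    """One nat-table rule: chain, jump target, DNAT/SNAT address and the match options."""
    return {"chain": chain, "target": target, "to": to, "match": match}


# iptables match option -> Packet field (-i, -o, -p, -s, -d, --sport, --dport)
FIELDS = {"i": "in_if", "o": "out_if", "p": "proto", "s": "src",
          "d": "dst", "sport": "sport", "dport": "dport"}


def matches(pkt, match):
    return all(getattr(pkt, FIELDS[opt]) == want for opt, want in match.items())


def run_chain(pkt, rules, chain):
    """First matching rule in the chain wins, as in iptables; no match leaves the packet alone."""
    for r in rules:
        if r["chain"] == chain and matches(pkt, r["match"]):
            if r["target"] == "DNAT":
                host, _, port = r["to"].partition(":")
                return replace(pkt, dst=host, dport=int(port) if port else pkt.dport)
            if r["target"] == "SNAT":
                return replace(pkt, src=r["to"])
    return pkt


def forward(pkt, rules):
    """PREROUTING runs before the routing decision, POSTROUTING after it."""
    pkt = run_chain(pkt, rules, "PREROUTING")
    if pkt.dst == EXT_IP:
        out_if = "local"                      # addressed to the firewall itself (INPUT, not FORWARD)
    elif pkt.dst.startswith("10.0.0."):
        out_if = DMZ_IF                       # crude routing table: 10.0.0.0/24 is the DMZ
    else:
        out_if = EXT_IF                       # everything else goes out to the Internet
    pkt = replace(pkt, out_if=out_if)
    return run_chain(pkt, rules, "POSTROUTING")


# The nat rules quoted at the top of the thread (note --sport 53 on the udp rule).
ORIGINAL = [
    rule("PREROUTING", "DNAT", "10.0.0.10:53", p="tcp", d=EXT_IP, dport=53),
    rule("PREROUTING", "DNAT", "10.0.0.10:53", p="udp", d=EXT_IP, sport=53),
]

# Same rules with the --sport typo corrected to --dport, as the reply suggests.
ORIGINAL_FIXED = [
    ORIGINAL[0],
    rule("PREROUTING", "DNAT", "10.0.0.10:53", p="udp", d=EXT_IP, dport=53),
]

# The nat rules proposed in the reply.
PROPOSED = [
    rule("PREROUTING", "DNAT", DNS_SERVER, i=LAN_IF, p="tcp", dport=53),
    rule("PREROUTING", "DNAT", DNS_SERVER, i=LAN_IF, p="udp", dport=53),
    rule("POSTROUTING", "SNAT", EXT_IP, o=EXT_IF),
]


def leaves_with_private_source(pkt):
    """True when a packet goes out the external interface with an RFC 1918 source,
    i.e. a query nobody on the Internet can answer."""
    return pkt.out_if == EXT_IF and ipaddress.ip_address(pkt.src).is_private


# Constructed traffic: a LAN client asking the firewall's public address, and the
# DMZ resolver recursing to an outside name server (203.0.113.53 is documentation space).
lan_query = Packet(LAN_IF, "", "udp", "192.168.1.20", EXT_IP, 1025, 53)
dmz_recursion = Packet(DMZ_IF, "", "udp", DNS_SERVER, "203.0.113.53", 1026, 53)

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("sport fixed", ORIGINAL_FIXED), ("proposed", PROPOSED)):
        q = forward(lan_query, rules)
        r = forward(dmz_recursion, rules)
        print(f"{name:12}: LAN query lands on {q.dst}:{q.dport} via {q.out_if}; "
              f"resolver leaves as {r.src} (unanswerable={leaves_with_private_source(r)})")
```

Running it shows the resolver's recursive query leaving with source 10.0.0.10 under the quoted rules and 66.38.133.120 once the POSTROUTING SNAT rule is in place, and shows the udp --sport 53 rule leaving the client's query addressed to the firewall itself until the match is changed to --dport.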
