On Tuesday 04 June 2002 12:55 am, John Jones wrote:
> > If it fails, go to the DNS machine itself (10.0.0.10) and try
> >
> >     dig samba.org
> >
> > and see if it can get a reply from some external nameserver.
>
> Yes, it works fine. Remember, this DNS server has been serving our
> network for a year or two. Through the current IPCHAINS rules (and the
> current, but outdated, .113 firewall) everything is fine. It is the
> upgrade to IPTABLES that seems to be failing.
Okay - I think (!) I know the precise problem now. I did not realise that you're already using the DNS server on 10.0.0.10 through the old IPchains firewall. I thought it was a new DNS server behind a new firewall....

So, here's the question: What is the default route on machine 10.0.0.10? I bet it points to the IPchains firewall.....

Therefore this is what happens: client (anywhere) contacts DNS server on 66.38.133.120, gets translated to 10.0.0.10, DNS server wants to reply to the client. DNS server's default gateway points to old IPchains firewall, so reply packet goes through there, and either

- gets dropped because that firewall didn't see the corresponding incoming packet, so it doesn't do the reverse translation, or
- it does translate it (because it translates everything), but it source translates it to 66.38.133.113, and the reply comes back to the client from an address it doesn't recognise :-)

Either way, no valid packet comes back to the client from 66.38.133.120.

How'm I doing?

Antony.
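The asymmetric-routing failure Antony describes can be reproduced in a few lines of stateful-NAT modelling. The script below is an added example, not code from the thread or from netfilter/ipchains: it models the new IPTABLES firewall (owning 66.38.133.120, DNAT to 10.0.0.10, connection-tracked) and the old IPCHAINS firewall (owning 66.38.133.113), then sends one DNS query in and lets the server's default route decide which firewall carries the reply. The client address, the port numbers, the `Firewall`, `Packet`, `simulate` and `client_accepts` names, and the two behaviours modelled for the old firewall (drop without state, or masquerade everything) are assumptions made for the model; only the three addresses come from the thread.

```python
"""Model of the asymmetric-routing NAT failure discussed in the thread.

Constructed example: one client, a DNS server at 10.0.0.10 published as
66.38.133.120 by DNAT on the new IPTABLES firewall, and an old IPCHAINS
firewall at 66.38.133.113.  Everything except those three addresses is
an assumption made up for this model.
"""
from dataclasses import dataclass, replace

PUBLIC_DNS = "66.38.133.120"     # DNAT address owned by the new IPTABLES firewall
OLD_FW_PUBLIC = "66.38.133.113"  # public side of the old IPCHAINS firewall
DNS_SERVER = "10.0.0.10"
CLIENT = "198.51.100.7"          # assumed client (RFC 5737 documentation range)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str


class Firewall:
    """Minimal stateful NAT box: DNAT inbound, reverse-translate outbound."""

    def __init__(self, name, public_ip, dnat=None, masquerade_all=False):
        self.name = name
        self.public_ip = public_ip
        self.dnat = dnat or {}          # public ip -> internal ip
        self.masquerade_all = masquerade_all
        self.conntrack = {}             # (int_ip, int_port, peer_ip, peer_port) -> public ip

    def inbound(self, pkt):
        """Packet arriving from the Internet, heading inside."""
        internal = self.dnat.get(pkt.dst)
        if internal is None:
            return None                 # nothing published here: dropped
        # remember the flow so the reply can be un-translated
        self.conntrack[(internal, pkt.dport, pkt.src, pkt.sport)] = pkt.dst
        return replace(pkt, dst=internal)

    def outbound(self, pkt):
        """Packet from inside, heading to the Internet."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            return replace(pkt, src=self.conntrack[key])   # reverse DNAT
        if self.masquerade_all:
            return replace(pkt, src=self.public_ip)        # stateless SNAT to own address
        return None                                        # no matching state: dropped


def simulate(reply_via_new_firewall, old_masquerades_everything):
    """Send one query through the new firewall; route the reply per the server's default gateway."""
    new_fw = Firewall("iptables", PUBLIC_DNS, dnat={PUBLIC_DNS: DNS_SERVER})
    old_fw = Firewall("ipchains", OLD_FW_PUBLIC,
                      masquerade_all=old_masquerades_everything)

    query = Packet(CLIENT, 40000, PUBLIC_DNS, 53, "query samba.org")
    inside = new_fw.inbound(query)      # arrives at 10.0.0.10 with dst rewritten
    assert inside.dst == DNS_SERVER

    # the server answers; its default route picks which firewall carries the reply
    reply = Packet(inside.dst, 53, inside.src, inside.sport, "answer")
    gateway = new_fw if reply_via_new_firewall else old_fw
    return gateway.outbound(reply)


def client_accepts(reply):
    """A resolver only matches a reply that comes from the address it queried."""
    return reply is not None and reply.src == PUBLIC_DNS and reply.dst == CLIENT


if __name__ == "__main__":
    for via_new, masq in [(True, False), (False, True), (False, False)]:
        r = simulate(via_new, masq)
        print(f"default route via {'iptables' if via_new else 'ipchains'}, "
              f"old firewall masquerades everything={masq}: "
              f"reply src={r.src if r else None}, accepted={client_accepts(r)}")
```

Only the first case (reply routed back through the firewall that holds the conntrack entry) yields a reply from 66.38.133.120; the other two reproduce the two outcomes in the message above. On the real server the check is the default route itself (`ip route show` or `route -n` on 10.0.0.10): if it points at the IPCHAINS box, replies to DNAT'd traffic will never pass back through the IPTABLES box that translated them.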
