Below is the hosts portion of nsswitch.conf. The actual hosts file is
below that. I have also included the simple config that I am using for
iptables. I have seen the -n option but it is not relevant for
appending, inserting or replacing. It only applies to listing (output)
--Brian
#hosts: db files nisplus nis dns
hosts: files dns
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 testbox localhost.localdomain localhost
10.1.1.13 ns2.pzs.com
# Generated by iptables-save v1.2.3 on Tue Jun 4 10:33:01 2002
*filter
:INPUT DROP [14:722]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [129912:18396846]
-A INPUT -d 10.1.1.13 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 10.1.1.13 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d 10.1.1.13 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -d 10.1.1.13 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
# Completed on Tue Jun 4 10:33:01 2002
>>> Ramin Alidousti <[EMAIL PROTECTED]> 06/04/02 10:28AM >>>
On Tue, Jun 04, 2002 at 09:51:31AM -0700, Brian Ugie wrote:
> Hi,
>
> I am hoping that someone can explain the role that DNS has in
> relation to iptables and if there is a way to stop iptables from
> resolving.
>
> I have a network where a netscreen firewall sits in front of our
> servers. We map public IPs to the servers and do initial port filtering
> from the netscreen. We also want to have each machine filter just in
> case the windows box gets compromised ;). It has seemed to me that
> iptables will not first use /etc/hosts to resolve but will go straight
> to the DNS server. Is this a valid statement?
No. gethostbyaddr would go through the preference list in
nsswitch.conf.
This is part of a library and iptables uses it. #include <netdb.h>
> nsswitch.conf lists files
> first. Since DNS will resolve the server to a public address but it is
> actually on a private address, iptables gets confused and the net result
> is long delays on ssh and ftp logins and server time outs on DNS
> queries.
Do you have "hosts: files dns" in your nsswitch.conf and have the
correct setup in /etc/hosts?
>
> To test my theory I set the DNS record to the private ip and that
> worked like a champ. I feel that I am left with only the option to
> create views in bind.
>
> Has anyone else out there seen this or know of a better solution?
You can also provide "-n" to the iptables command to avoid names:
man iptables:
...
-n, --numeric
Numeric output. IP addresses and port numbers will
be printed in numeric format. By default, the pro-
gram will try to display them as host names, net-
work names, or services (whenever applicable).
...
Ramin
>
> Thanks in advance,
>
> Brian
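The following is an added example, not something posted in this thread. It walks the "hosts:" line of nsswitch.conf the way Ramin describes (first source with an answer wins), using Brian's nsswitch.conf and /etc/hosts lines from above, and then renders INPUT rules with a numeric -d so iptables itself never has to resolve anything. The DNS source is a constructed stub: the public address the netscreen maps to ns2.pzs.com is not given in the thread, so a TEST-NET-3 address stands in for it. The function names are my own.

```python
# Added example (not from the thread): emulate how the libc resolver walks the
# "hosts:" line of nsswitch.conf, then build iptables rules with numeric
# addresses so the firewall never triggers a name lookup.

# nsswitch.conf fragment as posted by Brian (commented line must be ignored).
NSSWITCH_CONF = """\
#hosts: db files nisplus nis dns
hosts: files dns
"""

# Brian's /etc/hosts as posted.
ETC_HOSTS = """\
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 testbox localhost.localdomain localhost
10.1.1.13 ns2.pzs.com
"""

# Constructed stand-in for the DNS source. The real public address is not in
# the thread, so a TEST-NET-3 (203.0.113.0/24) address is used as a placeholder.
DNS_TABLE = {"ns2.pzs.com": "203.0.113.13"}


def parse_nsswitch_hosts(text):
    """Return the source order from the active (uncommented) 'hosts:' line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drops '#hosts: db files ...'
        if line.startswith("hosts:"):
            return line[len("hosts:"):].split()
    return []


def parse_hosts_file(text):
    """Map every name and alias in /etc/hosts-style text to its address."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name, addr)  # first matching entry wins
    return table


def resolve(name, order, hosts_text=ETC_HOSTS, dns_table=DNS_TABLE):
    """Try each source in nsswitch order; the first one with an answer wins.

    This models the default behaviour only (no [NOTFOUND=return] style
    actions), which is what 'hosts: files dns' uses.
    """
    sources = {
        "files": parse_hosts_file(hosts_text),
        "dns": dns_table,
    }
    for src in order:
        addr = sources.get(src, {}).get(name)
        if addr is not None:
            return addr
    return None


def render_rule(target, proto, port, order):
    """Emit an INPUT rule with a numeric -d, in the same shape as Brian's rules."""
    addr = resolve(target, order)
    if addr is None:
        raise LookupError(f"{target} does not resolve via: {' '.join(order)}")
    return f"-A INPUT -d {addr} -p {proto} -m {proto} --dport {port} -j ACCEPT"


if __name__ == "__main__":
    order = parse_nsswitch_hosts(NSSWITCH_CONF)
    print("hosts order:", order)
    # Same name, two answers, depending only on the source order.
    print("files dns ->", resolve("ns2.pzs.com", ["files", "dns"]))
    print("dns files ->", resolve("ns2.pzs.com", ["dns", "files"]))
    for proto, port in (("udp", 53), ("tcp", 53), ("tcp", 21), ("tcp", 22)):
        print(render_rule("ns2.pzs.com", proto, port, order))
```

With "hosts: files dns" the private 10.1.1.13 wins because /etc/hosts is consulted first; with the order reversed the constructed DNS answer wins instead, which is the mismatch Brian describes. Writing the rules with numeric addresses, as his iptables-save output already does, removes the lookup from rule insertion entirely, and "-n" covers the remaining case, listing, where iptables would otherwise try to turn addresses back into names.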