On Tuesday 09 March 2004 9:29 am, Stanislav Puffler DiS. wrote:
> Hi all,
> I'm a newbie to fw, have just installed iptables and configured it. I have 3
> interfaces, eth0 - internet, eth1 - DMZ (squid, postfix), eth2 - LAN. My
> provider has connected my firewall to the Internet via 1 public IP (on
> eth0). Internet hosts are resolved via the provider's Name Server (this IP
> is in /etc/resolv.conf). If I tried to ping (for example) www.rb.cz
> before installing iptables, there was no problem. Now, after installing
> iptables, I can't ping internet hosts correctly (only by IP - that works
> without needing to contact the provider's NS) - it is working like this:
>
> [user@machine]$ ping www.rb.cz
> IN=eth0 OUT= MAC=.............. SRC="my_providers_nameserver_ip"
> DST="ip_on_my_eth0" LEN=127 TOS=0x00 PREC=0x00 TTL=61 ID=3268 DF
> PROTO=UDP SPT=53 DPT=32792 LEN=107
So you have a LOGging rule (presumably some time before a DROP rule - not many
people LOG ACCEPTed packets), which shows that you are blocking DNS replies
from your ISP. Hence you cannot resolve IP addresses.
> Pinging the resolved IP of www.rb.cz is no problem (ping 193.86.103.40
> returns a normal reply). Could anyone please help me set up a careful
> and secure rule to fix this problem - to permit my provider's NS to
> resolve internet hosts?
Please tell us your ruleset (either the iptables commands you use to set up
the rules, or the output of "iptables -L -nv; iptables -L -t nat -nv") and we
can suggest what might be wrong.
If you are new to networking as well as netfilter, please read one of the
excellent tutorials accessible from http://www.netfilter.org and this will
help you get a basic setup working. I can recommend Oskar Andreasson's
tutorial at http://iptables-tutorial.frozentux.net
Regards,
Antony.
--
Most people are aware that the Universe is big.
- Paul Davies, Professor of Theoretical Physics
Please reply to the list;
please don't CC me.
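The diagnosis above (a LOG line showing UDP from source port 53 of the ISP's resolver arriving on eth0 and being dropped before ACCEPT) can be checked mechanically. The following is an added example, not code from either poster: it parses a netfilter LOG line of the shape quoted in the thread, compares SRC against the nameserver entries in resolv.conf, and emits the stateful rule that permits only replies to queries the firewall itself sent. The addresses, the resolv.conf text and the interface name are constructed for illustration.

```python
import re

# Constructed sample LOG line in the same shape as the one quoted in the post
# (MAC field elided exactly as in the original; addresses are TEST-NET ranges).
SAMPLE_LOG = (
    "IN=eth0 OUT= MAC=.............. SRC=192.0.2.53 DST=203.0.113.10 "
    "LEN=127 TOS=0x00 PREC=0x00 TTL=61 ID=3268 DF PROTO=UDP SPT=53 DPT=32792 LEN=107"
)

# Constructed /etc/resolv.conf contents; the resolver matches SRC above.
RESOLV_CONF = "search example.net\nnameserver 192.0.2.53\n"


def parse_netfilter_log(line):
    """Split a netfilter LOG line into a dict of KEY=VALUE fields.

    The kernel prints LEN twice (IP length, then UDP/TCP length); the second
    one is stored as L4LEN so neither value is lost. Bare flags such as DF
    are stored as True.
    """
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            if key == "LEN" and "LEN" in fields:
                key = "L4LEN"
            fields[key] = value
        else:
            fields[token] = True
    return fields


def resolvers_from(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    return [
        line.split()[1]
        for line in resolv_conf_text.splitlines()
        if line.strip().startswith("nameserver") and len(line.split()) > 1
    ]


def is_blocked_dns_reply(fields, resolvers, wan_if="eth0"):
    """True when the logged packet is a DNS answer from a configured resolver.

    A reply comes back from UDP port 53 to an unprivileged local port; the
    DPT check rejects lines that are inbound queries rather than answers.
    """
    try:
        dpt = int(fields.get("DPT", "0"))
    except ValueError:
        return False
    return (
        fields.get("IN") == wan_if
        and fields.get("PROTO") == "UDP"
        and fields.get("SPT") == "53"
        and fields.get("SRC") in resolvers
        and dpt >= 1024
    )


def suggested_rules(wan_if="eth0"):
    """Rules that admit DNS answers only for queries this host sent.

    The conntrack match accepts replies to existing flows instead of opening
    udp/53 from anywhere, so the firewall does not become a target for
    unsolicited UDP from arbitrary hosts claiming source port 53.
    """
    return [
        f"iptables -A OUTPUT -o {wan_if} -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT",
        f"iptables -A INPUT -i {wan_if} -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]


def diagnose(log_line, resolv_conf_text, wan_if="eth0"):
    """Return (is_dns_reply_drop, rules) for a single LOG line."""
    fields = parse_netfilter_log(log_line)
    hit = is_blocked_dns_reply(fields, resolvers_from(resolv_conf_text), wan_if)
    return hit, (suggested_rules(wan_if) if hit else [])


if __name__ == "__main__":
    hit, rules = diagnose(SAMPLE_LOG, RESOLV_CONF)
    print("blocked DNS reply from resolver:", hit)
    for rule in rules:
        print(rule)
```

The ESTABLISHED,RELATED rule must sit before the DROP or REJECT that produced the log entry, since iptables stops at the first matching target; placing it after the logging rule changes nothing.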