Re: NAT working for TCP and _NOT_ working for UDP


Thank you for your time, Alistair.
I have a content-only DNS in the DMZ (tinydns); I checked it, so I'm convinced it works, and the default gateway is already pointing to 192.168.0.1 for both the DNS server and the web server.
The tinydns is authoritative for all 3 domains (although it is the same company).
On the gateway I have dnscache to resolve for local and LAN. It listens only on 127.0.0.1 and 192.168.1.1 ...
I do not have 2 networks running on the same wire - I have 2 separate networks: DMZ and LAN.
 
I changed to:
 
$IPTABLES -t nat -A PREROUTING --dst $DNS_1A_IP -p tcp --dport 53 \
-j DNAT --to-destination $DMZ_DNS_1A_IP
$IPTABLES -t nat -A PREROUTING --dst $DNS_1A_IP -p udp --dport 53 \
-j DNAT --to-destination $DMZ_DNS_1A_IP

... and for the rest of the DNS servers the same as above.
 
 
But the result is the same: on access by IP address the web server gives the page, on request by name no :(:(.
From outside the same: OK by IP, not reachable by name.

Sunday morning, before I made the change, a friend told me that he was able to access by name from an i-cafe. (??) When I checked, no - only by IP. After the change, as I said, only by IP.
tracert was not able to reach either, not from outside, not from LAN.
I'm running out of options so I'm going to install Debian on another PC (I'd do it anyway). If it's not working I'll use the old classic way without DNAT, just routing to the DNS and web server.

I am also running out of time, I must leave town - and I hate not doing the job.

So, thanks again for your time, you are very kind.

and Merry Christmas.
 

Alistair@xxxxxxxxx wrote:

Okay ... I'm firing myself from the list till I get some vacation time in.
Ignore my previous on this subject ... I was ...... not in my left mind.

Serves me right for answering list mail after a 16-hour night shift and 6
hours of Christmas shopping *ggaaaa*


On December 20, 2003 04:51 pm, Alistair Tonner wrote:
> On December 19, 2003 12:31 pm, Cristian Goian wrote:
> > Hi
> > My mistake, I did not give enough data. I'll start from the beginning because I
> > made some modifications: So I have a gateway PC:
> > eth0 - INTERNET
> > eth1 - LAN - 192.168.1.0/24
> > eth2 - DMZ - 192.168.0.0/24
> >
> > In the DMZ I have 2 PCs, one for web and one for content DNS, both serve the same
> > 3 domains. IP a.b.c.240/28 and I want DNAT for them.
> >
> > On the gateway PC I now have RedHat with 2.4.23 and iptables 1.2.9. I also have
> > now a proxy DNS to give answers to LAN and localhost. Also, temporarily, I
> > have a mail server to receive and send mail for LAN and the 3 domains.
> >
> > To configure iptables I use a script modified after Oskar Andreasson's
> > Tutorial. It is a long script now.
> >
> > When I connect from LAN to the web server using the IP address it is OK. When I
> > query DNS (a different PC than the web one) no response. When I give traceroute
> > to the DNS server all packets go to my ISP, and then get lost ... They are not
> > DNATed to the DMZ !!
>
> Snipped out the majority of the script.


1) we need to change the subject.

Okay ... I had the right concept in mind. Where are your clients looking to
get name resolution from ?

case a) clients are directly configured to use DNS(s) in the DMZ -- with
OUTSIDE IPs
only one PREROUTING - FORWARDING rule necessary for each DNS IP address,
don't filter by -i device ---
HOWEVER -- you also need to allow these DNS servers to be forwarding
servers and allow them to connect to OUTSIDE DNS servers to get details of
the outside world.

case b) clients are directly configured to use DNS(s) in the DMZ -- with DMZ
addresses -- NO PREROUTING rule necessary, Forward rule to allow LAN to DMZ
connection.
See HOWEVER above.

case c) clients configured to use OUTSIDE DNS(s) -- you need forward rules
to connect the clients to those servers, and you need rules to allow OUTSIDE
servers to talk to your (presumably) authoritative servers.

Do you know that outside connections are working correctly coming into
webservers and DNS servers?
Are you sure that all servers in the DMZ have correctly configured netmask/
default gateways?
Please tell me this is NOT a flat physical network (you do have two
physically separate networks ... not two networks running on the same wire)

