It seems like anything you've described. Here is the ruleset:

iptables -L -nv

Chain INPUT (policy ACCEPT 66 packets, 2754 bytes)
 pkts bytes target               prot opt in  out source        destination
 1332  179K RH-Lokkit-0-50-INPUT all  --  *   *   0.0.0.0/0     0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in  out source        destination

Chain OUTPUT (policy ACCEPT 85 packets, 5151 bytes)
 pkts bytes target               prot opt in  out source        destination

Chain RH-Lokkit-0-50-INPUT (1 references)
 pkts bytes target               prot opt in  out source        destination
    0     0 ACCEPT               udp  --  *   *   80.95.96.7    0.0.0.0/0    udp spt:53 dpts:1025:65535
   10   700 ACCEPT               all  --  lo  *   0.0.0.0/0     0.0.0.0/0
    0     0 ACCEPT               udp  --  *   *   192.168.0.11  0.0.0.0/0    udp spt:53
    0     0 REJECT               tcp  --  *   *   0.0.0.0/0     0.0.0.0/0    tcp flags:0x16/0x02 reject-with icmp-port-unreachable
 1256  175K REJECT               udp  --  *   *   0.0.0.0/0     0.0.0.0/0    udp reject-with icmp-port-unreachable

iptables -L -t nat -nv

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in  out source        destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in  out source        destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in  out source        destination

As for tutorials - I have read some Czech ones, I'll read those from netfilter.org too of course...

Thanks in advance,
Stanley.

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Antony Stone
Sent: Tuesday, March 09, 2004 11:40 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: ping to internet hosts through NameServer of provider

On Tuesday 09 March 2004 9:29 am, Stanislav Puffler DiS. wrote:

> Hi all,
> I'm a newbie to firewalls, have just installed iptables and configured it. I have 3
> interfaces, eth0 - internet, eth1 - DMZ (squid, postfix), eth2 - LAN. My
> provider has connected my firewall to the Internet via 1 public IP (on
> eth0). Internet hosts are resolved via the provider's Name Server (this IP
> is in /etc/resolv.conf). If I tried to ping (for example) www.rb.cz
> before installing iptables, there was no problem. Now, after installing
> iptables, I can't ping internet hosts correctly (only by IP - that
> works without needing to contact the provider's NS) - it is working like this:
>
> [user@machine]$ ping www.rb.cz
> IN=eth0 OUT= MAC=.............. SRC="my_providers_nameserver_ip"
> DST="ip_on_my_eth0" LEN=127 TOS=0x00 PREC=0x00 TTL=61 ID=3268 DF
> PROTO=UDP SPT=53 DPT=32792 LEN=107

So you have a LOGging rule (presumably some time before a DROP rule - not many people LOG ACCEPTed packets), which shows that you are blocking DNS replies from your ISP. Hence you cannot resolve IP addresses.

> Ping to the resolved IP of www.rb.cz is no problem (ping 193.86.103.40
> returns a normal reply). Could anyone please help me set up a
> careful and secure rule to handle this problem - to permit my
> provider's NS to resolve internet hosts?

Please tell us your ruleset (either the iptables commands you use to set up the rules, or the output of "iptables -L -nv; iptables -L -t nat -nv") and we can suggest what might be wrong.

If you are new to networking as well as netfilter, please read one of the excellent tutorials accessible from http://www.netfilter.org and this will help you get a basic setup working. I can recommend Oskar Andreasson's tutorial at http://iptables-tutorial.frozentux.net

Regards,

Antony.

--
Most people are aware that the Universe is big.
- Paul Davies, Professor of Theoretical Physics

Please reply to the list; please don't CC me.
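The posted RH-Lokkit-0-50-INPUT chain only ACCEPTs UDP replies from source port 53 when they come from two fixed addresses (80.95.96.7 and 192.168.0.11, both with 0 packets counted), and every other UDP packet hits the final "REJECT udp" rule (1256 packets), which is exactly what the LOG line with SPT=53 from the provider's nameserver shows. The script below is an added example, not code from the thread or from Lokkit: it shows the per-address exception beside the stateful alternative, which lets conntrack match the reply to the query the host itself sent, whichever resolver answers and whatever ephemeral port was chosen. The chain name is taken from the posted ruleset; NS_IP is an assumed placeholder (192.0.2.53 from TEST-NET-1), since the real provider address is masked in the post. DRY_RUN=1 (the default) only prints the iptables commands so they can be reviewed; DRY_RUN=0 applies them and needs root.

```shell
#!/bin/sh
# Added example, not part of the netfilter list thread above.
# Lets the ISP resolver's DNS replies back in with a stateful rule instead of
# a per-address exception. DRY_RUN=1 (the default) only prints the iptables
# commands so they can be reviewed; run with DRY_RUN=0 as root to apply.

CHAIN="${CHAIN:-RH-Lokkit-0-50-INPUT}"   # the Lokkit chain from the posted ruleset
NS_IP="${NS_IP:-192.0.2.53}"              # ASSUMED placeholder (TEST-NET-1); set to the ISP resolver
DRY_RUN="${DRY_RUN:-1}"

# Run or print an iptables command depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Per-server form, like the posted rule for 80.95.96.7: only replies from
# exactly NS_IP pass. A reply from any other resolver address (or from a
# resolver whose address changes) still falls through to the final
# "REJECT udp" rule at the end of the chain.
dns_rules_per_server() {
    ipt -I "$CHAIN" 1 -p udp -s "$NS_IP" --sport 53 --dport 1025:65535 -j ACCEPT
}

# Stateful form: the state match (ip_conntrack) ties the incoming reply to
# the query this host sent out, so it works for any resolver and any
# ephemeral port. Inserted at position 1 so it is evaluated before the
# REJECT rules; nothing unsolicited is let in by it.
dns_rules_stateful() {
    ipt -I "$CHAIN" 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The outgoing query itself. The posted OUTPUT policy is already ACCEPT,
    # so this only matters if that policy is later tightened.
    ipt -A OUTPUT -p udp -d "$NS_IP" --dport 53 -m state --state NEW -j ACCEPT
}

# Pick one form from the command line: ./dns-replies.sh stateful
case "${1:-}" in
    per-server) dns_rules_per_server ;;
    stateful)   dns_rules_stateful ;;
esac
```

After applying the stateful form, "iptables -L RH-Lokkit-0-50-INPUT -nv" should list the state rule first and its packet counter should start climbing as soon as "ping www.rb.cz" resolves; if the counter on the last "REJECT udp" rule keeps growing instead, the reply is arriving before the rule or on a chain the packet never reaches.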