OK, I will try again. I have an internal DNS server with a forwarder to my ISP. The internal DNS server is on the iptables box. The clients use the internal DNS server to resolve names on the local network. When the internal DNS cannot resolve a name it forwards to my ISP's DNS. So my problem is with the forwarding. To get that to work I have to uncomment:

iptables -P INPUT DROP
iptables -P OUTPUT DROP

When I uncomment those two rules the clients can browse the internet. What rules can I use instead of uncommenting those two rules, because that's not secure? I hope this makes more sense, thanks.

Regards

On Fri, 27 Aug 2004 16:19:59 -0400 (EDT) Nick Taylor <nickt@xxxxxxxxxxxxx> wrote:

> Your question isn't really specific enough to be sure what's going on, but
> I'm assuming that on your firewall box, the rules you present allow DNS
> queries to work, but that on clients behind the firewall, DNS still fails,
> and furthermore that you have the clients set up to use a DNS server on
> the outside of your firewall. If this is the case, try:
>
> iptables -A FORWARD ...
>
> Remember, the input and output chains are only for traffic with a LOCAL
> source or destination (same computer as firewall), whereas forward is for
> traffic that goes through the firewall computer.
>
>
> On Fri, 27 Aug 2004, it clown wrote:
>
> > Date: Fri, 27 Aug 2004 22:06:00 +0200
> > From: it clown <suse@xxxxxxxxxxxxx>
> > To: netfilter@xxxxxxxxxxxxxxxxxxx
> > Subject: bind 9 and iptables
> >
> > Hi All
> >
> > I have a DNS with a forwarder to my ISP on the iptables box. I am having
> > trouble on getting DNS to work properly.
> >
> > When I comment:
> >
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> >
> > DNS will work fine and all the PCs can browse the net.
> >
> > I have tried the following without any luck:
> >
> > iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
> > iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > What rule do I need to add to make things more secure to get my DNS
> > working properly, thanks?
> >
> > Regards
> >
> >
> > _____________________________________________________________________
> > For super low premiums, click here http://www.dialdirect.co.za/quote
> > _____________________________________________________________________
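An added example, written for this thread and not posted by anyone in it: a ruleset that keeps the DROP policies in place, lets the BIND forwarder on the firewall talk to the ISP resolver only, accepts queries from the LAN, and uses the FORWARD chain (as Nick points out) for client browsing. Interface names, the LAN range, the resolver address and the NAT rule are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Constructed values: LAN on eth1, WAN on eth0, ISP resolver 203.0.113.53.
IPT="${IPT:-iptables}"   # set IPT=echo to preview the rules without applying them
LAN_IF=eth1
LAN_NET=192.168.1.0/24
WAN_IF=eth0
ISP_DNS=203.0.113.53

dns_rules() {
  # Default-deny on every chain; everything below is an explicit exception.
  $IPT -P INPUT DROP
  $IPT -P OUTPUT DROP
  $IPT -P FORWARD DROP

  # named and local tools talk to the box over loopback.
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT

  # Replies to connections the box or a LAN host already started.
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # LAN clients query the internal DNS server (UDP, plus TCP for large answers).
  $IPT -A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
  $IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT

  # The forwarder may reach the ISP resolver and nothing else on port 53.
  $IPT -A OUTPUT -o $WAN_IF -d $ISP_DNS -p udp --dport 53 -j ACCEPT
  $IPT -A OUTPUT -o $WAN_IF -d $ISP_DNS -p tcp --dport 53 -j ACCEPT

  # Client traffic through the box goes in FORWARD, not INPUT/OUTPUT.
  $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -m multiport --dports 80,443 -j ACCEPT
  # Assumed: the box masquerades the private LAN range.
  $IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
}
```

Run it as `IPT=echo sh script.sh` first to read the generated rules, then as root to apply them.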