> OK I will try again.
>
> I have an internal dns server with a forwarder to my isp. The
> internal dns server is on the iptables box. The clients use
> the internal dns server to resolve names on the local
> network. When the internal dns cannot resolve a name it
> forwards to my isp's dns.
>
> So my problem is with the forwarding. To get that to work I
> have to uncomment:

From an iptables perspective, your problem is with the INPUT, not the FORWARD-ing.

> iptables -P INPUT DROP and iptables -P OUTPUT DROP.
>
> When I uncomment those two rules the clients can browse the
> internet.
>
> What rules can I use instead of uncommenting those two
> rules because that's not secure?

You need to allow your internal hosts to contact the dns server/firewall on UDP port 53. See previous post by me, and a much more thorough one by Aleksandar Milivojevic.

-j
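As an added illustration of the advice above (not part of the thread or anyone's posted configuration), the following script builds a ruleset that keeps the INPUT and OUTPUT policies at DROP while letting LAN clients reach the resolver on the firewall box and letting that resolver forward to the ISP. Interface names, the LAN network and the ISP resolver address are constructed placeholders; the ruleset is emitted as iptables-restore text so it can be reviewed before being loaded.

```shell
#!/bin/sh
# Constructed values for this example; adjust to the real box.
LAN_IF=eth1                # interface facing the LAN clients
WAN_IF=eth0                # interface facing the ISP
LAN_NET=192.168.1.0/24     # the internal network
ISP_DNS=198.51.100.53      # placeholder ISP resolver (documentation range)

# Emit the filter table in iptables-restore format. Default policies stay
# DROP; only the DNS paths the resolver actually needs are opened, and the
# conntrack state match lets replies back without opening source-port 53
# in the other direction by hand.
dns_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback, so the box can talk to its own resolver
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to traffic already allowed in either direction
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN clients querying the internal dns server on this box (UDP and TCP 53)
-A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -m state --state NEW -j ACCEPT
# the internal dns server forwarding unresolved names to the ISP resolver only
-A OUTPUT -o $WAN_IF -d $ISP_DNS -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -d $ISP_DNS -p tcp --dport 53 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Sanity check on the generated text: policies must remain DROP and there
# must be no unrestricted ACCEPT (one without a port, state or interface).
rules_are_restrictive() {
  dns_rules | grep -q '^:INPUT DROP' || return 1
  dns_rules | grep -q '^:OUTPUT DROP' || return 1
  dns_rules | grep -v '^[#:*]' | grep -- '-j ACCEPT' \
    | grep -v -e '--dport 53' -e '--state ESTABLISHED' -e '-i lo' -e '-o lo' \
    | grep -q . && return 1
  return 0
}

# Usage: ./dns-rules.sh        -> print the ruleset for review
#        ./dns-rules.sh apply  -> load it (requires root and iptables-restore)
if [ "${1:-}" = apply ]; then
  rules_are_restrictive && dns_rules | iptables-restore
else
  dns_rules
fi
```

The `ESTABLISHED,RELATED` rules are what make the DROP policies workable: the client query creates a conntrack entry, so the resolver's answer passes OUTPUT and the ISP's answer passes INPUT without a blanket "source port 53" hole. If the box also needs NTP, SSH or anything else, each gets its own narrow rule in the same style rather than a return to `-P ACCEPT`.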