Microsoft uses tcp for queries too.

-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On behalf of Samuel Díaz García
Sent: Thursday, 23 September 2004 8:10
To: Netfilter Mailing List
Subject: Re: nat and dns

For DNS query only UDP is necessary, not TCP.

Regards,

Nick Drage writes:

> On Thu, Sep 23, 2004 at 11:00:33AM +0200, Raphael Jacquot wrote:
>> hi,
>> I have a setup that looks like :
>>
>>    _____                                        ____
>>   [     ] 192.168.0.100                        [    ]
>>   [ DNS ]------------------------------------[ FW ]----
>>   [_____]                       192.168.0.254 [____] (isp)
>>
>> and I want the DNS to answer to queries from the outside what's the
>> proper way of doing this ?
>
> I'm presuming that you want to answer queries from everywhere, rather
> than just from specific hosts, in which case:
>
> iptables -t nat -A PREROUTING --destination $EXTERNAL_IP -p udp --dport 53 -j DNAT --to-destination 192.168.0.100
>
> iptables -t nat -A PREROUTING --destination $EXTERNAL_IP -p tcp --dport 53 -j DNAT --to-destination 192.168.0.100
>
> iptables -A FORWARD --destination 192.168.0.100 -p udp --dport 53 -j ACCEPT
>
> iptables -A FORWARD --destination 192.168.0.100 -p tcp --dport 53 -j ACCEPT
>
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> I'd be interested to hear how you get on by the way, I'm not quite
> sure that my iptables rulebases are keeping state on DNS requests correctly.
>
> --
> mors omnia vincit
>

Samuel Díaz García
Managing Director
ArcosCom Wireless, S.L.L.
mailto:samueldg@xxxxxxxxxxxx
http://www.arcoscom.com
mobile: 651 93 72 48
tel/fax: 956 70 13 15
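The thread disagrees on whether the tcp/53 rules are needed. The mechanism behind the answer is the DNS truncation (TC) flag: a UDP reply that does not fit is flagged TC=1 and the client retries the same query over TCP, where each message carries a 2-byte length prefix (RFC 1035). The following added example, not code from any poster, builds a query, checks a constructed UDP reply for TC, and frames the retry for TCP, which is the traffic the tcp/53 DNAT and FORWARD rules above must admit.

```python
import struct

DNS_TC_FLAG = 0x0200   # TC (truncated) bit in the 16-bit flags word
DNS_QR_FLAG = 0x8000   # QR bit: 1 = response


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query for an A record (class IN) with RD set."""
    # header: id, flags (RD=1), qdcount=1, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def is_truncated(response: bytes) -> bool:
    """True when the server set TC, i.e. the UDP reply was cut short."""
    if len(response) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    flags = struct.unpack("!H", response[2:4])[0]
    if not flags & DNS_QR_FLAG:
        raise ValueError("not a response (QR bit clear)")
    return bool(flags & DNS_TC_FLAG)


def frame_for_tcp(message: bytes) -> bytes:
    """DNS over TCP prefixes every message with its big-endian 2-byte length."""
    return struct.pack("!H", len(message)) + message


def next_transport(udp_response: bytes) -> str:
    """Decide what a resolver does after a UDP reply: done, or retry over tcp."""
    return "tcp" if is_truncated(udp_response) else "done"


# Constructed sample replies (header only): QR=1 RD=1 RA=1, with and without TC.
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
SAMPLE_COMPLETE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)

if __name__ == "__main__":
    q = build_query("example.com")
    print("udp reply truncated ->", next_transport(SAMPLE_TRUNCATED))
    print("tcp-framed retry length prefix:", frame_for_tcp(q)[:2].hex())
```

A resolver behind a firewall that only passes udp/53 sees the TC reply but never gets an answer to the TCP retry, which is why a rule set for a published DNS server needs both protocols.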