On Thu, 20 Oct 2005 iptables-user@xxxxxxxxxxxxxxxx wrote:
I have a 3-leg router/firewall and would like to run a recursive caching nameserver (djb's dnscache) on it, but can't figure out how to get it past the firewall to query upstream nameservers.
It needs to be allowed to universally query port 53 on UDP and TCP (OUTPUT), and responses also need to be let back (INPUT -m state --state ESTABLISHED is usually sufficient for the latter).
I can't even figure out where to try to put a rule for this, or how to write it. Since it's an address ON the router it wouldn't be on the FORWARD chain, right? I'm totally baffled. Anybody have any ideas where to begin debugging this?
Make sure you always log dropped packets, with a log tag telling you which rule caused the packet to be dropped/rejected.
tcpdump is also your friend.

Regards,
Henrik
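An added example, not part of the thread: an iptables rule set for the case discussed, letting the resolver's own queries out on OUTPUT (not FORWARD, since the source address is the router's), matching the replies on INPUT through conntrack, and putting a tagged LOG rule ahead of the final DROP in each chain as Henrik suggests. The external interface name eth0 is an assumption, and IPT defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example for the dnscache-on-the-router question; not from the list thread.
# IPT defaults to a dry run that prints the commands; run with IPT=iptables to apply.
# WAN_IF=eth0 is an assumed placeholder for the upstream interface.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"

resolver_rules() {
    # Queries originate on the router itself, so they traverse OUTPUT, never FORWARD.
    $IPT -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    # Replies arrive on INPUT; conntrack ties them to the outbound query, so only
    # ESTABLISHED traffic from port 53 is accepted (UDP is tracked as well as TCP).
    $IPT -A INPUT -i "$WAN_IF" -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
}

log_then_drop() {
    # Last rules in each chain: log with a prefix naming the chain, rate-limited so a
    # flood cannot fill the kernel log, then drop. The prefix shows up in dmesg/syslog
    # and tells you which chain rejected the packet when debugging.
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A "$chain" -m limit --limit 5/min -j LOG --log-prefix "fw-drop-$chain: " --log-level 4
        $IPT -A "$chain" -j DROP
    done
}

resolver_rules
log_then_drop
```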