> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
> Carlos Pastorino
> Sent: Thursday, February 02, 2006 6:20 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Fwd: Conntrack and DNS
>
> > My advice would be to have one, at the top, without specifying the
> > interface. See if that solves the problem.
>
> I've done it, but it didn't work. I really haven't the foggiest idea
> about what the problem must be.
>
> I wonder if it could be the modules I'm executing (in this order):
>
> /sbin/modprobe ip_conntrack
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_nat_ftp
> /sbin/modprobe ip_tables
> /sbin/modprobe ipt_limit
> /sbin/modprobe ipt_LOG
> /sbin/modprobe ipt_REJECT
> /sbin/modprobe ipt_state
> /sbin/modprobe iptable_filter
> /sbin/modprobe iptable_mangle
> /sbin/modprobe iptable_nat

As long as you load modules before running the rules, I wouldn't think the order would be a problem.

> Or the processes:
>
> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
> echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "1" > /proc/sys/net/ipv4/tcp_syncookies
> echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
> echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
> echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
> echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
>
> Thanks again,
>
> Pastorino
>

These I don't know much about. About the only direction I can point you on this is conntrack. In your rules you allow any outbound DNS request to 4 DNS servers. The second DNS reply should fall under RELATED,ESTABLISHED, just like the first.

Sorry I can't be more help.

Derick Anderson
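A small diagnostic for the symptom discussed in this thread (DNS replies not being matched as ESTABLISHED), added here as an example and not part of the original exchange: it parses a legacy /proc/net/ip_conntrack dump and lists UDP port-53 flows that conntrack still marks [UNREPLIED], grouped per DNS server. The sample dump is constructed with made-up addresses, and the line layout is assumed to be the 2.4/2.6-era ip_conntrack format.

```python
"""List DNS flows in an ip_conntrack dump that never received a reply.
Constructed sample in the legacy /proc/net/ip_conntrack layout (assumed);
addresses are made up. [UNREPLIED] means conntrack has not seen a packet
matching the reply tuple, so no ESTABLISHED rule could have matched it."""
import re
from collections import namedtuple

SAMPLE_CONNTRACK = """\
udp      17 27 src=192.168.1.10 dst=192.0.2.1 sport=32770 dport=53 [UNREPLIED] src=192.0.2.1 dst=192.168.1.10 sport=53 dport=32770 use=1
udp      17 170 src=192.168.1.10 dst=192.0.2.2 sport=32771 dport=53 src=192.0.2.2 dst=192.168.1.10 sport=53 dport=32771 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=192.0.2.9 sport=40001 dport=80 src=192.0.2.9 dst=192.168.1.10 sport=80 dport=40001 [ASSURED] use=1
udp      17 12 src=192.168.1.11 dst=192.0.2.3 sport=32772 dport=53 [UNREPLIED] src=192.0.2.3 dst=192.168.1.11 sport=53 dport=32772 use=1
"""

Flow = namedtuple("Flow", "proto timeout src dst sport dport replied")
_KV = re.compile(r"(\w+)=(\S+)")

def parse_conntrack(text):
    """One Flow per entry, keyed on the original-direction tuple."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        proto, timeout = fields[0], int(fields[2])  # name, proto number, seconds left
        orig = {}
        for key, value in _KV.findall(line):
            if key in orig:   # a repeated src= begins the reply tuple; stop there
                break
            orig[key] = value
        flows.append(Flow(proto, timeout, orig["src"], orig["dst"],
                          int(orig["sport"]), int(orig["dport"]),
                          "[UNREPLIED]" not in line))
    return flows

def unreplied_dns(text):
    """UDP/53 flows whose reply conntrack has never seen."""
    return [f for f in parse_conntrack(text)
            if f.proto == "udp" and f.dport == 53 and not f.replied]

def dns_reply_summary(text):
    """Per DNS server: (queries tracked, queries still without a reply)."""
    summary = {}
    for f in parse_conntrack(text):
        if f.proto == "udp" and f.dport == 53:
            total, missing = summary.get(f.dst, (0, 0))
            summary[f.dst] = (total + 1, missing + (0 if f.replied else 1))
    return summary
```

On a live box, feed it the real table with `dns_reply_summary(open("/proc/net/ip_conntrack").read())`; a server whose entries stay unreplied until the 30-second UDP timeout is one whose answers never reached conntrack.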