LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 02-15-2008, 10:19 AM   #1
dedexes
LQ Newbie
 
Registered: Jul 2007
Posts: 21

Rep: Reputation: 16
iptables and dns


[Picture]
On server B, an FTP server is installed.
On server A, a Linux box with DNS and iptables is installed.
I have configured the DNS server with a local domain named intranet:
Code:
$TTL    604800
@       IN      SOA     intranet. root.intranet. (
                            41         ; Serial
                         604800        ; Refresh
                          86400        ; Retry
                        2419200        ; Expire
                         604800 )      ; Negative Cache TTL
;
@               IN      NS      intranet.
@               IN      A       10.10.0.10
site             IN      A       10.10.0.10
iptables:
Code:
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.10.0.10 --dport 21 -j DNAT --to-destination 192.168.0.2
Clients' primary DNS server: 10.10.0.10

Question:
When clients type ftp site.intranet, they are not redirected to 192.168.0.2.
What's the problem here, and what have I missed?
Please help me.
Sorry for my bad English.
 
Old 02-16-2008, 01:00 PM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Hi,

I am not familiar with running a DNS server and I was unable to access your picture. But since nobody else has responded to this thread I thought I might see if I could help you some anyway.

My first question is whether site.intranet resolves to 10.10.0.10. (I don't have the knowledge to interpret your DNS config file -- sorry.) If so, then if nothing else in your firewall is blocking it, an ftp request to that address should redirect. You can use the command

Code:
iptables -t nat -nvL PREROUTING
to check if anything is matching that rule. The first column will show you the number of packets that have matched, and therefore been redirected. That will take care of the first packet in a connection. However, for the rest of the connection to continue getting DNATted properly, I think you need to have loaded the module ip_conntrack_ftp:

Code:
modprobe ip_conntrack_ftp
I hope this gets you a little further.

Last edited by blackhole54; 02-16-2008 at 01:05 PM. Reason: clarify wording
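As an added example (not code from the thread), here is a small Python parser for the counters blackhole54 suggests checking: it reads the output of `iptables -t nat -nvL PREROUTING` and reports how many packets have hit the DNAT rule for a given port and destination. The sample listing is constructed to match the thread's rule, not captured from a real host.

```python
import re

# Constructed sample of `iptables -t nat -nvL PREROUTING` output, modelled on
# the DNAT rule from the thread (not captured from a real machine).
SAMPLE_OUTPUT = """\
Chain PREROUTING (policy ACCEPT 1234 packets, 98K bytes)
 pkts bytes target     prot opt in     out     source               destination
   17  1020 DNAT       tcp  --  eth1   *       0.0.0.0/0            10.10.0.10           tcp dpt:21 to:192.168.0.2
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            10.10.0.10           tcp dpt:80 to:192.168.0.3
"""

_SUFFIX = {"K": 1000, "M": 1000000, "G": 1000000000}


def parse_counter(text):
    """iptables -v without -x abbreviates large counters (e.g. '98K')."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    if not m:
        raise ValueError("bad counter: %r" % text)
    return int(m.group(1)) * _SUFFIX.get(m.group(2), 1)


def parse_nat_chain(output):
    """Return one dict per rule line of an `iptables -nvL` chain listing."""
    rules = []
    for line in output.splitlines():
        fields = line.split()
        if not fields or fields[0] in ("Chain", "pkts"):
            continue  # skip the chain header and the column header
        rules.append({
            "pkts": parse_counter(fields[0]),
            "bytes": parse_counter(fields[1]),
            "target": fields[2], "proto": fields[3],
            "in": fields[5], "out": fields[6],
            "src": fields[7], "dst": fields[8],
            "extra": fields[9:],  # match options, e.g. 'dpt:21', 'to:192.168.0.2'
        })
    return rules


def dnat_hits(output, dport, to_ip):
    """Packets matched by the DNAT rule for dport -> to_ip, or None if absent."""
    for r in parse_nat_chain(output):
        if r["target"] != "DNAT" or "dpt:%d" % dport not in r["extra"]:
            continue
        # 'to:' may carry a port suffix (to:1.2.3.4:21); compare the address only
        targets = [t[3:].split(":")[0] for t in r["extra"] if t.startswith("to:")]
        if to_ip in targets:
            return r["pkts"]  # zero here means the rule exists but nothing hit it
    return None


if __name__ == "__main__":
    print("FTP DNAT rule matched %s packets" % dnat_hits(SAMPLE_OUTPUT, 21, "192.168.0.2"))
```

A count of 0 means the rule is present but nothing is reaching it (check DNS resolution and the inbound interface); None means no such rule is loaded at all.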
 
Old 02-18-2008, 12:56 AM   #3
dedexes
LQ Newbie
 
Registered: Jul 2007
Posts: 21

Original Poster
Rep: Reputation: 16
Thanks for the reply.
I have added
Code:
iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o eth0 -j SNAT --to-source 192.168.0.1
Now everything is working.
 
Old 02-18-2008, 11:01 PM   #4
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Quote:
Originally Posted by dedexes View Post
I have added
iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o eth0 -j SNAT --to-source 192.168.0.1
Now everything is working.
That rule will make everything that gets forwarded look like it is coming from the forwarding box. That may or may not cause problems for you down the road. (For example, your FTP server won't be able to tell where a connection actually originates.) The fact that this SNAT rule gets things working increases my belief that loading ip_conntrack_ftp will allow things to work w/o the SNAT rule. (You also need to make sure that your FTP server shows 192.168.0.1 as the default route, or at least the route for 10.10.0.0/24.) Connection tracking ("conntrack") allows return packets to get properly routed back to their source.
 