Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
194.167.x.x is the DNS server IP@
my gw is addressed 192.168.3.245.
So, PCs on my LAN can reach the net without any pbls.
But when I want, from a PC of my LAN, run nslookup, I get the following msg :
DNS request timed out.
timeout was 2 seconds.
*** Impossible de trouver le nom de serveur pour l'adresse 192.168.3.245 : Timed out
--> Impossible to find the name server with IP 192.168.3.245 : Timed out
*** Les serveurs par défaut ne sont pas disponibles
--> default servers are not available
Serveur par dÚfaut (default server) : UnKnown
Address: 192.168.3.245
as i see the trobule is your your network structure.
the followings can be a solution.
1 - u can install named(bind) on gw, so u can forward DNS queries to your real nameserver.
search "forward" word in man page.
man named.conf
2 - ip of gw must be set as DNS ip of clients.
it is possbile to forward DNS queries trou iptables. but im confused with your network. if u explained about your subnet masks, i would be able to suggest something.
Hi Maxut,
The pb is that I don't want to install a DNS server for may LAN. I think that etc/hosts is enough, PCs on the LAN can recognise each other via this file, don't you think?
the gw interface on the LAN is 192.168.3.245/24 (on eth0), and eth1 is 194.167.x.x/24
My LAN (private @)---My gw----An other LAN (public @) with DNS and proxy servers------router----------Internet
192.168.3.x/24-----eth0--eth1-----------194.167.x.x/24-------------------------------------194.167.x.x/24---Net
What I do know is forwarding DNS request from my private LAN, to the DNS server on the public LAN.
It works for surfing on the net.
But nslookup command isn't OK. I believed that port 43 was using for nslookup, but it seems it isn't true.
So as u can see, ip client are set as ip of gw(eth0) and ip of gw(eth1) is set as ip of DNS server.
1) Your LAN clients have a DNS server IP of 192.168.3.1. Why? I see nothing in your discussion that says what 192.168.3.1 actually is, but I do see where the clients are trying to query 192.168.3.245 for DNS. Is this a typo, or ... what?
2) The iptables rules to forward DNS requests are a) incorrect and b) unnecessary. Remove them.
3) Assuming you're masochistic and just want to have those DNAT rules in your firewall script, you have to have a SNAT to tell the packets how to get back. Here's what I mean .... When a packet reaches .245, it's DNAT'd to your DMZ DNS servers right? Right. But the problem is, the DNS servers are in the public address space. Now what happens is, this packet shows up at the DNS server's interface with the DNS server's IP as the destination addy. It accepts the packet and then tries to send the response. Since you didn't do a SNAT though, the source IP is still 192.168.3.xxx, which to hosts in the public address space, promptly goes into the bit bucket.
4) Maxut's suggestions would solve your problem, but are unnecessary given that the simplest solution will take about 30 seconds.
5) /etc/hosts is fine for about two machines. Anything more than that and it starts sucking fast
6) Port 43 is whois, not DNS
now then. Assuming you're doing the typical iptables thing and masqing the whole internal C block, the solution to your problem is as simple as setting the innternal clients DNS IP to be the 194.167.x.x DNS server's IP. The gateway will NAT the connection for you just like it does web requests and all will be right in your world.
All apologizes, I'm not clear in my explanations...
My current gw is 192.168.3.1, and I will soon replace it by a new, which is currently in 192.168.3.245 but will be 192.168.3.1 in 2 weeks.
I'm the network administrator of the lan (192.168.3.X) and the gw, that's all.The rest of the network isn't mine.
The 194.167.X.X DNS isn't managed by myself, so every time I will have a new PC on my network I will have to inform the DNS administrator. SO, I think, from all of your explanations, that the easiest way is to install bind on the new gw...
But have I to install NAT? (even if second gw have a static route entry for my LAN)
Do these rules are sufficient ? :
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -s 192.168.3.0/24 -j ACCEPT
iptables -A FORWARD -m state -s 192.168.3.0/24 --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j REJECT
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
