Iptables and DNS server trouble in LAN
Hi
My setup is a Cisco 806 router serving up 5 static IPs in my home network. Behind this Cisco sits my Debian server, which has IPTABLES on and has a static IP of its own. Parallel to this I have my WLan router with yet another public IP. Behind that I have my laptop.

Code:
            CISCO (.65)
                |
                |
             Switch
     ___________|____________
     |                      |
     |                      |
 Server (.68)          WLan (.67)
                            |
                            |
                 Laptop (192.168.1.100)

IP range (static): x.x.x.64/29
Cisco: x.x.x.65
WLan: x.x.x.67
Server: x.x.x.68

The WLan router serves up x.x.x.68 through DHCP as the primary DNS server. When I flush (clear) IPtables, DNS resolves like a charm from behind the WLan router. This I need for short names for my networked devices, and also for some name resolution for the corporate VPN that I connect to. When my IPtables are applied, DNS is not working from behind the WLan. I can still telnet through port 53 towards the server from my laptop. This is my IPTABLES; if I missed something, please let me know.

Thanks
Ben

Code:
# Generated by iptables-save v1.2.11 on Tue Mar 6 12:02:53 2007
Not an iptables expert by far, but it looks like you need DNAT rules set up. Check this post for a start.

Brian
Hi Brian,
Like yourself, I am also not a big expert on IPTABLES yet, unfortunately. I had a quick look at DNAT, and it seems DNAT is for when you need an address translated from your private IP to a public IP. The server is on a public (external static) IP, and the laptop is on a private IP behind a router which is on another public IP. So if I need NAT, I think I need it on the router side, but I can still be wrong, of course. When I disable the IPTABLES, all is working, so I don't think it's on the WLAN side, but rather on the DNS server side with IPTABLES. If DNAT is in fact what I need, then I don't completely understand it. If someone has any thoughts, please share them with me.

Thanks
Ben
Hi
I have a temporary, but not desired, fix. I applied the following rule to IPTABLES to accept all traffic coming from my network (8 static IPs):

Code:
-A INPUT -s x.x.x.64/255.255.255.248 -d x.x.x.68 -j ACCEPT

Thanks
Ben
Make sure you have UDP port 53 open, not just TCP port 53. UDP is what is primarily used for DNS lookups.
Hi
Thanks, that was easy. Works like a charm. Does port 53 pose any threat from hackers? I have this DNS server only serving internal requests; I suppose I should lock it down to only allow my network as the source?

Thanks
Ben
Hi
I do have access to outside DNS servers, so I guess I am good blocking other access. Now that you mention outgoing access, I guess I am not blocking anything yet. What should I do about it? So far, as far as I can see, only incoming connections are blocked by my firewall rules.

Code:
Chain INPUT (policy ACCEPT)

Sorry for the beginner questions; this is the first time I have had my public IP range set up, and thus the server is on its own live IP and not behind a second router.

Thanks
Ben
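The ruleset the thread converges on (UDP 53 as well as TCP 53, restricted to the home /29 as the source, with the rest of the inbound traffic dropped instead of the earlier accept-everything-from-the-LAN workaround), written out as an added example. This is not Ben's actual ruleset from the thread; it assumes the placeholder addresses x.x.x.64/29 and x.x.x.68 from his posts, generates an iptables-restore file from a function so it can be inspected before being loaded, and deliberately leaves the OUTPUT policy at ACCEPT, since the server's own resolver needs to send queries to the outside DNS servers and their replies come back through the ESTABLISHED,RELATED rule rather than through any open inbound port 53.

```bash
#!/bin/sh
# Added example, not from the thread. Emits an iptables-restore ruleset that
# allows DNS (UDP and TCP 53) to the server only from the home /29, accepts
# replies to the server's own outbound connections, and drops and logs the
# rest. LAN and SERVER default to the thread's placeholder addresses
# (assumption); override them with the real prefix before loading.
LAN=${LAN:-x.x.x.64/29}
SERVER=${SERVER:-x.x.x.68}

dns_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections the server itself opened (this is how
# answers from the outside DNS servers reach the resolver; no inbound 53 from
# the internet is needed for that).
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS from the home network only. Queries from the laptop arrive NATed as the
# WLan router's address (x.x.x.67), which is inside the /29, so the laptop is
# covered without any DNAT. UDP carries normal lookups; TCP is needed for
# answers larger than 512 bytes and for zone transfers.
-A INPUT -s $LAN -d $SERVER -p udp --dport 53 -j ACCEPT
-A INPUT -s $LAN -d $SERVER -p tcp --dport 53 -j ACCEPT
# Everything else inbound is logged, then dropped by the chain policy.
-A INPUT -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Counts the rules that actually open port 53; used to sanity-check the output.
count_dns_accepts() {
  dns_rules | grep -c -- '--dport 53 -j ACCEPT'
}

# Loads the ruleset atomically (requires root and the iptables-restore binary);
# call it by hand after reviewing `dns_rules` output.
apply_rules() {
  dns_rules | iptables-restore
}

# Print the generated ruleset when run directly.
dns_rules
```

Review the output of `dns_rules` first (in particular that the `-s` source is the real /29 and the `-d` destination is the server's address), then run `apply_rules` as root. The earlier telnet-to-port-53 test only exercised the TCP rule, which is why it succeeded while lookups failed; `dig @x.x.x.68 somehost` from the laptop exercises the UDP rule that this ruleset adds.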