FC3 problem with ip_forward / masquerade : no more DNS resolution

[Pierre-Yves Berger]

On 11 nov. 04, at 18:27, Alexander Dalloz wrote:

> Am Do, den 11.11.2004 schrieb Pierre-Yves Berger um 18:14:
>
>> I just installed FC3 on a system I use as nat.
>> eth0 gets a dynamic address from my ISP.
>> eth1 has a static local address.
>>
>> I did the configuration as described in the NAT-HOWTO document
>> at www.netfilter.org.
>>
>> Now, from the computers on my local network, I cannot access Internet
>> using the names. I can access everything with ip numeric addresses.
>>  From the nat computer, I can access everything (names and numeric
>> addresses).
>
> This problem description normally says that the NATed hosts have no
> valid nameserver knowledge.
>
>> The computers on the local network have correct DNS entries and worked
>> correctly before I swapped my old (hardware) unstable FC2 box with a
>> newer FC3 box.
>
> To where do the DNS entries on the NATed clients point?
>
>> Pierre-Yves
>
> Alexander

resolv.conf contains the following entries :
nameserver 80.83.47.10
nameserver 80.83.47.157

These are correct for my ISP.
I can ping them from my NATed client but nslookup or dig could not 
connect.

Then, I tried to log rejected packets in iptables on the NAT system and 
got those in
/var/log/messages

Nov 11 21:30:29 gate kernel: IN=eth1 OUT=eth0 SRC=x.x.x.x 
DST=80.83.47.157 \
LEN=58 TOS=0x00 PREC=0x00 TTL=63 ID=37097 PROTO=UDP SPT=2027 \
DPT=53 LEN=38
Nov 11 21:30:29 gate kernel: IN=eth1 OUT=eth0 SRC=x.x.x.x 
DST=80.83.47.10 \
LEN=58 TOS=0x00 PREC=0x00 TTL=63 ID=37100 PROTO=UDP SPT=2030 \
DPT=53 LEN=38
with x.x.x.x being my NATed client address.

So, I added a rule in iptables that says

-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT

at the beginning of the RH-Firewall-1-INPUT chain and I have again 
access to the world :-)

Is there a better way to do this ?

I may add that this is my home network with 2 Macs and a Linux system 
and users are not
a security risk, at least not deliberately.

Pierre-Yves