iptables and named

Chadley Wilson chadley at pinteq.co.za
Sat Feb 12 11:51:21 UTC 2005


Hi Guys

I have a bit of a tricky config; maybe someone can shed some light here:

my network is as follows:

internet >>> internal network >> mynetwork
x.x.x.x >>>> 196.25.100.0 >> 192.168.2.0

I have a top level dns server running for internal name resolution on the 
192.168.2.0 network, it does not access the www.

There is one PC (192.168.2.5) which routes through the server (which has two 
interfaces in it, 192.168.2.1 bond0 to 196.25.100.151 eth0) to the 196.25.100.28 
gateway machine to the internet. I have set its resolv.conf to 196.25.100.28 
and allowed it to masquerade in iptables.
 
like this:

*nat
:PREROUTING ACCEPT
-A PREROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT
-A PREROUTING -s 192.168.2.0/255.255.255.0 -j ACCEPT
-A PREROUTING -i ppp0 -j ACCEPT


:POSTROUTING ACCEPT
-A POSTROUTING  -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -o eth0 -s 192.168.2.5 -j MASQUERADE

COMMIT


*filter
:INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i bond0 -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -m icmp -p icmp -j ACCEPT
-A INPUT -i bond0 -m udp -p udp -j ACCEPT
-A INPUT -i ppp0 -m tcp -p tcp -j ACCEPT


:FORWARD ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT


:OUTPUT ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

COMMIT

I have deliberately left icmp available on the bond0 side for ping testing.

The rest of the PCs on 192.168.2.0 are firewalled off from the 196.25.100.0 
network and the internet.

The problem is that my named service is resolving to the net. How do I stop 
it?

-- 
Chadley Wilson
Redhat Certified Technician
Cert Number: 603004708291270
Pinnacle Micro
Manufacturers of Proline Computers
Proudly South African
ISO9001:2000 Certified Production Line
=======================================
LINUX - because I can do it my way.
========================================
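An added example, not part of Chadley's post or of any reply to it: a small Python evaluator that reads the quoted iptables-save ruleset and answers the question from the packet-filter side. The posted filter table has policy ACCEPT on all three chains and the only OUTPUT rule is the RELATED,ESTABLISHED accept, so a fresh DNS query sent by the server itself (as opposed to traffic forwarded for 192.168.2.5, which is all the MASQUERADE rule touches) leaves eth0 unhindered; that is exactly what lets a recursive named on the box resolve names on the Internet. The script models only the matches the posted rules use (-i/-o, -s/-d, -p, --dport, -m state --state, -j). The server's eth0 address 196.25.100.151 is taken from the post; the resolver address 198.51.100.53, the client reply port and the two REJECT rules are constructed for this example.

```python
# Added example: evaluate the filter OUTPUT chain of an iptables-save ruleset for
# the subset of matches the posted rules use, and check the server's own DNS egress.
import ipaddress
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT", "MASQUERADE"}

def _parse_rule(tokens):
    """Option tokens after '-A CHAIN' -> match dict (absent key = wildcard)."""
    rule, i = {"target": None}, 0
    while i < len(tokens):
        opt, val = tokens[i], tokens[i + 1]
        if opt == "-m":                 # match-extension name only; its options follow
            pass
        elif opt == "-i":
            rule["in"] = val
        elif opt == "-o":
            rule["out"] = val
        elif opt in ("-s", "-d"):       # ip_network accepts 192.168.2.0/255.255.255.0
            rule["src" if opt == "-s" else "dst"] = ipaddress.ip_network(val, strict=False)
        elif opt == "-p":
            rule["proto"] = val.lower()
        elif opt == "--dport":
            rule["dport"] = int(val)
        elif opt == "--state":
            rule["state"] = set(val.upper().split(","))
        elif opt == "-j":
            rule["target"] = val
        else:
            raise ValueError(f"unsupported option: {opt}")
        i += 2
    return rule

def parse_ruleset(text):
    """iptables-save text -> {table: {chain: {"policy": str, "rules": [...]}}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            tables[table][chain] = {"policy": policy, "rules": []}
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            chain = tables[table].setdefault(tokens[1], {"policy": "ACCEPT", "rules": []})
            chain["rules"].append(_parse_rule(tokens[2:]))
    return tables

def _matches(rule, pkt):
    for key in ("in", "out", "proto", "dport"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    for key in ("src", "dst"):
        if key in rule and ipaddress.ip_address(pkt[key]) not in rule[key]:
            return False
    return "state" not in rule or pkt["state"] in rule["state"]

def verdict(tables, table, chain, pkt):
    c = tables[table][chain]
    for rule in c["rules"]:             # first matching terminating rule wins
        if _matches(rule, pkt) and rule["target"] in TERMINAL:
            return rule["target"]
    return c["policy"]                  # otherwise the chain policy applies

# Constructed copy of the filter table from the post (nat table omitted: it only
# touches forwarded traffic from 192.168.2.5, never the server's own packets).
POSTED_FILTER = """\
*filter
:INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i bond0 -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -m icmp -p icmp -j ACCEPT
-A INPUT -i bond0 -m udp -p udp -j ACCEPT
-A INPUT -i ppp0 -m tcp -p tcp -j ACCEPT
:FORWARD ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
:OUTPUT ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# Egress rules this example adds: refuse NEW DNS from the box itself on eth0. Since
# the query never leaves, no ESTABLISHED entry forms for the state rule to accept.
EGRESS_FIX = """\
-A OUTPUT -o eth0 -p udp --dport 53 -j REJECT
-A OUTPUT -o eth0 -p tcp --dport 53 -j REJECT
"""
FIXED_FILTER = POSTED_FILTER.replace("COMMIT\n", EGRESS_FIX + "COMMIT\n")

# Constructed packet: the server (196.25.100.151 on eth0) sending a fresh query to
# some Internet resolver (198.51.100.53 is a placeholder address).
SERVER_DNS_QUERY = {"out": "eth0", "src": "196.25.100.151", "dst": "198.51.100.53",
                    "proto": "udp", "dport": 53, "state": "NEW"}

def dns_egress_verdict(ruleset_text, pkt=None):
    """Verdict of filter/OUTPUT for the server's own DNS query (ACCEPT or REJECT)."""
    return verdict(parse_ruleset(ruleset_text), "filter", "OUTPUT", pkt or SERVER_DNS_QUERY)
```

`dns_egress_verdict(POSTED_FILTER)` returns ACCEPT and `dns_egress_verdict(FIXED_FILTER)` returns REJECT, while replies to clients on bond0 and other egress such as ssh on eth0 are unaffected. The companion fix lives in named.conf: restrict who may recurse (`allow-recursion { 192.168.2.0/24; };`) or, if the server is only authoritative for the internal zones, set `recursion no;`. If named is instead meant to forward to 196.25.100.28, an ACCEPT for that single destination goes before the two REJECT lines.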




More information about the fedora-list mailing list