<ul>
<li><em>subject</em>: [ale] DNS woes w/Devil Linux</li>
<li><em>from</em>: jknapka at kneuro.net (Joe Knapka)</li>
<li><em>date</em>: Mon Feb 16 15:01:53 2004</li>
<li><em>in-reply-to</em>: <1076957690.26539.74.camel@ibb-250></li>
<li><em>references</em>: <[email protected]> <1076957690.26539.74.camel@ibb-250></li>
</ul>
Thanks, Jonathan. [Putting this here because otherwise
it will get lost in the shell output below:-]
> Long shot, but does Devil Linux use tcp_wrappers? Have you checked
> /etc/hosts.allow and /etc/hosts.deny?
It does not appear to use tcp_wrappers; /etc/hosts.allow et al do
not exist. It does run BIND in a chroot jail, but the hosts.*
are missing there as well.
> Check your /etc/named.conf file for anything relating to allowed
> clients.
named.conf is extremely minimal. It contains only:
options {
listen-on { 192.168.81.14; 192.168.71.1; };
};
(the internal and wireless interfaces, respectively).
I'm really not sure how this configuration achieves
forward-only behavior; I seem to remember having to
do something rather more complicated when I was
setting BIND up manually on my previous router.
But it does seem to work, for queries from the internal
net.
> Also, what does 'iptables -L -n' report?
Here goes. Incidentally, if I flush all the firewall rules
and change all the policies to ACCEPT, I *still* can't
get DNS to work on the wireless net. Strange, no?
eth0 is the cable modem, eth1 is internal wired LAN,
eth2 is wireless. Notes about what I think is supposed to
happen in #comments.
root at airwall:~ # iptables -L -v -n
Chain INPUT (policy DROP 3858 packets, 205K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
696 44722 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
838 134K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
61 4584 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 reject-with tcp-reset
# Here we should be allowing DNS reqs from wireless-land.
0 0 ACCEPT tcp -- eth2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- eth2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
697 242K DROP all -- * * 0.0.0.0/0 255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/8
463 24951 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 4 prefix `INPUT policy: '
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth2 eth1 0.0.0.0/0 192.168.81.28 tcp dpt:9100
0 0 LOG all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW LOG flags 0 level 4 prefix `FORWARD INVALID: '
0 0 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
518K 466M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state NEW
1 92 LOG all -- eth2 eth1 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `DMZ->IN: '
1 92 DROP all -- eth2 eth1 0.0.0.0/0 0.0.0.0/0
20568 989K ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 4 prefix `FORWARD policy: '
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
589 169K ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
# Here we should be allowing DNS replies to hosts on the wireless side.
412 70950 ACCEPT all -- * eth2 0.0.0.0/0 0.0.0.0/0
899 64542 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 4 prefix `OUTPUT policy: '
root at airwall:~ # iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 825 packets, 47391 bytes)
pkts bytes target prot opt in out source destination
# This seems to just kill off wayward Microsofties.
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:135
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:137:139
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
# Masq everything going to The World.
575 27715 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 2 packets, 131 bytes)
pkts bytes target prot opt in out source destination
root at airwall:~ #
Cheers,
-- Joe Knapka
--
Barney comes to play with us whenever we may need him;
Someday we will hunt him down and chop him up and eat him!
-- Annze, age 7
--
If you really want to get my attention, send mail to
jknapka .at. kneuro .dot. net.
</pre>
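<p>As an added example, not part of Joe's post and not Devil Linux code: the listing above is a good case for reading the per-rule packet counters instead of the rule text. A rule that should be matching but shows 0 pkts means the packets either never arrive on that interface or are taken by an earlier rule in the chain. The POSIX shell script below reads <code>iptables -L -v -n</code> output and answers that for the <code>dpt:53</code> rules on eth2. The sample listing is the INPUT chain copied from the post; the function names (<code>rule_hits</code>, <code>never_reached</code>, <code>consumed_before</code>) are my own, and the live-box commands in the comments assume the 192.168.71.1 wireless address from the named.conf in the post.</p>

```shell
#!/bin/sh
# Counter-based firewall diagnosis (added example, not from the post).
# Feed it the output of `iptables -L -v -n`; it reports whether any packet
# has ever reached the rules you expect to match a given class of traffic.

# Sample input: the INPUT chain exactly as listed in the post above.
SAMPLE=$(cat <<'EOF'
Chain INPUT (policy DROP 3858 packets, 205K bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
  696 44722 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
  838  134K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
   61  4584 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
    0     0 REJECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 reject-with tcp-reset
    0     0 ACCEPT tcp -- eth2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
    0     0 ACCEPT udp -- eth2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
  697  242K DROP all -- * * 0.0.0.0/0 255.255.255.255
    0     0 DROP all -- * * 0.0.0.0/0 224.0.0.0/8
  463 24951 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 4 prefix `INPUT policy: '
EOF
)

# rule_hits CHAIN PATTERN  (listing on stdin)
# Prints "<pkts> <target> <proto> <in-iface>" for every rule in CHAIN whose
# text contains PATTERN. Column layout of `iptables -L -v -n`:
#   $1 pkts, $2 bytes, $3 target, $4 prot, $5 opt, $6 in, $7 out, $8 src, $9 dst
rule_hits() {
  awk -v chain="$1" -v pat="$2" '
    /^Chain /    { cur = $2; next }      # chain header: remember which chain
    $1 == "pkts" { next }                # column header line
    NF == 0      { next }
    cur == chain && index($0, pat) > 0 { printf "%s %s %s %s\n", $1, $3, $4, $6 }'
}

# never_reached CHAIN PATTERN  (listing on stdin)
# Exit 0 if every rule matching PATTERN in CHAIN has a zero packet counter,
# i.e. no packet has ever been evaluated against those rules; exit 1 otherwise.
# Counters like "518K" still count as non-zero ("518K" + 0 == 518 in awk).
never_reached() {
  rule_hits "$1" "$2" | awk '
    { n++; if ($1 + 0 > 0) hit++ }
    END { exit ((n > 0 && hit == 0) ? 0 : 1) }'
}

# consumed_before CHAIN PATTERN  (listing on stdin)
# Lists the rules that sit above the first PATTERN rule in CHAIN and have
# non-zero counters: the candidates for swallowing the traffic early.
consumed_before() {
  awk -v chain="$1" -v pat="$2" '
    /^Chain /    { cur = $2; next }
    $1 == "pkts" { next }
    cur == chain && index($0, pat) > 0 { exit }
    cur == chain && $1 + 0 > 0 { print $1, $3, $4, $6, $7 }'
}

# Demonstration on the sample listing.
printf '%s\n' "$SAMPLE" | rule_hits INPUT 'dpt:53'
if printf '%s\n' "$SAMPLE" | never_reached INPUT 'dpt:53'; then
  echo "no packet has ever reached the dpt:53 rules: queries do not arrive on eth2,"
  echo "or an earlier rule takes them first. Earlier rules with traffic:"
  printf '%s\n' "$SAMPLE" | consumed_before INPUT 'dpt:53'
fi

# On the live router the same check is (not run here):
#   iptables -Z INPUT                       # zero the counters
#   (from a wireless client) dig @192.168.71.1 www.example.com
#   iptables -L INPUT -v -n | grep 'dpt:53' # did either counter move?
#   tcpdump -ni eth2 udp port 53            # do queries arrive on eth2 at all?
```

<p>Reading the post's own numbers this way: both <code>dpt:53</code> rules on eth2 show 0 packets while the FORWARD rule accepting NEW connections from eth2 shows 20568, so it is worth confirming with <code>tcpdump</code> on eth2 that the wireless clients are actually sending their queries to the router's own address before changing any rules.</p>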
<hr>
<ul><li><strong>Follow-Ups</strong>:
<ul>
<li><strong><a name="00546" href="msg00546.html">[ale] DNS woes w/Devil Linux</a></strong>
<ul><li><em>From:</em> jonathan.glass at ibb.gatech.edu (Jonathan Glass)</li></ul></li>
</ul></li></ul>
<!--X-Follow-Ups-End-->
<!--X-References-->
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00541" href="msg00541.html">[ale] DNS woes w/Devil Linux</a></strong>
<ul><li><em>From:</em> jknapka at kneuro.net (Joe Knapka)</li></ul></li>
<li><strong><a name="00542" href="msg00542.html">[ale] DNS woes w/Devil Linux</a></strong>
<ul><li><em>From:</em> jonathan.glass at ibb.gatech.edu (Jonathan Glass)</li></ul></li>
</ul></li></ul>
<!--X-References-End-->
</body>
</html>