From: Chad M. <ch...@th...> - 2002-06-23 01:45:25
I'm trying to get my DL installation running properly, and I seem to be very close, but I don't seem to be getting the DNS goodies to my internal network. Here's the setup:

    ISP -> DL -> 192.168.0.0 network

DL gets its IP over DHCP from the ISP. This seems to work fine. My internal network is all static IPs. I can ping the DL internal interface from a computer on the internal network with no problem.

The problem is that the computers on the host aren't getting their DNS requests forwarded on to the ISP's DNS servers, I think. For example, http://64.12.151.215/ comes up in a browser, but www.netscape.com doesn't. Curiously, pinging that IP address results in 100% packet loss.

Do I need to set up a DNS server on DL? I'd think not, since the Netgear RT311 I'm currently using as a router doesn't do that, AFAIK.

In case it's useful, I've appended my firewall script below, generated from fwbuilder. Note that I had to comment out the ip -f commands about halfway through, since DL doesn't have the ip command.

Thanks for all the help,
Chad Martin

#!/bin/sh
#
#  This is automatically generated file. DO NOT MODIFY !
#
#  Firewall Builder  fwb_iptables v1.0.2
#
#  Generated Sat Jun 22 19:25:50 2002 EST by chad
#
#
#
if [ -x /usr/bin/logger ]; then
    logger -p info "Activating firewall script Devil.fw generated Sat Jun 22 19:25:50 2002 EST by chad"
fi

MODULE_DIR="/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/"
MODULES="ip_conntrack ip_conntrack_ftp ip_nat_ftp ip_conntrack_irc ip_nat_irc"
for module in $(echo $MODULES); do
    if [ -e "${MODULE_DIR}/${module}.o" -o -e "${MODULE_DIR}/${module}.o.gz" ]; then
        modprobe -k ${module} || exit 1
    fi
done

FWD=`cat /proc/sys/net/ipv4/ip_forward`
echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_intvl

iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

# flush and delete every chain in every loaded table
cat /proc/net/ip_tables_names | while read table; do
    iptables -t $table -L -n | while read c chain rest; do
        if test "X$c" = "XChain" ; then
            iptables -t $table -F $chain
        fi
    done
    iptables -t $table -X
done

#ip -f inet addr flush dev eth1 scope link
#ip -f inet addr flush dev l0 scope link

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# NAT Rule #0
#
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/255.255.255.0 -d 0/0 -j MASQUERADE

#
# Interface Rule #0
#
# Anti-spoofing rule
#
iptables -N IRULE_0_eth0
iptables -A INPUT -i eth0 -s 192.168.0.0/255.255.255.0 -j IRULE_0_eth0
iptables -A FORWARD -i eth0 -s 192.168.0.0/255.255.255.0 -j IRULE_0_eth0
iptables -A INPUT -i eth0 -s 192.168.0.1 -j IRULE_0_eth0
iptables -A FORWARD -i eth0 -s 192.168.0.1 -j IRULE_0_eth0
iptables -A IRULE_0_eth0 -j LOG --log-level 6 --log-prefix "RULE 0 -- Deny "
iptables -A IRULE_0_eth0 -j DROP

#
# Interface Rule #1
#
# Anti-spoofing rule
#
iptables -N F_IRULE_1_eth0
iptables -A FORWARD -o eth0 -j F_IRULE_1_eth0
iptables -A F_IRULE_1_eth0 -o eth0 -s 192.168.0.0/255.255.255.0 -j RETURN
iptables -N O_IRULE_1_eth0
iptables -A OUTPUT -o eth0 -j O_IRULE_1_eth0
iptables -A O_IRULE_1_eth0 -o eth0 -j RETURN
iptables -N IRULE_1_eth0
iptables -A F_IRULE_1_eth0 -o eth0 -j IRULE_1_eth0
iptables -A O_IRULE_1_eth0 -o eth0 -j IRULE_1_eth0
iptables -A IRULE_1_eth0 -j LOG --log-level 6 --log-prefix "RULE 1 -- Deny "
iptables -A IRULE_1_eth0 -j DROP

#
# Interface Rule #0
#
# allow everything on loopback
# (note: the kernel's loopback device is normally named "lo", not "l0")
#
iptables -N IRULE_0_l0
iptables -A INPUT -i l0 -j IRULE_0_l0
iptables -A FORWARD -i l0 -j IRULE_0_l0
iptables -A OUTPUT -o l0 -j IRULE_0_l0
iptables -A FORWARD -o l0 -j IRULE_0_l0
iptables -A IRULE_0_l0 -j ACCEPT

#
# Rule #0
#
# block fragments
#
iptables -N RULE_0
iptables -A OUTPUT -j RULE_0 -f
iptables -A INPUT -j RULE_0 -f
iptables -A FORWARD -j RULE_0 -f
iptables -A RULE_0 -j LOG --log-level 6 --log-prefix "RULE 0 -- Deny "
iptables -A RULE_0 -j DROP

#
# Rule #1
#
# 'masquerading' rule
#
iptables -N RULE_1
iptables -A INPUT -m state --state NEW -s 192.168.0.0/255.255.255.0 -j RULE_1
iptables -A FORWARD -m state --state NEW -s 192.168.0.0/255.255.255.0 -j RULE_1
iptables -A RULE_1 -j ACCEPT

#
# Final rules
#
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP

echo "1" > /proc/sys/net/ipv4/ip_forward
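Added example, not part of Chad's post: a small Python model of how the netfilter filter table walks the posted FORWARD and OUTPUT chains, so a reader can check which verdict a LAN host's forwarded DNS query and a query originated on the DL box itself receive. The rule subset, the LAN-side interface name eth1, and the packet addresses are assumptions made for the trace.

```python
# Added example (not from the original post): a tiny evaluator for iptables filter
# rules, tracing constructed packets through the FORWARD/OUTPUT chains posted above.
import ipaddress

RULES = """
-P OUTPUT DROP
-P FORWARD DROP
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o eth0 -j F_IRULE_1_eth0
-A F_IRULE_1_eth0 -o eth0 -s 192.168.0.0/255.255.255.0 -j RETURN
-A OUTPUT -o eth0 -j O_IRULE_1_eth0
-A O_IRULE_1_eth0 -o eth0 -j RETURN
-A F_IRULE_1_eth0 -o eth0 -j IRULE_1_eth0
-A IRULE_1_eth0 -j LOG
-A IRULE_1_eth0 -j DROP
-A FORWARD -m state --state NEW -s 192.168.0.0/255.255.255.0 -j RULE_1
-A RULE_1 -j ACCEPT
-A OUTPUT -j DROP
-A FORWARD -j DROP
"""

def parse(text):
    """Return ({chain: [rule dicts]}, {chain: policy}); every option is a key/value pair."""
    chains, policy = {}, {}
    for t in (line.split() for line in text.strip().splitlines()):
        if t[0] == "-P": policy[t[1]] = t[2]
        else: chains.setdefault(t[1], []).append(dict(zip(t[2::2], t[3::2])))
    return chains, policy

def matches(r, p):
    """True when packet p meets every criterion (-i, -o, -s, --state) of rule r."""
    return (r.get("-i", p["in"]) == p["in"] and r.get("-o", p["out"]) == p["out"]
            and ("-s" not in r or ipaddress.ip_address(p["src"]) in ipaddress.ip_network(r["-s"]))
            and ("--state" not in r or p["state"] in r["--state"].split(",")))

def walk(chains, chain, p):
    """Verdict 'ACCEPT'/'DROP', or None when the chain RETURNs or runs off its end."""
    for r in (r for r in chains.get(chain, []) if matches(r, p)):
        if r["-j"] == "LOG": continue                 # LOG is non-terminating
        if r["-j"] == "RETURN": return None
        if r["-j"] in ("ACCEPT", "DROP"): return r["-j"]
        v = walk(chains, r["-j"], p)                  # jump into a user-defined chain
        if v: return v
    return None

def verdict(chains, policy, chain, p):
    return walk(chains, chain, p) or policy[chain]    # built-in chain falls back to its policy

CHAINS, POLICY = parse(RULES)
# Constructed packets: a LAN host's DNS query being forwarded, and a query from the DL box itself.
LAN_QUERY = {"in": "eth1", "out": "eth0", "src": "192.168.0.10", "state": "NEW"}
OWN_QUERY = {"in": "", "out": "eth0", "src": "198.51.100.7", "state": "NEW"}  # placeholder ISP address

def forwarded_lan_query(): return verdict(CHAINS, POLICY, "FORWARD", LAN_QUERY)  # -> "ACCEPT"
def firewall_own_query(): return verdict(CHAINS, POLICY, "OUTPUT", OWN_QUERY)    # -> "DROP"
```

The FORWARD trace ends in RULE_1's ACCEPT after F_IRULE_1_eth0 RETURNs, while the OUTPUT trace reaches the final unconditional DROP, which is what any resolver running on the firewall host itself would hit.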