From: Chad M. <ch...@th...> - 2002-06-23 01:45:25

I'm trying to get my DL installation running properly, and I seem to be very close, but I don't seem to be getting the DNS goodies to my internal network. Here's the setup:

    ISP -> DL -> 192.168.0.0 network

DL gets its IP over DHCP from the ISP. This seems to work fine. My internal network is all static IPs. I can ping the DL internal interface from a computer on the internal network with no problem.

The problem is that the computers on the host aren't getting their DNS requests forwarded on to the ISP's DNS servers, I think. For example, http://64.12.151.215/ comes up in a browser, but www.netscape.com doesn't. Curiously, pinging that IP address results in 100% packet loss.

Do I need to set up a DNS server on DL? I'd think not, since the Netgear RT311 I'm currently using as a router doesn't do that, AFAIK.

In case it's useful, I've appended my firewall script below, generated from fwbuilder. Note that I had to comment out the ip -f commands about halfway through, since DL doesn't have the ip command.

Thanks for all the help,
Chad Martin

    #!/bin/sh
    #
    #  This is automatically generated file. DO NOT MODIFY !
    #
    #  Firewall Builder  fwb_iptables v1.0.2
    #
    #  Generated Sat Jun 22 19:25:50 2002 EST by chad
    #
    #
    #

    if [ -x /usr/bin/logger ]; then
      logger -p info "Activating firewall script Devil.fw generated Sat Jun 22 19:25:50 2002 EST by chad"
    fi

    # Load conntrack/NAT helper modules if they exist for the running kernel
    MODULE_DIR="/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/"
    MODULES="ip_conntrack ip_conntrack_ftp ip_nat_ftp ip_conntrack_irc ip_nat_irc"
    for module in $(echo $MODULES); do
      if [ -e "${MODULE_DIR}/${module}.o" -o -e "${MODULE_DIR}/${module}.o.gz" ]; then
        modprobe -k ${module} || exit 1
      fi
    done

    # Forwarding is switched off while the rules are rebuilt and re-enabled at the end
    FWD=`cat /proc/sys/net/ipv4/ip_forward`
    echo "0" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
    echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
    echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_intvl

    # Default policy for all three filter chains is DROP
    iptables -P OUTPUT DROP
    iptables -P INPUT DROP
    iptables -P FORWARD DROP

    # Flush and delete every chain in every loaded table
    cat /proc/net/ip_tables_names | while read table; do
      iptables -t $table -L -n | while read c chain rest; do
        if test "X$c" = "XChain" ; then
          iptables -t $table -F $chain
        fi
      done
      iptables -t $table -X
    done

    #ip -f inet addr flush dev eth1 scope link
    #ip -f inet addr flush dev lo scope link

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    #
    # NAT Rule #0
    #
    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/255.255.255.0 -d 0/0 -j MASQUERADE

    #
    # Interface Rule #0
    #
    # Anti-spoofing rule
    #
    iptables -N IRULE_0_eth0
    iptables -A INPUT -i eth0 -s 192.168.0.0/255.255.255.0 -j IRULE_0_eth0
    iptables -A FORWARD -i eth0 -s 192.168.0.0/255.255.255.0 -j IRULE_0_eth0
    iptables -A INPUT -i eth0 -s 192.168.0.1 -j IRULE_0_eth0
    iptables -A FORWARD -i eth0 -s 192.168.0.1 -j IRULE_0_eth0
    iptables -A IRULE_0_eth0 -j LOG --log-level 6 --log-prefix "RULE 0 -- Deny "
    iptables -A IRULE_0_eth0 -j DROP

    #
    # Interface Rule #1
    #
    # Anti-spoofing rule
    #
    iptables -N F_IRULE_1_eth0
    iptables -A FORWARD -o eth0 -j F_IRULE_1_eth0
    iptables -A F_IRULE_1_eth0 -o eth0 -s 192.168.0.0/255.255.255.0 -j RETURN
    iptables -N O_IRULE_1_eth0
    iptables -A OUTPUT -o eth0 -j O_IRULE_1_eth0
    iptables -A O_IRULE_1_eth0 -o eth0 -j RETURN
    iptables -N IRULE_1_eth0
    iptables -A F_IRULE_1_eth0 -o eth0 -j IRULE_1_eth0
    iptables -A O_IRULE_1_eth0 -o eth0 -j IRULE_1_eth0
    iptables -A IRULE_1_eth0 -j LOG --log-level 6 --log-prefix "RULE 1 -- Deny "
    iptables -A IRULE_1_eth0 -j DROP

    #
    # Interface Rule #0
    #
    # allow everything on loopback
    #
    # (as generated, these rules named the interface "l0" with a digit zero;
    #  the kernel loopback interface is "lo", which is used here)
    iptables -N IRULE_0_l0
    iptables -A INPUT -i lo -j IRULE_0_l0
    iptables -A FORWARD -i lo -j IRULE_0_l0
    iptables -A OUTPUT -o lo -j IRULE_0_l0
    iptables -A FORWARD -o lo -j IRULE_0_l0
    iptables -A IRULE_0_l0 -j ACCEPT

    #
    # Rule #0
    #
    # block fragments
    #
    iptables -N RULE_0
    iptables -A OUTPUT -j RULE_0 -f
    iptables -A INPUT -j RULE_0 -f
    iptables -A FORWARD -j RULE_0 -f
    iptables -A RULE_0 -j LOG --log-level 6 --log-prefix "RULE 0 -- Deny "
    iptables -A RULE_0 -j DROP

    #
    # Rule #1
    #
    # 'masquerading' rule
    #
    iptables -N RULE_1
    iptables -A INPUT -m state --state NEW -s 192.168.0.0/255.255.255.0 -j RULE_1
    iptables -A FORWARD -m state --state NEW -s 192.168.0.0/255.255.255.0 -j RULE_1
    iptables -A RULE_1 -j ACCEPT

    #
    # Final rules
    #
    iptables -A INPUT -j DROP
    iptables -A OUTPUT -j DROP
    iptables -A FORWARD -j DROP

    echo "1" > /proc/sys/net/ipv4/ip_forward
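To see what the posted script does with the traffic this thread is about, here is a toy walk of its chains. It is an added example, not part of the original post or of Devil-Linux: it models only the matches the script uses (interface, source network, conntrack state, the -f fragment flag) plus protocol/port for one extra rule, and ignores NAT, rp_filter and whatever the ISP does with ICMP. Assumed names: eth0 is the ISP side (the only interface the script names), eth1 is the LAN side, 198.51.100.2 stands in for the box's DHCP-assigned address. It shows that a new connection from a LAN host is forwarded (so pointing hosts at the ISP's resolvers gets through), that a new connection the box itself opens on eth0 falls through to the final OUTPUT DROP (which matters once a DNS cache runs on the box and has to query upstream), and that a LAN address arriving on eth0 is caught by the anti-spoofing chain.

```python
"""Toy walk of the chains in the fwbuilder script above (added example)."""
import ipaddress

LAN = "192.168.0.0/24"
EST = ("ESTABLISHED", "RELATED")
POLICY = {"INPUT": "DROP", "OUTPUT": "DROP", "FORWARD": "DROP"}  # iptables -P ... DROP


def rule(target, in_if=None, out_if=None, src=None, state=None, frag=None,
         proto=None, dport=None):
    """One rule: every non-None field must match.  target is ACCEPT/DROP,
    RETURN, LOG (non-terminating) or the name of a user chain to jump to."""
    return {"target": target, "in_if": in_if, "out_if": out_if,
            "src": ipaddress.ip_network(src) if src else None,
            "state": set(state) if state else None, "frag": frag,
            "proto": proto, "dport": dport}


def posted_ruleset():
    """The script's chains, rules in the order its iptables -A lines append them."""
    lan_new = dict(state=("NEW",), src=LAN)
    return {
        "IRULE_0_eth0": [rule("LOG"), rule("DROP")],      # anti-spoof: LAN source on ISP side
        "IRULE_1_eth0": [rule("LOG"), rule("DROP")],      # anti-spoof: non-LAN source out eth0
        "F_IRULE_1_eth0": [rule("RETURN", out_if="eth0", src=LAN),
                           rule("IRULE_1_eth0", out_if="eth0")],
        "O_IRULE_1_eth0": [rule("RETURN", out_if="eth0"),       # returns for everything,
                           rule("IRULE_1_eth0", out_if="eth0")],  # so this rule is dead
        "IRULE_0_l0": [rule("ACCEPT")],                   # loopback (script spells it "l0")
        "RULE_0": [rule("LOG"), rule("DROP")],            # block fragments
        "RULE_1": [rule("ACCEPT")],                       # 'masquerading' rule
        "INPUT": [rule("ACCEPT", state=EST),
                  rule("IRULE_0_eth0", in_if="eth0", src=LAN),
                  rule("IRULE_0_eth0", in_if="eth0", src="192.168.0.1/32"),
                  rule("IRULE_0_l0", in_if="lo"),
                  rule("RULE_0", frag=True),
                  rule("RULE_1", **lan_new),
                  rule("DROP")],
        "OUTPUT": [rule("ACCEPT", state=EST),
                   rule("O_IRULE_1_eth0", out_if="eth0"),
                   rule("IRULE_0_l0", out_if="lo"),
                   rule("RULE_0", frag=True),
                   rule("DROP")],
        "FORWARD": [rule("ACCEPT", state=EST),
                    rule("IRULE_0_eth0", in_if="eth0", src=LAN),
                    rule("IRULE_0_eth0", in_if="eth0", src="192.168.0.1/32"),
                    rule("F_IRULE_1_eth0", out_if="eth0"),
                    rule("IRULE_0_l0", in_if="lo"),
                    rule("IRULE_0_l0", out_if="lo"),
                    rule("RULE_0", frag=True),
                    rule("RULE_1", **lan_new),
                    rule("DROP")],
    }


def matches(r, pkt):
    return all((
        r["in_if"] is None or r["in_if"] == pkt.get("in_if"),
        r["out_if"] is None or r["out_if"] == pkt.get("out_if"),
        r["src"] is None or ipaddress.ip_address(pkt["src"]) in r["src"],
        r["state"] is None or pkt["state"] in r["state"],
        r["frag"] is None or r["frag"] == pkt.get("frag", False),
        r["proto"] is None or r["proto"] == pkt.get("proto"),
        r["dport"] is None or r["dport"] == pkt.get("dport"),
    ))


def walk(chains, name, pkt):
    """Verdict from one chain, or None if a user chain is left by RETURN or its end."""
    for r in chains[name]:
        if not matches(r, pkt):
            continue
        t = r["target"]
        if t in ("ACCEPT", "DROP"):
            return t
        if t == "RETURN":
            return None
        if t == "LOG":                     # LOG is non-terminating: keep going
            continue
        v = walk(chains, t, pkt)           # -j <user chain>
        if v is not None:
            return v
    return None


def verdict(chains, chain, pkt):
    return walk(chains, chain, pkt) or POLICY[chain]   # built-in chain: fall to policy


# Constructed packets for the demo (no real traffic; addresses are assumptions).
LAN_DNS_VIA_BOX = dict(in_if="eth1", out_if="eth0", src="192.168.0.10",
                       state="NEW", proto="udp", dport=53)   # LAN host -> ISP resolver
BOX_OWN_DNS = dict(out_if="eth0", src="198.51.100.2",
                   state="NEW", proto="udp", dport=53)       # cache on the box -> upstream
LAN_TO_BOX_DNS = dict(in_if="eth1", src="192.168.0.10",
                      state="NEW", proto="udp", dport=53)    # LAN host -> cache on the box
SPOOFED_ON_ETH0 = dict(in_if="eth0", out_if="eth1", src="192.168.0.5",
                       state="NEW", proto="udp", dport=53)   # LAN address arriving from ISP


def with_resolver_egress(chains):
    """Same ruleset plus one OUTPUT rule before the final DROP so a resolver on
    the box can send its own queries upstream (tcp/53 would need the same)."""
    new = {k: list(v) for k, v in chains.items()}
    new["OUTPUT"].insert(-1, rule("ACCEPT", out_if="eth0", state=("NEW",),
                                  proto="udp", dport=53))
    return new


if __name__ == "__main__":
    base = posted_ruleset()
    for label, chain, pkt in (("LAN host -> ISP DNS, FORWARD", "FORWARD", LAN_DNS_VIA_BOX),
                              ("box's own DNS query, OUTPUT", "OUTPUT", BOX_OWN_DNS),
                              ("LAN host -> box:53, INPUT", "INPUT", LAN_TO_BOX_DNS),
                              ("LAN source seen on eth0, FORWARD", "FORWARD", SPOOFED_ON_ETH0)):
        print(f"{label:34} {verdict(base, chain, pkt)}")
    print("box's own DNS query with egress rule:",
          verdict(with_resolver_egress(base), "OUTPUT", BOX_OWN_DNS))
```

The RETURN-for-everything in O_IRULE_1_eth0 means the second anti-spoofing rule never applies to the box's own traffic; what stops the box's own new connections is simply that nothing between the ESTABLISHED,RELATED accept and the final DROP matches NEW packets in OUTPUT.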
From: Chad M. <ch...@th...> - 2002-06-23 04:25:45

Chad Martin wrote:
> I'm trying to get my DL installation running properly, and I seem to be
> very close, but I don't seem to be getting the DNS goodies to my
> internal network.

After some poking around, I found an IP masq HOWTO on www.tldp.org that claimed that I *needed* to give my ISP's DNS servers to my local host machines. I know that my RT311 didn't need that, and that I could configure it as the DNS server on my host machines. I suppose that would mean that it ran an internal DNS server, would it not?

Good news is that this email will very shortly be sent through my fully functional DL box to you guys. Woot!

Chad
From: Heiko Z. <he...@zu...> - 2002-06-23 18:00:24

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You have 2 options:

1) Use masquerading (I think you will anyway) and set up the computers in your LAN to use the ISP's DNS servers (not really good)

2) Set up a DNS cache. You can either use the DNSCACHE package from D.J. Bernstein (docs: http://cr.yp.to ) or you use BIND. Both programs are available on DL.

Heiko
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6-2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAj0WC7oACgkQzRJAyNsjWPkASACfaSWlMxvCcOu3Gt65LMXOOFkC
s2AAn2DXeYTjjqKgyURVd7UvscjMZ/GW
=vm5a
-----END PGP SIGNATURE-----
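Option 2 above, as an added example that is not part of this thread, of djbdns or of BIND: a minimal caching DNS forwarder in Python, the role a cache on the DL box would play for the LAN hosts. The wire format follows RFC 1035 (A records only). The upstream resolver is an in-memory stub so the code runs offline; its answer (64.12.151.215 for www.netscape.com, 300 s TTL) is constructed, the address being the one quoted in Chad's first post. Beyond forwarding, it shows the two things such a cache has to do: keep an answer set no longer than its shortest TTL, and refuse a reply that does not echo the ID and question of the query it sent.

```python
"""Minimal caching DNS forwarder (added example, not djbdns or BIND code)."""
import struct

QTYPE_A = 1


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qid, name, qtype=QTYPE_A):
    # Header: ID, flags (RD=1), QDCOUNT=1, AN/NS/ARCOUNT=0, then one question.
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query, ip, ttl):
    """Answer a one-question A query; used here only to fake the upstream."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    # Answer NAME is a compression pointer (0xC00C) back to the question name.
    rr = (b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, ttl, 4)
          + bytes(int(octet) for octet in ip.split(".")))
    return struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0) + question + rr


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it in msg)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # pointer to an earlier name
            hops += 1
            if hops > 16:                      # a looping pointer chain is malformed
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg):
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qname, answers = 12, None, []
    for _ in range(qdcount):
        qname, off = read_name(msg, off)
        off += 4                               # QTYPE, QCLASS
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": qid, "rcode": flags & 0xF, "qname": qname, "answers": answers}


class CachingForwarder:
    """Serve repeat questions from cache; otherwise ask upstream and keep the
    answer set for no longer than its shortest TTL."""

    def __init__(self, upstream):
        self.upstream = upstream       # callable: query bytes -> response bytes
        self.cache = {}                # (name, qtype) -> (answers, expiry time)
        self.upstream_calls = 0

    def resolve(self, name, qtype, now, qid=0x1234):
        # qid is fixed for the demo; a real resolver randomises it and the source port.
        key = (name.lower().rstrip("."), qtype)
        hit = self.cache.get(key)
        if hit and hit[1] > now:
            return hit[0]
        self.upstream_calls += 1
        resp = parse_response(self.upstream(build_query(qid, name, qtype)))
        # Never cache a reply that does not echo our ID and our question.
        if resp["id"] != qid or (resp["qname"] or "").lower() != key[0]:
            raise ValueError("response does not match the query that was sent")
        if resp["answers"]:
            self.cache[key] = (resp["answers"], now + min(a[2] for a in resp["answers"]))
        return resp["answers"]


def fake_isp_resolver(query):
    """Constructed upstream: always answers 64.12.151.215 with a 300 s TTL."""
    return build_response(query, "64.12.151.215", 300)


if __name__ == "__main__":
    fwd = CachingForwarder(fake_isp_resolver)
    for t in (0, 100, 400):                    # miss, hit, expired -> miss again
        print(t, fwd.resolve("www.netscape.com", QTYPE_A, now=t),
              "upstream calls:", fwd.upstream_calls)
```

On a box like the one in this thread the forwarder would listen on the LAN address and the LAN hosts would be given that address as their DNS server; the hosts then never need to know the ISP's resolvers, which is the difference between the two options Heiko lists.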
From: Chad M. <ch...@th...> - 2002-06-23 20:52:41

Heiko Zuerker wrote:
> | Problem: When loading the firewall during the DL bootup, DL gives
> | the following error: ip: command not found (or whatever). I
> | don't know enough about shell scripts to determine whether the
> | script would exit at that error or not.
>
> You need to install the package "IPROUTE2".

and

> You have 2 options:
>
> 1) Use masquerading (I think you will anyway) and set up the computers in
> your LAN to use the ISP's DNS servers (not really good)
>
> 2) Set up a DNS cache. You can either use the DNSCACHE package from D.J.
> Bernstein (docs: http://cr.yp.to ) or you use BIND. Both programs are
> available on DL.

Heiko, you are the man with all the answers! Dizamn.

I'll probably give this stuff a shot next weekend or something. Right now everything is working just fine, so I can afford to put off the tweaking. Right now I'm running under option 1 for the DNS issue. I'm not sure why you label it as "not really good," but it seems to work. I'll probably set up a DNS cache later. The only issue is that either DNSCACHE or BIND seems to be fairly memory intensive when the amount of DNS info increases, and I'm running DL on a Pentium 75 with 80 MB of RAM. Without lugging my monitor over to my DL box, could you tell me if there's a program in DL to check to see how much memory is free so I know how much I can commit to a DNS cache?

Thanks again,
Chad
From: Heiko Z. <he...@zu...> - 2002-06-23 21:20:43

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chad Martin wrote:
| Without lugging my monitor over to my DL box, could you tell me if
| there's a program in DL to check to see how much memory is free so I
| know how much I can commit to a DNS cache?

"free" is what you're looking for.

Heiko
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6-2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAj0WOPAACgkQzRJAyNsjWPnE0wCfeYF2x+gRxBJol02eRRzNpvy3
QEcAoIfs+mlJ4XFjAVKoLEwY87fl4OMz
=PWWT
-----END PGP SIGNATURE-----
From: Chad M. <ch...@th...> - 2002-06-30 11:19:21

Heiko Zuerker wrote:
> You have 2 options:
>
> 1) Use masquerading (I think you will anyway) and set up the computers in
> your LAN to use the ISP's DNS servers (not really good)

Well, this works. Why is it not really good?

> 2) Set up a DNS cache. You can either use the DNSCACHE package from D.J.
> Bernstein (docs: http://cr.yp.to ) or you use BIND. Both programs are
> available on DL.

I gave this a shot. Here's what I found out. Please let me know if I should take this to a different forum, or ask Mr. Bernstein himself about these issues.

First, I configured DL to install DAEMONTOOLS and DJBDNS on boot, since the documentation for dnscache claims that it requires/wants svscan to run it. That all worked out great.

I ran:

    dnscache-conf root root /etc/dnscachex 192.168.0.1

to set up the cache. This means that root will run dnscache, and that root will own the logs. Also, 192.168.0.1 is the DL server's LAN-side address. Since I didn't want to go through the pain of adding new users to my DL installation just to run this service, I set both of the users to root. This configuration script seemed to do what it should have.

I ran:

    ln -s /etc/dnscachex /service

to "tell" svscan about the new dnscache service, and I ran:

    touch /etc/dnscachex/root/ip/192.168.0

to tell dnscache to accept external cache requests from that network. I verified that the above commands did what I thought they should.

Now all that should have remained was to start svscan, and make sure it would start on reboot, right? When I start svscan by hand, it runs without error, AFAIK; however, it doesn't start dnscache, according to the process list using "ps ax". Also, my local clients can't use my DL installation for a DNS server. The only clue the docs give is to make sure that supervise is in svscan's path. Using which, I verified that supervise, dnscache, dnscache-conf and svscan were all in root's path, and root should be running all of this, right?

I also made an attempt to start svscan from the rc3.d directory. First I tried symlinking S13svscan directly to /usr/sbin/svscan, but that didn't work. I then tried to copy /etc/init.d/firewall to /etc/init.d/svscan and edit the body of the one if statement to run /usr/sbin/svscan, but that threw up a bunch of errors about files not found that should obviously be there. What I wouldn't give for a simple rc.local file in DL.

If anybody could shed some light on all of this, I'd appreciate it. I don't need to run a dnscache, but it would be a neat feature.

TIA,
Chad Martin
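For anyone reproducing the steps in the post above, here is a checker for the resulting layout. It is an added example, not part of the thread or of daemontools/djbdns. It encodes the daemontools contract from D. J. Bernstein's documentation (svscan scans a directory and runs supervise on each of its subdirectories; supervise executes that subdirectory's ./run) and two files dnscache-conf creates that the post relies on: env/IP, the listen address, and root/ip/<prefix>, the clients allowed to query. Paths are parameters so it runs against a tree it constructs itself; on the box they would be /service and /etc/dnscachex. The broken variant it builds is what `ln -s <service dir> /service` produces when /service does not already exist as a directory.

```python
"""Checker for a daemontools /service layout (added example, not djbdns code)."""
import os
import stat
import tempfile


def check_service_tree(service_dir, svc_name, listen_ip, client_prefix):
    """Return a list of problems; an empty list means the layout looks right."""
    problems = []
    if not os.path.isdir(service_dir):
        return [f"{service_dir} is not a directory svscan can scan"]
    if os.path.islink(service_dir):
        # svscan would scan inside the one service and run supervise on its
        # env/, root/ and log/ subdirectories instead of on the service itself.
        problems.append(f"{service_dir} is a symlink to a single service, "
                        "not a directory of services")
    entry = os.path.join(service_dir, svc_name)
    if not os.path.isdir(entry):
        problems.append(f"{entry} missing: nothing for svscan to supervise")
        return problems
    run = os.path.join(entry, "run")
    if not os.path.isfile(run) or not os.stat(run).st_mode & stat.S_IXUSR:
        problems.append(f"{run} missing or not executable; supervise cannot start it")
    ip_file = os.path.join(entry, "env", "IP")
    ip_ok = False
    if os.path.isfile(ip_file):
        with open(ip_file) as f:
            ip_ok = f.read().strip() == listen_ip
    if not ip_ok:
        problems.append(f"{ip_file} does not hold {listen_ip}")
    allow = os.path.join(entry, "root", "ip", client_prefix)
    if not os.path.exists(allow):
        problems.append(f"{allow} missing: clients in {client_prefix}.* would be refused")
    return problems


def build_tree(base, service_is_directory):
    """Construct a sample dnscache service under base (constructed data, not the
    output of a real dnscache-conf run).  With service_is_directory=False the
    service symlink is created where the /service directory should have been."""
    svc = os.path.join(base, "etc", "dnscachex")
    for sub in ("env", os.path.join("root", "ip"), "log"):
        os.makedirs(os.path.join(svc, sub))
    with open(os.path.join(svc, "run"), "w") as f:
        f.write("#!/bin/sh\nexec envdir ./env dnscache\n")   # stand-in for the real run script
    os.chmod(os.path.join(svc, "run"), 0o755)
    with open(os.path.join(svc, "env", "IP"), "w") as f:
        f.write("192.168.0.1\n")
    open(os.path.join(svc, "root", "ip", "192.168.0"), "w").close()   # the post's touch
    service = os.path.join(base, "service")
    if service_is_directory:
        os.mkdir(service)
        os.symlink(svc, os.path.join(service, "dnscachex"))   # ln -s /etc/dnscachex /service/
    else:
        os.symlink(svc, service)                              # /service itself becomes the link
    return service


def demo():
    """Check a correct and a broken layout; returns (problems_ok, problems_broken)."""
    results = []
    for ok in (True, False):
        service = build_tree(tempfile.mkdtemp(), service_is_directory=ok)
        results.append(check_service_tree(service, "dnscachex", "192.168.0.1", "192.168.0"))
    return tuple(results)


if __name__ == "__main__":
    for label, problems in zip(("correct layout", "symlink where /service should be"), demo()):
        print(f"{label}: {problems or 'OK'}")
```

Run against the real paths (`check_service_tree("/service", "dnscachex", "192.168.0.1", "192.168.0")`) it reports nothing when the directory, run script, listen address and client prefix are all in place; the check that supervise is on svscan's PATH, which the post mentions, is not modelled because it depends on how svscan is started rather than on the files.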