[SLL] can ping IPs but not hostname (proxy ARP server with NAT mode)
qwerty
qwerty at seed.net.tw
Wed May 18 00:49:29 PDT 2005
Hi Lists,
I have racked my brain completely, so please give me some light.
I already have this script running on another server as a
firewall/NAT server, and it works well.
But now it is having trouble with NAT going out to the Internet. For
example, I can ping any IP, but any domain name gives no response.
The main difference is that this server is running as a proxy
ARP server. So eth0 and eth1 have the same IP (1.1.1.1), and
eth2 (10.10.10.1) provides NAT for subnet 10.10.10.0/24.
OK, I have this policy (iptables -P FORWARD ACCEPT) to accept anything,
and it looks good. So it makes me think that I have to include some rule
to accept the response to the DNS query if the FORWARD chain is set to DROP.
It is also possible that the response gets lost between my proxy ARP
server and the DNS server. Any idea?
iptables script
-------------------------------------------------------
# enable routing between interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward
# strict reverse-path filtering on every interface
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
# connection-tracking and NAT helpers for active FTP
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
# default policies: drop inbound and forwarded traffic, allow local outbound
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# loopback is always allowed
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# forward ICMP echo-request (8) and echo-reply (0)
iptables -A FORWARD -p icmp --icmp-type 8 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 0 -j ACCEPT
# one host on the NAT subnet may forward anything
iptables -A FORWARD -p all -s 10.10.10.30 -j ACCEPT
# masquerade the NAT subnet behind the public address on eth0
iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -j SNAT \
  --to-source 1.1.1.1
# replies and related traffic for already-tracked connections
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
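The behaviour described in the post (ping works, name lookups do not) follows from first-match evaluation of the FORWARD chain: echo-requests from the NAT subnet hit an explicit ACCEPT, but a NEW UDP/53 packet from any host other than 10.10.10.30 matches no rule and falls through to the DROP policy, so no reply ever becomes ESTABLISHED. The following is an added example, not code from the original post or from netfilter itself: a small Python model of the FORWARD chain's first-match semantics, loaded with the rules from the script above and then with an assumed least-privilege fix (allow NEW DNS sessions from 10.10.10.0/24 only). All addresses and packets are constructed sample data.

```python
"""Toy first-match model of the iptables FORWARD chain (not netfilter itself)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "icmp", "udp" or "tcp"
    dport: Optional[int] = None       # transport destination port
    icmp_type: Optional[int] = None   # ICMP type (8 = echo-request, 0 = echo-reply)
    state: str = "NEW"                # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass
class Rule:
    target: str                       # "ACCEPT" or "DROP"
    proto: str = "all"                # -p
    src: Optional[str] = None         # -s, host or CIDR
    dport: Optional[int] = None       # --dport
    icmp_type: Optional[int] = None   # --icmp-type
    states: FrozenSet[str] = frozenset()   # -m state --state ...

    def matches(self, pkt: Packet) -> bool:
        """Every specified match criterion must hold, as in iptables."""
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True


def verdict(chain: List[Rule], policy: str, pkt: Packet) -> str:
    """First matching rule decides; with no match the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# The FORWARD chain exactly as the posted script builds it (policy DROP).
ORIGINAL_FORWARD = [
    Rule("ACCEPT", proto="icmp", icmp_type=8),              # echo-request
    Rule("ACCEPT", proto="icmp", icmp_type=0),              # echo-reply
    Rule("ACCEPT", src="10.10.10.30"),                      # one host may forward anything
    Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
]

# Assumed fix (not from the post): let the NAT subnet open NEW DNS sessions;
# the existing state rule then admits the replies.  Nothing else is opened.
FIXED_FORWARD = ORIGINAL_FORWARD + [
    Rule("ACCEPT", proto="udp", src="10.10.10.0/24", dport=53, states=frozenset({"NEW"})),
    Rule("ACCEPT", proto="tcp", src="10.10.10.0/24", dport=53, states=frozenset({"NEW"})),
]

# Constructed sample traffic from an ordinary LAN host (documentation addresses).
PING = Packet("10.10.10.5", "203.0.113.10", "icmp", icmp_type=8)
DNS_QUERY = Packet("10.10.10.5", "203.0.113.53", "udp", dport=53)
DNS_FROM_30 = Packet("10.10.10.30", "203.0.113.53", "udp", dport=53)
SSH = Packet("10.10.10.5", "203.0.113.22", "tcp", dport=22)


def forward_verdict(pkt: Packet, chain: List[Rule] = ORIGINAL_FORWARD) -> str:
    """Verdict of the FORWARD chain (policy DROP) for one packet."""
    return verdict(chain, "DROP", pkt)


if __name__ == "__main__":
    for name, pkt in [("ping", PING), ("dns", DNS_QUERY), ("dns from .30", DNS_FROM_30), ("ssh", SSH)]:
        print(f"{name:13} original={forward_verdict(pkt):7} fixed={forward_verdict(pkt, FIXED_FORWARD)}")
```

Running the model shows the ping and the 10.10.10.30 lookup accepted under both chains, the ordinary host's DNS query dropped only under the original chain, and unrelated traffic such as SSH still dropped after the fix. The same reasoning applies to the real ruleset: a rule accepting NEW packets from the subnet (at least to port 53) has to precede the policy, and the posted script has none, which is exactly the gap the author suspects.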