[SLL] can ping IPs but not hostname (proxy ARP server with NAT mode)
Douglas Kirkland
douglas at slugstone.net
Wed May 18 06:28:40 PDT 2005
Your firewall is working fine. Check your DNS server. The box you're
pinging from has no DNS working.
Douglas
qwerty wrote:
> Hi Lists,
>
> I am running out of all of my brain. So please give me some light.
> I already have this script running on another server as a
> firewall/NAT server and it works well.
>
> But now it is having trouble with NAT going out to the Internet. For
> example, I can ping any IP, but any domain name responds with
> nothing. The main difference is that this server is running as a proxy
> ARP server. So eth0 and eth1 have the same IP (1.1.1.1) and
> eth2 (10.10.10.1) provides NAT for subnet 10.10.10.0/24.
>
> OK, I have this policy (iptables -P FORWARD ACCEPT) to accept anything
> and it looks good. So it makes me think that I have to include some rule
> to accept the response to the DNS query if the FORWARD chain is set to DROP.
> And it is possible that the response gets lost between my proxy ARP
> server and the DNS server. Any idea?
>
> iptables script
> -------------------------------------------------------
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
>
> modprobe ip_conntrack_ftp
> modprobe ip_nat_ftp
>
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> iptables -A FORWARD -p icmp --icmp-type 8 -j ACCEPT
> iptables -A FORWARD -p icmp --icmp-type 0 -j ACCEPT
>
> iptables -A FORWARD -p all -s 10.10.10.30 -j ACCEPT
>
> iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -j SNAT --to-source 1.1.1.1
>
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>
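As an added illustration (not the poster's script and not a netfilter emulator), the FORWARD chain quoted above can be walked in order to see why a ping succeeds while a name lookup does not: ICMP echo and anything from 10.10.10.30 match an ACCEPT rule, but a NEW DNS query from any other LAN host matches nothing and falls to the DROP policy. The RELATED,ESTABLISHED rule only covers the reply, never the first packet; Douglas's DNS-server check still applies once that first packet gets through. The host addresses, the port-53 rule and the rule descriptions are constructed for this example.

```python
import ipaddress

# Constructed example, not the poster's script: the quoted FORWARD chain as an
# ordered rule list. First match wins; an unmatched packet gets the chain policy.
LAN = ipaddress.ip_network("10.10.10.0/24")

def in_lan(p):
    return ipaddress.ip_address(p["src"]) in LAN

FORWARD_RULES = [
    # (description, predicate, target) in the order the quoted script adds them
    ("icmp echo-request",    lambda p: p["proto"] == "icmp" and p["icmp_type"] == 8, "ACCEPT"),
    ("icmp echo-reply",      lambda p: p["proto"] == "icmp" and p["icmp_type"] == 0, "ACCEPT"),
    ("all from 10.10.10.30", lambda p: p["src"] == "10.10.10.30",                    "ACCEPT"),
    ("RELATED,ESTABLISHED",  lambda p: p["state"] in ("RELATED", "ESTABLISHED"),     "ACCEPT"),
]
FORWARD_POLICY = "DROP"

def forward_verdict(pkt, rules=FORWARD_RULES, policy=FORWARD_POLICY):
    """Walk the chain in order; return (target, matched rule or 'policy')."""
    for desc, match, target in rules:
        if match(pkt):
            return target, desc
    return policy, "policy"

def new_packet(src, proto, dport=None, icmp_type=None):
    """First packet of a flow, i.e. conntrack state NEW (constructed sample)."""
    return {"src": src, "proto": proto, "dport": dport,
            "icmp_type": icmp_type, "state": "NEW"}

def with_dns_rule(rules):
    """Hypothetical hardening: allow only NEW DNS (udp/tcp 53) out of the LAN,
    keeping the default-deny policy instead of flipping FORWARD to ACCEPT."""
    dns = ("NEW dns from LAN",
           lambda p: p["state"] == "NEW" and in_lan(p)
                     and p["proto"] in ("udp", "tcp") and p["dport"] == 53,
           "ACCEPT")
    return [dns] + list(rules)

if __name__ == "__main__":
    samples = {
        "ping 1.2.3.4 from .20": new_packet("10.10.10.20", "icmp", icmp_type=8),
        "dns query from .20":    new_packet("10.10.10.20", "udp", dport=53),
        "dns query from .30":    new_packet("10.10.10.30", "udp", dport=53),
    }
    for name, pkt in samples.items():
        print(f"{name:22s} quoted chain: {forward_verdict(pkt)}"
              f"  with dns rule: {forward_verdict(pkt, with_dns_rule(FORWARD_RULES))}")
```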