Hi Pradeeper, looks like you forgot to allow DNS for incoming traffic. On some machines this is necessary. My own firewall handles DNS like this:
    for ip in $DNSSERVER ; do
        # replies from the resolver, only for connections this host opened
        $IPTABLES -A INPUT  -p tcp -i $EXT_DEV -d $EXT_IP -s $ip --sport 53:53 $STATEEST -j ACCEPT
        $IPTABLES -A INPUT  -p udp -i $EXT_DEV -d $EXT_IP -s $ip --sport 53:53 $STATEEST -j ACCEPT
        # queries from the firewall host itself to the resolver
        $IPTABLES -A OUTPUT -p tcp -o $EXT_DEV -s $EXT_IP -d $ip --dport 53:53 -j ACCEPT
        $IPTABLES -A OUTPUT -p udp -o $EXT_DEV -s $EXT_IP -d $ip --dport 53:53 -j ACCEPT
    done

All connections from behind the firewall which require DNS were NATed. Hope this helps you.

Michael.

Pradeeper wrote:
Hi All,

I can't subscribe to the Debian firewall mailing list (no mail from the lists.debian.org server), so please Cc: pradeeper@unionb.com when you reply.

I'm implementing a Debian (Sarge) firewall with iptables. It's exactly as in http://iptables-tutorial.frozentux.net/iptables-tutorial.html#RCDMZFIREWALLTXT and I'm using the script they provide there, http://iptables-tutorial.frozentux.net/scripts/rc.DMZ.firewall.txt

I can resolve local DNS entries without any problem, but there is a problem with outside domains. When I try to nslookup or dig some domain (say yahoo.com or debian.org), it says "server time out" or "couldn't find the server". My primary DNS server is in this DMZ zone, and I have uncommented the line query_source address * port 53; in /etc/bind/named.conf as well.

What could be the problem?

Thanks!
Pradeeper

--
Debian GNU/Linux Sarge kernel 2.4.22-openmosix-1
Q: Why don't lawyers go to the beach?
A: The cats keep trying to bury them.
--
Michael Tschach
Büromat IT Systeme GmbH
Softwareentwicklung
Newtonstrasse 12
08060 Zwickau
Tel: +49 375 8109 0
Fax: +49 375 8109 256
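As an added example, not Michael's own script and not the frozentux rc.DMZ.firewall script: a dry-run version of the DNS rules in the reply above, generating the INPUT/OUTPUT pair for each resolver in a list and, going one step beyond the reply, the FORWARD pair a DMZ-hosted name server needs so its own outbound queries and the replies to them get through. The IPTABLES variable defaults to "echo iptables", so running it only prints the rules; every interface name and address is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not Michael's own script or the frozentux rc.DMZ.firewall.
# IPTABLES defaults to "echo iptables" so the rules are printed rather than
# applied; run with IPTABLES=/sbin/iptables (as root) to load them.
# All interface names and addresses are constructed placeholders.
IPTABLES=${IPTABLES:-"echo iptables"}
EXT_DEV=${EXT_DEV:-eth0}            # external interface
EXT_IP=${EXT_IP:-192.0.2.10}        # external address of the firewall
DMZ_DEV=${DMZ_DEV:-eth2}            # DMZ interface
DMZ_DNS=${DMZ_DNS:-10.0.0.53}       # name server living in the DMZ
STATEEST="-m state --state ESTABLISHED"

# dns_rules RESOLVER...: let the firewall host itself query each resolver
# (OUTPUT) and accept the replies only as part of a connection it opened (INPUT).
dns_rules() {
    for ip in "$@"; do
        for proto in tcp udp; do
            $IPTABLES -A INPUT -p "$proto" -i "$EXT_DEV" -d "$EXT_IP" -s "$ip" --sport 53 $STATEEST -j ACCEPT
            $IPTABLES -A OUTPUT -p "$proto" -o "$EXT_DEV" -s "$EXT_IP" -d "$ip" --dport 53 -j ACCEPT
        done
    done
}

# dmz_dns_forward_rules RESOLVER...: a name server in the DMZ is not the
# firewall host, so its queries cross the FORWARD chain, not OUTPUT (the NAT
# table rewrites the source address separately). Only replies to established
# queries are let back in towards the DMZ.
dmz_dns_forward_rules() {
    for ip in "$@"; do
        for proto in tcp udp; do
            $IPTABLES -A FORWARD -p "$proto" -i "$DMZ_DEV" -o "$EXT_DEV" -s "$DMZ_DNS" -d "$ip" --dport 53 -j ACCEPT
            $IPTABLES -A FORWARD -p "$proto" -i "$EXT_DEV" -o "$DMZ_DEV" -s "$ip" -d "$DMZ_DNS" --sport 53 $STATEEST -j ACCEPT
        done
    done
}

# count_rules FUNC RESOLVER...: number of rules FUNC emits in dry-run mode
# (four per resolver: tcp and udp, each direction).
count_rules() {
    fn=$1; shift
    "$fn" "$@" | wc -l | tr -d ' '
}

# Usage with two constructed resolver addresses; prints the rules.
dns_rules 192.0.2.53 198.51.100.53
dmz_dns_forward_rules 192.0.2.53 198.51.100.53
```

Because the INPUT and FORWARD reply rules carry the ESTABLISHED state match, a resolver address can only send traffic back that belongs to a query the firewall or the DMZ name server actually sent; a resolver that is not in the list gets nothing in either direction, which is the check to run first when an outside lookup times out while local lookups work.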