j6m@adm.estp.fr
2002-Aug-25 15:38 UTC
[Shorewall-users] Trouble with DNS public server in DMZ
Hello,

I just started shorewall on my fw yesterday afternoon. My network is a three-arm system. All boxes run Suse 8.0. My fw is connected through the ADSL modem (10.0.0.138) through eth0 (10.0.0.1/255.0.0.0). My DMZ is 192.168.2.0/255.255.255.0. My local private net is 192.168.1.0/255.255.255.0. I am using Shorewall 1.3.7a.

DMZ is intended to host HTTP, HTTPS, Zope (:8080), POP, SMTPS, and DNS services.

I took the three-interfaces sample as a template and began customising it for my purpose. The main thing was to change the net zone from eth0 to ppp0 as I use rp-pppoe.

I added the possibility for all hosts to be HTTP and FTP clients of outside world servers (Yast Online update needs that).

I also set up the HTTP, DNS and SSH services from loc and fw to DMZ, and SSH from net to fw, and from fw to both dmz and local (should remote maintenance be needed). So far so good.

Now I am trying to use the DNS in my dmz as a cache and definition server for several domains (the slave DNS server being at these domains' registrar).

I added in rules:

    #
    # Allow DNS requests to the server in the DMZ
    #
    DNAT    net    dmz:192.168.2.4    tcp    53
    DNAT    net    dmz:192.168.2.4    udp    53

But it looks like the slave DNS cannot query my DMZ DNS server.

Q: Does the DNAT directive include an implicit ACCEPT or not? (i.e. should I add "ACCEPT net dmz [tcp udp] 53" prior to the DNAT line?)

Regards
JMM
On Sunday 25 August 2002 08:38 am, j6m@adm.estp.fr wrote:

> Hello,
>
> I just started shorewall on my fw yesterday afternoon. My network is a
> three-arm system.
>
> All boxes run Suse 8.0. My fw is connected through the ADSL modem
> (10.0.0.138) through eth0 (10.0.0.1/255.0.0.0).
>
> My DMZ is 192.168.2.0/255.255.255.0. My local private net is
> 192.168.1.0/255.255.255.0. I am using Shorewall 1.3.7a.
>
> DMZ is intended to host HTTP, HTTPS, Zope (:8080), POP, SMTPS, and DNS
> services.
>
> I took the three-interfaces sample as a template and began customising it
> for my purpose. The main thing was to change the net zone from eth0 to ppp0 as
> I use rp-pppoe.
>
> I added the possibility for all hosts to be HTTP and FTP clients of outside
> world servers (Yast Online update needs that).
>
> I also set up the HTTP, DNS and SSH services from loc and fw to DMZ, and
> SSH from net to fw, and from fw to both dmz and local (should remote
> maintenance be needed). So far so good.
>
> Now I am trying to use the DNS in my dmz as a cache and definition server
> for several domains (the slave DNS server being at these domains'
> registrar).
>
> I added in rules:
>
>     #
>     # Allow DNS requests to the server in the DMZ
>     #
>     DNAT    net    dmz:192.168.2.4    tcp    53
>     DNAT    net    dmz:192.168.2.4    udp    53
>
> But it looks like the slave DNS cannot query my DMZ DNS server.
>
> Q: Does the DNAT directive include an implicit ACCEPT or not?

Yes. The above rules are all that you need to forward and accept DNS requests to 192.168.2.4.

Does "shorewall show nat" show DNS requests reaching your firewall from the net?

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
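To make Tom's answer concrete, here is an added example (not Shorewall's own code or its compiler output) that models how a rules-file DNAT line expands into an iptables nat rewrite plus the filter ACCEPT that travels with it, so no separate ACCEPT line is needed. The zone-to-interface map and the eth1/eth2 names are assumptions; only ppp0 for net comes from the thread.

```python
# Zone -> interface map (constructed): net is ppp0 per the poster; loc/dmz names are placeholders.
ZONE_IFACE = {"net": "ppp0", "loc": "eth1", "dmz": "eth2"}

def parse_rule(line):
    """Parse one Shorewall 1.3-style rules line: ACTION SOURCE DEST PROTO [PORT]."""
    line = line.split("#", 1)[0].strip()      # drop comments and blank lines
    if not line:
        return None
    fields = line.split()
    if len(fields) < 4:
        raise ValueError(f"too few fields: {line!r}")
    action, source, dest, proto = fields[:4]
    port = fields[4] if len(fields) > 4 and fields[4] != "-" else None
    return {"action": action.upper(), "source": source, "dest": dest,
            "proto": proto, "port": port}

def to_iptables(rule):
    """Simplified iptables equivalent of one rule (a model, not Shorewall's real
    output): DNAT yields a nat/PREROUTING rewrite *and* a filter/FORWARD ACCEPT."""
    src_zone = rule["source"].partition(":")[0]
    dst_zone, _, dst_host = rule["dest"].partition(":")
    in_if, out_if, proto = ZONE_IFACE[src_zone], ZONE_IFACE[dst_zone], rule["proto"]
    port = f" --dport {rule['port']}" if rule["port"] else ""
    dest = f" -d {dst_host}" if dst_host else ""
    accept = f"iptables -A FORWARD -i {in_if} -o {out_if} -p {proto}{dest}{port} -j ACCEPT"
    if rule["action"] == "DNAT":
        if not dst_host:
            raise ValueError("DNAT needs a destination host")
        nat = (f"iptables -t nat -A PREROUTING -i {in_if} -p {proto}{port}"
               f" -j DNAT --to-destination {dst_host}")
        return [nat, accept]          # the ACCEPT comes with the DNAT
    if rule["action"] == "ACCEPT":
        return [accept]
    raise ValueError(f"unsupported action {rule['action']}")

def translate(text):
    cmds = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule:
            cmds.extend(to_iptables(rule))
    return cmds

# The two rules from the thread, comment translated (constructed input).
RULES = """\
# Allow DNS requests to the server in the DMZ
DNAT net dmz:192.168.2.4 tcp 53
DNAT net dmz:192.168.2.4 udp 53
"""
```

Running translate(RULES) yields four commands: two PREROUTING rewrites and two FORWARD ACCEPTs, one pair per protocol.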