I use the version 1.4.6c. Here is my config:

Eth0 (net): master address xxx.255.85.142 and virtual addresses xxx.255.85.130 and xxx.255.85.131.
Eth1 (masq): address 10.0.90.1 (255.255.0.0).

I've got Bind servers with exactly the same config at 10.0.100.1 and 10.0.100.2.

I use these rules:

############### NS1 ############################################################
DNAT net masq:10.0.100.1:10000 tcp 10130 -
DNAT net masq:10.0.100.1 tcp 53 - xxx.255.85.130
DNAT net masq:10.0.100.1 udp 53 - xxx.255.85.130
############### NS2 ############################################################
DNAT net masq:10.0.100.2:10000 tcp 10131 -
DNAT net masq:10.0.100.1 tcp 53,953 - xxx.255.85.131
DNAT net masq:10.0.100.1 udp 53,953 - xxx.255.85.131
################################################################################
ACCEPT masq fw tcp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp,10000 -
ACCEPT masq fw udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp,10000 -
ACCEPT fw masq tcp 631,515,137,138,139 -
ACCEPT fw masq udp 631,515,137,138,139 -
# Dns
ACCEPT fw masq tcp 53 -
ACCEPT fw masq udp 53 -
# Ping
ACCEPT fw masq icmp 8 -
# Ping
ACCEPT masq fw icmp 8 -
# Webmin
ACCEPT masq fw tcp 10000 -
################ Net to Router ##################################################
# Webmin
ACCEPT net fw tcp 10000,53 -
# Accept all pings
ACCEPT net fw icmp 8 -
ACCEPT net masq icmp 8 -

When I use nslookup on NS1 all works fine. But with NS2, I've got request time out and so, bind never resolves names.
Is it because I use DNAT 2 times with the same port to redirect to two different addresses?
What must I do to resolve this trouble?

Thanks
Franck
Isn't it just a typing error? You wrote:

############### NS2 ############################################################
DNAT net masq:10.0.100.2:10000 tcp 10131 -
DNAT net masq:10.0.100.1 tcp 53,953 - xxx.255.85.131
DNAT net masq:10.0.100.1 udp 53,953 -

I guess you mean:

############### NS2 ############################################################
DNAT net masq:10.0.100.2:10000 tcp 10131 -
DNAT net masq:10.0.100.2 tcp 53,953 - xxx.255.85.131
DNAT net masq:10.0.100.2 udp 53 - xxx.255.85.131

Best regards,
Niels Kristian Jensen
Denmark
On Friday 06 February 2004 07:02 am, Franck BAREL wrote:
> I use the version 1.4.6c.
> Here is my config:
>
> Eth0 (net): master address xxx.255.85.142 and virtual addresses
> xxx.255.85.130 and xxx.255.85.131.
> Eth1 (masq): address 10.0.90.1 ( 255.255.0.0).
>
> I've got Bind servers with exactly the same config at 10.0.100.1 and
> 10.0.100.2.

They can't be EXACTLY the same or I suspect that one of them is going to be very confused. Is it the server that is NOT named in the SOA records that is having the problems?

Disclaimer: IANADNSE. (I am not a DNS expert)

> I use these rules:
>
> ############### NS1 ############################################################
> DNAT net masq:10.0.100.1:10000 tcp 10130 -
> DNAT net masq:10.0.100.1 tcp 53 - xxx.255.85.130
> DNAT net masq:10.0.100.1 udp 53 - xxx.255.85.130
> ############### NS2 ############################################################
> DNAT net masq:10.0.100.2:10000 tcp 10131 -
> DNAT net masq:10.0.100.1 tcp 53,953 - xxx.255.85.131
> DNAT net masq:10.0.100.1 udp 53,953 - xxx.255.85.131
> ################################################################################
> ACCEPT masq fw tcp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp,10000 -
> ACCEPT masq fw udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp,10000 -
> ACCEPT fw masq tcp 631,515,137,138,139 -
> ACCEPT fw masq udp 631,515,137,138,139 -
> # Dns
> ACCEPT fw masq tcp 53 -
> ACCEPT fw masq udp 53 -
> # Ping
> ACCEPT fw masq icmp 8 -
> # Ping
> ACCEPT masq fw icmp 8 -
> # Webmin
> ACCEPT masq fw tcp 10000 -
> ################ Net to Router ##################################################
> # Webmin
> ACCEPT net fw tcp 10000,53 -
> # Accept all pings
> ACCEPT net fw icmp 8 -
> ACCEPT net masq icmp 8 -
>
> When I use nslookup on NS1 all works fine. But with NS2, I've got
> request time out and so, bind never resolves names.
> Is it because I use DNAT 2 times with the same port to redirect to two
> different addresses?
> What must I do to resolve this trouble?

a) Troubleshoot it like you would any other port forwarding problem (see Shorewall FAQs 1a and 1b).

b) Check your logs to see what kind of messages the DNS server itself is generating.

c) Check your Shorewall logs to see if the second server is trying to send requests to the first one using its external IP address.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Isn't it just a typing error? You write:

> ############### NS2 ############################################################
> DNAT net masq:10.0.100.2:10000 tcp 10131 -
> DNAT net masq:10.0.100.1 tcp 53,953 - xxx.255.85.131
> DNAT net masq:10.0.100.1 udp 53,953 - xxx.255.85.131
> ################################################################################

That will send all traffic to the same server regardless of whether the external IP is xxx.255.85.130 or xxx.255.85.131, right?

I guess you mean:

> ############### NS2 ############################################################
> DNAT net masq:10.0.100.2:10000 tcp 10131 -
> DNAT net masq:10.0.100.2 tcp 53,953 - xxx.255.85.131
> DNAT net masq:10.0.100.2 udp 53,953 - xxx.255.85.131
> ################################################################################

Notice that I've changed the "To" field.

By the way, check your documentation about secondary name servers. You can set up NS2 such that it will copy everything from NS1 automatically when you make a change in NS1.

Best regards,
Niels Kristian Jensen
Denmark
--
http://spejder.dk http://seniorsite.dk http://dds.dk
No e-mail marketing, please.
On Friday 06 February 2004 07:43 am, Tom Eastep wrote:
> On Friday 06 February 2004 07:02 am, Franck BAREL wrote:
> > I use the version 1.4.6c.
> > Here is my config:
> >
> > Eth0 (net): master address xxx.255.85.142 and virtual addresses
> > xxx.255.85.130 and xxx.255.85.131.
> > Eth1 (masq): address 10.0.90.1 ( 255.255.0.0).
> >
> > I've got Bind servers with exactly the same config at 10.0.100.1 and
> > 10.0.100.2.
>
> They can't be EXACTLY the same or I suspect that one of them is going to be
> very confused. Is it the server that is NOT named in the SOA records that
> is having the problems?
>
> Disclaimer: IANADNSE. (I am not a DNS expert)
>
> > I use these rules:
> >
> > ############### NS1 ############################################################
> > DNAT net masq:10.0.100.1:10000 tcp 10130 -
> > DNAT net masq:10.0.100.1 tcp 53 - xxx.255.85.130
> > DNAT net masq:10.0.100.1 udp 53 - xxx.255.85.130
> > ############### NS2 ############################################################
> > DNAT net masq:10.0.100.2:10000 tcp 10131 -
> > DNAT net masq:10.0.100.1 tcp 53,953 - xxx.255.85.131
> > DNAT net masq:10.0.100.1 udp 53,953 - xxx.255.85.131
> > ################################################################################

Wait a minute -- Those rules forward to the SAME internal system (10.0.100.1).

-Tom
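The mistake Tom and Niels spotted is easy to miss by eye in a long rules file, so here is an added example (not from the thread, and not Shorewall's own tooling) that lints Shorewall 1.4-style rules lines and reports any internal host that receives the same protocol/port from more than one ORIGINAL DEST address. The RULES text is constructed from the NS1/NS2 lines Franck posted; the column order is the assumed 1.4 rules layout.

```python
"""Lint Shorewall 1.4-style rules for the DNAT mistake discussed in this thread.

Added example, not part of the thread or of Shorewall. Assumed column order
(Shorewall 1.4 rules file): ACTION SOURCE DEST PROTO DPORT [SPORT] [ORIG_DEST].
"""
from collections import defaultdict

# Constructed from the NS1/NS2 rules Franck posted (comment lines dropped).
RULES = """
DNAT net masq:10.0.100.1:10000 tcp 10130 -
DNAT net masq:10.0.100.1 tcp 53 - xxx.255.85.130
DNAT net masq:10.0.100.1 udp 53 - xxx.255.85.130
DNAT net masq:10.0.100.2:10000 tcp 10131 -
DNAT net masq:10.0.100.1 tcp 53,953 - xxx.255.85.131
DNAT net masq:10.0.100.1 udp 53,953 - xxx.255.85.131
ACCEPT net fw tcp 10000,53 -
"""


def parse_dnat(text):
    """Yield (proto, port, original_dest, internal_host) for each DNAT rule,
    one tuple per port when DPORT is a comma-separated list."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "DNAT":
            continue  # blank line, comment, or a non-DNAT action
        dest, proto, dports = fields[2], fields[3], fields[4]
        orig = fields[6] if len(fields) > 6 and fields[6] != "-" else None
        # DEST is zone:host[:port]; the redirect port is irrelevant here.
        host = dest.split(":")[1] if ":" in dest else None
        for port in dports.split(","):
            yield proto, port, orig, host


def find_shared_targets(text):
    """Return {(proto, port, internal_host): [external addrs]} for every
    internal host that receives the same proto/port from more than one
    ORIGINAL DEST address. That is exactly what happened to NS2: both
    public IPs ended up forwarded to 10.0.100.1."""
    groups = defaultdict(set)
    for proto, port, orig, host in parse_dnat(text):
        if orig is not None and host is not None:
            groups[(proto, port, host)].add(orig)
    return {key: sorted(addrs) for key, addrs in groups.items() if len(addrs) > 1}


if __name__ == "__main__":
    for (proto, port, host), addrs in sorted(find_shared_targets(RULES).items()):
        print(f"{proto}/{port}: {' and '.join(addrs)} both DNAT to {host}")
```

On Franck's rules this reports tcp/53 and udp/53 for 10.0.100.1; once the NS2 lines point at 10.0.100.2 the report is empty.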
Hello,

Yes, it was an error. I changed the rules but it's always the same result.

Thanks for your help.
Franck

-----Original Message-----
From: nkjbox@internetgruppen.dk [mailto:nkjbox@internetgruppen.dk]
Sent: Friday, 6 February 2004 16:31
To: Mailing List for Experienced Shorewall Users
Subject: Re: [Shorewall-users] 2 DNS behind shorewall

Isn't it just a typing error? You wrote:

############### NS2 ############################################################
DNAT net masq:10.0.100.2:10000 tcp 10131 -
DNAT net masq:10.0.100.1 tcp 53,953 - xxx.255.85.131
DNAT net masq:10.0.100.1 udp 53,953 -

I guess you mean:

############### NS2 ############################################################
DNAT net masq:10.0.100.2:10000 tcp 10131 -
DNAT net masq:10.0.100.2 tcp 53,953 - xxx.255.85.131
DNAT net masq:10.0.100.2 udp 53 - xxx.255.85.131

Best regards,
Niels Kristian Jensen
Denmark
shorewall-users-bounces@lists.shorewall.net wrote:
> I changed the rules but it's always the same result.

I don't understand you - is the problem solved now?

If not, how does your rules file look now?

Best regards,
Niels Kristian Jensen
Denmark
On Friday 06 February 2004 11:11 am, Niels Kristian Jensen wrote:
> shorewall-users-bounces@lists.shorewall.net wrote:
> > I changed the rules but it's always the same result.
>
> I don't understand you - is the problem solved now?
>
> If not, how does your rules file look now?

It's always good to keep in mind that not all connection problems are Shorewall problems. For example, is the second DNS server configured with the correct default gateway?

-Tom