[TriLUG] Re: Firewall for my webserver (IPTABLES)

Jon Carnes jonc at nc.rr.com
Mon Jun 9 08:38:30 EDT 2003


Just a WAG, but have you tried setting the Named so that it responds
from the external interface?  

From "man named.conf"

<...snip>

Interfaces
 The interfaces and ports that the server will answer queries from may
 be specified using the listen-on option.  listen-on takes an optional
 port, and an address match list.  The server will listen on all
 interfaces allowed by the address match list.  If a port is not specified,
 port 53 will be used.

 Multiple listen-on statements are allowed.  For example,

     listen-on { 5.6.7.8; };
     listen-on port 1234 { !1.2.3.4; 1.2/16; };

 will enable the nameserver on port 53 for the IP address 5.6.7.8, and
 on port 1234 of an address on the machine in net 1.2 that is not
 1.2.3.4.

 If no listen-on is specified, the server will listen on port 53 on all
 interfaces.
======

If that doesn't work, then use tcpdump or ethereal to capture dns
request going to and from the server.  You can do it with the
firewall/NAT down (when it works) and then compare that to when the
firewall/NAT is up (and it doesn't work for Win98 clients).

Good Luck - Jon Carnes 

On Sun, 2003-06-08 at 15:40, Chris Knowles wrote:
> Well, I've seen something about this in the past.  Only two things pop
> to mind...
> 
> 1) try dropping the firewall to make *sure* that that is not the
> problem.
> 
> 2) Doing a little googling, I found a couple of people for whom the
> solution was to uninstall the TCP/IP protocol, reboot, and reconfigure
> it.
> 
> But on the good side, from even a cursory googling, on "linux dns
> windows 98" it appears that you aren't the only person suffering this
> problem.
> 
> CJK
> 
> On Sun, 2003-06-08 at 13:46, Jerry M. Howell II wrote:
> > On Sat, Jun 07, 2003 at 11:38:41PM -0600, Jerry M. Howell II wrote:
> > > Hello everyone,
> > > 
> > >    I'm currently running and adminning my wife's webserver at
> > >    gamma.hostbyk.com. We are running redhat 7.3 with a generic 2.4.20
> > >    kernel custom compiled with all the iptables/NAT goodies. I go to
> > >    enable the firewall and that's where I run into problems. I can view
> > >    the webserver, about 75% of my clients can, but there are some that go
> > >    through compuserve, earthlink and aol that can't seem to access
> > >    anything once I start the firewall. No email, ftp, can't ping it or
> > >    pull up a webpage. Thought it was probably ICMP so I allowed that
> > >    through but still nothing. Might someone have any suggestions? Here is
> > >    the output from /usr/local/iptables-save, which is iptables-1.2.8 BTW.
> > > 
> > > My firewall script can be found at http://www.jmhowell.com/fire.html if
> > > you wanna look that over as well. Thanks for any advice that can be given.
> > > Any Time Warner admins feel free to spill the beans as well if you know
> > > of anything :)
> > > 
> > Just a little addition. I think I have the issue narrowed down. My cousin
> > can access the sites through win2k and linux, but not through win98; the
> > clients that can't access it are also using win98. As crazy as it
> > sounds, I think it's a windows 98 problem accessing dns even through the
> > firewall, even though the proper ports are open. Any ideas?
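As an added example (not from the thread), here is the comparison Jon suggests, done over tcpdump -n output: it pairs each DNS query with its reply by client address, client port and transaction id, then flags replies that leave from an address other than the one the client queried (what the listen-on hint addresses) and queries that never get a reply at all (what a firewall drop looks like). The capture lines, addresses and transaction ids are constructed for the example.

```python
import re

# Constructed tcpdump -n sample (not a capture from the thread).  Scenario
# matching Jon's guess: the server is multi-homed, one reply leaves from an
# address other than the one the client queried, and one query goes unanswered.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 203.0.113.5.1045 > 198.51.100.10.53: 4660+ A? gamma.hostbyk.com. (35)
12:00:01.000900 IP 198.51.100.10.53 > 203.0.113.5.1045: 4660 1/0/0 A 198.51.100.10 (51)
12:00:02.000100 IP 203.0.113.7.1046 > 198.51.100.10.53: 4661+ A? gamma.hostbyk.com. (35)
12:00:02.000900 IP 192.168.1.2.53 > 203.0.113.7.1046: 4661 1/0/0 A 198.51.100.10 (51)
12:00:03.000100 IP 203.0.113.9.1047 > 198.51.100.10.53: 4662+ A? gamma.hostbyk.com. (35)
"""

# One tcpdump line: timestamp, optional "IP", src.port > dst.port: txid[flags] ...
LINE_RE = re.compile(
    r"^\S+\s+(?:IP\s+)?(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)[+*$|-]*\s"
)


def audit_dns_capture(text):
    """Pair each query (client -> port 53) with its reply by (client IP, client
    port, transaction id).  Report replies whose source address is not the
    address the client asked (some resolvers discard these) and queries that
    never got any reply (typical when the firewall drops them)."""
    pending = {}   # (client, port, txid) -> server address the client asked
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["dport"] == "53":                        # client -> server query
            pending[(m["src"], m["sport"], m["txid"])] = m["dst"]
        elif m["sport"] == "53":                      # server -> client reply
            key = (m["dst"], m["dport"], m["txid"])
            asked = pending.pop(key, None)
            if asked is None:
                findings.append(("unmatched reply", m["dst"], m["txid"], m["src"]))
            elif asked != m["src"]:
                findings.append(("reply from other address", m["dst"], m["txid"],
                                 f"asked {asked}, answered from {m['src']}"))
    for (client, _port, txid), asked in pending.items():
        findings.append(("no reply", client, txid, f"query to {asked}"))
    return findings


if __name__ == "__main__":
    for kind, client, txid, detail in audit_dns_capture(SAMPLE_CAPTURE):
        print(f"{kind:25} client={client} id={txid} {detail}")
```

Run it twice, once on a capture taken with the firewall/NAT down and once with it up, and compare the findings; a reply from the wrong address points at the named listen-on setting, while a "no reply" only with the firewall up points at the rules.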
