[ale] DNS woes w/Devil Linux

Joe Knapka jknapka at kneuro.net
Mon Feb 16 15:01:53 EST 2004


Jonathan Glass <jonathan.glass at ibb.gatech.edu> writes:

Thanks, Jonathan. [Putting this here because otherwise
it will get lost in the shell output below:-]

> Long shot, but does Devil Linux use tcp_wrappers?  Have you checked
> /etc/hosts.allow and /etc/hosts.deny?

It does not appear to use tcp_wrappers; /etc/hosts.allow et al do
not exist. It does run BIND in a chroot jail, but the hosts.*
are missing there as well.

> Check your /etc/named.conf file for anything relating to allowed
> clients.

named.conf is extremely minimal. It contains only:

options {
  listen-on { 192.168.81.14; 192.168.71.1; };
};

(the internal and wireless interfaces, respectively).
I'm really not sure how this configuration achieves
forward-only behavior; I seem to remember having to
do something rather more complicated when I was
setting BIND up manually on my previous router.
But it does seem to work, for queries from the internal
net.

> Also, what does 'iptables -L -n' report?

Here goes. Incidentally, if I flush all the firewall rules
and change all the policies to ACCEPT, I *still* can't
get DNS to work on the wireless net. Strange, no?

eth0 is the cable modem, eth1 is internal wired LAN,
eth2 is wireless. Notes about what I think is supposed to
happen in #comments.

root at airwall:~ # iptables -L -v -n
Chain INPUT (policy DROP 3858 packets, 205K bytes)
 pkts bytes target     prot opt in     out     source     destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0  0.0.0.0/0           
  696 44722 ACCEPT     all  --  eth1   *       0.0.0.0/0  0.0.0.0/0           
  838  134K ACCEPT     all  --  *      *       0.0.0.0/0  0.0.0.0/0           state RELATED,ESTABLISHED 
   61  4584 ACCEPT     icmp --  *      *       0.0.0.0/0  0.0.0.0/0           
    0     0 REJECT     tcp  --  eth0   *       0.0.0.0/0  0.0.0.0/0           tcp dpt:113 reject-with tcp-reset 
# Here we should be allowing DNS reqs from wireless-land.
    0     0 ACCEPT     tcp  --  eth2   *       0.0.0.0/0  0.0.0.0/0           tcp dpt:53 
    0     0 ACCEPT     udp  --  eth2   *       0.0.0.0/0  0.0.0.0/0           udp dpt:53 
  697  242K DROP       all  --  *      *       0.0.0.0/0  255.255.255.255     
    0     0 DROP       all  --  *      *       0.0.0.0/0  224.0.0.0/8         
  463 24951 LOG        all  --  *      *       0.0.0.0/0  0.0.0.0/0           limit: avg 3/min burst 3 LOG flags 0 level 4 prefix `INPUT policy: ' 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source     destination         
    0     0 ACCEPT     tcp  --  eth2   eth1    0.0.0.0/0  192.168.81.28       tcp dpt:9100 
    0     0 LOG        all  --  eth0   *       0.0.0.0/0  0.0.0.0/0           state INVALID,NEW LOG flags 0 level 4 prefix `FORWARD INVALID: ' 
    0     0 DROP       all  --  eth0   *       0.0.0.0/0  0.0.0.0/0           state INVALID,NEW 
 518K  466M ACCEPT     all  --  *      *       0.0.0.0/0  0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0  0.0.0.0/0           state NEW 
    1    92 LOG        all  --  eth2   eth1    0.0.0.0/0  0.0.0.0/0           LOG flags 0 level 4 prefix `DMZ->IN: ' 
    1    92 DROP       all  --  eth2   eth1    0.0.0.0/0  0.0.0.0/0           
20568  989K ACCEPT     all  --  eth2   *       0.0.0.0/0  0.0.0.0/0           state NEW 
    0     0 LOG        all  --  *      *       0.0.0.0/0  0.0.0.0/0           limit: avg 3/min burst 3 LOG flags 0 level 4 prefix `FORWARD policy: ' 

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source     destination         
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0  0.0.0.0/0           
  589  169K ACCEPT     all  --  *      eth1    0.0.0.0/0  0.0.0.0/0           
# Here we should be allowing DNS replies to hosts on the wireless side.
  412 70950 ACCEPT     all  --  *      eth2    0.0.0.0/0  0.0.0.0/0           
  899 64542 ACCEPT     all  --  *      *       0.0.0.0/0  0.0.0.0/0           state NEW,RELATED,ESTABLISHED 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0  0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0  0.0.0.0/0           limit: avg 3/min burst 3 LOG flags 0 level 4 prefix `OUTPUT policy: ' 
root at airwall:~ # iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 825 packets, 47391 bytes)
 pkts bytes target     prot opt in     out     source               destination         
# This seems to just kill off wayward Microsofties.
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:135 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:135 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:137:139 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:445 

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
# Masq everything going to The World.
  575 27715 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 2 packets, 131 bytes)
 pkts bytes target     prot opt in     out     source               destination         
root at airwall:~ #

Cheers,

-- Joe Knapka

-- 
Barney comes to play with us whenever we may need him;
Someday we will hunt him down and chop him up and eat him!
   -- Annze, age 7
--
If you really want to get my attention, send mail to
jknapka .at. kneuro .dot. net.
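The counters in the listing above are the most useful diagnostic clue: the two eth2 port-53 ACCEPT rules have seen 0 packets while the INPUT policy has dropped thousands, so it helps to be able to walk a packet through a saved chain listing and see which rule claims it. The following Python script is an added example, not part of the original post or of Devil Linux; it parses `iptables -L -v -n` output (the sample below is a constructed, trimmed copy of the INPUT chain from the post), evaluates a hypothetical packet against the chain in first-match order, treats LOG as non-terminating, and lists rules whose counter has never moved. It only understands the match clauses that appear in the post (interface, protocol, source/destination network, `dpt:`/`dpts:`, `state`, and the LOG prefix); the `limit` match and real connection tracking are deliberately ignored, so the `state` of a packet is whatever you assert it to be.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the INPUT chain from the post, copied from `iptables -L -v -n`.
SAMPLE = """\
Chain INPUT (policy DROP 3858 packets, 205K bytes)
 pkts bytes target     prot opt in     out     source     destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0  0.0.0.0/0
  696 44722 ACCEPT     all  --  eth1   *       0.0.0.0/0  0.0.0.0/0
  838  134K ACCEPT     all  --  *      *       0.0.0.0/0  0.0.0.0/0           state RELATED,ESTABLISHED
   61  4584 ACCEPT     icmp --  *      *       0.0.0.0/0  0.0.0.0/0
    0     0 REJECT     tcp  --  eth0   *       0.0.0.0/0  0.0.0.0/0           tcp dpt:113 reject-with tcp-reset
    0     0 ACCEPT     tcp  --  eth2   *       0.0.0.0/0  0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  eth2   *       0.0.0.0/0  0.0.0.0/0           udp dpt:53
  697  242K DROP       all  --  *      *       0.0.0.0/0  255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0  224.0.0.0/8
  463 24951 LOG        all  --  *      *       0.0.0.0/0  0.0.0.0/0           limit: avg 3/min burst 3 LOG flags 0 level 4 prefix `INPUT policy: '
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
# pkts bytes target prot opt in out source destination [match clauses...]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)
NON_TERMINATING = {"LOG"}  # LOG annotates the packet and lets the walk continue


@dataclass
class Rule:
    pkts: int
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str  # trailing match text such as "udp dpt:53" or "state NEW"


@dataclass
class Chain:
    name: str
    policy: str
    rules: list = field(default_factory=list)


def parse_chain(text):
    """Parse one chain listing from `iptables -L -v -n` into a Chain."""
    chain = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = Chain(m.group(1), m.group(2))
            continue
        m = RULE_RE.match(line)
        if m and chain is not None:
            pkts, _bytes, target, prot, _opt, in_if, out_if, src, dst, extra = m.groups()
            chain.rules.append(Rule(int(pkts), target, prot, in_if, out_if, src, dst, extra.strip()))
    return chain


def _in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def matches(rule, pkt):
    """True if the hypothetical packet satisfies every clause of the rule we model."""
    if rule.in_if != "*" and rule.in_if != pkt["iface"]:
        return False
    if rule.proto != "all" and rule.proto != pkt["proto"]:
        return False
    if not _in_net(pkt["src"], rule.src) or not _in_net(pkt["dst"], rule.dst):
        return False
    m = re.search(r"\bdpt:(\d+)", rule.extra)
    if m and pkt.get("dport") != int(m.group(1)):
        return False
    m = re.search(r"\bdpts:(\d+):(\d+)", rule.extra)
    if m and not int(m.group(1)) <= pkt.get("dport", -1) <= int(m.group(2)):
        return False
    m = re.search(r"\bstate (\S+)", rule.extra)
    if m and pkt["state"] not in m.group(1).split(","):
        return False
    return True


def trace(chain, pkt):
    """Walk the chain in order; return (verdict, index of deciding rule or None, LOG prefixes hit)."""
    logged = []
    for i, rule in enumerate(chain.rules):
        if not matches(rule, pkt):
            continue
        if rule.target in NON_TERMINATING:
            m = re.search(r"prefix `([^']*)'", rule.extra)
            logged.append(m.group(1) if m else "")
            continue
        return rule.target, i, logged
    return chain.policy, None, logged


def never_hit(chain, needle):
    """Indexes of rules with a zero packet counter whose match text contains `needle`."""
    return [i for i, r in enumerate(chain.rules) if r.pkts == 0 and needle in r.extra]


if __name__ == "__main__":
    chain = parse_chain(SAMPLE)
    dns_query = {"iface": "eth2", "proto": "udp", "src": "192.168.71.5",
                 "dst": "192.168.71.1", "dport": 53, "state": "NEW"}
    print("wireless DNS query:", trace(chain, dns_query))
    print("port-53 rules that have never matched:", never_hit(chain, "dpt:53"))
```

A query that really arrives on eth2 for UDP port 53 is accepted by rule 6, so the zero counters on rules 5 and 6 say that no such packet has reached the INPUT chain at all; the walk is the same check you would make by hand, just repeatable against each chain you paste in.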