USB Networking vs. iptables
Joel Newkirk
freerunner at newkirk.us
Thu Sep 18 21:55:15 CEST 2008

I notice that you list the DNS server as 212.6.108.140
(resolver0.ewetel.de), but have the DNAT rules pointing at 212.6.181.140
(an unnamed IP that seems to be owned by 'claranet')... Checking from the
'outside' (i.e. I'm not on your ISP's network, and I presume you are within
the ewetel.de network) 212.6.108.140 is a DNS server which won't let me do
recursive lookups, which is normal, but 212.6.181.140 seems unoccupied at
this time, or 100% firewalled.

If that doesn't resolve it, what's in your FORWARD and INPUT chains? Can
you post the output of "iptables -vnL"? (The '-v' for verbose means the
output will include counts of packets/bytes that matched each rule - useful
for debugging sometimes when unexpected zeros appear.) "iptables -vnL"
shows all the filter chains, INPUT/OUTPUT/FORWARD (plus any custom chains).

INPUT would affect packets from the Freerunner to the FC6 box (i.e., when
resolv.conf points at 192.168.0.200) while FORWARD would affect packets
when you have the outside DNS server in resolv.conf.

j

On Thu, 18 Sep 2008 17:22:29 +0000, Christian Weßel <wesselch at gmx.net>
wrote:
> Hello mokos,
>
> I just have a DNS problem, I try to configure my FC6 following the guide
> http://wiki.openmoko.org/wiki/USB_Networking#Proxying_with_iptables
> because I have a simple static environment for my FR.
>
> FR.usb.ip = 192.168.0.202
> server.usb.ip = 192.168.0.200
> server.eth.ip = 192.168.1.10
> router.eth.ip = 192.168.1.254
> DNS.ip = 212.6.108.140
>
> on server:
> [root@server ~]# cat /etc/resolv.conf
> search home
> nameserver 212.6.108.140
> nameserver 212.6.108.141
>
> [root@server ~]# iptables -L -t nat --line-numbers -n
> Chain PREROUTING (policy ACCEPT)
> num target prot opt source destination
> 1 DNAT tcp -- 192.168.0.202 192.168.0.200 tcp dpt:53 to:212.6.181.140
> 2 DNAT udp -- 192.168.0.202 192.168.0.200 udp dpt:53 to:212.6.181.140
>
> Chain POSTROUTING (policy ACCEPT)
> num target prot opt source destination
> 1 MASQUERADE all -- 192.168.0.0/24 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> num target prot opt source destination
>
> on FR:
> root@om-gta02:~# cat /etc/resolv.conf
> nameserver 192.168.0.200
>
> root@om-gta02:~# ping 74.125.19.147 -c 1
> PING 74.125.19.147 (74.125.19.147): 56 data bytes
> 64 bytes from 74.125.19.147: seq=0 ttl=236 time=182.480 ms
>
> --- 74.125.19.147 ping statistics ---
> 1 packets transmitted, 1 packets received, 0% packet loss
> round-trip min/avg/max = 182.480/182.480/182.480 ms
>
> root@om-gta02:~# nslookup www.google.com
> Server: 192.168.0.200
> Address 1: 192.168.0.200
>
> nslookup: can't resolve 'www.google.com'
>
> For me the masquerading seems to be fine, just something with DNAT is
> wrong.
> If I change the FR.resolv.conf to 'nameserver 212.6.181.140' it is also
> not working.
>
> But what's wrong?
>
> BTW: I got no SElinux security alerts, neither in secure nor in
> messages.
>
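
The cross-check made by eye in the reply above (DNS DNAT target versus the nameservers in resolv.conf), as an added shell example that is not part of either poster's message. The function names and temporary file layout are assumptions, and the sample input is constructed from the values quoted in the thread, with the wrapped rule lines joined.

```shell
#!/bin/sh
# Added example: compare DNS DNAT targets in a saved `iptables -t nat -L -n`
# listing against the nameservers in a resolv.conf file.
# Print the unique "to:" addresses of DNAT rules that match destination port 53.
dnat_dns_targets() {
    awk '/(^|[ \t])DNAT[ \t]/ {
        is_dns = 0; target = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "dpt:53") is_dns = 1
            if ($i ~ /^to:/) { target = substr($i, 4); sub(/:[0-9]+$/, "", target) }
        }
        if (is_dns && target != "") print target
    }' "$1" | sort -u
}

# Print the nameserver addresses from a resolv.conf-style file.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Return 0 when every DNS DNAT target is a configured nameserver; otherwise
# print each mismatching target and return 1.
check_dns_dnat() {
    rc=0
    for t in $(dnat_dns_targets "$1"); do
        if ! resolv_nameservers "$2" | grep -qxF -- "$t"; then
            echo "DNAT target $t is not a nameserver in $2"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input, using the values posted in the thread.
demo_dir=$(mktemp -d)
cat > "$demo_dir/nat.txt" <<'EOF'
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DNAT tcp -- 192.168.0.202 192.168.0.200 tcp dpt:53 to:212.6.181.140
2 DNAT udp -- 192.168.0.202 192.168.0.200 udp dpt:53 to:212.6.181.140
EOF
cat > "$demo_dir/resolv.conf" <<'EOF'
search home
nameserver 212.6.108.140
nameserver 212.6.108.141
EOF

check_dns_dnat "$demo_dir/nat.txt" "$demo_dir/resolv.conf" || echo "mismatch found"
```

On a live host the two arguments would be a saved copy of the NAT listing and /etc/resolv.conf; a mismatch only shows the two differ, not which one is the typo.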