USB Networking vs. iptables

Joel Newkirk freerunner at newkirk.us
Thu Sep 18 21:55:15 CEST 2008


I notice that you list the DNS server as 212.6.108.140
(resolver0.ewetel.de), but have the DNAT rules pointing at 212.6.181.140
(an unnamed IP that seems to be owned by 'claranet')...  Checking from the
'outside' (IE I'm not on your ISP's network, and I presume you are within
the ewetel.de network) 212.6.108.140 is a DNS server which won't let me do
recursive lookups, which is normal, but 212.6.181.140 seems unoccupied at
this time, or 100% firewalled.

If that doesn't resolve it, what's in your FORWARD and INPUT chains?  Can
you post the output of "iptables -vnL"?  (The '-v' for verbose means the
output will include counts of packets/bytes that matched each rule - useful
for debugging sometimes when unexpected zeros appear.)  "iptables -vnL"
shows all the filter chains, INPUT/OUTPUT/FORWARD (plus any custom chains).
INPUT would affect packets from the Freerunner to the FC6 box (IE, when
resolv.conf points at 192.168.0.200) while FORWARD would affect packets
when you have the outside DNS server in resolv.conf.

j


On Thu, 18 Sep 2008 17:22:29 +0000, Christian Weßel <wesselch at gmx.net>
wrote:
> Hello mokos,
> 
> I just have a DNS problem, I try to configure my FC6 following the guide
> http://wiki.openmoko.org/wiki/USB_Networking#Proxying_with_iptables
> because I have a simple static environment for my FR.
> 
> FR.usb.ip = 192.168.0.202
> server.usb.ip = 192.168.0.200
> server.eth.ip = 192.168.1.10
> router.eth.ip = 192.168.1.254
> DNS.ip = 212.6.108.140
> 
> on server:
> [root at server ~]# cat /etc/resolv.conf 
> search home
> nameserver 212.6.108.140
> nameserver 212.6.108.141
> 
> [root at server ~]# iptables -L -t nat --line-numbers -n
> Chain PREROUTING (policy ACCEPT)
> num  target     prot opt source               destination         
> 1    DNAT       tcp  --  192.168.0.202        192.168.0.200       tcp dpt:53 to:212.6.181.140
> 2    DNAT       udp  --  192.168.0.202        192.168.0.200       udp dpt:53 to:212.6.181.140
> 
> Chain POSTROUTING (policy ACCEPT)
> num  target     prot opt source               destination         
> 1    MASQUERADE  all  --  192.168.0.0/24       0.0.0.0/0           
> 
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 
> on FR:
> root at om-gta02:~# cat /etc/resolv.conf 
> nameserver 192.168.0.200
> 
> root at om-gta02:~# ping 74.125.19.147 -c 1
> PING 74.125.19.147 (74.125.19.147): 56 data bytes
> 64 bytes from 74.125.19.147: seq=0 ttl=236 time=182.480 ms
> 
> --- 74.125.19.147 ping statistics ---
> 1 packets transmitted, 1 packets received, 0% packet loss
> round-trip min/avg/max = 182.480/182.480/182.480 ms
> 
> root at om-gta02:~# nslookup www.google.com
> Server:    192.168.0.200
> Address 1: 192.168.0.200
> 
> nslookup: can't resolve 'www.google.com'
> 
> For me the masquerading seems to be fine, just something with DNAT is
> wrong.
> If I change the FR.resolv.conf to 'nameserver 212.6.181.140' it is also not
> working.
> 
> But what's wrong?
> 
> BTW: I got no SELinux security alerts, neither in secure nor in
> messages.
>
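
An added example, not part of either message above: a small Python check that compares the port-53 DNAT targets in an `iptables -L -t nat --line-numbers -n` listing against the nameservers in resolv.conf, which is the mismatch the reply points out. The function names are hypothetical, and the two inputs are constructed from the output quoted in this thread with the wrapped rule lines joined.

```python
import re

# Constructed sample input, modelled on the output quoted in this thread.
RESOLV_CONF = """\
search home
nameserver 212.6.108.140
nameserver 212.6.108.141
"""

NAT_TABLE = """\
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  192.168.0.202        192.168.0.200       tcp dpt:53 to:212.6.181.140
2    DNAT       udp  --  192.168.0.202        192.168.0.200       udp dpt:53 to:212.6.181.140

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  192.168.0.0/24       0.0.0.0/0
"""

# Matches a numbered DNAT rule for destination port 53 and captures its target IP.
DNAT_DNS = re.compile(r"^\s*(\d+)\s+DNAT\s+(tcp|udp)\s.*\bdpt:53\s+to:([0-9.]+)")

def nameservers(resolv_conf):
    """Return the nameserver addresses listed in a resolv.conf text."""
    found = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found

def dns_dnat_rules(nat_listing):
    """Return (chain, rule number, protocol, target IP) for each port-53 DNAT rule."""
    rules, chain = [], None
    for line in nat_listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = DNAT_DNS.match(line)
        if m:
            rules.append((chain, int(m.group(1)), m.group(2), m.group(3)))
    return rules

def mismatched_rules(nat_listing, resolv_conf):
    """Return the DNS DNAT rules whose target is not a configured nameserver."""
    known = set(nameservers(resolv_conf))
    return [rule for rule in dns_dnat_rules(nat_listing) if rule[3] not in known]

if __name__ == "__main__":
    for chain, num, proto, target in mismatched_rules(NAT_TABLE, RESOLV_CONF):
        print(f"{chain} rule {num} ({proto}): DNAT to {target}, not in resolv.conf")
```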




