Initial BIND 9.9.2 RPZ xfr (spamhaus) failing with "failed to connect: timed out" ?
pgbind9 at ml1.net
Fri Mar 8 16:13:32 UTC 2013
Hi
On Fri, Mar 8, 2013, at 02:17 AM, Steven Carr wrote:
> Hi there!
>
> What tweaking did you need to do to NAT to get it to work? I'm still
> stuck with the problem and it's looking like it's either NAT or a
> fragmentation issue for me :(
I've multiple static IPs. DNS is not on the default IP; it's mapped
inbound & outbound to another of the IPs. I'd neglected to make sure xfer
access to/from the RPZ servers was set up for that IP.
I use
$IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -m set --match-set DNSRPZ dst --dport 53 -j SNAT --to-source my.dns.WAN.ip
$IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -m udp -m set --match-set DNSRPZ dst --dport 53 -j SNAT --to-source my.dns.WAN.ip
$IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp --dport 53 -j SNAT --to-source my.dns.WAN.ip
$IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -m udp --dport 53 -j SNAT --to-source my.dns.WAN.ip
$IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -m set --match-set DNSRPZ src --dport 53 -j SNAT --to-source my.dns.WAN.ip
$IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -m udp -m set --match-set DNSRPZ src --dport 53 -j SNAT --to-source my.dns.WAN.ip
$IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -s my.dns.LAN.ip --dport 53 -j SNAT --to-source my.dns.WAN.ip
$IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -m udp -s my.dns.LAN.ip --dport 53 -j SNAT --to-source my.dns.WAN.ip
where "DNSRPZ" is a simple ipset containing the RPZ source IPs,
(re)loaded as
$IPSET -exist restore < /fw/ipsets/dnsrpz.ipset
and containing
cat /fw/ipsets/dnsrpz.ipset
create DNSRPZ hash:ip family inet hashsize 1024 maxelem 65536
add DNSRPZ 199.168.90.51
add DNSRPZ 199.168.90.52
add DNSRPZ 199.168.90.53
hth.
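The failure mode discussed above is that the zone transfer leaves the firewall from a source address the RPZ provider has not whitelisted. The following is an added example, not code from the post or from BIND: a small Python model of the POSTROUTING SNAT rules and ipset quoted above, applied with netfilter's first-match semantics, so you can check offline which source address a given DNS packet would leave with and which rule produced it. The WAN/LAN addresses (203.0.113.10 and 192.168.1.53) and the non-RPZ destination used in the check are constructed placeholders; the RPZ server IPs are the ones from the post.

```python
"""Simulate POSTROUTING SNAT decisions for outbound DNS traffic.

Added example: models the ipset + iptables SNAT rules from the post so a
practitioner can verify, before touching the firewall, that traffic to the
RPZ servers is rewritten to the expected WAN address.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed placeholders standing in for my.dns.WAN.ip / my.dns.LAN.ip.
WAN_IP = "203.0.113.10"
LAN_IP = "192.168.1.53"

# Constructed ipset restore file; the member addresses are the ones quoted
# in the post.
IPSET_RESTORE = """\
create DNSRPZ hash:ip family inet hashsize 1024 maxelem 65536
add DNSRPZ 199.168.90.51
add DNSRPZ 199.168.90.52
add DNSRPZ 199.168.90.53
"""


def parse_ipset_restore(text: str) -> dict:
    """Parse the 'create'/'add' lines of an ipset restore file into name -> set of members."""
    sets: dict = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "create":
            sets[parts[1]] = set()
        elif parts[0] == "add":
            sets.setdefault(parts[1], set()).add(parts[2])
    return sets


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str          # source address before NAT
    dst: str
    dport: int
    out_iface: str = "eth0"


@dataclass(frozen=True)
class SnatRule:
    """One '-A POSTROUTING ... -j SNAT --to-source' rule."""
    proto: str
    dport: int
    to_source: str
    src: Optional[str] = None        # '-s ADDR'
    set_name: Optional[str] = None   # '-m set --match-set NAME DIR'
    set_dir: Optional[str] = None    # 'src' or 'dst'
    out_iface: str = "eth0"          # '-o IFACE'

    def matches(self, pkt: Packet, sets: dict) -> bool:
        if (pkt.out_iface, pkt.proto, pkt.dport) != (self.out_iface, self.proto, self.dport):
            return False
        if self.src is not None and pkt.src != self.src:
            return False
        if self.set_name is not None:
            addr = pkt.src if self.set_dir == "src" else pkt.dst
            if addr not in sets.get(self.set_name, set()):
                return False
        return True


# The eight rules from the post, in the order they were appended.
RULES = [
    SnatRule("tcp", 53, WAN_IP, set_name="DNSRPZ", set_dir="dst"),
    SnatRule("udp", 53, WAN_IP, set_name="DNSRPZ", set_dir="dst"),
    SnatRule("tcp", 53, WAN_IP),
    SnatRule("udp", 53, WAN_IP),
    SnatRule("tcp", 53, WAN_IP, set_name="DNSRPZ", set_dir="src"),
    SnatRule("udp", 53, WAN_IP, set_name="DNSRPZ", set_dir="src"),
    SnatRule("tcp", 53, WAN_IP, src=LAN_IP),
    SnatRule("udp", 53, WAN_IP, src=LAN_IP),
]


def snat_source(pkt: Packet, rules, sets: dict) -> Optional[Tuple[int, str]]:
    """First-match walk of the chain: (rule index, --to-source) or None if no SNAT applies."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt, sets):
            return i, rule.to_source
    return None


def rpz_transfer_ok(sets: dict, rules, set_name: str = "DNSRPZ") -> bool:
    """True if AXFR/IXFR (tcp/53) and NOTIFY/SOA checks (udp/53) from the LAN
    resolver to every RPZ server leave with WAN_IP as source."""
    for server in sorted(sets.get(set_name, set())):
        for proto in ("tcp", "udp"):
            hit = snat_source(Packet(proto, LAN_IP, server, 53), rules, sets)
            if hit is None or hit[1] != WAN_IP:
                return False
    return True


if __name__ == "__main__":
    ipsets = parse_ipset_restore(IPSET_RESTORE)
    for server in sorted(ipsets["DNSRPZ"]):
        print(server, snat_source(Packet("tcp", LAN_IP, server, 53), RULES, ipsets))
    print("RPZ transfers leave with WAN_IP:", rpz_transfer_ok(ipsets, RULES))
```

Because `snat_source` reports the index of the rule that fired, the model also makes rule shadowing visible: the unconditional `--dport 53` rules (indices 2 and 3) match every remaining port-53 packet on eth0, so the later set-`src` and `-s LAN` rules are never reached for that traffic. That is harmless here, since all rules rewrite to the same address, but it is the kind of thing worth knowing when a later rule is meant to be the one that takes effect.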