Initial BIND 9.9.2 RPZ xfr (spamhaus) failing with "failed to connect: timed out" ?

pgbind9 at ml1.net
Fri Mar 8 16:13:32 UTC 2013


Hi

On Fri, Mar 8, 2013, at 02:17 AM, Steven Carr wrote:
> Hi there!
> 
> What tweaking did you need to do to NAT to get it to work? I'm still
> stuck with the problem and it's looking like it's either NAT or a
> fragmentation issue for me :(

I've multiple static IPs.  DNS is not on the default IP; it's mapped
inbound & outbound to another of the IPs. I'd neglected to make sure xfer
access to/from the RPZ servers was set up for that IP.

I use

	# Outbound port-53 traffic to the RPZ masters (ipset DNSRPZ, matched as
	# destination) leaves eth0 from the DNS WAN IP. Zone transfers run over
	# TCP, SOA refresh queries over UDP, so both protocols get a rule.
	$IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -m set --match-set DNSRPZ dst --dport 53 \
		-j SNAT --to-source my.dns.WAN.ip
	$IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -m udp -m set --match-set DNSRPZ dst --dport 53 \
		-j SNAT --to-source my.dns.WAN.ip
	# All other outbound DNS from behind this box, same source IP
	$IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp --dport 53 \
		-j SNAT --to-source my.dns.WAN.ip
	$IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -m udp --dport 53 \
		-j SNAT --to-source my.dns.WAN.ip

	# Same again keyed on source: port-53 traffic whose source is an RPZ
	# master (ipset DNSRPZ matched as source) ...
	$IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -m set --match-set DNSRPZ src --dport 53 \
		-j SNAT --to-source my.dns.WAN.ip
	$IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -m udp -m set --match-set DNSRPZ src --dport 53 \
		-j SNAT --to-source my.dns.WAN.ip
	# ... and port-53 traffic from the DNS host's LAN address, which is the
	# one that is not on the default WAN IP
	$IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -s my.dns.LAN.ip --dport 53 \
		-j SNAT --to-source my.dns.WAN.ip
	$IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -m udp -s my.dns.LAN.ip --dport 53 \
		-j SNAT --to-source my.dns.WAN.ip

where "DNSRPZ" is a simple ipset containing the RPZ source IPs,
(re)loaded as

	$IPSET -exist restore < /fw/ipsets/dnsrpz.ipset

and containing

	cat /fw/ipsets/dnsrpz.ipset
		create DNSRPZ hash:ip family inet hashsize 1024 maxelem 65536
		add DNSRPZ 199.168.90.51
		add DNSRPZ 199.168.90.52
		add DNSRPZ 199.168.90.53

hth.
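An added example, not part of the post above and not the poster's own script: two small helpers around this setup. The first writes the ipset restore file from a list of master addresses and refuses malformed ones; the second reads `iptables-save -t nat` output and checks that port-53 traffic to members of the set is SNATed to the DNS WAN IP for both TCP (the zone transfer itself, which is what "failed to connect: timed out" is about) and UDP (SOA refresh). The set name DNSRPZ and the master addresses come from the post; the WAN address 203.0.113.5, the variable and function names, and the two iptables-save samples at the bottom are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed: set name DNSRPZ,
# WAN address 203.0.113.5, and the constructed iptables-save samples below.

# True if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    n=0
    old_ifs=$IFS
    IFS=.
    for octet in $1; do
        n=$((n + 1))
        if [ "$octet" -gt 255 ]; then
            IFS=$old_ifs
            return 1
        fi
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# Print an ipset restore file for set $1 holding the addresses $2...,
# in the same form as the poster's dnsrpz.ipset. Refuses the whole file
# (no partial output) if any address is malformed.
make_ipset_restore() {
    set_name=$1
    shift
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "make_ipset_restore: bad address '$ip'" >&2; return 1; }
    done
    printf 'create %s hash:ip family inet hashsize 1024 maxelem 65536\n' "$set_name"
    for ip in "$@"; do
        printf 'add %s %s\n' "$set_name" "$ip"
    done
}

# Read `iptables-save -t nat` output on stdin. For each of tcp and udp,
# require a POSTROUTING rule with --dport 53 and -j SNAT --to-source $2
# that either names set $1 as destination (--match-set $1 dst) or carries
# no destination restriction at all (a port-53 catch-all). Match order
# inside a rule is ignored; iptables-save prints matches in load order.
# Prints one line per missing protocol; returns 0 only if both are covered.
check_snat_rules() {
    awk -v setname="$1" -v wan="$2" '
        BEGIN { want["tcp"] = 1; want["udp"] = 1 }
        /^-A POSTROUTING / && /--dport 53/ {
            line = $0 " "
            if (index(line, "-j SNAT --to-source " wan " ") == 0) next
            if (index(line, "--match-set " setname " dst ") == 0 &&
                (index(line, "--match-set ") > 0 || index(line, " -d ") > 0)) next
            if (index(line, " -p tcp ") > 0) delete want["tcp"]
            if (index(line, " -p udp ") > 0) delete want["udp"]
        }
        END {
            missing = 0
            for (p in want) {
                print "no " p "/53 SNAT to " wan " covering set " setname
                missing++
            }
            exit (missing > 0)
        }'
}

# Constructed sample: the TCP rule is right, but the only UDP rule is pinned
# to an unrelated destination, so SOA refresh to the masters is not SNATed.
SAMPLE_NAT_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 53 -m set --match-set DNSRPZ dst -j SNAT --to-source 203.0.113.5
-A POSTROUTING -o eth0 -d 198.51.100.9/32 -p udp -m udp --dport 53 -j SNAT --to-source 203.0.113.5
COMMIT'

# Constructed sample: same, plus a UDP port-53 catch-all, which is accepted.
FIXED_NAT_SAVE='*nat
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 53 -m set --match-set DNSRPZ dst -j SNAT --to-source 203.0.113.5
-A POSTROUTING -o eth0 -p udp -m udp --dport 53 -j SNAT --to-source 203.0.113.5
COMMIT'

make_ipset_restore DNSRPZ 199.168.90.51 199.168.90.52 199.168.90.53
printf '%s\n' "$SAMPLE_NAT_SAVE" | check_snat_rules DNSRPZ 203.0.113.5 \
    || echo "SAMPLE_NAT_SAVE: transfer (TCP) would be SNATed, refresh (UDP) would not"
printf '%s\n' "$FIXED_NAT_SAVE" | check_snat_rules DNSRPZ 203.0.113.5 && echo "FIXED_NAT_SAVE: ok"
```

On a live box the check is `iptables-save -t nat | check_snat_rules DNSRPZ my.dns.WAN.ip`, run after the rules have been loaded; it only inspects the nat table, so a FORWARD/INPUT filter rule that drops the transfer would still need a separate look.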



More information about the bind-users mailing list