need help with client DNS rules in ipchains


ndelo
11-29-2000, 04:16 PM
I am having problems setting up DNS rules for ipchains on my machine. Here is the problem. I have set the default policy to deny all. Then I began setting up the rules as I need them--http, smtp, pop, outbound icmp (traceroute, fragmentation-needed, ping) etc. No problems at all. Then, when I set up rules for DNS I encountered massive packet loss. I am a client of my ISP's name servers. My rules go as follows--

ipchains -A output -i $EXTERNAL_NIC -p udp -s $IPADDR $UNPRIVPORTS -d $NS_1 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_NIC -p udp -s $NS_1 53 -d $IPADDR $UNPRIVPORTS -j ACCEPT

In addition, I have rules set up for the occasional tcp lookup. Now, after installing these chains, I experience about 80% packet loss when trying to ping a machine next to me on the LAN. Not to mention that I ping it by its ip address and not its host name. And, when I comment out the above DNS rules, the packet loss with ping stops. Also, no packet loss when pinging that machine from any other machine on the LAN. The problem is specific to my Linux box. Any suggestions? Am I setting up the client-side DNS chains wrong? And how would this affect ping when it runs on icmp and not udp? Host lookup works with these rules but not the way it should. Please help.

Fandelem
11-29-2000, 05:42 PM
maybe this will help, here are mine and it works beautifully:


#DNS
# Variables must be set (without a leading $) before the rules use them.
IPCHAINS=ipchains        # path to the ipchains binary
REMOTENET=0/0            # any source address
OUTERNET=<ip address>    # the firewall's external address
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 53 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 53 -j ACCEPT

ndelo
11-29-2000, 06:02 PM
In fact, even the command ipchains -L takes a long time to execute when the above rules are uncommented. Weird.

Fandelem
11-29-2000, 07:14 PM
ipchains -L takes a while on my system too, that's normal, I believe :) especially when you have a bunch of rules. did my rules work, or haven't you tried them yet?

ndelo
11-29-2000, 07:51 PM
No, haven't tried them yet, but will let you know tomorrow when I give it another shot. Another question for those interested: if you are port forwarding from your firewall to your sendmail server, what ip would be reflected in your MX records? The firewall or the server? For instance, if you are masquerading the servers on your DMZ and using a private address range. Is this possible?

ndelo
11-30-2000, 02:55 PM
Thanks for the help, but I finally figured it out. My ISP's primary name server is down. This entry is the first rule in my DNS chain set; they have three name servers. I guess it took a while for DNS requests to fail and fail over to the next NS in the rule set. This also caused extreme packet loss when pinging anything via IP address. Does anyone know what would cause this? I'm at a loss.
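An added example, not code from this thread, that ties the two halves of the problem together: it generates client-side ipchains rules for every name server listed in resolv.conf (so no server is left out of the chains) and estimates how long a lookup stalls when the first server is down; ping without -n and ipchains -L without -n both do reverse lookups, which is where that stall shows up as "packet loss" and slow listings. The interface, host address and 192.0.2.x servers are constructed placeholders, and the stall calculation is a deliberate simplification of the glibc resolver's retry schedule.

```python
import re

# Constructed sample; on a real host read /etc/resolv.conf instead.
RESOLV_CONF = """\
nameserver 192.0.2.10   # primary (the one that was down in the thread)
nameserver 192.0.2.11
nameserver 192.0.2.12
options timeout:5 attempts:2
"""

def parse_resolv_conf(text):
    """Return (nameservers, timeout, attempts); 5 s / 2 are the glibc defaults."""
    servers, timeout, attempts = [], 5, 2
    for line in text.splitlines():
        key, _, rest = line.split("#", 1)[0].strip().partition(" ")
        if key == "nameserver":
            servers.append(rest.strip())
        elif key == "options":
            for m in re.finditer(r"(timeout|attempts):(\d+)", rest):
                if m.group(1) == "timeout":
                    timeout = int(m.group(2))
                else:
                    attempts = int(m.group(2))
    return servers, timeout, attempts

def dns_client_rules(servers, iface="eth0", ipaddr="192.0.2.2",
                     unpriv="1024:65535"):
    """ipchains rules letting this host query each NS over UDP and TCP 53.
    The TCP input rule carries '! -y' so only non-SYN (reply) packets match."""
    rules = []
    for ns in servers:
        for proto in ("udp", "tcp"):
            syn = " ! -y" if proto == "tcp" else ""
            rules.append(f"ipchains -A output -i {iface} -p {proto} "
                         f"-s {ipaddr} {unpriv} -d {ns} 53 -j ACCEPT")
            rules.append(f"ipchains -A input -i {iface} -p {proto}{syn} "
                         f"-s {ns} 53 -d {ipaddr} {unpriv} -j ACCEPT")
    return rules

def lookup_stall(servers, dead, timeout=5, attempts=2):
    """Seconds a lookup waits before a live NS answers. Simplified model:
    servers are tried in order and each non-answering one costs `timeout`."""
    wasted = 0
    for _ in range(attempts):
        for ns in servers:
            if ns not in dead:
                return wasted
            wasted += timeout
    return wasted  # every NS dead: time until the resolver gives up
```

With the sample file and the primary server down, every reverse lookup waits 5 s before the second server answers, so a ping that resolves each reply looks like heavy loss even though the ICMP packets themselves are fine.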