I'm on Debian 7 trying to forward requests to other machines through firewalld and have the following setup:
| Hostname | IP | Configuration |
|---|---|---|
| Firewall | 192.168.0.2 | Debian 7, firewalld, static IP |
| DHCP | 192.168.0.3 | Debian 7, isc-dhcp-server, static IP |
| DNS (Master) | 192.168.0.4 | Debian 7, bind9, static IP |
| DNS (Slave) | 192.168.0.5 | Debian 7, bind9, static IP |
My firewalld rules on DNS (master and slave):
<zone>
<short>Public</short>
<port protocol="udp" port="53"/>
<port protocol="tcp" port="53"/>
</zone>
My firewalld rules on the firewall:
<zone>
<short>Public</short>
<forward-port to-addr="192.168.0.4" to-port="53" protocol="tcp" port="53"/>
<forward-port to-addr="192.168.0.4" to-port="53" protocol="udp" port="53"/>
</zone>
When I try to:
$ ping hostname.mylocaldomain.com
from any of the machines, it's successful, because I've got everything set up in resolv.conf to use my DNS server. The problem is, I'd like to route all traffic through the firewall. Without going into what the overall goal is, I'll describe the problem at hand:
Let's say I change /etc/resolv.conf on DHCP to point at the firewall to allow it to route the request to the appropriate place:
search mylocaldomain.com
nameserver 192.168.0.4
nameserver 8.8.8.8
nameserver 8.8.4.4
The ping fails, so I've used tcpdump and get the following:
# tcpdump port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:06:01.377752 IP PingFromMe.mylocaldomain.com.47588 > firewall.mylocaldomain.com.domain: 4279+ A? ns2.mylocaldomain.com. (34)
18:06:01.469696 IP PingFromMe.mylocaldomain.com.37619 > firewall.mylocaldomain.com.domain: 36025+ A? ns2.mylocaldomain.com.mylocaldomain.com. (47)
18:06:01.638045 IP firewall.mylocaldomain.com.42684 > ns1.mylocaldomain.com.domain: 41778+ PTR? 6.0.168.192.in-addr.arpa. (42)
18:06:01.639278 IP ns1.mylocaldomain.com.domain > firewall.mylocaldomain.com.42684: 41778* 1/2/0 PTR firewall.mylocaldomain.com. (113)
18:06:01.639486 IP firewall.mylocaldomain.com.36812 > ns1.mylocaldomain.com.domain: 54761+ PTR? 3.0.168.192.in-addr.arpa. (42)
18:06:01.639881 IP ns1.mylocaldomain.com.domain > firewall.mylocaldomain.com.36812: 54761* 1/2/0 PTR PingFromMe.mylocaldomain.com. (107)
18:06:02.641371 IP firewall.mylocaldomain.com.39348 > ns1.mylocaldomain.com.domain: 6957+ PTR? 4.0.168.192.in-addr.arpa. (42)
18:06:02.642031 IP ns1.mylocaldomain.com.domain > firewall.mylocaldomain.com.39348: 6957* 1/2/0 PTR ns1.mylocaldomain.com. (106)
Not sure if I'm looking at this correctly, but it APPEARS to me that everything is working; the return traffic just isn't being routed back to PingFromMe.mylocaldomain.com.
My question is threefold:
- Is what I think happening here the reason I'm not getting hostname resolution?
- Is firewalld not configured to do routing like this?
- And of course, how do I fix this?
*Note: The IPs SHOULD be the same as in the setup list, so when looking at my tcpdump capture, just for brevity, refer to the machines by hostname please.
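As an added example (not part of the original question), here is a small Python script that does mechanically what the question does by eye: it pairs each DNS query in the tcpdump output with its reply, keyed by (client host, client port, transaction ID), and lists the queries that never received one. The embedded capture is the one quoted above; the line format assumed is tcpdump's default `IP src.port > dst.port: txid flags ...` text output.

```python
import re
from typing import Dict, Tuple

# Constructed sample: the tcpdump lines quoted in the question above.
CAPTURE = """\
18:06:01.377752 IP PingFromMe.mylocaldomain.com.47588 > firewall.mylocaldomain.com.domain: 4279+ A? ns2.mylocaldomain.com. (34)
18:06:01.469696 IP PingFromMe.mylocaldomain.com.37619 > firewall.mylocaldomain.com.domain: 36025+ A? ns2.mylocaldomain.com.mylocaldomain.com. (47)
18:06:01.638045 IP firewall.mylocaldomain.com.42684 > ns1.mylocaldomain.com.domain: 41778+ PTR? 6.0.168.192.in-addr.arpa. (42)
18:06:01.639278 IP ns1.mylocaldomain.com.domain > firewall.mylocaldomain.com.42684: 41778* 1/2/0 PTR firewall.mylocaldomain.com. (113)
18:06:01.639486 IP firewall.mylocaldomain.com.36812 > ns1.mylocaldomain.com.domain: 54761+ PTR? 3.0.168.192.in-addr.arpa. (42)
18:06:01.639881 IP ns1.mylocaldomain.com.domain > firewall.mylocaldomain.com.36812: 54761* 1/2/0 PTR PingFromMe.mylocaldomain.com. (107)
18:06:02.641371 IP firewall.mylocaldomain.com.39348 > ns1.mylocaldomain.com.domain: 6957+ PTR? 4.0.168.192.in-addr.arpa. (42)
18:06:02.642031 IP ns1.mylocaldomain.com.domain > firewall.mylocaldomain.com.39348: 6957* 1/2/0 PTR ns1.mylocaldomain.com. (106)
"""

# One tcpdump DNS line: timestamp, "IP", src.port > dst.port, then "txid" plus flag chars.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<txid>\d+)(?P<flags>[+*]*) (?P<rest>.*)$"
)

def split_host_port(endpoint: str) -> Tuple[str, str]:
    """'host.example.com.47588' -> ('host.example.com', '47588'); port may be 'domain'."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def unanswered_queries(capture: str) -> Dict[Tuple[str, str, str], str]:
    """Map (client host, client port, txid) -> query text for queries with no reply."""
    pending: Dict[Tuple[str, str, str], str] = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines such as "listening on eth0 ..." are skipped
        src_host, src_port = split_host_port(m["src"])
        dst_host, dst_port = split_host_port(m["dst"])
        txid = m["txid"]
        if dst_port == "domain" and src_port != "domain":
            # Query: client ephemeral port -> server port 53. Remember it.
            pending[(src_host, src_port, txid)] = f"{dst_host}: {m['rest']}"
        elif src_port == "domain":
            # Reply: server port 53 -> client port. Clear the matching query.
            pending.pop((dst_host, dst_port, txid), None)
    return pending

if __name__ == "__main__":
    for (host, port, txid), query in unanswered_queries(CAPTURE).items():
        print(f"no reply for {host}:{port} txid {txid} -> {query}")
```

On the capture above this reports only the two A queries from PingFromMe to the firewall; every PTR lookup the firewall itself sent to ns1 was answered, which is what the question is pointing at.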