
I'm having a tough time figuring this one out.

I have the following network:

(Internet)--(firewall) -- (PC1 (Ubuntu 20.04)) -- (PC2 (Fedora, 192.168.0.2))

PC1 has two NICs, (enp4s0) faces the firewall, (eno0) faces PC2

The firewall shown is blocking all outgoing DNS requests and I cannot change that. PC2 needs access to 8.8.8.8 and I also can't change that. However PC1 does have internet access so long as it uses an internal DNS server, let's call it 192.169.100.100, and is running the following UFW configuration. Note that

    # Nat table rules
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    # Forward traffic from eno1 through enp4s0
    -A PREROUTING -i enp4s0 -p udp --dport 53 -j DNAT --to-destination 192.169.100.100
    -A POSTROUTING -s 192.168.0.0/24 -o enp4s0 -j MASQUERADE
    # process the nat table rules
    COMMIT

As you can see, all traffic gets forwarded from PC2 through PC1. That works fine. PC2 can ping 8.8.8.8 without issue. However, since PC2 attempts to resolve addresses with 8.8.8.8 and those get blocked by the firewall, I'm not able to use PC2 as required. What I'd like to do is route any DNS requests for 8.8.8.8 to 192.169.100.100 so that they resolve.

Is that possible? If so, any ideas of what I'm doing wrong, as I'm rather stumped? I've been staring at Wireshark and watching the packets try to reach 8.8.8.8 for a while now.

Thanks!
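The DNAT rule in the question matches on `-i enp4s0`, but a PREROUTING rule only sees a packet on the interface it arrives on, so PC2's queries have to be matched on the NIC PC2 is plugged into. The script below is an added example, not part of the original question: it renders a nat section with the interfaces the right way round and includes a check that flags a DNAT rule matching the wrong interface. The interface names are assumptions (eno1 facing PC2 and enp4s0 facing the firewall, as the config's own comment and the MASQUERADE rule suggest); set LAN_IF and WAN_IF to whatever `ip addr` shows on PC1. Dropping `-d 8.8.8.8` would redirect every DNS query from the LAN, not just those aimed at 8.8.8.8.

```shell
#!/bin/sh
# Added example (not from the original question): render a UFW before.rules
# nat section that redirects PC2's DNS queries for 8.8.8.8 to the internal
# resolver, plus a check for a DNAT rule matching the wrong interface.
# Assumed names: LAN_IF is the NIC facing PC2, WAN_IF the NIC facing the firewall.

LAN_IF="${LAN_IF:-eno1}"
WAN_IF="${WAN_IF:-enp4s0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
RESOLVER="${RESOLVER:-192.169.100.100}"

# Print the nat section. The DNAT rule must match on the LAN-facing interface:
# packets from PC2 arrive there, so a rule matching on $WAN_IF never sees them.
# Matching -s $LAN_NET -d 8.8.8.8 keeps the rewrite limited to PC2's queries
# for 8.8.8.8; the rest of PC2's traffic is left alone. TCP/53 is covered too,
# since resolvers retry large answers over TCP.
nat_section() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite PC2's DNS queries for 8.8.8.8 so they reach the internal resolver
-A PREROUTING -i $LAN_IF -s $LAN_NET -d 8.8.8.8 -p udp --dport 53 -j DNAT --to-destination $RESOLVER
-A PREROUTING -i $LAN_IF -s $LAN_NET -d 8.8.8.8 -p tcp --dport 53 -j DNAT --to-destination $RESOLVER
# Masquerade everything from the LAN that leaves towards the firewall
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Read "iptables -t nat -S PREROUTING"-style output on stdin and fail (exit 1)
# if any DNAT rule matches an interface other than $1 (the LAN-facing NIC).
dnat_iface_ok() {
    lan="$1"
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *"-j DNAT"*)
                iface=$(printf '%s\n' "$line" | sed -n 's/.*-i \([^ ]*\).*/\1/p')
                if [ -n "$iface" ] && [ "$iface" != "$lan" ]; then
                    echo "DNAT rule matches $iface, expected $lan: $line" >&2
                    bad=1
                fi
                ;;
        esac
    done
    return $bad
}

# Usage on PC1 (reading the live table needs root):
#   sudo iptables -t nat -S PREROUTING | LAN_IF=eno1 sh -c '. ./dns_nat.sh; dnat_iface_ok "$LAN_IF"'
#   nat_section   # paste the output into /etc/ufw/before.rules, then: sudo ufw reload
```

After reloading, `sudo iptables -t nat -L PREROUTING -v -n` shows packet counters on the DNAT rule; if they stay at zero while PC2 is querying, the rule is still on the wrong interface or the queries are not reaching PC1 at all.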

  • Why are you matching with -i enp4s0 instead of -i eno1 in your DNAT rule? What exactly are the two interfaces facing / connected respectively? Commented Jun 28, 2022 at 5:51
  • Ah, formatting didn't work out, I'll fix that. enp4s0 is the NIC that faces PC2, while eno0 faces the internet. Commented Jun 28, 2022 at 19:17
  • Ugh, your answer has an edit opposite to your comment. Do you even have a clear idea which interface is which? Regardless, your quoted rules also have the comment Forward traffic from eno1 through enp4s0. More importantly, your DNAT rule has -i enp4s0 and your MASQUERADE rule has -o enp4s0. So why isn't eno1 involved at all? Commented Jun 29, 2022 at 1:54

1 Answer


Install bind9 or some other DNS server that can forward requests on the Ubuntu box, and point the Fedora's nameserver entry at the Ubuntu box's IP.

The default install of bind9 on Debian and derivatives (like Ubuntu) is to act as a caching name server that queries the root servers. If you go this route and the Ubuntu box can't reach them, look into using the forwarders option in /etc/bind/named.conf.options.

Note that you already have an internal proxy DNS server going thanks to the way systemd "needs" to work, but I don't know if it is possible to expose that as a service on your LAN.
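As an added example of the forwarders route described in this answer (not the answerer's own code), the script below writes a named.conf.options for bind9 on PC1 that sends every query to the internal resolver and only answers the PC2-facing side. Assumed values: 192.168.0.1 as PC1's address on the PC2-facing NIC, the LAN 192.168.0.0/24 and the resolver 192.169.100.100 from the question; on a real host run it as root with /etc/bind/named.conf.options as the path, then restart bind9 and set PC2's nameserver to 192.168.0.1.

```shell
#!/bin/sh
# Added example (not from the original answer): write a bind9
# named.conf.options that forwards to the internal resolver and answers
# only PC1's LAN side. Assumed: LAN_ADDR is PC1's address on the NIC facing
# PC2, RESOLVER is the internal resolver from the question.

LAN_ADDR="${LAN_ADDR:-192.168.0.1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
RESOLVER="${RESOLVER:-192.169.100.100}"

# $1: output path (use /etc/bind/named.conf.options on PC1).
# "forward only" stops named from falling back to the root servers, which the
# firewall blocks anyway, so failures show up as SERVFAIL instead of timeouts.
# listen-on/allow-query keep the service off the firewall-facing NIC and closed
# to anything outside the LAN, so PC1 cannot be used as an open resolver.
write_named_options() {
    cat > "$1" <<EOF
options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; $LAN_ADDR; };
    listen-on-v6 { none; };
    allow-query { localhost; $LAN_NET; };
    allow-recursion { localhost; $LAN_NET; };
    recursion yes;
    forwarders { $RESOLVER; };
    forward only;
    // auto keeps DNSSEC validation; set to "no" only if the internal
    // resolver strips DNSSEC records and every lookup returns SERVFAIL
    dnssec-validation auto;
};
EOF
}

# Syntax-check the file when bind9 is installed. Prints "ok", "fail", or
# "skipped" (named-checkconf not present) and always returns 0.
check_named_options() {
    if command -v named-checkconf >/dev/null 2>&1; then
        if named-checkconf "$1"; then echo ok; else echo fail; fi
    else
        echo skipped
    fi
}

# Usage on PC1 (as root):
#   write_named_options /etc/bind/named.conf.options
#   check_named_options /etc/bind/named.conf.options && systemctl restart bind9
# Then on PC2, point resolv.conf (or its NetworkManager profile) at 192.168.0.1
# and test with: dig @192.168.0.1 example.com
```

With this in place the DNAT rules from the question are no longer needed for PC2's resolution to work, as long as PC2 is configured to ask PC1 rather than 8.8.8.8 directly.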
