gateway iptables dns redirect
You need to put these rules in FORWARD chain:
iptables -A FORWARD -p udp -s 192.168.2.70 -d 208.67.222.222 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.2.70 -d 208.67.222.220 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.2.72 -d 208.67.222.222 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.2.72 -d 208.67.222.220 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
Give users local DNS servers addresses via DHCP and do not bother to redirect their DNS traffic to local servers - if they manipulate with their network configuration (DNS servers configuration), they will just fail.
Related videos on Youtube
The_cobra666
Updated on September 18, 2022Comments
-
The_cobra666 almost 2 years
I'm having a problem with redirecting pc's dns requests to a local dns server. I want to block access to other dns services except my own. I've found different methods of doing this, none work here. So I must be doing something wrong.
A lot of people suggest using this:
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to 192.168.2.70:53
But in my config this blocks access to DNS. Also I cannot find why this should work in the first place. Since prerouting is for external users that want access to an internal service right?
I also tried specifying the internal lan interface -i eth1 but, this just cannot work since the internal servers are also on the same interface. That would make a loop right? Servers sends out packets for port 53 and the gateway sends it back to the same server.
Then I would also like to ONLY allow the dns servers on my internal network, to contact other external dns servers. Like:
iptables -A OUTPUT -p udp -s 192.168.2.70 -d 208.67.222.222 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp -s 192.168.2.70 -d 208.67.222.220 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p udp -s 192.168.2.72 -d 208.67.222.222 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp -s 192.168.2.72 -d 208.67.222.220 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
But I'm guessing that the OUTPUT table is not correct. Since from what I learned, INPUT and OUTPUT are only for the local linux router no?
Information:
Internal dns servers: 192.168.2.70 and 192.168.2.72 External dns server: 208.67.222.220 and 208.67.222.222 LAN interface: ETH1 WAN interface: ETH0
My current firewall config without prerouting&forward rules except one to show how it's configed.
#!/bin/sh -e ifconfig eth1 192.168.2.1/24 echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/tcp_syncookies #Flush table's iptables -F INPUT iptables -F OUTPUT iptables -F FORWARD iptables -t nat -F #toestaan SSH verkeer iptables -t nat -A PREROUTING -p tcp --dport 22 -i eth0 -j DNAT --to 192.168.2.1 iptables -A INPUT -p tcp --dport 22 -j ACCEPT #Drop traffic and accept iptables -P FORWARD DROP iptables -P INPUT DROP iptables -P OUTPUT ACCEPT #verkeer naar buiten toe laten en nat aanzetten iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP #toestaan verkeer loopback iptables -A INPUT -i lo -j ACCEPT #toestaan lokaal netwerk iptables -A INPUT -i eth1 -j ACCEPT #accepteren established traffic iptables -A INPUT -i eth0 --match state --state RELATED,ESTABLISHED -j ACCEPT #droppen ICMP boodschappen iptables -A INPUT -p icmp -i eth0 -m limit --limit 10/minute -j ACCEPT iptables -A INPUT -p icmp -i eth0 -j REJECT #RDP forward voor windows servers iptables -t nat -A PREROUTING -p tcp --dport 3389 -i eth0 -j DNAT --to 192.168.2.73 iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT
-
The_cobra666 about 11 yearsOmg.. That is indeed correct. Totally forgot about the forward chain. DNS request to other dns servers indeed do not work anymore. Thanks!