gateway iptables dns redirect


You need to put these rules in FORWARD chain:

iptables -A FORWARD -p udp -s 192.168.2.70 -d 208.67.222.222 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.2.70 -d 208.67.222.220 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT 
iptables -A FORWARD -p udp -s 192.168.2.72 -d 208.67.222.222 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT 
iptables -A FORWARD -p tcp -s 192.168.2.72 -d 208.67.222.220 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

Give users the local DNS servers' addresses via DHCP and do not bother to redirect their DNS traffic to the local servers - if they manipulate their network configuration (DNS server configuration), they will just fail.
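The FORWARD-chain approach above, generalized into a small script that is an added example and not part of the original answer. It generates one ACCEPT rule per internal resolver, upstream server and protocol (the four rules in the answer are the output for the addresses given in the question), followed by a REJECT for any other LAN host sending port-53 traffic towards the WAN. The interface matches (`-i eth1 -o eth0`), the variable names and the `IPT=echo` dry-run convention are assumptions added here; the addresses and interface names come from the question.

```shell
#!/bin/sh
# Added example: build FORWARD-chain rules so that only the internal
# resolvers may talk to the upstream DNS servers, and every other
# LAN-originated DNS packet bound for the WAN is rejected.
# Set IPT=echo to print the rules instead of applying them (dry run).
# Addresses and interfaces below are those from the question.

IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
INTERNAL_DNS="${INTERNAL_DNS:-192.168.2.70 192.168.2.72}"
UPSTREAM_DNS="${UPSTREAM_DNS:-208.67.222.220 208.67.222.222}"

# Emit the ACCEPT rules for each (resolver, upstream, protocol) triple,
# then a catch-all REJECT for port 53 from any other LAN host to the WAN.
# Order matters: the REJECT must come after the ACCEPTs.
dns_forward_rules() {
    for res in $INTERNAL_DNS; do
        for up in $UPSTREAM_DNS; do
            for proto in udp tcp; do
                $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p "$proto" \
                    -s "$res" -d "$up" --dport 53 \
                    -m state --state NEW,ESTABLISHED -j ACCEPT
            done
        done
    done
    for proto in udp tcp; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p "$proto" --dport 53 \
            -j REJECT --reject-with icmp-port-unreachable
    done
}

# Dry-run helper: print the generated rules without touching the firewall.
print_rules() {
    ( IPT=echo; dns_forward_rules )
}

# Number of rules the generator would install (8 ACCEPT + 2 REJECT for
# two resolvers and two upstreams).
count_rules() {
    print_rules | wc -l | tr -d ' '
}

# Apply for real only when run directly with IPT left at its default.
[ "$IPT" = "iptables" ] && [ "${0##*/}" != "sh" ] && dns_forward_rules
```

Because `-A` appends, these rules have to be installed before the blanket `iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT` from the question's script, otherwise that rule matches first and the REJECT is never reached (`iptables -L FORWARD -n --line-numbers` shows the order). Note also that this only constrains plain DNS on port 53; a client using DNS over TLS (853) or DNS over HTTPS (443) is not affected by these rules.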


Author: The_cobra666

Updated on September 18, 2022

Comments

  • The_cobra666 almost 2 years

    I'm having a problem with redirecting PCs' DNS requests to a local DNS server. I want to block access to other DNS services except my own. I've found different methods of doing this; none work here. So I must be doing something wrong.

    A lot of people suggest using this:

    iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to 192.168.2.70:53

    But in my config this blocks access to DNS. Also I cannot find why this should work in the first place, since PREROUTING is for external users that want access to an internal service, right?

    I also tried specifying the internal LAN interface -i eth1, but this just cannot work since the internal servers are also on the same interface. That would make a loop, right? The server sends out packets for port 53 and the gateway sends them back to the same server.

    Then I would also like to ONLY allow the DNS servers on my internal network to contact other external DNS servers. Like:

    iptables -A OUTPUT -p udp -s 192.168.2.70 -d 208.67.222.222 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -s 192.168.2.70 -d 208.67.222.220 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p udp -s 192.168.2.72 -d 208.67.222.222 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -s 192.168.2.72 -d 208.67.222.220 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

    But I'm guessing that the OUTPUT table is not correct, since from what I learned, INPUT and OUTPUT are only for the local Linux router, no?

    Information:

    Internal DNS servers: 192.168.2.70 and 192.168.2.72
    External DNS servers: 208.67.222.220 and 208.67.222.222
    LAN interface: eth1
    WAN interface: eth0

    My current firewall config, without the PREROUTING & FORWARD rules except one to show how it's configured:

    #!/bin/sh -e
    ifconfig eth1 192.168.2.1/24

    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies

    # Flush tables
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    iptables -t nat -F

    # allow SSH traffic
    iptables -t nat -A PREROUTING -p tcp --dport 22 -i eth0 -j DNAT --to 192.168.2.1
    # (this unconditional ACCEPT is matched before the rate-limited SSH rules below)
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT

    # Default policies: drop forwarded and incoming traffic, accept outgoing
    iptables -P FORWARD DROP
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT

    # allow outbound traffic and enable NAT
    iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    # rate-limit new SSH connections
    iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
    iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP

    # allow loopback traffic
    iptables -A INPUT -i lo -j ACCEPT

    # allow local network
    iptables -A INPUT -i eth1 -j ACCEPT

    # accept established traffic
    iptables -A INPUT -i eth0 --match state --state RELATED,ESTABLISHED -j ACCEPT

    # drop ICMP messages (rate-limited accept, then reject)
    iptables -A INPUT -p icmp -i eth0 -m limit --limit 10/minute -j ACCEPT
    iptables -A INPUT -p icmp -i eth0 -j REJECT

    # RDP forward for Windows servers
    iptables -t nat -A PREROUTING -p tcp --dport 3389 -i eth0 -j DNAT --to 192.168.2.73
    iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT
    
  • The_cobra666 about 11 years
    Omg.. That is indeed correct. Totally forgot about the FORWARD chain. DNS requests to other DNS servers indeed do not work anymore. Thanks!