Custom IPTables Rules for DNS Redirect


AdrianH

Occasional Visitor
I want to add some rules into iptables so that my Google/Nest smart devices stop calling Google DNS directly, and the Google DNS calls they do make are redirected to my AdGuard Home DNS server, which will reply with the appropriate DNS records. I know I can probably use DNSFiltering, but I want to experiment with iptables rules.

I originally just blocked the DNS calls as follows:

iptables -I FORWARD -d 8.8.8.8 -j REJECT
iptables -I FORWARD -d 8.8.4.4 -j REJECT

These are my rules to redirect Google DNS to my AGH server (192.168.10.14). I put them together after reading various posts about doing this. Do they look correct?

iptables -t nat -A PREROUTING -p udp -d 8.8.8.8 --dport 53 -j DNAT --to 192.168.10.14
iptables -t nat -A PREROUTING -p tcp -d 8.8.8.8 --dport 53 -j DNAT --to 192.168.10.14
iptables -t nat -A PREROUTING -p udp -d 8.8.4.4 --dport 53 -j DNAT --to 192.168.10.14
iptables -t nat -A PREROUTING -p tcp -d 8.8.4.4 --dport 53 -j DNAT --to 192.168.10.14
iptables -t nat -A POSTROUTING -j MASQUERADE

I also want to know which script I should add these rules into.

According to User scripts · RMerl/asuswrt-merlin.ng Wiki · GitHub I could likely use

firewall-start
nat-start

and I am thinking

firewall-start
nat-start

is the correct one.

Any comments or advice will be appreciated.

ColinTaylor

Part of the Furniture
NAT rules go in nat-start. There is no need for the MASQUERADE rule as there is already one.
 

eibgrad

Very Senior Member
The following ...

iptables -t nat -A PREROUTING -p tcp -d 8.8.8.4 --dport 53 -j DNAT --to 192.168.10.14

... should be ...

iptables -t nat -A PREROUTING -p tcp -d 8.8.4.4 --dport 53 -j DNAT --to 192.168.10.14
 

AdrianH

Occasional Visitor
The following ...

iptables -t nat -A PREROUTING -p tcp -d 8.8.8.4 --dport 53 -j DNAT --to 192.168.10.14

... should be ...

iptables -t nat -A PREROUTING -p tcp -d 8.8.4.4 --dport 53 -j DNAT --to 192.168.10.14

ah, thanks for picking up my typo. Updated the post.
 

AdrianH

Occasional Visitor
The above rules for redirection are working; the DNS queries are being sent to my AdGuard Home server.

BUT... the issue is that the source of the DNS queries is now the router, and not the device actually doing the DNS query.

Code:
iptables -t nat -A PREROUTING -p udp -d 8.8.8.8 --dport 53 -j DNAT --to 192.168.10.14
iptables -t nat -A PREROUTING -p tcp -d 8.8.8.8 --dport 53 -j DNAT --to 192.168.10.14
iptables -t nat -A PREROUTING -p udp -d 8.8.4.4 --dport 53 -j DNAT --to 192.168.10.14
iptables -t nat -A PREROUTING -p tcp -d 8.8.4.4 --dport 53 -j DNAT --to 192.168.10.14

As well as with and without this

iptables -t nat -A POSTROUTING -j MASQUERADE

Is there a way to specify in the rule to keep the source IP when redirecting the query to the AGH server?
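Pulling the thread's rules together into a nat-start script, as an added example that is not from the thread or from the asuswrt-merlin project: it runs `iptables -C` before `-A` so that re-runs of nat-start (it is triggered again on WAN events) do not stack duplicate rules, restricts the match to the LAN bridge with `-i br0` (assumed here to be the LAN interface), and adds no MASQUERADE rule, following ColinTaylor's point that the firmware already has one. The AGH address 192.168.10.14 and the Google resolver addresses come from the thread; the interface name and the dry-run fallback are constructed for this example. When iptables is not on the PATH the script prints the rules it would add instead of applying them.

```shell
#!/bin/sh
# /jffs/scripts/nat-start  (constructed example, not from the thread)
# Redirect LAN clients' queries to 8.8.8.8 / 8.8.4.4 to the AdGuard Home host.
# Assumptions: br0 is the LAN bridge; 192.168.10.14 is AGH (from the thread).

AGH=192.168.10.14
LAN_IF=br0

# nat-start is re-run on WAN restarts, so check with -C before appending with -A
# to avoid duplicate rules piling up in the PREROUTING chain.
add_once() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables -t nat -A $*"
        return 0
    fi
    iptables -t nat -C "$@" 2>/dev/null || iptables -t nat -A "$@"
}

dns_redirect_rules() {
    for dns in 8.8.8.8 8.8.4.4; do
        for proto in udp tcp; do
            # -i br0: only packets arriving from the LAN side are matched,
            # so WAN-originated traffic is never redirected into the LAN.
            add_once PREROUTING -i "$LAN_IF" -p "$proto" -d "$dns" --dport 53 \
                -j DNAT --to-destination "$AGH"
        done
    done
    # No POSTROUTING MASQUERADE here: the firmware already installs one, and a
    # blanket "-A POSTROUTING -j MASQUERADE" would masquerade all traffic.
}

# Off the router (no iptables binary) just print the rules for inspection.
command -v iptables >/dev/null 2>&1 || DRY_RUN=1
dns_redirect_rules
```

On the source-address question in the last post: the query is DNAT'd to a host on the same subnet as the client, so the firmware's existing LAN-to-LAN masquerade (the NAT loopback rule) also rewrites the source to the router's address. That rewrite is what makes the answer return through the router, where it is un-NATed back to 8.8.8.8 before the client sees it. If the source were left intact, the AdGuard Home host would answer the client directly from 192.168.10.14 without passing the router, and a resolver that asked 8.8.8.8 discards a reply arriving from a different address. Keeping per-device client addresses in the AdGuard Home logs therefore needs a reply path that goes through the router, for example the AdGuard host sitting on a different subnet or VLAN, rather than a change to the DNAT rule alone.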
 
