Custom IPTables Rules for DNS Redirect


AdrianH

Occasional Visitor
I want to add some rules into iptables so that my Google/Nest smart devices stop calling Google DNS directly, and the Google DNS calls they do are redirected to my AdGuard Home DNS server which will reply with the appropriate DNS records. I know I can probably use DNSFiltering, but want to experiment with IPTable rules.

I originally just blocked the DNS calls as follows:

iptables -I FORWARD -d 8.8.8.8 -j REJECT
iptables -I FORWARD -d 8.8.4.4 -j REJECT

These are my rules to redirect Google DNS to my AGH server (192.168.10.14). I put them together after reading various posts about doing this. Do they look correct?

iptables -t nat -A PREROUTING -p udp -d 8.8.8.8 --dport 53 -j DNAT --to 192.168.10.14
iptables -t nat -A PREROUTING -p tcp -d 8.8.8.8 --dport 53 -j DNAT --to 192.168.10.14
iptables -t nat -A PREROUTING -p udp -d 8.8.4.4 --dport 53 -j DNAT --to 192.168.10.14
iptables -t nat -A PREROUTING -p tcp -d 8.8.4.4 --dport 53 -j DNAT --to 192.168.10.14
iptables -t nat -A POSTROUTING -j MASQUERADE

I also want to know which script I should add these rules to.

According to User scripts · RMerl/asuswrt-merlin.ng Wiki · GitHub I could likely use

firewall-start
nat-start

and I am thinking

firewall-start
nat-start

is the correct one.

Any comments or advice will be appreciated.
 
The following ...

iptables -t nat -A PREROUTING -p tcp -d 8.8.8.4 --dport 53 -j DNAT --to 192.168.10.14

... should be ...

iptables -t nat -A PREROUTING -p tcp -d 8.8.4.4 --dport 53 -j DNAT --to 192.168.10.14
 
The following ...

iptables -t nat -A PREROUTING -p tcp -d 8.8.8.4 --dport 53 -j DNAT --to 192.168.10.14

... should be ...

iptables -t nat -A PREROUTING -p tcp -d 8.8.4.4 --dport 53 -j DNAT --to 192.168.10.14

Ah, thanks for picking up my typo. Updated the post.
 
The above rules for redirection are working; the DNS queries are being sent to my AdGuard Home server.

BUT... the issue is that the source of the DNS queries is now the router, and not the device actually doing the DNS query.

iptables -t nat -A PREROUTING -p udp -d 8.8.8.8 --dport 53 -j DNAT --to 192.168.10.14
iptables -t nat -A PREROUTING -p tcp -d 8.8.8.8 --dport 53 -j DNAT --to 192.168.10.14
iptables -t nat -A PREROUTING -p udp -d 8.8.4.4 --dport 53 -j DNAT --to 192.168.10.14
iptables -t nat -A PREROUTING -p tcp -d 8.8.4.4 --dport 53 -j DNAT --to 192.168.10.14

As well as with and without this

iptables -t nat -A POSTROUTING -j MASQUERADE

Is there a way to specify in the rule to keep the source IP when redirecting the query to the AGH server?
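An added example (not the poster's rules, not from the Merlin project) of how the same redirect can be packaged as a nat-start script, with the DNAT rules kept in their own chain so re-runs do not duplicate them, the AGH host exempted from redirection, and the MASQUERADE narrowed to only the redirected flows instead of all forwarded traffic. Assumed values: LAN bridge br0, AGH at 192.168.10.14, and an iptables build with the conntrack match (`--ctstate DNAT`).

```shell
#!/bin/sh
# Added example for /jffs/scripts/nat-start (Asuswrt-Merlin); not the OP's rules.
# Constructed assumptions: LAN bridge br0, AdGuard Home (AGH) at 192.168.10.14.
LAN_IF="${LAN_IF:-br0}"
AGH="${AGH:-192.168.10.14}"
CHAIN="DNS_REDIRECT"
IPT="${IPT:-iptables}"   # set IPT=echo for a dry run that only prints the commands

# Emit the DNAT rule bodies, one per line, so they can be reviewed before applying.
# "! -s $AGH" exempts AGH itself: if it forwards upstream to 8.8.8.8, redirecting
# its own queries back to itself would create a resolution loop.
dns_redirect_rules() {
    for dns in 8.8.8.8 8.8.4.4; do
        for proto in udp tcp; do
            echo "-p $proto -d $dns --dport 53 ! -s $AGH -j DNAT --to-destination $AGH"
        done
    done
}

# Install the rules idempotently: everything lives in a dedicated chain that is
# flushed and refilled, and the jump/hairpin rules are only added if missing (-C).
apply_dns_redirect() {
    $IPT -t nat -N "$CHAIN" 2>/dev/null || true
    $IPT -t nat -F "$CHAIN"
    $IPT -t nat -C PREROUTING -i "$LAN_IF" -j "$CHAIN" 2>/dev/null \
        || $IPT -t nat -I PREROUTING -i "$LAN_IF" -j "$CHAIN"
    dns_redirect_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting $rule into arguments is intended
        $IPT -t nat -A "$CHAIN" $rule
    done
    # Hairpin case: client and AGH share br0, so without source NAT the AGH reply
    # would go straight to the client from 192.168.10.14 and be dropped as unexpected.
    # "--ctstate DNAT" masquerades only the redirected flows, not all forwarded
    # traffic as a bare "-j MASQUERADE" would. The cost is what the poster observed:
    # AGH logs the router as the source, because the reply must return via the router.
    $IPT -t nat -C POSTROUTING -o "$LAN_IF" -m conntrack --ctstate DNAT -j MASQUERADE 2>/dev/null \
        || $IPT -t nat -I POSTROUTING -o "$LAN_IF" -m conntrack --ctstate DNAT -j MASQUERADE
}

# Only apply when executed as nat-start (the file can also be sourced for review).
if [ "${0##*/}" = "nat-start" ]; then
    apply_dns_redirect
fi
```

Run it once with IPT=echo to inspect the exact commands before letting the firmware execute it at NAT setup.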
 
