DNS Filter/iptables to redirect dns requests with multiple ip filtering


amoney

Occasional Visitor
Hi All

My setup using iptables has been working well. I have the following code to redirect all DNS requests back to my pihole

Code:
iptables -t nat -A PREROUTING ! -s 192.168.1.63 -i br0 -p tcp --dport 53 -j DNAT --to 192.168.1.63:53
iptables -t nat -A PREROUTING ! -s 192.168.1.63 -i br0 -p udp --dport 53 -j DNAT --to 192.168.1.63:53
Now what I am setting up is a backup pihole + keepalived for a virtual IP. I plan on setting the DNS setting under LAN to the virtual IP. I want to figure out how I can update the above rule so it checks this for 3 different source IPs. I don't know enough about iptables to figure out how to configure it so that it only allows 3 specific IPs to make DNS calls.

I have looked at the DNS filter page and that looks promising with the router option. However, it does filtering based on MAC address and my 2nd Pihole will be a docker container so its MAC address might change. So I was thinking if it was possible to do this with iptables it might require less hand holding.
 

amoney

Occasional Visitor
Would this set of rules work? Assuming the two DNS servers are 192.168.1.[63,253] and 192.168.1.254 is the virtual IP.

Just read up on chains and it mentioned that rules are checked sequentially and when it finds a match it won't check the other rules. So I think this should work.

Code:
iptables -t nat -A PREROUTING -s 192.168.1.63,192.168.1.253 -i br0 -p tcp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -s 192.168.1.63,192.168.1.253 -i br0 -p udp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 192.168.1.254:53
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 192.168.1.254:53
edit: updated syntax
 

amoney

Occasional Visitor
The problem with firewall rules is they don't function like we would want, meaning configuring this way with two ip addresses may not work. @RMerlin , what would be an acceptable method to achieve this?
Ah good to know, let's see what RMerlin has to say. iptables output shows this

Code:
[email protected]:/tmp/home/root# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 1928 packets, 328K bytes)
 pkts bytes target     prot opt in     out     source               destination   
    0     0 ACCEPT     tcp  --  br0    *       192.168.1.63         0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     tcp  --  br0    *       192.168.1.253        0.0.0.0/0            tcp dpt:53
  572 37380 ACCEPT     udp  --  br0    *       192.168.1.63         0.0.0.0/0            udp dpt:53
  185 12515 ACCEPT     udp  --  br0    *       192.168.1.253        0.0.0.0/0            udp dpt:53
    0     0 DNAT       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 to:192.168.1.254:53
  285 17813 DNAT       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:192.168.1.254:53
 

ColinTaylor

Part of the Furniture
Ah good to know, let's see what RMerlin has to say.
I don't want to sound rude but I don't understand why you aren't just working this out for yourself (and the help of internet resources). Few people are going to have a setup quite like yours and by the time they reply you could have found the answer on your own.

Secondly, expecting RMerlin to provide one to one tuition on what is essentially a generic (i.e. not firmware related) iptables question seems rather presumptuous and a waste of his time.
 

SomeWhereOverTheRainBow

Very Senior Member
Ah good to know, let's see what RMerlin has to say. iptables output shows this

Code:
[email protected]:/tmp/home/root# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 1928 packets, 328K bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     tcp  --  br0    *       192.168.1.63         0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     tcp  --  br0    *       192.168.1.253        0.0.0.0/0            tcp dpt:53
  572 37380 ACCEPT     udp  --  br0    *       192.168.1.63         0.0.0.0/0            udp dpt:53
  185 12515 ACCEPT     udp  --  br0    *       192.168.1.253        0.0.0.0/0            udp dpt:53
    0     0 DNAT       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 to:192.168.1.254:53
  285 17813 DNAT       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:192.168.1.254:53
I don't want to sound rude but I don't understand why you aren't just working this out for yourself (and the help of internet resources). Few people are going to have a setup quite like yours and by the time they reply you could have found the answer on your own.

Secondly, expecting RMerlin to provide one to one tuition on what is essentially a generic (i.e. not firmware related) iptables question seems rather presumptuous and a waste of his time.
Yea it is hard to answer a question like this without knowing what router model && firmware version you are running. Also it is hard to establish whether the iptables version on the firmware is capable of such. If so you would probably need to reference the internet more as most people do not run this setup as @ColinTaylor has mentioned.
 

dave14305

Part of the Furniture
Can you change all the DNS IP addresses to be within a small narrow range and then specify a CIDR block 192.168.1.4/30 (for example, giving you .4 to .7). This was a popular method in the FreshJR QoS thread for multiple gaming devices.
 

Martineau

Part of the Furniture
Hi All

My setup using iptables has been working well. I have the following code to redirect all DNS requests back to my pihole

Code:
iptables -t nat -A PREROUTING ! -s 192.168.1.63 -i br0 -p tcp --dport 53 -j DNAT --to 192.168.1.63:53
iptables -t nat -A PREROUTING ! -s 192.168.1.63 -i br0 -p udp --dport 53 -j DNAT --to 192.168.1.63:53
Now what I am setting up is a backup pihole + keepalived for a virtual IP. I plan on setting the DNS setting under LAN to the virtual IP. I want to figure out how I can update the above rule so it checks this for 3 different source IPs. I don't know enough about iptables to figure out how to configure it so that it only allows 3 specific IPs to make DNS calls.

I have looked at the DNS filter page and that looks promising with the router option. However, it does filtering based on MAC address and my 2nd Pihole will be a docker container so its MAC address might change. So I was thinking if it was possible to do this with iptables it might require less hand holding.
Can you not populate an IPSET or (IPSET Group) with the three IP addresses (and/or MACs if you prefer)

e.g. addresses are just random
Code:
ipset create DNS_REDIRECT hash:net comment

ipset add DNS_REDIRECT  192.168.1.111
ipset add DNS_REDIRECT  192.168.1.222
ipset add DNS_REDIRECT  192.168.1.123

ipset list DNS_REDIRECT

Name: DNS_REDIRECT
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 640
References: 0
Number of entries: 3
Members:
192.168.1.111
192.168.1.222
192.168.1.123
then have two simple rules to '-j DNAT' only the three IPs
Code:
iptables -t nat -A PREROUTING -m set --match-set DNS_REDIRECT  src  -i br0 -p tcp --dport 53 -j DNAT --to 192.168.1.63:53
iptables -t nat -A PREROUTING -m set --match-set DNS_REDIRECT  src  -i br0 -p udp --dport 53 -j DNAT --to 192.168.1.63:53
or am I missing something?
 

amoney

Occasional Visitor
Hi all, thanks for all your input. I am sorry, I did not see any email notifications for these responses so never knew people had other suggestions. Thanks for all your inputs @ColinTaylor / @SomeWhereOverTheRainBow / @dave14305

@Martineau thanks for the IPSET suggestion. I am not aware of this and will be spending time trying to understand how this feature works. I have never used it before.

I assumed the rules were being interpreted correctly because iptables was listing them as I would have expected them

Code:
[email protected]:/tmp/home/root# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 3365 packets, 403K bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1394
  511 48170 VSERVER    all  --  *      *       0.0.0.0/0            67.164.106.40      
    0     0 ACCEPT     tcp  --  br0    *       192.168.1.63         0.0.0.0/0            tcp dpt:53
    1    60 ACCEPT     tcp  --  br0    *       192.168.1.253        0.0.0.0/0            tcp dpt:53
  182 13641 ACCEPT     udp  --  br0    *       192.168.1.63         0.0.0.0/0            udp dpt:53
  589 39650 ACCEPT     udp  --  br0    *       192.168.1.253        0.0.0.0/0            udp dpt:53
    0     0 DNAT       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 to:192.168.1.254:53
  520 31873 DNAT       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:192.168.1.254:53
    2   120 DNAT       tcp  --  tun+   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:63226 to:192.168.1.21:32400
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            89.46.114.84         udp dpt:9934 to:192.168.1.63:54930
   19  1398 YazFiDNSFILTER  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 YazFiDNSFILTER  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53


[email protected]:/tmp/home/root# iptables -V
iptables v1.4.15
[email protected]:/tmp/home/root#
Anyways I am now running Asus Merlin 384.17

I just happened to get back to this thread as I was curious about the settings and wanted to tinker for no reason. Again I do apologize for no response.
 

amoney

Occasional Visitor
@Martineau appreciate the IPSET knowledge drop. My setup was working earlier but I decided to learn a bit about ipset and use it instead of my current rules. Just had to change the iptables command to do a ! match. Here is my new code I am running

Code:
# check if dns redirect ipset exists or not.
ipset -q -L DNS_REDIRECT
if [ $? -ne 0 ]; then
  echo "setup DNS_REDIRECT ipset" | logger -t nat-start
  ipset -N DNS_REDIRECT hash:net comment
  ipset -A DNS_REDIRECT  192.168.1.253 comment 'Pi-hole Master'
  ipset -A DNS_REDIRECT  192.168.1.254 comment 'Pi-hole HA'
  ipset -A DNS_REDIRECT  192.168.1.63 comment 'Pi-hole Backup'
fi

# show the ipset info
ipset -L DNS_REDIRECT | logger -t nat-start

iptables -t nat -A PREROUTING -m set ! --match-set DNS_REDIRECT  src  -i br0 -p tcp --dport 53 -j DNAT --to 192.168.1.254:53
iptables -t nat -A PREROUTING -m set ! --match-set DNS_REDIRECT  src  -i br0 -p udp --dport 53 -j DNAT --to 192.168.1.254:53
Tinkering continues.
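As an added example (my own code, not something posted by anyone in this thread), here is how the final nat-start fragment above can be made safe to re-run and checked afterwards. It keeps the thread's assumptions: LAN bridge `br0`, keepalived VIP `192.168.1.254`, and Pi-holes at `192.168.1.253` and `192.168.1.63` exempted through a `DNS_REDIRECT` ipset. The function names (`setup_dns_set`, `ensure_nat_rule`, `apply_dns_redirect`, `count_redirected_packets`) are mine; `IPT`/`IPSET` are overridable so the logic can be dry-run on a box without iptables.

```shell
#!/bin/sh
# Added example for this thread (not any poster's code): an idempotent
# nat-start fragment that forces LAN DNS to a keepalived VIP while exempting
# the Pi-hole hosts via an ipset, plus a helper that reads the DNAT packet
# counters back from 'iptables -t nat -L -n -v' to confirm the rules are hit.
# Assumptions: br0, VIP .254, Pi-holes .253/.63 as in the thread.

IPT="${IPT:-iptables}"
IPSET="${IPSET:-ipset}"
SET_NAME="DNS_REDIRECT"
LAN_IF="br0"
DNS_VIP="192.168.1.254"
# Hosts allowed to reach port 53 directly: the resolvers and the VIP owner.
DNS_HOSTS="192.168.1.253 192.168.1.254 192.168.1.63"

# Create and populate the set. '-exist' makes both steps safe to repeat,
# which matters because nat-start runs again on every WAN restart.
setup_dns_set() {
  "$IPSET" create "$SET_NAME" hash:net comment -exist
  for h in $DNS_HOSTS; do
    "$IPSET" add "$SET_NAME" "$h" -exist
  done
}

# Match/target part of the rule for one protocol ($1 = tcp|udp). Both
# protocols come from one template so tcp and udp cannot drift apart.
dns_redirect_rule() {
  printf '%s' "-i $LAN_IF -p $1 --dport 53 -m set ! --match-set $SET_NAME src -j DNAT --to-destination $DNS_VIP:53"
}

# Append a rule only if an identical one is not already present (-C),
# so repeated runs do not stack duplicate DNAT rules in PREROUTING.
ensure_nat_rule() {
  # $1 is deliberately unquoted so the spec is split into arguments
  "$IPT" -t nat -C PREROUTING $1 2>/dev/null || "$IPT" -t nat -A PREROUTING $1
}

apply_dns_redirect() {
  setup_dns_set
  ensure_nat_rule "$(dns_redirect_rule tcp)"
  ensure_nat_rule "$(dns_redirect_rule udp)"
}

# Sum the packet counters of the DNAT-to-VIP rules from an
# 'iptables -t nat -L -n -v' listing read on stdin. A zero here after
# clients have been resolving names means the redirect is not matching.
count_redirected_packets() {
  awk -v vip="to:$DNS_VIP:53" '$3 == "DNAT" && $NF == vip { total += $1 } END { print total + 0 }'
}

if [ "${1:-}" = "apply" ]; then
  apply_dns_redirect
elif [ "${1:-}" = "verify" ]; then
  "$IPT" -t nat -L -n -v | count_redirected_packets
fi
```

Run it as `sh dns_redirect.sh apply` from nat-start and `sh dns_redirect.sh verify` afterwards. Two things worth knowing when reading the listings earlier in the thread: `-s a,b` is expanded by iptables into one rule per address, which is why the four-rule version showed up as separate ACCEPT lines, and an ACCEPT in the nat PREROUTING chain simply ends traversal of that chain with no NAT applied, so both the ACCEPT-then-DNAT layout and the single `! --match-set` rule give the same result. The redirect only covers plain port 53; clients using DNS over TLS (853) or DNS over HTTPS (443) are not caught by it.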
 
