
Enabled firewall but DNS still is filtered

Discussion in 'Asuswrt-Merlin' started by Turgut Kalfaoglu, May 26, 2020.

  1. Turgut Kalfaoglu

    Turgut Kalfaoglu Occasional Visitor

    Joined:
    Apr 17, 2020
    Messages:
    47
    Hi. I added an exception rule to the firewall, to allow BOTH TCP and UDP to port 53, from/to all, because I run a DNS server. I enabled 'log dropped packages' and disabled DOS protection. Despite these, I get entries in the logs saying that the destination port 53 has been dropped.

    May 26 14:32:32 ns2 kern.warn kernel: DROP IN=eth0 OUT= MAC=a8:5e:45:97:75:c8:08:62:66:d0:bf:c8:08:00 SRC=46.229.168.129 DST=192.168.2.2 LEN=74 TOS=0x00 PREC=0x00 TTL=52 ID=45303 PROTO=UDP SPT=18972 DPT=53 LEN=54
    May 26 14:32:32 ns2 kern.warn kernel: DROP IN=eth0 OUT= MAC=a8:5e:45:97:75:c8:08:62:66:d0:bf:c8:08:00 SRC=46.229.168.129 DST=192.168.2.2 LEN=74 TOS=0x00 PREC=0x00 TTL=51 ID=45339 PROTO=UDP SPT=57318 DPT=53 LEN=54

    What do you suggest I do?

    Many thanks, -t
     
  2. Turgut Kalfaoglu

    Turgut Kalfaoglu Occasional Visitor

    Joined:
    Apr 17, 2020
    Messages:
    47
    Btw, I checked the iptables -L -n , and indeed when I insert an exception to the server list, it is NOT reflected to the iptables.

    So I just manually added a few entries into /jffs/scripts/services-start like:

    /usr/sbin/iptables -I INPUT -p tcp --destination-port 53 -j ACCEPT
    /usr/sbin/iptables -I INPUT -p udp --destination-port 53 -j ACCEPT

    But this must be a bug since the GUI changes are not reflected here.
     
  3. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    12,105
    Location:
    UK
    It won't show up with that command because Virtual Server / Port Forwarding creates entries in the nat table not the filter table.

    Where is the DNS server running, on the router or on a server on the LAN?
     
  4. Turgut Kalfaoglu

    Turgut Kalfaoglu Occasional Visitor

    Joined:
    Apr 17, 2020
    Messages:
    47
    Many thanks for the feedback. DNS bind is running on the router actually.
    -t
     
  5. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    12,105
    Location:
    UK
    I can only assume that the router's WAN IP address is 192.168.2.2 in which case Virtual Server / Port Forwarding is the wrong tool to use. You need to put your iptables rules in firewall-start.
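An added example (not posted in the thread, and not Asuswrt-Merlin's own code) of what a firewall-start script for this situation could look like: it inserts ACCEPT rules for TCP and UDP port 53 into the filter table's INPUT chain, which is the chain the quoted DROP lines come from, rather than into the nat table that Virtual Server / Port Forwarding populates. It assumes the script lives at /jffs/scripts/firewall-start, that the firmware passes the WAN interface name as the first argument (with `nvram get wan0_ifname` as a fallback, both assumed), and it uses the /usr/sbin/iptables path from the thread. Because firewall-start can run again on every WAN reconnect, each rule is checked with `-C` before `-I` so duplicates do not pile up; the `count_dns_drops` helper is there to confirm afterwards that the syslog no longer shows port 53 drops.

```shell
#!/bin/sh
# Added example: /jffs/scripts/firewall-start (assumed location).
# Allows inbound DNS (TCP and UDP port 53) on the WAN interface for a
# BIND server running on the router itself.
#
# Assumptions not confirmed by the thread:
#   - the firmware runs this script after the firewall is (re)built and
#     passes the WAN interface name as $1; "nvram get wan0_ifname" is a fallback
#   - the logged DROP lines come from the filter table's INPUT chain, so
#     that is where the ACCEPT rules must go (not the nat table)

IPT="${IPT:-/usr/sbin/iptables}"   # path used in the thread; overridable for testing

# Insert a rule only if an identical one is not already present.
# firewall-start may run several times (WAN reconnect, firewall restart),
# and a bare "-I" would stack duplicate rules on each run.
ensure_rule() {
    chain="$1"; shift
    if "$IPT" -C "$chain" "$@" 2>/dev/null; then
        return 0            # already there
    fi
    "$IPT" -I "$chain" "$@"
}

# Accept DNS queries arriving on the given WAN interface, both transports.
allow_dns_in() {
    ifname="$1"
    for proto in tcp udp; do
        ensure_rule INPUT -i "$ifname" -p "$proto" --dport 53 -j ACCEPT
    done
}

# Verification helper: count firewall DROP lines for destination port 53
# in syslog text read from stdin, e.g.  count_dns_drops < /tmp/syslog.log
# It prints 0 once the rules above are in place.
count_dns_drops() {
    awk '/DROP IN=/ && /DPT=53( |$)/ { n++ } END { print n + 0 }'
}

# Entry point: only act when the WAN interface is known.
WAN_IF="${1:-$(nvram get wan0_ifname 2>/dev/null)}"
if [ -n "$WAN_IF" ]; then
    allow_dns_in "$WAN_IF"
    logger -t firewall-start "DNS ACCEPT rules ensured on $WAN_IF"
else
    echo "firewall-start: WAN interface unknown, no DNS rules added" >&2
fi
```

After saving it, `chmod +x /jffs/scripts/firewall-start` and restart the firewall (or reconnect the WAN); `iptables -L INPUT -n --line-numbers | grep ':53'` should then show the two ACCEPT rules near the top, and `count_dns_drops < /tmp/syslog.log` should stop growing.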