Help with custom iptables

ajp2k14

Regular Contributor
I would like to redirect all DNS calls to another internal IP so client DNS is forced through it. How do I do that? I tried adding iptables rules in /root/firewall-start.sh but I can't get it to work...


Thanks!
 
Check that your script /root/firewall-start.sh is executable. And how do you test that it is working? This script will be called following NG's own logic (I do not know when, but not immediately). Just for a test, try to run it manually. Then if everything is OK and your rules are working, leave it. FW will call this script of yours when changing rules (adding yours).

Voxel.
 
Thanks, I did try to run it manually and got no errors but it didn't work. I couldn't find a trace of it with iptables --list either...

The command I tried to run was (not sure if it's correct):

iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to 192.168.1.2:53;
iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to 192.168.1.2:53;
iptables -t nat -A POSTROUTING -j MASQUERADE

Thanks!
 
@Voxel Could it be that the R7800 already redirects DNS to itself?

Chain PREROUTING (policy ACCEPT 1233 packets, 103K bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT udp -- br0 * 0.0.0.0/0 !192.168.1.1 udp dpt:53 UNKNOWN match `dnshijack' redir ports 53
 
Never mind, I think I got it working! :)

For those interested...

iptables -t nat -A PREROUTING ! -s 192.168.1.2/32 ! -d 192.168.1.2/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.2:53
iptables -t nat -A PREROUTING ! -s 192.168.1.2/32 ! -d 192.168.1.2/32 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.2:53
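As an added example (not code from the thread or from the router firmware), here is how the working PREROUTING rules above can be packaged into a firewall-start.sh-style helper that is safe to re-run. It assumes the LAN bridge is br0 and the resolver is 192.168.1.2, both taken from the thread; the function names, the DNS_SERVER / LAN_IF / DNS_REDIRECT_APPLY variables and the `-i br0` interface restriction are my own additions. It also explains why the earlier OUTPUT-chain attempt could not work for clients.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Forces LAN client DNS (tcp+udp/53) to an internal resolver via DNAT.
# Assumptions: LAN bridge br0 and resolver 192.168.1.2 (from the thread);
# variable and function names below are hypothetical.

DNS_SERVER="${DNS_SERVER:-192.168.1.2}"
LAN_IF="${LAN_IF:-br0}"

# Build the rule spec (chain + match + target) for one protocol.
# PREROUTING is the right chain because client packets are *forwarded*
# through the router; the OUTPUT chain only sees packets the router itself
# generates, so DNAT there never touches client queries.
# The resolver is excluded as source and destination so its own upstream
# lookups and queries already aimed at it are left alone.
# "-i $LAN_IF" keeps the rewrite to LAN clients and off the WAN side.
dns_rule() {
    proto="$1"
    printf 'PREROUTING -i %s ! -s %s ! -d %s -p %s --dport 53 -j DNAT --to-destination %s:53' \
        "$LAN_IF" "$DNS_SERVER" "$DNS_SERVER" "$proto" "$DNS_SERVER"
}

# Add a nat rule only if it is not already present: "iptables -C" exits 0
# when an identical rule exists, so re-running the script (or the firmware
# calling firewall-start.sh again) never stacks duplicate rules.
# -I puts the rule at the top of the chain so it is evaluated before any
# rule the firmware already placed there.
ensure_rule() {
    # shellcheck disable=SC2086  # word splitting of the rule spec is intended
    iptables -t nat -C $1 2>/dev/null || iptables -t nat -I $1
}

apply_dns_redirect() {
    for proto in udp tcp; do
        ensure_rule "$(dns_rule "$proto")"
    done
    # Show the resulting chain so the result is visible, with the counters
    # that tell you whether client queries are actually hitting the rule.
    iptables -t nat -L PREROUTING -n -v --line-numbers
}

# Dry run: print the exact commands without touching the firewall.
show_dns_redirect() {
    for proto in udp tcp; do
        printf 'iptables -t nat -I %s\n' "$(dns_rule "$proto")"
    done
}

# Only modify the firewall when explicitly asked; drop this guard (or set
# DNS_REDIRECT_APPLY=1) when the file is installed as firewall-start.sh.
if [ "${DNS_REDIRECT_APPLY:-0}" = "1" ]; then
    apply_dns_redirect
else
    show_dns_redirect
fi
```

Run it once without the variable to see the two commands it would issue, then with `DNS_REDIRECT_APPLY=1` as root to install them. The `pkts` counter on the listed rule is the quickest check that client traffic is really being rewritten: a rule that stays at 0 after a client lookup is in the wrong chain or on the wrong interface.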
 
Congratulations! The most important thing is that you were able to find a solution yourself.

Voxel.
 