Help with nat-start script

MaxTO

New Around Here
Hi,

I just installed asuswrt-merlin (3.0.0.4.374.35_2) onto my RT-N66U router. I have it set up so that it uses OpenDNS. However, I noticed that if the DNS settings are changed on the PC to something like 8.8.8.8 then it bypasses OpenDNS.

To address this, I wanted to install a script that would override this and would always use the DNS servers (i.e. OpenDNS) I have configured within the router.

I named the script "nat-start" and uploaded it to "/jffs/scripts".

Code:
#!/bin/sh
# Allow forwarded UDP DNS to the two OpenDNS resolvers, then drop all other
# forwarded UDP DNS (TCP port 53 is not covered by these rules)
iptables -I FORWARD 7 -p udp -o `nvram get wan0_ifname` -d 208.67.222.222 --dport 53 -j ACCEPT
iptables -I FORWARD 8 -p udp -o `nvram get wan0_ifname` -d 208.67.220.220 --dport 53 -j ACCEPT
iptables -I FORWARD 9 -p udp -o `nvram get wan0_ifname` --dport 53 -j DROP

However, it still seems that the adapter DNS settings are working and I can bypass the router's OpenDNS servers.

What am I doing wrong?

Thank you!
 
That example was written quite a while ago, and might break depending on your particular configuration.

I would recommend changing the 7, 8 and 9 values to insert them at the start of the FORWARD chain instead - it might work better. Change them to 1, 2 and 3 for testing purposes.
 
Hi RMerlin,

I made the change you recommended and it appears to be working correctly now - Thank you!

An additional question...if I need a few specific devices to bypass this, can I assign a static (internal) IP address to them and add to the script so that they would use a different DNS (such as 8.8.8.8)?
 
Hi, I would also like to add some IPs that bypass OpenDNS. Did you get a solution to this?
 
This should work if you assign DNS via DHCP. If a user tries to specify an alternate DNS they will fail. This is handled in the FORWARD chain.

Route specific source addr to a specific destination (i.e. 8.8.8.8) with nat PREROUTING

Code:
# Bypass: rewrite this host's DNS queries (UDP and TCP) to 8.8.8.8 before routing
iptables -t nat -I PREROUTING 1 -s [static ip_addr] -p udp --dport 53 -j DNAT --to 8.8.8.8:53
iptables -t nat -I PREROUTING 2 -s [static ip_addr] -p tcp --dport 53 -j DNAT --to 8.8.8.8:53

# Allow forwarded DNS to the OpenDNS resolvers (the OP's router is configured with 208.67.220.220; adjust to match)
iptables -I FORWARD 1 -p udp -o `nvram get wan0_ifname` -d 208.67.222.222 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I FORWARD 2 -p tcp -o `nvram get wan0_ifname` -d 208.67.222.222 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I FORWARD 3 -p udp -o `nvram get wan0_ifname` -d 208.67.222.220 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I FORWARD 4 -p tcp -o `nvram get wan0_ifname` -d 208.67.222.220 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# FORWARD sees the post-DNAT destination, so the bypass host's rewritten queries need their own ACCEPT
iptables -I FORWARD 5 -p udp -o `nvram get wan0_ifname` -s [static ip_addr] -d 8.8.8.8 --dport 53 -j ACCEPT
iptables -I FORWARD 6 -p tcp -o `nvram get wan0_ifname` -s [static ip_addr] -d 8.8.8.8 --dport 53 -j ACCEPT
# --dport needs a protocol, so drop UDP and TCP separately
iptables -I FORWARD 7 -p udp -o `nvram get wan0_ifname` --dport 53 -j DROP
iptables -I FORWARD 8 -p tcp -o `nvram get wan0_ifname` --dport 53 -j DROP

That should work for you. It's late, I may have missed something. ;)
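The two pieces of advice above (RMerlin's "insert at the top of FORWARD" and Sydlexia's DNAT bypass) combined into one nat-start script, as an added example that is not code from this thread or from Asuswrt-Merlin: it keeps its rules in custom chains so that re-running nat-start after a WAN restart replaces them instead of stacking duplicates, covers TCP as well as UDP, and logs dropped queries so bypass attempts show up in the router log. The chain names FORCE_DNS/FORCE_DNS_NAT, the 192.168.1.50 bypass host and the eth0 fallback interface are assumptions.

```shell
#!/bin/sh
# /jffs/scripts/nat-start: force LAN clients onto the router-configured resolvers.
# Rules live in their own chains, so when the firmware re-runs nat-start after a
# WAN restart they are replaced rather than stacked up as duplicates.
# Chain names, the 192.168.1.50 host and the eth0 fallback are this example's own choices.

RESOLVERS="208.67.222.222 208.67.220.220"   # upstreams LAN clients may use (OpenDNS)
BYPASS="192.168.1.50=8.8.8.8"               # constructed host=resolver pairs that get a different upstream
LAN_IF="br0"                                # Asuswrt LAN bridge
WAN_IF="$(nvram get wan0_ifname 2>/dev/null)"; WAN_IF="${WAN_IF:-eth0}"

# Print the iptables commands for the given WAN interface instead of running them,
# so the rule set can be reviewed (or tested) before it is piped to sh.
build_rules() {
    wan="$1"
    # Fresh custom chains: create (ignoring "already exists"), then flush.
    echo "iptables -N FORCE_DNS 2>/dev/null; iptables -F FORCE_DNS"
    echo "iptables -t nat -N FORCE_DNS_NAT 2>/dev/null; iptables -t nat -F FORCE_DNS_NAT"
    # Hook both chains at position 1; delete any earlier hook first so it is never duplicated.
    for proto in udp tcp; do
        echo "iptables -D FORWARD -o $wan -p $proto --dport 53 -j FORCE_DNS 2>/dev/null"
        echo "iptables -I FORWARD 1 -o $wan -p $proto --dport 53 -j FORCE_DNS"
        echo "iptables -t nat -D PREROUTING -i $LAN_IF -p $proto --dport 53 -j FORCE_DNS_NAT 2>/dev/null"
        echo "iptables -t nat -I PREROUTING 1 -i $LAN_IF -p $proto --dport 53 -j FORCE_DNS_NAT"
    done
    # Bypass hosts: rewrite their queries to the chosen upstream, then let that upstream through
    # (FORWARD sees the post-DNAT destination, so the plain resolver ACCEPTs below would not match).
    for pair in $BYPASS; do
        host="${pair%%=*}"; upstream="${pair#*=}"
        echo "iptables -t nat -A FORCE_DNS_NAT -s $host -j DNAT --to-destination $upstream"
        echo "iptables -A FORCE_DNS -s $host -d $upstream -j ACCEPT"
    done
    # Everyone else: only the configured resolvers; log (rate-limited) and drop the rest.
    for r in $RESOLVERS; do
        echo "iptables -A FORCE_DNS -d $r -j ACCEPT"
    done
    echo "iptables -A FORCE_DNS -m limit --limit 6/min -j LOG --log-prefix \"FORCE_DNS drop: \""
    echo "iptables -A FORCE_DNS -j DROP"
}

# Apply when the firmware runs this file as nat-start; under any other name
# (e.g. "sh preview.sh" on a workstation) just print the rules for review.
case "$0" in
    */nat-start|nat-start) build_rules "$WAN_IF" | sh ;;
    *) build_rules "$WAN_IF" ;;
esac
```

Dropped queries appear in the router's syslog with the "FORCE_DNS drop:" prefix, which is the quickest way to find the client that is still trying to use its own resolver.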
 
Hello Sydlexia,

Thank you for the reply. It works 100%!! :)

Regards
Gerrit