IPtables to allow guest clients only DNS access to a DNS server

Jack Yaz

I have created a guest network script. I want to allow the guest network access to a DNS server running in the primary subnet 10.14.16.2 (PiHole).

I have the below rules. My question is, do I need the last one for the clients to work properly? Or is it best to shut off all access between the guest Wi-Fi interface and the inner LAN in ebtables?

Code:
Where $1 is guest interface e.g. wl0.1 and $2 is either -I or -D

/usr/sbin/ebtables -t broute $1 BROUTING -p ipv4 -i $2 -j DROP
/usr/sbin/ebtables -t broute $1 BROUTING -p ipv6 -i $2 -j DROP
/usr/sbin/ebtables -t broute $1 BROUTING -p arp  -i $2 -j DROP
/usr/sbin/ebtables -t broute $1 BROUTING -p ipv4 -d XX:XX:XX:XX:XX:XX -i $2 -j ACCEPT
 
Anyone? Specifically, I'd like to know if I need this rule for DNS resolution between a client and the DNS server, including local name resolution for the DNS server to know the hostname of the client.

Code:
/usr/sbin/ebtables -t broute $1 BROUTING -p ipv4 -d XX:XX:XX:XX:XX:XX -i $2 -j ACCEPT
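
Added example, not part of the original post: a dry-run generator for the same broute rule set in which the final ACCEPT is narrowed from all IPv4 traffic to the DNS server's MAC down to port 53 (UDP and TCP) to 10.14.16.2. The function name, its argument order (action, interface, DNS server MAC) and the sample MAC are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the ebtables commands instead of
# running them, so the rule set can be reviewed before it is applied.
# Assumptions: function name and argument order are this example's own;
# 10.14.16.2 is the DNS server address given in the post.

EBT=/usr/sbin/ebtables
DNS_IP=10.14.16.2

guest_dns_rules() {
    action=$1 iface=$2 dns_mac=$3

    case $action in
        -I|-D) ;;
        *) echo "action must be -I or -D" >&2; return 1 ;;
    esac
    # Accept only a plain interface name: the value lands on a command line.
    case $iface in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    printf '%s\n' "$dns_mac" |
        grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' ||
        { echo "bad MAC address" >&2; return 1; }

    # In the broute table DROP means "route this frame instead of bridging it"
    # and ACCEPT means "bridge it". With -I every rule is inserted at the top
    # of the chain, so the ACCEPT rules printed last are evaluated first.
    for proto in ipv4 ipv6 arp; do
        echo "$EBT -t broute $action BROUTING -p $proto -i $iface -j DROP"
    done

    # Bridge only DNS to the server: IP protocol 17 is UDP, 6 is TCP (used for
    # large or truncated answers). Numbers avoid relying on /etc/protocols.
    for l4 in 17 6; do
        echo "$EBT -t broute $action BROUTING -p ipv4 -d $dns_mac -i $iface" \
             "--ip-dst $DNS_IP --ip-proto $l4 --ip-dport 53 -j ACCEPT"
    done
}

# Constructed sample values: guest interface wl0.1, placeholder MAC.
guest_dns_rules -I wl0.1 02:00:00:00:00:01
```

Run the same call with `-D` to print the matching delete commands.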
 
