Where to put iptables script to execute on boot?

[josh3003]

Hi there,

Just wondering where the best place to put the following iptables script to force my virtual redundant keepalived ip address consisting of my dual pihole setup (192.168.1.20) I run DOH but wanted to capture and redirect any port 53 traffic as well. My command is below. Just wondering where the best place under /jffs/ to place this script and make it executable. Cheers.

iptables -t nat -A PREROUTING ! -s 192.168.1.20 ! -d 192.168.1.20 -i br0 -p tcp --dport 53 -j DNAT --to 192.168.1.20
iptables -t nat -A PREROUTING ! -s 192.168.1.20 ! -d 192.168.1.20 -i br0 -p udp --dport 53 -j DNAT --to 192.168.1.20
iptables -t nat -A PREROUTING ! -s 192.168.1.20 ! -d 192.168.1.20 -i br0 -p tcp --dport 5053 -j DNAT --to 192.168.1.20
iptables -t nat -A PREROUTING ! -s 192.168.1.20 ! -d 192.168.1.20 -i br0 -p udp --dport 5053 -j DNAT --to 192.168.1.20

 

[ColinTaylor]

NAT rules go in /jffs/scripts/nat-start

User scripts

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

Just wondering where the best place to put the following iptables script to force my virtual redundant keepalived ip address consisting of my dual pihole setup (192.168.1.20) I run DOH but wanted to capture and redirect any port 53 traffic as well.

Is there meant to be some punctuation in that sentence? I can't understand what you're saying.

 

[josh3003]

Is there meant to be some punctuation in there? I can't understand what you're saying.

Sorry, still waiting for the coffee & caffeine to kick in.

I have 2x Piholes on my network in a high availability cluster with keepalived
Master - 192.168.1.146
Slave - 192.168.1.98

Keepalived virtual DNS IP - 192.168.1.20

I have my router pointed to use 192.168.1.20 and when master pihole goes offline slave automatically takes over. I was running the DNSFilter option on my Asus router but was getting heaps of requests showing at the router level I do have conditional forwarding enabled. I was wondering if creating these iptable rules would benefit me in redirecting the port 53 and 5053 dns over https traffic to strictly the 192.168.1.20 address and if a device was to try and reach out it would be told and redirected to use that address and lower my requests being forwarded and redirected at the router level. If that makes better sense? Apologies.

 

[ColinTaylor]

OK, I get it now.

 

[josh3003]

OK, I get it now.

Awesome, thanks what would be the best method do you think in my case? Would iptable rules work better?

 

[ColinTaylor]

Would iptable rules work better?

Sorry, better than what?

I thought you had tested those iptables rules and were just asking how to make them persistent across reboots.

 

[josh3003]

Sorry, better than what?

Better than the DNSFilter.

I just wanted to make sure that is the correct code to use for iptables as my knowlege with them is quite limited.

 

[ColinTaylor]

Without knowing every aspect of your network setup I couldn't say whether those commands are correct for you. The subtle details of a Pi-Hole setup can get quite complicated when you start trying to implement DNSFilter-like features (and I'm not a Pi-Hole expert).

I suggest you just type them in at the command line and see if they work. If they do then you can put them in a nat-start script.

I'm a bit confused as to the purpose of the port 5053 DNAT. Presumably port 5053 is the listening port for cloudflared on the Pi-Holes? I don't see what you're trying to achieve by DNATing that port as none of your LAN clients will be using it (unless I'm missing something).

 

[josh3003]

I'm a bit confused as to the purpose of the port 5053 DNAT. Presumably port 5053 is the listening port for cloudflared on the Pi-Holes? I don't see what you're trying to archive by DNATing that port as none of your LAN clients will be using it (unless I'm missing something).

Those x2 lines quoting port 5053 was my doing, That makes complete sense as I was only copying thinking that it was an outbound port and not a listening port. You're right. I'll just cull those 2 5053 lines and report back shortly.

So I'll create a script

#!/bin/sh
iptables -t nat -A PREROUTING ! -s 192.168.1.20 ! -d 192.168.1.20 -i br0 -p tcp --dport 53 -j DNAT --to 192.168.1.20 
iptables -t nat -A PREROUTING ! -s 192.168.1.20 ! -d 192.168.1.20 -i br0 -p udp --dport 53 -j DNAT --to 192.168.1.20

Where is the best place to save it for persisting on reboots?

 

[ColinTaylor]

Where is the best place to save it for persisting on reboots?

See post #2.

But if you're just redirecting port 53 you might as well use DNSFilter in the GUI.

 

[josh3003]

But if you're just redirecting port 53 you might as well use DNSFilter in the GUI.

Sorry - did not see that post.

Thanks, are there any other common ports or to see if devices are reaching out onto the internet on any other ports than port 53?

 

[ColinTaylor]

Thanks, are there any other common ports or to see if devices are reaching out onto the internet on any other ports than port 53?

Ports for DNS? I'm only aware of DNS=53, DoT=853 and DoH=443.

 

[josh3003]

Ports for DNS? I'm only aware of DNS=53, DoT=853 and DoH=443.

Ok well I'd like to encapsulate all of those ports, so do I need a new line for each of those ports? As I want to make sure nothings reaching out to outside dns servers if there are say hardcoded doh servers for devices etc.

 

[ColinTaylor]

I doubt any regular client is using DoT to be honest.

You can't block DoH because it uses the same port as HTTPS. This is done deliberately so that it's impossible to identify it as DNS traffic (which is why it's so controversial).

 

[josh3003]

I doubt any regular client is using DoT to be honest.

You can't block DoH because it uses the same port as HTTPS. This is done deliberately so that it's impossible to identify it as DNS traffic (which is why it's so controversial).

Ok Thanks,

About that I can implement a workaround block for DOH using a blocklist here and add it onto my PiHole lists.

I got the script location and iptables working. Is it basically identical as DNSFilter? As I was using the below query instead

#!/bin/sh
iptables -t nat -A PREROUTING -i br0 -p udp ! --source 192.168.1.20 ! --destination 192.168.1.20 --dport 53 -j DNAT --to 192.168.1.20
 
iptables -t nat -A PREROUTING -i br0 -p tcp ! --source 192.168.1.20 ! --destination 192.168.1.20 --dport 53 -j DNAT --to 192.168.1.20

Now I am getting smashed with 'raspberrypi' queries coming from my router. I think I can fix it by instead running

#!/bin/sh
iptables -t nat -A PREROUTING -i br0 -p udp ! --source 192.168.1.0/24 ! --destination 192.168.1.20 --dport 53 -j DNAT --to 192.168.1.20
 
iptables -t nat -A PREROUTING -i br0 -p tcp ! --source 192.168.1.0/24 ! --destination 192.168.1.20 --dport 53 -j DNAT --to 192.168.1.20

 

[ColinTaylor]

I got the script location and iptables working. Is it basically identical as DNSFilter? As I was using the below query instead

Yes, you're just recreating exactly what DNSFilter does.

 

[ColinTaylor]

For reference here are the nat rules that DNSFilter would create (A8:6B:AD:4D:3E:4A would be your Pi-Hole's MAC):

-A PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER

-A DNSFILTER -m mac --mac-source A8:6B:AD:4D:3E:4A -j RETURN
-A DNSFILTER -j DNAT --to-destination 192.168.1.20

And as added bonus it also blocks DoT in the filter table:

-A FORWARD -i br0 -p tcp -m tcp --dport 853 -j DNSFILTER_DOT

-A DNSFILTER_DOT -m mac --mac-source A8:6B:AD:4D:3E:4A -j RETURN
-A DNSFILTER_DOT ! -d 192.168.1.20 -j REJECT --reject-with icmp-port-unreachable

 

[josh3003]

Yes, you're just recreating exactly what DNSFilter does.

For reference here are the nat rules that DNSFilter would create (A8:6B:AD:4D:3E:4A would be your Pi-Hole's MAC):

-A PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER

-A DNSFILTER -m mac --mac-source A8:6B:AD:4D:3E:4A -j RETURN
-A DNSFILTER -j DNAT --to-destination 192.168.1.20

And as added bonus it also blocks DoT in the filter table:

-A FORWARD -i br0 -p tcp -m tcp --dport 853 -j DNSFILTER_DOT

-A DNSFILTER_DOT -m mac --mac-source A8:6B:AD:4D:3E:4A -j RETURN
-A DNSFILTER_DOT ! -d 192.168.1.20 -j REJECT --reject-with icmp-port-unreachable

Yeah, I just realised I had the

! --source 192.168.1.0/24

where it would need to be without the '!'

I find when I run the iptables I get the result coming from the device rather than from the router.

I also don't get that DNSFILTER_DOT section and I am on Merlin 386.2_6

 

[ColinTaylor]

I find when I run the iptables I get the result coming from the device rather than from the router.

That's to be expected unless you change your LAN DHCP setting.

I also don't get that DNSFILTER_DOT section and I am on Merlin 386.2_6

That won't be there unless you're using DNSFilter.

So at this point I don't see any point in you using a script over DNSFilter.

 

[josh3003]

That won't be there unless you're using DNSFilter.

No as in, when I switched over and removed the script and iptable rule I don't get the DOT section either.

That's to be expected unless you change your LAN DHCP setting.

I prefer to not get flooded with all of the redirected queries coming directly from the router and just keep it on a device basis so I may just stick to my original script and call it a day.