Asus AC68-u iptable rule question

[josh3003]

Hi there, I have a Pi-Hole (2x) local ones running a virtual high availability IP - 192.168.1.20

Is there a way to set up IPtable rules to force all port 53 and 853 traffic through this IP? I see many different results on reddit and my knowlege on iptables is pretty limited so just wanting to seek some clarification.

FWIW I also have spun up a new pihole instance in an always free oracle cloud tier following chadgeary github guide. Not sure if we are able to use multiple IP addresses with iptable rules and if that is a limitation I guess just having the 2x piholes on my local network will be sufficient. I was using dnsfilter option for a while but I've heard it doesn't redirect port 853 traffic so happy to disable that feature and just run iptabling. Please let me know your thoughts and I'd like to see if I can get this up and running Thanks!

 

[eibgrad]

It's easy enough to redirect traffic using DNAT firewall rules *provided* they are open protocols like Do53 (DNS over port 53). The problem w/ DoT (port 853) is that it's a *secure* protocol that guarantees the authenticity of the server to the client. IOW, you can't just take port 853 traffic intended for ip X and redirect it to ip Y, anymore than you can redirect a request intended for Amazon.com and redirect it to BestBuy.com, even though both are using port 443 (https).

iptables -t nat -I PREROUTING -p udp ! -d 192.168.1.20 --dport 53 -j DNAT --to 192.168.1.20
iptables -t nat -I PREROUTING -p tcp ! -d 192.168.1.20 --dport 53 -j DNAT --to 192.168.1.20

In order to be persistent, the above would need to be installed using a nat-start script.

 

[josh3003]

It's easy enough to redirect traffic using DNAT firewall rules *provided* they are open protocols like Do53 (DNS over port 53). The problem w/ DoT (port 853) is that it's a *secure* protocol that guarantees the authenticity of the server to the client. IOW, you can't just take port 853 traffic intended for ip X and redirect it to ip Y, anymore than you can redirect a request intended for Amazon.com and redirect it to BestBuy.com, even though both are using port 443 (https).

iptables -t nat -I PREROUTING -p udp ! -d 192.168.1.20 --dport 53 -j DNAT --to 192.168.1.20
iptables -t nat -I PREROUTING -p tcp ! -d 192.168.1.20 --dport 53 -j DNAT --to 192.168.1.20

In order to be persistent, the above would need to be installed using a nat-start script.

Ok great,
Is it possible to have another IP address in there or does it break how the traffic is redirected? As I mentioned I have a cloud based pihole as well. Otherwise is this better to use than dnsfilter?

 

[eibgrad]

Ok great,
Is it possible to have another IP address in there or does it break how the traffic is redirected? As I mentioned I have a cloud based pihole as well. Otherwise is this better to use than dnsfilter?

I'm not sure I under the distinction your making here. Another IP address?

Again, redirection will work provided we're NOT talking about secure protocols that include authentication of the server to the client. And that includes any DNS filter, since that's all it typically is; a redirection.

Essentially, it's a form of hijacking, much like your ISP might do w/ your own Do53 traffic UNLESS you use a secure protocol like DoT (port 853). Any attempt to hijack that port and have it redirected to the ISP's DNS servers will fail since the ISP can neither read the encrypted data, nor authenticate itself to the client.

But again, if you're dealing w/ unsecured, open protocols like DNS over port 53, FTP, HTTP, TELNET, etc., you can redirect them all day long to wherever you want.

 

[josh3003]

iptables -t nat -I PREROUTING -p udp ! -d 192.168.1.20 --dport 53 -j DNAT --to 192.168.1.20
iptables -t nat -I PREROUTING -p tcp ! -d 192.168.1.20 --dport 53 -j DNAT --to 192.168.1.20

Unfortunately when I did this my DNS stopped working. Not too sure what went wrong. Just gone back to using DNSFilter for time being.

 

[eibgrad]

Unfortunately when I did this my DNS stopped working. Not too sure what went wrong. Just gone back to using DNSFilter for time being.

I'm NOT sure what the problem is either. When the redirection is elsewhere on the LAN (as opposed to the router or internet), it requires NAT loopback be enabled. And as far as I know, it always is. Then I started to wonder if maybe it is only when the DNS filter feature is enabled, but that didn't appear to be a requirement when I dumped the firewall. So it remains a mystery at the moment.

But regardless, if in the end you're dealing w/ Do53, you might as well use the DNS filter feature, since that's what it was intended for anyway. There's no particular benefit from managing it w/ your own firewall rules.

 

[SomeWhereOverTheRainBow]

It's easy enough to redirect traffic using DNAT firewall rules *provided* they are open protocols like Do53 (DNS over port 53). The problem w/ DoT (port 853) is that it's a *secure* protocol that guarantees the authenticity of the server to the client. IOW, you can't just take port 853 traffic intended for ip X and redirect it to ip Y, anymore than you can redirect a request intended for Amazon.com and redirect it to BestBuy.com, even though both are using port 443 (https).

I don't know if you could say it any simpler than that. From now on when I try to redirect my request from amazon.com to bestbuy.com I am going to remember your analogy...

 

[SomeWhereOverTheRainBow]

Unfortunately when I did this my DNS stopped working. Not too sure what went wrong. Just gone back to using DNSFilter for time being.

That is because you need to take into consideration the port 53's of your high-availability clients first in the chain.


eg.

iptables -A PREROUTING -i br0 -p tcp -m tcp --dport 53 -m mac --mac-source XX:XX:XX:XX:XX:XX  -j RETURN
iptables -A PREROUTING -i br0 -p udp -m udp --dport 53 -m mac --mac-source XX:XX:XX:XX:XX:XX  -j RETURN
iptables -A PREROUTING ! -s 192.168.1.20/32 ! -d 192.168.1.20/32 -i br0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.20
iptables -A PREROUTING ! -s 192.168.1.20/32 ! -d 192.168.1.20/32 -i br0 -p udp -m udp --dport 53  -j DNAT --to-destination 192.168.1.20

you need to provide returns for all macaddresses used in your high-availability chain. i.e. you are punching a hole for just those clients out to the internet. You need to replace the XX:XX:XX:XX:XX:XX with the correct mac addresses for all clients used in highavailability chain for both tcp and udp. If you use -I you need to put your return chains in reverse order, if you use -A, then you will be appending and the order i listed above would be correct.

 

[SomeWhereOverTheRainBow]

so if you had two or three piholes running in high availability your chains may look something like this. Remember order is key.

iptables -A PREROUTING -i br0 -p tcp -m tcp --dport 53 -m mac --mac-source XX:XX:XX:XX:XX:XX  -j RETURN # RPI1
iptables -A PREROUTING -i br0 -p udp -m udp --dport 53 -m mac --mac-source XX:XX:XX:XX:XX:XX  -j RETURN
iptables -A PREROUTING -i br0 -p tcp -m tcp --dport 53 -m mac --mac-source YY:YY:YY:YY:YY:YY  -j RETURN # RPI2
iptables -A PREROUTING -i br0 -p udp -m udp --dport 53 -m mac --mac-source YY:YY:YY:YY:YY:YY  -j RETURN
iptables -A PREROUTING -i br0 -p tcp -m tcp --dport 53 -m mac --mac-source ZZ:ZZ:ZZ:ZZ:ZZ:ZZ  -j RETURN # RPI3
iptables -A PREROUTING -i br0 -p udp -m udp --dport 53 -m mac --mac-source ZZ:ZZ:ZZ:ZZ:ZZ:ZZ  -j RETURN
iptables -A PREROUTING ! -s 192.168.1.20/32 ! -d 192.168.1.20/32 -i br0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.20
iptables -A PREROUTING ! -s 192.168.1.20/32 ! -d 192.168.1.20/32 -i br0 -p udp -m udp --dport 53  -j DNAT --to-destination 192.168.1.20

 

[josh3003]

If you use -I you need to put your return chains in reverse order, if you use -A, then you will be appending and the order i listed above would be correct.

How do I find out if it is -l or -a? Not too sure but yes I have 2x RPI's running so happy to use the example below but let's figure that out first as that sounds and makes sense to me as they both share the high availability virtual ip of 192.168.1.20 so I can get the mac addresses for each device to punch a hole for them.

 

[SomeWhereOverTheRainBow]

How do I find out if it is -l or -a? Not too sure but yes I have 2x RPI's running so happy to use the example below but let's figure that out first as that sounds and makes sense to me as they both share the high availability virtual ip of 192.168.1.20 so I can get the mac addresses for each device to punch a hole for them.

iptables -A versus iptables -I

 

[SomeWhereOverTheRainBow]

eg. if you use -I (-I puts the next chain at the top of the list so a reverse order is necessary)

iptables -I PREROUTING ! -s 192.168.1.20/32 ! -d 192.168.1.20/32 -i br0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.20
iptables -I PREROUTING ! -s 192.168.1.20/32 ! -d 192.168.1.20/32 -i br0 -p udp -m udp --dport 53  -j DNAT --to-destination 192.168.1.20
iptables -I PREROUTING -i br0 -p tcp -m tcp --dport 53 -m mac --mac-source XX:XX:XX:XX:XX:XX  -j RETURN # RPI1
iptables -I PREROUTING -i br0 -p udp -m udp --dport 53 -m mac --mac-source XX:XX:XX:XX:XX:XX  -j RETURN
iptables -I PREROUTING -i br0 -p tcp -m tcp --dport 53 -m mac --mac-source YY:YY:YY:YY:YY:YY  -j RETURN # RPI2
iptables -I PREROUTING -i br0 -p udp -m udp --dport 53 -m mac --mac-source YY:YY:YY:YY:YY:YY  -j RETURN
iptables -I PREROUTING -i br0 -p tcp -m tcp --dport 53 -m mac --mac-source ZZ:ZZ:ZZ:ZZ:ZZ:ZZ  -j RETURN # RPI3
iptables -I PREROUTING -i br0 -p udp -m udp --dport 53 -m mac --mac-source ZZ:ZZ:ZZ:ZZ:ZZ:ZZ  -j RETURN

if you use -A (-A appends to the bottom of the list so chains should flow normal order)

iptables -A PREROUTING -i br0 -p tcp -m tcp --dport 53 -m mac --mac-source XX:XX:XX:XX:XX:XX  -j RETURN # RPI1
iptables -A PREROUTING -i br0 -p udp -m udp --dport 53 -m mac --mac-source XX:XX:XX:XX:XX:XX  -j RETURN
iptables -A PREROUTING -i br0 -p tcp -m tcp --dport 53 -m mac --mac-source YY:YY:YY:YY:YY:YY  -j RETURN # RPI2
iptables -A PREROUTING -i br0 -p udp -m udp --dport 53 -m mac --mac-source YY:YY:YY:YY:YY:YY  -j RETURN
iptables -A PREROUTING -i br0 -p tcp -m tcp --dport 53 -m mac --mac-source ZZ:ZZ:ZZ:ZZ:ZZ:ZZ  -j RETURN # RPI3
iptables -A PREROUTING -i br0 -p udp -m udp --dport 53 -m mac --mac-source ZZ:ZZ:ZZ:ZZ:ZZ:ZZ  -j RETURN
iptables -A PREROUTING ! -s 192.168.1.20/32 ! -d 192.168.1.20/32 -i br0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.20
iptables -A PREROUTING ! -s 192.168.1.20/32 ! -d 192.168.1.20/32 -i br0 -p udp -m udp --dport 53  -j DNAT --to-destination 192.168.1.20

 

[josh3003]

iptables -A versus iptables -I

Never used iptable rules before is it a preference thing? Is there a way to see?

iptables -s

Shows me a heap of -A ones so assuming that's what my router uses??

 

[SomeWhereOverTheRainBow]

You need to determine the mac addresses for your return chains- i.e. the piholes you don't want to break the DNS on.

 

[SomeWhereOverTheRainBow]

your script uses -I so stick with that.

iptables -I PREROUTING ! -s 192.168.1.20/32 ! -d 192.168.1.20/32 -i br0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.20
iptables -I PREROUTING ! -s 192.168.1.20/32 ! -d 192.168.1.20/32 -i br0 -p udp -m udp --dport 53  -j DNAT --to-destination 192.168.1.20
iptables -I PREROUTING -i br0 -p tcp -m tcp --dport 53 -m mac --mac-source XX:XX:XX:XX:XX:XX  -j RETURN # RPI1
iptables -I PREROUTING -i br0 -p udp -m udp --dport 53 -m mac --mac-source XX:XX:XX:XX:XX:XX  -j RETURN
iptables -I PREROUTING -i br0 -p tcp -m tcp --dport 53 -m mac --mac-source YY:YY:YY:YY:YY:YY  -j RETURN # RPI2
iptables -I PREROUTING -i br0 -p udp -m udp --dport 53 -m mac --mac-source YY:YY:YY:YY:YY:YY  -j RETURN
iptables -I PREROUTING -i br0 -p tcp -m tcp --dport 53 -m mac --mac-source ZZ:ZZ:ZZ:ZZ:ZZ:ZZ  -j RETURN # RPI3
iptables -I PREROUTING -i br0 -p udp -m udp --dport 53 -m mac --mac-source ZZ:ZZ:ZZ:ZZ:ZZ:ZZ  -j RETURN

once you determine the mac addresses of your piholes that service your DNS, then fill in the blanks (i.e. XX:XX:XX:XX:XX:XX, or YY:YY:YY:YY:YY:YY, etc.) and viola you have your correct setup.

 

[josh3003]

your script uses -I so stick with that.
Code:

I deleted the script so I wasn't using either. So just use the -I example you put above and put both mac addresses for each primary and secondary pihole for # 1 and # 2?

 

[SomeWhereOverTheRainBow]

I deleted the script so I wasn't using either. So just use the -I example you put above and put both mac addresses for each primary and secondary pihole for # 1 and # 2?

correct, skip the #3 one since you are only using #1 and #2.

Just to simplify, consider this in your nat-start script.

iptables -D PREROUTING -t nat ! -s 192.168.1.20/32 ! -d 192.168.1.20/32 -i br0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.20 2>/dev/null
iptables -D PREROUTING -t nat ! -s 192.168.1.20/32 ! -d 192.168.1.20/32 -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.20 2>/dev/null
iptables -D PREROUTING -t nat -i br0 -p tcp -m tcp --dport 53 -m mac --mac-source XX:XX:XX:XX:XX:XX  -j RETURN 2>/dev/null
iptables -D PREROUTING -t nat -i br0 -p udp -m udp --dport 53 -m mac --mac-source XX:XX:XX:XX:XX:XX  -j RETURN 2>/dev/null
iptables -D PREROUTING -t nat -i br0 -p tcp -m tcp --dport 53 -m mac --mac-source YY:YY:YY:YY:YY:YY  -j RETURN 2>/dev/null
iptables -D PREROUTING -t nat -i br0 -p udp -m udp --dport 53 -m mac --mac-source YY:YY:YY:YY:YY:YY  -j RETURN 2>/dev/null
iptables -I PREROUTING -t nat ! -s 192.168.1.20/32 ! -d 192.168.1.20/32 -i br0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.20
iptables -I PREROUTING -t nat ! -s 192.168.1.20/32 ! -d 192.168.1.20/32 -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.20
iptables -I PREROUTING -t nat -i br0 -p tcp -m tcp --dport 53 -m mac --mac-source XX:XX:XX:XX:XX:XX  -j RETURN
iptables -I PREROUTING -t nat -i br0 -p udp -m udp --dport 53 -m mac --mac-source XX:XX:XX:XX:XX:XX  -j RETURN
iptables -I PREROUTING -t nat -i br0 -p tcp -m tcp --dport 53 -m mac --mac-source YY:YY:YY:YY:YY:YY  -j RETURN
iptables -I PREROUTING -t nat -i br0 -p udp -m udp --dport 53 -m mac --mac-source YY:YY:YY:YY:YY:YY  -j RETURN

The first set of rules will delete the chains incase your nat-start script is somehow invoked more than once. I have not clue how many times the script gets invoked so it is always a good practice to prevent duplicate chains.

 

[josh3003]

Just to simplify, consider this in your nat-start script.

Too easy, I use it in the firewall-start script assume either one works? I'll try this one shortly when I get a chance. Thanks.

 

[SomeWhereOverTheRainBow]

Too easy, I use it in the firewall-start script assume either one works? I'll try this one shortly when I get a chance. Thanks.

no problem, definitely include the deletes if you are considering firewall-start since that definitely will be invoked more than once.

 

[josh3003]

no problem, definitely include the deletes if you are considering firewall-start since that definitely will be invoked more than once.

Awesome, I think this is a bit better then using dnsfilter. Maybe it works the same but I feel anything obviously is hardcoded to be force redirected. So primary rpi will be XX:XX mac and secondary rpi will be YY:YY mac? just double checking