SBS. Script for using sing-box on Asus routers with Merlin firmware.

[ZebMcKayhan]

I did it. To install and configure sing-box, simply run this command in the router console:

wget -O /jffs/scripts/sing-box_script-install https://raw.githubusercontent.com/Dr4tez/sing-box4asus/main/sing-box_script-install && chmod 775 /jffs/scripts/sing-box_script-install && /jffs/scripts/sing-box_script-install

Please read the attached readme file first.

Great job! And thanks for sharing!

I saw that you managed to work around the deletion of routes when exiting the shell by letting the router system start it. Perhaps the up/down of the interface during shell exit is something you could feedback to whoever wrote this sing-box application?

 

[Kyjiep]

Great job! And thanks for sharing!

I saw that you managed to work around the deletion of routes when exiting the shell by letting the router system start it. Perhaps the up/down of the interface during shell exit is something you could feedback to whoever wrote this sing-box application?

I didn't understand what I was able to get around that could be reported to the sing-box developer. I think that the sing-box developer is not interested in such things in principle. He has created and is developing an excellent application for many platforms. I, with the help of chatGPT, just wrote a script that allows us to use its huge potential on our routers with Merlin firmware. There are only a couple of minor flaws in this script that perhaps real programmers can fix.

 

[Kyjiep]

Fresh and serious update of my script for download, install, configure and run sing-box with tun interface on Asus routers with Merlin firmware.
To install the script, run this command on the router command line

wget -O /jffs/scripts/sb-script-install https://raw.githubusercontent.com/Dr4tez/sing-box4asus/main/sb-script-install && chmod 775 /jffs/scripts/sb-script-install && /jffs/scripts/sb-script-install

This command no longer works because the files for this version of the script have been removed.

Spoiler: Updated 07/11/2024. Version v0.5

1. The list of device IP addresses, the routing table number, and the TUN interface name have been moved to a separate configuration file- script-conf.
2. Changes in the code due to the relocation of the script to the /jffs/addons/sing-box directory.
3. The script can now be started with the command sbs -when executed without additional parameters, a list of supported parameters and their brief descriptions will be displayed.
4. New script launch parameters have been added:
edit -to edit the config.json file using the nano editor,
remove -after a single confirmation request, stops all script processes, rolls back changes made to system scripts, and performs a complete removal of all script files and directories.
5. Now, after starting the script in the console, you do not need to restart the router, script will continue to work correctly after closing the console.
6. Many optimizations.
7. The script has become more user-friendly.

To migrate to the new version from the previous one:
It is best to completely delete the old version after stopping the script. Pre-save the config.json file located in the /opt/root/sing-box directory, and later you can place it in the /jffs/addons/sing-box directory after installing the new version.
Then, just in case, check the file /jffs/scripts/firewall-start —if there are entries created by the script like these:

iptables -I FORWARD -i sbtun -j ACCEPT
iptables -I FORWARD -o sbtun -j ACCEPT
iptables -I INPUT -i sbtun -j ACCEPT
iptables -I OUTPUT -o sbtun -j ACCEPT

remove them, though you might have a different TUN interface name instead of sbtun.
Next, check the file /jffs/scripts/services-start —if there are entries created by the script like these:

sleep 30
/mnt/entware/entware/sing-box/sing-box-script-ru start

remove them.
Then restart the router.
The new version is installed from the router's console with the following command:

wget -O /jffs/scripts/sb-script-install https://raw.githubusercontent.com/Dr4tez/sing-box4asus/main/sb-script-install && chmod 775 /jffs/scripts/sb-script-install && /jffs/scripts/sb-script-install

 

[Kyjiep]

SBS (sing-box-script) update again.
To install the script, run this command on the router command line

wget -O /jffs/scripts/sbs https://raw.githubusercontent.com/Dr4tez/sing-box4asus/main/sbs && chmod 775 /jffs/scripts/sbs && /jffs/scripts/sbs install

Spoiler: Updated 07/17/2024. Version v0.6

1. Added automatic restoration of IP rules for the script's routing table after system events that cause their deletion. For example, such an event is triggered by clicking the "Apply" button in the "WAN" section of the router's web interface.
2. Changed script file names and directories.
3. The installer and main script have been combined into one script.
4. Editing config.json in the nano editor is now moved to the command

sbs setup

5. The command

sbs edit

now edits the sbs-conf settings file in the nano editor.
6. Added command

sbs update

for updating the main script file, monitor script, and sing-box core. This command will allow us to avoid manual migration to new versions in the future. It will be enough to simply execute this command in the router console.
7. Fixes for errors and bugs found in the previous version.

To migrate from version 0.5 to version 0.6:
Save your config.json file located in the /jffs/addons/sing-box directory somewhere (it will be deleted, as well as the /opt/root/sing-box directory).
Remove version 0.5 using the command in the router console

sbs remove

Install version 0.6 by running the following command in the router console

wget -O /jffs/scripts/sbs https://raw.githubusercontent.com/Dr4tez/sing-box4asus/main/sbs && chmod 775 /jffs/scripts/sbs && /jffs/scripts/sbs install

Place your previously saved config.json file in the /jffs/addons/sing-box-script directory, replacing the config.json template located there.
Configure the script using the command in the router console

sbs setup

 

[Kyjiep]

In general, in the sing-box configuration file (config.json), in a special section, you can specify DNS servers and rules for them. But, for some reason, they are ignored on my router. As a result, all DNS requests from devices, whose traffic is directed through the sing-box tun interface, always go to the DNS server, specified in the router settings. I suspect, that this happens on all similar routers. Therefore, I did not include a section for DNS settings in my sing-box configuration file. But, in principle, for me personally, this does not matter. But, just for science's sake, it would be nice to know a way to fix this.

 

[ZebMcKayhan]

But, just for science's sake, it would be nice to know a way to fix this.

Usually router itself uses "exclusive" mode, which means dns redirection via firewall rules. It could look something like this:

 #create new chain and flush it
iptables -t nat -N SINGBOXDNS
iptables -t nat -F SINGBOXDNS 2>/dev/null

#create record for dns to jump to this chain:
iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j SINGBOXDNS
iptables -t nat -I PREROUTING -p udp -m tcp --dport 53 -j SINGBOXDNS

#setup source ip rules for redirect dns:
iptables -t nat -A SINGBOXDNS -s 192.168.50.45 -j DNAT --to-destination 8.8.8.8
iptables -t nat -A SINGBOXDNS -s 192.168.50.102 -j DNAT --to-destination 8.8.8.8

(Hope I got this right)
Replace 192.168.50.45 and 192.168.50.102 with your source ip that uses singbox
Replace 8.8.8.8 with DNS ip you wish SIngbox clients to use.

Everything needs to go into nat-start to reapply on different events that make router flush nat rules.

 

[Kyjiep]

Usually router itself uses "exclusive" mode, which means dns redirection via firewall rules. It could look something like this:

 #create new chain and flush it
iptables -t nat -N SINGBOXDNS
iptables -t nat -F SINGBOXDNS 2>/dev/null

#create record for dns to jump to this chain:
iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j SINGBOXDNS
iptables -t nat -I PREROUTING -p udp -m tcp --dport 53 -j SINGBOXDNS

#setup source ip rules for redirect dns:
iptables -t nat -A SINGBOXDNS -s 192.168.50.45 -j DNAT --to-destination 8.8.8.8
iptables -t nat -A SINGBOXDNS -s 192.168.50.102 -j DNAT --to-destination 8.8.8.8

(Hope I got this right)
Replace 192.168.50.45 with your source ip that uses singbox
Replace 8.8.8.8 with DNS ip you wish SIngbox clients to use.

Everything needs to go into nat-start to reapply on different events that make router flush nat rules.

You probably haven't used sing-box on other platforms where it is fully supported without any extra manipulations with the system. Here is a sample configuration file that works fully on Android, iOS, Windows and Ubuntu server. In this configuration file, there is a DNS settings section at the beginning. In it, I can set different DNS resolvers for different domains, different inbounds, different clash mods, and with different Wi-Fi SSIDs I can make different rules.

{
  "log": {
    "level": "error",
    "timestamp": true
  },
  "dns": {
    "servers": [
      {
        "tag": "dns-google",
        "address": "8.8.8.8",
        "strategy": "ipv4_only"
      },
      {
        "tag": "dns-quad9",
        "address": "9.9.9.9"
      }
    ],
    "rules": [
      {
        "outbound": "any",
        "server": "dns-quad9"
      },
      {
        "clash_mode": "Global",
        "server": "dns-quad9"
      },
      {
        "clash_mode": "Direct",
        "server": "dns-google"
      },
      {
        "rule_set": "my_domains",
        "server": "dns-quad9"
      },
      {
        "inbound": "mixed-in-global",
        "server": "dns-quad9"
      }
    ],
    "independent_cache": true
  },
  "inbounds": [
    {
      "type": "tun",
      "tag": "tun-in",
      "interface_name": "sbtun",
      "mtu": 1492,
      "inet4_address": "172.19.0.1/28",
      "auto_route": false,
      "endpoint_independent_nat": true,
      "stack": "mixed",
      "sniff": true
    },
    {
      "type": "mixed",
      "tag": "mixed-in-rule",
      "listen": "0.0.0.0",
      "listen_port": 2080,
      "sniff": true
    },
    {
      "type": "mixed",
      "tag": "mixed-in-global",
      "listen": "0.0.0.0",
      "listen_port": 2081,
      "sniff": true
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct"
    },
    {
      "type": "selector",
      "tag": "Proxy",
      "outbounds": [
        "1. VLESS-AEZA",
        "2. WG-AEZA"
      ],
      "interrupt_exist_connections": true
    },
    {
      "type": "vless",
      "tag": "1. VLESS-AEZA",
      "server": "XX.XX.XX.XX",
      "server_port": 443,
      "uuid": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
      "flow": "xtls-rprx-vision",
      "tls": {
        "enabled": true,
        "server_name": "discord.com",
        "utls": {
          "enabled": true,
          "fingerprint": "chrome"
        },
        "reality": {
          "enabled": true,
          "public_key": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
          "short_id": "XXXXXXXXX"
        }
      }
    },
    {
      "type": "wireguard",
      "tag": "2. WG-AEZA",
      "local_address": "10.73.105.11/32",
      "private_key": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=",
      "server": "XX.XX.XX.XX",
      "server_port": XXXX,
      "peer_public_key": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=",
      "pre_shared_key": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=",
      "mtu": 1376
    },
    {
      "type": "dns",
      "tag": "dns-out"
    }
  ],
  "route": {
    "rules": [
      {
        "protocol": "dns",
        "outbound": "dns-out"
      },
      {
        "clash_mode": "Global",
        "outbound": "Proxy"
      },
      {
        "clash_mode": "Direct",
        "outbound": "direct"
      },
      {
        "ip_cidr": "31.131.253.250",
        "rule_set": "my_domains",
        "outbound": "Proxy"
      },
      {
        "inbound": "mixed-in-global",
        "outbound": "Proxy"
      }
    ],
    "rule_set": [
      {
        "type": "remote",
        "tag": "my_domains",
        "format": "binary",
        "url": "https://github.com/Dr4tez/my_domains/raw/main/my_domains.srs"
      }
  ],
    "auto_detect_interface": true
  },
  "experimental": {
      "cache_file": {
          "enabled": true,
          "path": "/opt/root/sing-box/cache.db"
      },
      "clash_api": {
          "external_controller": "0.0.0.0:9090",
          "external_ui": "/opt/root/sing-box/ui",
          "secret": "3194"
      }
  }
}

And it all works as it should and without problems. But not on the router. It seems that DNS requests simply do not reach the tun interface.
Here is the sample I use in the router, because the dns settings in the sing-box config file are simply ignored.

{
  "log": {
    "level": "error",
    "timestamp": true
  },
  "inbounds": [
    {
      "type": "tun",
      "tag": "tun-in",
      "interface_name": "sbtun",
      "mtu": 1492,
      "inet4_address": "172.19.0.1/28",
      "auto_route": false,
      "endpoint_independent_nat": true,
      "stack": "mixed",
      "sniff": true
    },
    {
      "type": "mixed",
      "tag": "mixed-in-rule",
      "listen": "0.0.0.0",
      "listen_port": 2080,
      "sniff": true
    },
    {
      "type": "mixed",
      "tag": "mixed-in-global",
      "listen": "0.0.0.0",
      "listen_port": 2081,
      "sniff": true
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct"
    },
    {
      "type": "selector",
      "tag": "Proxy",
      "outbounds": [
        "1. VLESS-AEZA",
        "2. WG-AEZA"
      ],
      "interrupt_exist_connections": true
    },
    {
      "type": "vless",
      "tag": "1. VLESS-AEZA",
      "server": "XX.XX.XX.XX",
      "server_port": 443,
      "uuid": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
      "flow": "xtls-rprx-vision",
      "tls": {
        "enabled": true,
        "server_name": "discord.com",
        "utls": {
          "enabled": true,
          "fingerprint": "chrome"
        },
        "reality": {
          "enabled": true,
          "public_key": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
          "short_id": "XXXXXXXXX"
        }
      }
    },
    {
      "type": "wireguard",
      "tag": "2. WG-AEZA",
      "local_address": "10.73.105.11/32",
      "private_key": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=",
      "server": "XX.XX.XX.XX",
      "server_port": XXXX,
      "peer_public_key": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=",
      "pre_shared_key": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=",
      "mtu": 1376
    },
    {
      "type": "dns",
      "tag": "dns-out"
    }
  ],
  "route": {
    "rules": [
      {
        "protocol": "dns",
        "outbound": "dns-out"
      },
      {
        "clash_mode": "Global",
        "outbound": "Proxy"
      },
      {
        "clash_mode": "Direct",
        "outbound": "direct"
      },
      {
        "ip_cidr": "31.131.253.250",
        "rule_set": "my_domains",
        "outbound": "Proxy"
      },
      {
        "inbound": "mixed-in-global",
        "outbound": "Proxy"
      }
    ],
    "rule_set": [
      {
        "type": "remote",
        "tag": "my_domains",
        "format": "binary",
        "url": "https://github.com/Dr4tez/my_domains/raw/main/my_domains.srs"
      }
  ],
    "auto_detect_interface": true
  },
  "experimental": {
      "cache_file": {
          "enabled": true,
          "path": "/opt/root/sing-box/cache.db"
      },
      "clash_api": {
          "external_controller": "0.0.0.0:9090",
          "external_ui": "/opt/root/sing-box/ui",
          "secret": "3194"
      }
  }
}

 

[ZebMcKayhan]

You probably haven't used sing-box on other platforms where it is fully supported without any extra manipulations with the system.

You are right, I haven't. Just trying to help. A router is abit different since it serves many devices and various systems are put in to prevent dnsleaks. Things any single device don't have to care about.

Dnsdirector might prevent dns requests from being forwarded which may be a problem for you if you have set global redirection to router.

 

[Kyjiep]

You are right, I haven't. Just trying to help. A router is abit different since it serves many devices and various systems are put in to prevent dnsleaks. Things any single device don't have to care about.

Dnsdirector might prevent dns requests from being forwarded which may be a problem for you if you have set global redirection to router.

I'm grateful for your help. DNS director is disabled on the router. Probably something at the system level is interfering here. The question is whether it is possible to bypass this. If possible, how. Here I need the help of someone who knows the capabilities and limitations of the router firmware and, perhaps, has encountered a similar issue himself. Maybe everything is simple here, or maybe it’s impossible, I’m not strong in such matters. And ChatGPT cannot help me in this matter, I tried its suggestions. This question is too specific.
It’s a pity that no one here is interested in using sing-box capabilities on Asus routers. This tool has recently become popular in countries with severe Internet censorship. Some of my friends enjoy using my script. They can also create configuration files for sing-box, but they don’t understand the specifics of their use in routers at all, almost like me.

 

[ZebMcKayhan]

The question is whether it is possible to bypass this.

Most certainly.

What dns are your router telling your clients to use (LAN -> DHCP page)? Are you pushing router ip as dns to clients via dhcp? How are you testing this? Can you send dns requests to arbitrary dns from your client?

DNS director is disabled on the router.

You could always enable it and setup custom dns to whatever dns ip (like 8.8.8.8) interface and setup a rule for the device is using singbox. It would let the dns request be forwarded instead of executed.

Singbox cannot recieve dns requests on the router, dnsmasq is already hogging port 53. But using dnsdirector will allow the dnsrequest to be forwarded instead and since you have ip rule that this source address should use singbox, it will be forwarded via singbox.

I'm not sure whether singbox will just slip this request forward to its destination or if it will intercept it and process it itself.

 

[Kyjiep]

What dns are your router telling your clients to use (LAN -> DHCP page)? Are you pushing router ip as dns to clients via dhcp? How are you testing this? Can you send dns requests to arbitrary dns from your client?

All clients are assigned DNS via the router's dhcp. This is the IP address of the home Linux server with Adguard Home installed on it. For the router itself, the DNS server is the same Adguard Home. On it, I record DNS requests from each client separately, and that's how I find out that the requests go through it, and not directly to the public DNS servers specified in the sing-box configuration file. Well, I also check with dnsleaktest. Of course, if i can specify other DNS servers in the client settings, and if i specify them, then the requests go through them, and not through adguard home.

You could always enable it and setup custom dns to whatever dns ip (like 8.8.8.8) interface and setup a rule for the device is using singbox. It would let the dns request be forwarded instead of executed.

In the dns director i can only assign a specific ip address of the dns server to a specific mac address of the device. This is too thick. Well, I tried to assign the ip address of the tun interface as a dns server to certain clients, and all the same, dns requests for them are processed in Adguard Home.

 

[ZebMcKayhan]

Well, I tried to assign the ip address of the tun interface as a dns server to certain clients, and all the same, dns requests for them are processed in Adguard Home.

As I said, there can only be one instance on the router listening to port 53 (dns). I don't know how AGH does this, it may use a different port and have dnsmasq forward to this port (like Unbound)or it may also be that AGH disables dnsmasq dns and listens to port 53 itself.
Anyhow, if you want singbox to recieve dns requests it's just not possible on the router, via gui.
Even via ssh it's tricky, since it's all or nothing (as far as I know). You probably wouldnt want sigbox to handle all router dns request, your best chance may be to reconfigure singbox to use dns on a different port. Then you could either use firewall rules to redirect certain source ip dns requests to this port (similar to my suggestions above) or you may setup AGH to forward to router on this port.

 

[Kyjiep]

your best chance may be to reconfigure singbox to use dns on a different port. Then you could either use firewall rules to redirect certain source ip dns requests to this port (similar to my suggestions above)

I haven't tried setting up a sing-box to accept DNS requests on a different port, but it seems possible. Can you show me the commands to create the necessary firewall rules? Redirecting requests from Adguard Home may not suit everyone, many simply do not use this tool.

 

[ZebMcKayhan]

Can you show me the commands to create the necessary firewall rules?

It's the same, you just add the port to translate to:

 #create new chain and flush it
iptables -t nat -N SINGBOXDNS
iptables -t nat -F SINGBOXDNS 2>/dev/null

#create record for dns to jump to this chain:
iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j SINGBOXDNS
iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -j SINGBOXDNS

#setup source ip rules for redirect dns:
iptables -t nat -A SINGBOXDNS -s 192.168.50.45 -j DNAT --to-destination <singbox_tun_ip>:portnr
iptables -t nat -A SINGBOXDNS -s 192.168.50.102 -j DNAT --to-destination <singbox_tun_ip>:portnr
#more rules from different source ips could be added here.

 

[Kyjiep]

It's the same, you just add the port to translate to:

 #create new chain and flush it
iptables -t nat -N SINGBOXDNS
iptables -t nat -F SINGBOXDNS 2>/dev/null

#create record for dns to jump to this chain:
iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j SINGBOXDNS
iptables -t nat -I PREROUTING -p udp -m tcp --dport 53 -j SINGBOXDNS

#setup source ip rules for redirect dns:
iptables -t nat -A SINGBOXDNS -s 192.168.50.45 -j DNAT --to-destination <singbox_tun_ip>:portnr
iptables -t nat -A SINGBOXDNS -s 192.168.50.102 -j DNAT --to-destination <singbox_tun_ip>:portnr
#more rules from different source ips could be added here.

I don't understand what is meant by SINGBOXDNS?

<singbox_tun_ip>:portnr

- will it look like 172.19.0.1:5553? 172.19.0.1 is the inet4_address of the tun interface, specified in the sing-box configuration file. 5553 is the port for receiving DNS requests?

 

[ZebMcKayhan]

I don't understand what is meant by SINGBOXDNS?

It's the name of the new firewall chain we are creating. It's more convenient to create a new chain (rule list) and have all udp and tcp port 53 to be sent to this new chain. Then simpler rules could be made in this chain since we know only dns requests come here.
If we didn't do it like this, we would have to make 2 more complicated rules for each source ip entry. Like:

iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -s 192.168.50.102 -j DNAT --to-destination <singbox_tun_ip>:portnr
iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -s 192.168.50.102 -j DNAT --to-destination <singbox_tun_ip>:portnr

but any would work.

172.19.0.1:5553

Yep, looks right.

 

[ZebMcKayhan]

@Kyjiep please note I updated the rules as I found a typo (I wonder if copy-paste really saved anyone some time, really).

 

[Kyjiep]

@Kyjiep please note I updated the rules as I found a typo (I wonder if copy-paste really saved anyone some time, really).

Thank you. I haven't tried it yet. When I have time, I'll definitely try it and let you know the result.

 

[Kyjiep]

your best chance may be to reconfigure singbox to use dns on a different port. Then you could either use firewall rules to redirect certain source ip dns requests to this port (similar to my suggestions above) or you may setup AGH to forward to router on this port.

Great idea. This trick worked with Adguard Home. I'll try with iptables.

 

[Kyjiep]

It's the same, you just add the port to translate to:

 #create new chain and flush it
iptables -t nat -N SINGBOXDNS
iptables -t nat -F SINGBOXDNS 2>/dev/null

#create record for dns to jump to this chain:
iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j SINGBOXDNS
iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -j SINGBOXDNS

#setup source ip rules for redirect dns:
iptables -t nat -A SINGBOXDNS -s 192.168.50.45 -j DNAT --to-destination <singbox_tun_ip>:portnr
iptables -t nat -A SINGBOXDNS -s 192.168.50.102 -j DNAT --to-destination <singbox_tun_ip>:portnr
#more rules from different source ips could be added here.

But with iptables this number does not work. DNS requests after executing the commands you have given go to Adguard Home.
For me these were commands for ip 192.168.50.33. In the last two I had to specify tcp and udp, because without this the command line complained about their absence.

iptables -t nat -N SINGBOXDNS
iptables -t nat -F SINGBOXDNS 2>/dev/null


iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j SINGBOXDNS
iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -j SINGBOXDNS


iptables -t nat -A SINGBOXDNS -s 192.168.50.33 -p tcp -j DNAT --to-destination 172.19.0.1:5553
iptables -t nat -A SINGBOXDNS -s 192.168.50.33 -p udp -j DNAT --to-destination 172.19.0.1:5553

Could it be that dnsmasq is intercepting traffic on port 53 before it is processed by iptables?