Total newb; completely lost - IPTables and DNSMasq


Malaromane

New Around Here
I apologise for signing up and immediately asking completely newb questions but I've been searching through the forum and the wiki on my own but I'm just completely lost.

I've just upgraded my router from a Netgear R7000 running DD-WRT to an ASUS RT-AC86U. Straight out of the box, I upgraded it to the latest ASUS firmware and then subsequently upgraded it to the 384.5 ASUSWRT-Merlin build before doing any configuration.

I've got pretty much everything configured and working well and I've enabled jffs and also ssh access to the router. But there are still two things that I just can't seem to figure out how to do correctly:

1. Add a rule to the DNSMasq configuration:
I need to add a rule along the lines of:
address=/domain.name.net/111.222.333.444

I've created a file named dnsmasq.conf.add in the /jffs/configs directory on the router with the above line in it (and nothing else) and rebooted the router, but the rule doesn't seem to be taking effect (when I do an NSLOOKUP for the specified address, it's not returning the IP address I'd expect). I've ensured that I do a /flushdns and a /renew on the PC I'm testing with each time.

2. Create a firewall iptables rule:
On my DD-WRT router, I've got two commands entered into the Firewall section on the Commands tab similar to:
iptables -t nat -I PREROUTING --destination <ip> -j DNAT --to <alternate IP>

I cannot for the life of me figure out where I'm supposed to do this in Asuswrt-Merlin or, if on the command line, what file I should be putting it into.

Could some kind soul put me out of my misery?
 
Welcome @Malaromane

1. Looks like you've done everything correctly. You can check whether your line has been appended by logging into the router and issuing the following command:

cat /etc/dnsmasq.conf

If it's not there try issuing the following commands and looking again:

dos2unix /jffs/configs/dnsmasq.conf.add
chmod 777 /jffs/configs/dnsmasq.conf.add
service restart_dnsmasq


2. To add or insert rules into the nat table you need to create a user script called /jffs/scripts/nat-start as below:
Code:
#!/bin/sh
iptables -t nat -I PREROUTING --destination <ip> -j DNAT --to <alternate IP>
Remember to make it executable with chmod 755 ;)

But this looks like you might just be port forwarding? You can do that in the GUI at WAN > Virtual Server / Port Forwarding
 
And of course you have to enable "JFFS custom scripts and configs" in Administration > System.
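As an added illustration (not a script from the thread, and not Asuswrt-Merlin's own code), here is a fuller /jffs/scripts/nat-start in the spirit of the one-liner above. It DNATs port 53 traffic addressed to the hard-coded resolvers 8.8.8.8 and 8.8.4.4 (the addresses mentioned later in the thread) to 185.37.37.37 for both UDP and TCP. The LAN interface name br0, the helper function names, and the use of `iptables -C` before `-I` so that repeated runs of nat-start do not stack duplicate rules are all assumptions of this example, not something the thread states. The rules are only applied when the file is actually invoked as nat-start, so the functions can be sourced and checked without touching the live nat table.

```shell
#!/bin/sh
# Example /jffs/scripts/nat-start (added illustration, not the thread's script).
# Redirects DNS queries that LAN clients send straight to a hard-coded public
# resolver (8.8.8.8 / 8.8.4.4) to an alternate resolver instead.
#
# nat-start can be run again whenever the firewall is rebuilt, so a bare
# "iptables -I" would stack duplicate rules over time. ensure_nat_rule checks
# with "-C" first and inserts only when the rule is absent.

CAPTURE_RESOLVERS="8.8.8.8 8.8.4.4"   # destinations to capture (from the thread)
REDIRECT_TO="185.37.37.37"            # replacement resolver (from the thread)
LAN_IF="br0"                          # assumption: the LAN bridge interface

# Print the nat rule specification (chain first) for one resolver/protocol.
dns_redirect_spec() {
    # $1 = captured destination IP, $2 = udp|tcp, $3 = replacement resolver
    printf 'PREROUTING -i %s -p %s -d %s --dport 53 -j DNAT --to-destination %s' \
        "$LAN_IF" "$2" "$1" "$3"
}

# Insert a rule into the nat table only if it is not already present.
# Returns 0 when inserted, 1 when it was already there, 2 when iptables failed.
ensure_nat_rule() {
    # $1 is deliberately unquoted: the spec is a space-separated argument list
    if iptables -t nat -C $1 2>/dev/null; then
        return 1
    fi
    iptables -t nat -I $1 || return 2
    return 0
}

# Apply the rules for every captured resolver and both DNS transports.
# Sets DNS_REDIRECT_INSERTED to the number of rules newly inserted.
apply_dns_redirects() {
    DNS_REDIRECT_INSERTED=0
    for ip in $CAPTURE_RESOLVERS; do
        for proto in udp tcp; do
            spec=$(dns_redirect_spec "$ip" "$proto" "$REDIRECT_TO")
            rc=0
            ensure_nat_rule "$spec" || rc=$?
            case $rc in
                0) DNS_REDIRECT_INSERTED=$((DNS_REDIRECT_INSERTED + 1)) ;;
                2) logger -t nat-start "failed to insert: $spec"; return 1 ;;
            esac
        done
    done
    logger -t nat-start "DNS redirect rules in place ($DNS_REDIRECT_INSERTED newly inserted)"
    return 0
}

# Apply only when the firewall runs this file as nat-start, so the functions
# above can also be sourced and exercised without touching iptables.
case "$0" in
    */nat-start) apply_dns_redirects ;;
esac
```

Save it as /jffs/scripts/nat-start, make it executable with chmod 755, and confirm with `iptables -t nat -L PREROUTING -n --line-numbers` that the four rules appear once even after the firewall has been restarted; the DNAT only changes the destination address, so clients still see a reply "from" 8.8.8.8 and notice nothing.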
 
Thank you very much for the welcome and especially for your help @ColinTaylor .

When I

cat /etc/dnsmasq.conf

I do, indeed, see my entry at the bottom of the list of settings. But it doesn't seem to work. But at least I know that I've got the information in the right place. I just need to play around a bit more, I guess.

Welcome @Malaromane
2. To add or insert rules into the nat table you need to create a user script called /jffs/scripts/nat-start as below:
Code:
#!/bin/sh
iptables -t nat -I PREROUTING --destination <ip> -j DNAT --to <alternate IP>
Remember to make it executable with chmod 755 ;)

But this looks like you might just be port forwarding? You can do that in the GUI at WAN > Virtual Server / Port Forwarding

Thank you for the instructions. Very much appreciated. I think that worked for me.

I use a Dynamic DNS service so I'm using the iptables entry to capture hard-coded calls to 8.8.8.8 and 8.8.4.4 and redirect them to the Unlocator DNS servers (185.37.37.37). The WAN > Virtual Server/Port Forwarding page looked to me like it was for redirecting incoming connections -- but I've already admitted that I don't know what I'm doing! :).
 
I use a Dynamic DNS service so I'm using the iptables entry to capture hard-coded calls to 8.8.8.8 and 8.8.4.4 and redirect them to the Unlocator DNS servers (185.37.37.37). The WAN > Virtual Server/Port Forwarding page looked to me like it was for redirecting incoming connections -- but I've already admitted that I don't know what I'm doing! :).
Yes, Virtual Server/Port Forwarding is for incoming connections. But there is another menu option that will do the same thing as your iptables rule, DNS Filtering. With DNS Filtering you can select which devices are forced to go to a desired DNS server. So for example, you could make a Roku box use 185.37.37.37 but everything else uses the router's built-in DNS.
 
Yes, Virtual Server/Port Forwarding is for incoming connections. But there is another menu option that will do the same thing as your iptables rule, DNS Filtering. With DNS Filtering you can select which devices are forced to go to a desired DNS server. So for example, you could make a Roku box use 185.37.37.37 but everything else uses the router's built-in DNS.

Thank you! I'd been looking for that for hours before giving up. Even after you gave me the actual menu to look for, it took me longer than I'd care to admit to figure out that it was "buried" on the AiProtection page.
 
OK. One more round of questions if I may:

If I set the Global Filter Mode to "Router" does that mean that every device on my network will redirect all DNS lookups to the DNS host(s) configured on my router unless they are listed separately on the Client list?

Does this only affect DNS lookups or will this also intercept traffic that addresses an IP directly (i.e. if an app on my Roku box makes a direct call to 8.8.8.8, will it be redirected to my router's DNS servers)?
 
If I set the Global Filter Mode to "Router" does that mean that every device on my network will redirect all DNS lookups to the DNS host(s) configured on my router unless they are listed separately on the Client list?
Not quite. It forces all devices not explicitly listed to use the router's own built-in DNS server (dnsmasq). This server will then forward any requests it can't resolve upstream to the servers defined on the WAN page.

Does this only affect DNS lookups or will this also intercept traffic that addresses an IP directly (i.e. if an app on my Roku box makes a direct call to 8.8.8.8, will it be redirected to my router's DNS servers)?
It only intercepts DNS requests.
 
Not quite. It forces all devices not explicitly listed to use the router's own built-in DNS server (dnsmasq). This server will then forward any requests it can't resolve upstream to the servers defined on the WAN page.

It only intercepts DNS requests.

Colin, you just reminded me of something I’d meant to try and forgot. I have facebook and twitter blocked via AB-Solution, but I see that if I go to the wireless adapter settings on my iPhone, and change the DNS server setting from automatic to manual and set the DNS server to, say, 8.8.8.8, then these sites are accessible. So this appears to show that an individual device can simply bypass the router’s DNS configuration by setting the interface settings to a manual external DNS address. Is that correct?
 
Colin, you just reminded me of something I’d meant to try and forgot. I have facebook and twitter blocked via AB-Solution, but I see that if I go to the wireless adapter settings on my iPhone, and change the DNS server setting from automatic to manual and set the DNS server to, say, 8.8.8.8, then these sites are accessible. So this appears to show that an individual device can simply bypass the router’s DNS configuration by setting the interface settings to a manual external DNS address. Is that correct?
That's exactly what DNS filter is designed to prevent; it will intercept and force them to the server you have set.
 
That's exactly what DNS filter is designed to prevent; it will intercept and force them to the server you have set.

D’uh! Thanks Jack. I’d turned the DNS filter off when I switched from a Raspberry Pi DNS blocking setup to AB-Solution. It’s now back on and working and intercepting all DNS requests, as Colin said, regardless of individual interface settings.

Many thanks for that.
 
I just wanted to come back and once again thank @ColinTaylor for the informative and helpful responses to my dumb questions. I think I've got my new Asus router up and configured properly as I transition from DD-WRT to the world of ASUSWRT-Merlin.

Next step: installing and configuring AB-Solution and possibly Skynet. Baby steps.
 
