Where to put iptables script to execute on boot?

Wait, so even running DNSFilter with the Pi-holes set to no filtering, and if I set global filter mode to router, if I manually change my DNS in Windows I still leak Google DNS when I run a test using 8.8.8.8. Now I've confused myself.
 
> No, as in, when I switched over and removed the script and iptables rule I don't get the DoT section either.
Strange. Were you looking in the filter table, not the nat table?

> I prefer to not get flooded with all of the redirected queries coming directly from the router and just keep it on a device basis, so I may just stick to my original script and call it a day.
I can't see how your script would change that. But as I said earlier there are lots of subtle nuances with DNS and I don't know all your settings.
 
> Wait, so even running DNSFilter with the Pi-holes set to no filtering & if I set global filter mode to router...
Why are you doing that? Global filter should be pointing to the Pi (or you need to set the LAN DHCP setting for the Pi - which is what you want to do anyway).
 
So what are you suggesting? Set it to Custom 1 and have the Pi-hole IP address there?

 
Yes, confirmed: I can see the DoT in the filter table. Also found this in my FORWARD chain policy. Should this be deleted somehow?

Code:
ACCEPT     all  --  192.168.1.0/24       dns.google
ACCEPT     all  --  192.168.1.0/24       dns.google
ACCEPT     all  --  192.168.1.0/24       dns.google
ACCEPT     all  --  192.168.1.0/24       dns.google
ACCEPT     all  --  192.168.1.0/24       dns.google
ACCEPT     all  --  192.168.1.0/24       dns.google
 
Sorry, I don't recognise that.
 
Use iptables -t filter -L -v to show the complete information. That might give you a clue.
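The script the thread keeps referring to is never shown on the page. Here is an added example (my own, not the original poster's script and not part of the router firmware) of the rules under discussion, written so that re-running it cannot stack duplicates: DNAT of LAN port 53 to the Pi-hole in the nat table, the hairpin SNAT an intra-LAN redirect needs, and a DoT block on 853/tcp in the filter table's FORWARD chain, which is why that rule only ever appears under iptables -t filter -L -v and not in the nat table. Assumptions: the Pi-hole is 192.168.1.10 on br0, the LAN is 192.168.1.0/24, the file is saved as /jffs/scripts/dns-force.sh on an Asuswrt-Merlin router, and the firmware's /jffs/scripts/nat-start hook (executable, JFFS custom scripts enabled) contains the single line sh /jffs/scripts/dns-force.sh apply so it runs on boot and every NAT reload.

```shell
#!/bin/sh
# Added example, not the original poster's script and not shipped with the
# firmware. Assumed deployment: /jffs/scripts/dns-force.sh, called with "apply"
# from /jffs/scripts/nat-start so it runs at boot and on every NAT reload.
# Set DRYRUN=1 to print the iptables commands instead of executing them.

PIHOLE="${PIHOLE:-192.168.1.10}"       # assumed Pi-hole address (or keepalived VIP)
LAN_IF="${LAN_IF:-br0}"                # assumed LAN bridge interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN subnet

# run ARGS...: execute iptables, or echo the command when DRYRUN is set.
run() {
    if [ -n "${DRYRUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# add_rule TABLE CHAIN MATCH...: insert at the top of CHAIN, but only if an
# identical rule is not already there (-C), so re-running the hook on every
# NAT reload does not pile up duplicates like the six dns.google lines above.
add_rule() {
    table="$1"; chain="$2"; shift 2
    if [ -n "${DRYRUN:-}" ] || ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        run -t "$table" -I "$chain" "$@"
    fi
}

apply_dns_rules() {
    for proto in udp tcp; do
        # nat table: send every LAN client's plain-DNS query to the Pi-hole,
        # whatever server the client asked for (a hard-coded 8.8.8.8 included).
        # The Pi-hole itself is exempt so its own upstream queries are not looped.
        add_rule nat PREROUTING -i "$LAN_IF" ! -s "$PIHOLE" -p "$proto" --dport 53 \
            -j DNAT --to-destination "$PIHOLE:53"
        # Hairpin: client and Pi-hole share the LAN, so without this the Pi-hole
        # would answer the client directly from its own address, the client
        # expects 8.8.8.8 and drops the reply. Cost: the Pi-hole now logs the
        # router, not the client, as the source of every redirected query.
        add_rule nat POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$PIHOLE" -p "$proto" --dport 53 \
            -j MASQUERADE
    done
    # filter table: refuse DNS-over-TLS from the LAN so a client cannot bypass
    # the redirect with DoT. This lives in FORWARD, which is why it only shows
    # up with iptables -t filter -L -v and never in the nat table.
    add_rule filter FORWARD -i "$LAN_IF" ! -s "$PIHOLE" -p tcp --dport 853 \
        -j REJECT --reject-with tcp-reset
}

# show_dns_rules: -S prints rules in command form, interfaces included, which
# is the quickest way to see where a stray ACCEPT or DNAT really points.
show_dns_rules() {
    run -t nat -S PREROUTING
    run -t nat -S POSTROUTING
    run -t filter -S FORWARD
}

case "${1:-}" in
    apply) apply_dns_rules ;;
    show)  show_dns_rules ;;
esac
```

Run DRYRUN=1 sh dns-force.sh apply first to see the five commands it would issue, then sh dns-force.sh show after a reboot to confirm they survived. Two caveats a practitioner will want: the MASQUERADE line is exactly what makes bypassing devices look like "the router" in the Pi-hole log, and a port rule on 853 does nothing against DNS-over-HTTPS on 443.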
 
> Use the Pi as DHCP server?
No, I was talking about the DNS Server 1 setting.

> I currently have it on the router and pointing to the Pi-hole DNS on my LAN page.
OK, that's what I meant. BTW, there's no point specifying the same address for server 1 and server 2; you can leave server 2 blank. Also, is your Pi-hole actually a WINS server?
 
I'm not sure. I get the same result using 'iptables -t filter -L -v'; maybe I'll delete them after I look into it more.

No, it's not a WINS server, so I can delete that and the second server column.
 
I recall reading that some Google devices will fill DNS 2 in locally with 8.8.8.8, so some people put the Pi-Hole IP twice to fake it out.

Are there different interfaces on those dns.google entries if you run iptables -S FORWARD?
 
Yes, yes, my mistake. I had 3x entries each for 8.8.8.8 and 8.8.4.4 in routes to block any requests to Google DNS.

OK, so I have configured DNSFilter as per the discussion with ColinTaylor and have re-added the secondary DNS server with the Pi-hole details, just as a failsafe, even though DNSFilter should catch any redirects.

I understand now that I am seeing any queries trying to bypass the Pi-hole come through as if requested by the router. There is no way around this, is there, to tell it to come from the device and not the router? It would be good to know the offending device(s), but as it comes from the router I am none the wiser; still, I'm happy to know that all traffic is going through it now.
 
There is a Rube Goldberg setup documented by some rube in this post that might be what you’re looking for.
 
That actually links back to an older thread of mine from when I was just running a single Pi-hole, with the dnsmasq config on the router. I still have that setup. I now run a dual Pi-hole setup with keepalived to create a virtual shared DNS IP, so I have local fallback if one goes offline.

I think even with this in place, do you get the queries that are rerouted as having come from the router, as opposed to, say, a Chromecast device that has 8.8.8.8 hardcoded for some DNS queries, etc.?

EDIT:
One thing I didn't have was the 'check the box to advertise the router IP in addition to the custom choice.' Could this fix the issue, so it helps redirect back to the culprit device/devices?
 
Advertising the router IP was important for single Pi-Hole setups to avoid a single point of failure. The add-subnet and add-mac dnsmasq parameters should be enough to see original IPs and hopefully names on the Pi-Hole for redirected queries.
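The add-subnet and add-mac options mentioned above, as an added example of the router-side dnsmasq fragment (not the poster's own configuration; the file path and the Pi-hole address are assumptions):

```conf
# /jffs/configs/dnsmasq.conf.add  (path assumed: Asuswrt-Merlin appends this
# file to the generated dnsmasq.conf; added example, not the poster's config)

# Attach the querying client's full IPv4 (/32) or IPv6 (/128) address as an
# EDNS Client Subnet option on every query the router's dnsmasq forwards
# upstream, i.e. to the Pi-hole (or the keepalived VIP) set on the LAN page.
add-subnet=32,128

# Also attach the client's MAC address as an EDNS0 option. dnsmasq can only
# do this for clients on its own link, which is the LAN case here; the MAC
# lets the Pi-hole identify the device even when its IP changes.
add-mac
```

Two things to check before relying on it. First, these options only tag queries that actually pass through the router's dnsmasq; a rule that DNATs port 53 straight to the Pi-hole never touches dnsmasq, so the redirected-to-the-router setup the linked thread describes is a prerequisite. Second, on the Pi-hole side confirm that FTL is configured to take the client from the ECS option (the EDNS0_ECS setting in pihole-FTL.conf), and because a /32 subnet is the whole client address, confirm the Pi-hole is not passing it on to its own upstream resolvers.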
 
OK, cool; well, in that case it doesn't really matter, as I do not have a single point of failure.

Cool, I shall double-check the setup again and test over the coming days. Nothing additional is needed for dnsmasq on the Pi-hole side either? Thanks again for your help and knowledge.
 
Still getting some blocked requests from other devices showing as from the router. Do you get the same result, or do you have them strictly coming from the devices only?
 
