Domain Name System
nomaster, 2018-04-19 20:15:56

iptables rules to make a local DNS server available to other hosts?

Router. There are two devices on the same 192.168.1.x network.
On the first one, 192.168.1.11, a local DNS server listens on 127.0.0.20:53.
The task is to configure iptables so that the second device, 192.168.1.22, on the same network can have its DNS requests served.
I've been scratching my head over this for two days now. Which direction should I dig in?
iptables

# Generated by iptables-save v1.4.15 on Thu Apr 19 22:55:51 2018
*security
:INPUT ACCEPT [88:7030]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [66:10514]
COMMIT
# Completed on Thu Apr 19 22:55:51 2018
# Generated by iptables-save v1.4.15 on Thu Apr 19 22:55:51 2018
*raw
:PREROUTING ACCEPT [201:28123]
:OUTPUT ACCEPT [66:10514]
COMMIT
# Completed on Thu Apr 19 22:55:51 2018
# Generated by iptables-save v1.4.15 on Thu Apr 19 22:55:51 2018
*nat
:PREROUTING ACCEPT [97:20041]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [8:968]
:POSTROUTING ACCEPT [8:968]
-A PREROUTING -s 192.168.1.22 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.20:53
-A PREROUTING -s 192.168.1.22 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.20:53
-A POSTROUTING -o wlan0 -p udp -m udp --sport 53 -j MASQUERADE
-A POSTROUTING -o wlan0 -p tcp -m tcp --sport 53 -j MASQUERADE
COMMIT
# Completed on Thu Apr 19 22:55:51 2018
# Generated by iptables-save v1.4.15 on Thu Apr 19 22:55:51 2018
*mangle
:PREROUTING ACCEPT [200:27970]
:INPUT ACCEPT [88:7030]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [66:10514]
:POSTROUTING ACCEPT [66:10514]
:connman-INPUT - [0:0]
:connman-POSTROUTING - [0:0]
-A INPUT -j connman-INPUT
-A POSTROUTING -j connman-POSTROUTING
-A connman-INPUT -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A connman-POSTROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
# Completed on Thu Apr 19 22:55:51 2018
# Generated by iptables-save v1.4.15 on Thu Apr 19 22:55:51 2018
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18:2536]
:IN_SSH - [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH
-A INPUT -i wlan0 -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A TCP -p tcp -m multiport --dports 22,53,8080,139,445 -j ACCEPT
-A UDP -p udp -m multiport --dports 53,123,137,138 -j ACCEPT
COMMIT
# Completed on Thu Apr 19 22:55:51 2018

sysctl -a | grep forward
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.p2p0.forwarding = 1
net.ipv4.conf.p2p0.mc_forwarding = 0
net.ipv4.conf.r_rmnet_data0.forwarding = 1
net.ipv4.conf.r_rmnet_data0.mc_forwarding = 0
net.ipv4.conf.r_rmnet_data1.forwarding = 1
net.ipv4.conf.r_rmnet_data1.mc_forwarding = 0
net.ipv4.conf.r_rmnet_data2.forwarding = 1
net.ipv4.conf.r_rmnet_data2.mc_forwarding = 0
net.ipv4.conf.r_rmnet_data3.forwarding = 1
net.ipv4.conf.r_rmnet_data3.mc_forwarding = 0
net.ipv4.conf.r_rmnet_data4.forwarding = 1
net.ipv4.conf.r_rmnet_data4.mc_forwarding = 0
net.ipv4.conf.r_rmnet_data5.forwarding = 1
net.ipv4.conf.r_rmnet_data5.mc_forwarding = 0
net.ipv4.conf.r_rmnet_data6.forwarding = 1
net.ipv4.conf.r_rmnet_data6.mc_forwarding = 0
net.ipv4.conf.r_rmnet_data7.forwarding = 1
net.ipv4.conf.r_rmnet_data7.mc_forwarding = 0
net.ipv4.conf.r_rmnet_data8.forwarding = 1
net.ipv4.conf.r_rmnet_data8.mc_forwarding = 0
net.ipv4.conf.rmnet0.forwarding = 1
net.ipv4.conf.rmnet0.mc_forwarding = 0
net.ipv4.conf.rmnet_data0.forwarding = 1
net.ipv4.conf.rmnet_data0.mc_forwarding = 0
net.ipv4.conf.rmnet_data1.forwarding = 1
net.ipv4.conf.rmnet_data1.mc_forwarding = 0
net.ipv4.conf.rmnet_data2.forwarding = 1
net.ipv4.conf.rmnet_data2.mc_forwarding = 0
net.ipv4.conf.rmnet_data3.forwarding = 1
net.ipv4.conf.rmnet_data3.mc_forwarding = 0
net.ipv4.conf.rmnet_data4.forwarding = 1
net.ipv4.conf.rmnet_data4.mc_forwarding = 0
net.ipv4.conf.rmnet_data5.forwarding = 1
net.ipv4.conf.rmnet_data5.mc_forwarding = 0
net.ipv4.conf.rmnet_data6.forwarding = 1
net.ipv4.conf.rmnet_data6.mc_forwarding = 0
net.ipv4.conf.rmnet_data7.forwarding = 1
net.ipv4.conf.rmnet_data7.mc_forwarding = 0
net.ipv4.conf.sit0.forwarding = 1
net.ipv4.conf.sit0.mc_forwarding = 0
net.ipv4.conf.wlan0.forwarding = 1
net.ipv4.conf.wlan0.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.p2p0.forwarding = 0
net.ipv6.conf.r_rmnet_data0.forwarding = 0
net.ipv6.conf.r_rmnet_data1.forwarding = 0
net.ipv6.conf.r_rmnet_data2.forwarding = 0
net.ipv6.conf.r_rmnet_data3.forwarding = 0
net.ipv6.conf.r_rmnet_data4.forwarding = 0
net.ipv6.conf.r_rmnet_data5.forwarding = 0
net.ipv6.conf.r_rmnet_data6.forwarding = 0
net.ipv6.conf.r_rmnet_data7.forwarding = 0
net.ipv6.conf.r_rmnet_data8.forwarding = 0
net.ipv6.conf.rmnet0.forwarding = 0
net.ipv6.conf.rmnet_data0.forwarding = 0
net.ipv6.conf.rmnet_data1.forwarding = 0
net.ipv6.conf.rmnet_data2.forwarding = 0
net.ipv6.conf.rmnet_data3.forwarding = 0
net.ipv6.conf.rmnet_data4.forwarding = 0
net.ipv6.conf.rmnet_data5.forwarding = 0
net.ipv6.conf.rmnet_data6.forwarding = 0
net.ipv6.conf.rmnet_data7.forwarding = 0
net.ipv6.conf.sit0.forwarding = 0
net.ipv6.conf.wlan0.forwarding = 0

iptables -t nat -Z POSTROUTING
watch iptables -t nat -v -L POSTROUTING
Chain POSTROUTING (policy ACCEPT 35 packets, 3542 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  udp  --  any    wlan0   anywhere             anywhere             udp spt:domain
    0     0 MASQUERADE  tcp  --  any    wlan0   anywhere             anywhere             tcp spt:domain

3 answer(s)
nomaster, 2018-04-20
@nomaster

My understanding:
1. A packet arrives that we must forward to the server on the local network, before the routing decision is made
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.20:53
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.20:53
-I FORWARD 1 -i wlan0 -o wlan0 -d 127.0.0.20 -p udp -m udp --dport 53 -j ACCEPT
-I FORWARD 1 -i wlan0 -o wlan0 -d 127.0.0.20 -p tcp -m tcp --dport 53 -j ACCEPT
3. Change the return address of the packet
-A POSTROUTING -o wlan0 -p udp -m udp --dport 53 -j SNAT --to-source 192.168.1.11:53
-A POSTROUTING -o wlan0 -p tcp -m tcp --dport 53 -j SNAT --to-source 192.168.1.11:53
4. All DNS queries go to the local DNS server
-A OUTPUT -o wlan0 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.20:53
-A OUTPUT -o wlan0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.20:53
192.168.1.11 is the IP of the machine that hosts the DNS server and where I am configuring iptables.
Is that right or not? Where is the mistake?
________________________________________________________________________
Solved the problem with two rules in the *nat chain, like this:
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.20:53
-A POSTROUTING -o wlan0 -p udp -m udp --dport 53 -j SNAT --to-source 192.168.1.11:53
plus a sysctl for routing to localhost addresses:
sysctl -w net.ipv4.conf.all.route_localnet=1
Thank you all for your comments, they helped me get to the answer :)
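An added check, not part of the thread, for the situation the thread ended on: a DNAT to a loopback address does nothing until route_localnet is enabled on the ingress interface. It lints an iptables-save dump against sysctl values; the dump and sysctl lines are constructed to mirror the question's setup.

```python
"""Lint an iptables-save dump for DNAT rules that point at 127.0.0.0/8: the kernel
drops such redirected packets unless route_localnet=1 on the ingress interface."""
import ipaddress
import re

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed sample mirroring the thread's setup (not a real capture).
SAMPLE_DUMP = """*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.20:53
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.11:80
COMMIT
"""

def parse_sysctl(text):
    """Turn `sysctl -a` style lines ('key = value') into a dict."""
    return dict(line.split(" = ", 1) for line in text.splitlines() if " = " in line)

def parse_nat_dnat(dump):
    """Return (chain, ingress_iface_or_None, target_ip) for each DNAT rule in *nat."""
    rules, table = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. *nat
            table = line[1:]
            continue
        m = re.search(r"--to-destination (\d+(?:\.\d+){3})", line)
        if table != "nat" or not line.startswith("-A ") or "-j DNAT" not in line or not m:
            continue
        iface = re.search(r"-i (\S+)", line)
        rules.append((line.split()[1], iface.group(1) if iface else None, m.group(1)))
    return rules

def check_loopback_dnat(dump, sysctl):
    """One finding per DNAT-to-loopback rule whose ingress lacks route_localnet=1.
    A rule without -i matches every interface, so only the 'all' knob can cover it."""
    findings = []
    for chain, iface, ip in parse_nat_dnat(dump):
        if ipaddress.ip_address(ip) not in LOOPBACK:
            continue
        key = f"net.ipv4.conf.{iface or 'all'}.route_localnet"
        # The kernel ORs the per-interface and 'all' values for this knob.
        if "1" not in (sysctl.get(key), sysctl.get("net.ipv4.conf.all.route_localnet")):
            findings.append(f"{chain}: DNAT to {ip} needs {key}=1")
    # Caveat: route_localnet=1 makes every 127.x-bound service on that interface
    # reachable through DNAT, so keep such rules scoped to port 53 and the LAN.
    return findings
```

Feed it the real `iptables-save` and `sysctl -a` output to confirm the fix is in place after a reboot, since the sysctl is not persistent on its own.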

Denis Sechin, 2018-04-19
@tamogavk

The two hosts you mention are on the same network; the router does not take part in forwarding their traffic.

krosh, 2018-04-20
@krosh

Assuming that the router, the DNS server and host .1.22 are three different devices connected to the local network through a switch.
Traffic within a network segment is exchanged over Ethernet, and hosts are located with ARP. Traffic is addressed directly to the host by MAC address, not by IP address. Therefore traffic between hosts on the local network a) simply does not reach the router, because it is not addressed to it: when sending, the destination MAC address is set to that of the DNS server. The router also receives the frame, but since the MAC address does not match, it discards it (this is what promiscuous mode is for, which lets you capture any traffic, but that is not our case); and b) no filtering rules are applied (you can verify this by completely blocking the FORWARD chain).
Have you tried changing the DNS server settings on host 192.168.1.22?
Try sending a request directly, for example like this:
nslookup ya.ru 1.1.1.1
nmap -p U:53 192.168.1.11
If there is no answer, go to 192.168.1.11.
Is the port open? Can the DNS server settings be changed so that it listens not on the loopback interface but on 192.168.1.11?
