Answer the question
In order to leave comments, you need to log in
IPTABLES rules for distribution from local DNS server?
Router. There are two devices on the same 192.168.1.x network.
On the first 192.168.1.11 - local dns server 127.0.0.20:53
The task is to configure iptables so that the second device 192.168.1.22 on the same network can receive dns requests.
I'm scratching my head for the second day. Prompt in what direction to dig?
iptables
# Generated by iptables-save v1.4.15 on Thu Apr 19 22:55:51 2018
*security
:INPUT ACCEPT [88:7030]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [66:10514]
COMMIT
# Completed on Thu Apr 19 22:55:51 2018
# Generated by iptables-save v1.4.15 on Thu Apr 19 22:55:51 2018
*raw
:PREROUTING ACCEPT [201:28123]
:OUTPUT ACCEPT [66:10514]
COMMIT
# Completed on Thu Apr 19 22:55:51 2018
# Generated by iptables-save v1.4.15 on Thu Apr 19 22:55:51 2018
*nat
:PREROUTING ACCEPT [97:20041]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [8:968]
:POSTROUTING ACCEPT [8:968]
-A PREROUTING -s 192.168.1.22 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.20:53
-A PREROUTING -s 192.168.1.22 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.20:53
-A POSTROUTING -o wlan0 -p udp -m udp --sport 53 -j MASQUERADE
-A POSTROUTING -o wlan0 -p tcp -m tcp --sport 53 -j MASQUERADE
COMMIT
# Completed on Thu Apr 19 22:55:51 2018
# Generated by iptables-save v1.4.15 on Thu Apr 19 22:55:51 2018
*mangle
:PREROUTING ACCEPT [200:27970]
:INPUT ACCEPT [88:7030]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [66:10514]
:POSTROUTING ACCEPT [66:10514]
:connman-INPUT - [0:0]
:connman-POSTROUTING - [0:0]
-A INPUT -j connman-INPUT
-A POSTROUTING -j connman-POSTROUTING
-A connman-INPUT -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A connman-POSTROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
# Completed on Thu Apr 19 22:55:51 2018
# Generated by iptables-save v1.4.15 on Thu Apr 19 22:55:51 2018
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18:2536]
:IN_SSH - [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH
-A INPUT -i wlan0 -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A TCP -p tcp -m multiport --dports 22,53,8080,139,445 -j ACCEPT
-A UDP -p udp -m multiport --dports 53,123,137,138 -j ACCEPT
COMMIT
# Completed on Thu Apr 19 22:55:51 2018
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.p2p0.forwarding = 1
net.ipv4.conf.p2p0.mc_forwarding = 0
net.ipv4.conf.r_rmnet_data0.forwarding = 1
net.ipv4.conf.r_rmnet_data0.mc_forwarding = 0
net.ipv4.conf.r_rmnet_data1.forwarding = 1
net.ipv4.conf.r_rmnet_data1.mc_forwarding = 0
net.ipv4.conf.r_rmnet_data2.forwarding = 1
net.ipv4.conf.r_rmnet_data2.mc_forwarding = 0
net.ipv4.conf.r_rmnet_data3.forwarding = 1
net.ipv4.conf.r_rmnet_data3.mc_forwarding = 0
net.ipv4.conf.r_rmnet_data4.forwarding = 1
net.ipv4.conf.r_rmnet_data4.mc_forwarding = 0
net.ipv4.conf.r_rmnet_data5.forwarding = 1
net.ipv4.conf.r_rmnet_data5.mc_forwarding = 0
net.ipv4.conf.r_rmnet_data6.forwarding = 1
net.ipv4.conf.r_rmnet_data6.mc_forwarding = 0
net.ipv4.conf.r_rmnet_data7.forwarding = 1
net.ipv4.conf.r_rmnet_data7.mc_forwarding = 0
net.ipv4.conf.r_rmnet_data8.forwarding = 1
net.ipv4.conf.r_rmnet_data8.mc_forwarding = 0
net.ipv4.conf.rmnet0.forwarding = 1
net.ipv4.conf.rmnet0.mc_forwarding = 0
net.ipv4.conf.rmnet_data0.forwarding = 1
net.ipv4.conf.rmnet_data0.mc_forwarding = 0
net.ipv4.conf.rmnet_data1.forwarding = 1
net.ipv4.conf.rmnet_data1.mc_forwarding = 0
net.ipv4.conf.rmnet_data2.forwarding = 1
net.ipv4.conf.rmnet_data2.mc_forwarding = 0
net.ipv4.conf.rmnet_data3.forwarding = 1
net.ipv4.conf.rmnet_data3.mc_forwarding = 0
net.ipv4.conf.rmnet_data4.forwarding = 1
net.ipv4.conf.rmnet_data4.mc_forwarding = 0
net.ipv4.conf.rmnet_data5.forwarding = 1
net.ipv4.conf.rmnet_data5.mc_forwarding = 0
net.ipv4.conf.rmnet_data6.forwarding = 1
net.ipv4.conf.rmnet_data6.mc_forwarding = 0
net.ipv4.conf.rmnet_data7.forwarding = 1
net.ipv4.conf.rmnet_data7.mc_forwarding = 0
net.ipv4.conf.sit0.forwarding = 1
net.ipv4.conf.sit0.mc_forwarding = 0
net.ipv4.conf.wlan0.forwarding = 1
net.ipv4.conf.wlan0.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.p2p0.forwarding = 0
net.ipv6.conf.r_rmnet_data0.forwarding = 0
net.ipv6.conf.r_rmnet_data1.forwarding = 0
net.ipv6.conf.r_rmnet_data2.forwarding = 0
net.ipv6.conf.r_rmnet_data3.forwarding = 0
net.ipv6.conf.r_rmnet_data4.forwarding = 0
net.ipv6.conf.r_rmnet_data5.forwarding = 0
net.ipv6.conf.r_rmnet_data6.forwarding = 0
net.ipv6.conf.r_rmnet_data7.forwarding = 0
net.ipv6.conf.r_rmnet_data8.forwarding = 0
net.ipv6.conf.rmnet0.forwarding = 0
net.ipv6.conf.rmnet_data0.forwarding = 0
net.ipv6.conf.rmnet_data1.forwarding = 0
net.ipv6.conf.rmnet_data2.forwarding = 0
net.ipv6.conf.rmnet_data3.forwarding = 0
net.ipv6.conf.rmnet_data4.forwarding = 0
net.ipv6.conf.rmnet_data5.forwarding = 0
net.ipv6.conf.rmnet_data6.forwarding = 0
net.ipv6.conf.rmnet_data7.forwarding = 0
net.ipv6.conf.sit0.forwarding = 0
net.ipv6.conf.wlan0.forwarding = 0
Chain POSTROUTING (policy ACCEPT 35 packets, 3542 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE udp -- any wlan0 anywhere anywhere udp spt:domain
0 0 MASQUERADE tcp -- any wlan0 anywhere anywhere tcp spt:domain
Answer the question
In order to leave comments, you need to log in
Understanding
1. A packet arrives that we must forward to a server on the local network before making a routing decision
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.20:53
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 53 -j DNAT --to-destination
127.0.0.20:53 0]
-I FORWARD 1 -i wlan0 -o wlan0 -d 127.0.0.20 -p udp -m udp --dport 53 -j ACCEPT
-I FORWARD 1 -i wlan0 -o wlan0 -d 127.0.0.20 -p tcp -m tcp --dport 53 -j ACCEPT
3. Change the return address of the packet
-A POSTROUTING -o wlan0 -p udp -m udp --dport 53 -j SNAT --to-source 192.168.1.11:53
-A POSTROUTING -o wlan0 -p tcp -m tcp --dport 53 -j SNAT --to-source 192.168.1.11:53
4. All dns queries go to local dns server
-A OUTPUT -o wlan0 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.20:53
-A OUTPUT -o wlan0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.20:53
192.168.1.11 ip of the machine where there is a dns server and I configure iptables
So or not? Where is the mistake?
________________________________________________________________________
Solved the problem with two rules in the *nat chain like this:
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.20:53
-A POSTROUTING -o wlan0 -p udp - m udp --dport 53 -j SNAT --to-source 192.168.1.11:53
plus a command for routes through localhost
sysctl -w net.ipv4.conf.all.route_localnet=1
Thank you all for your comments, they helped me get to the answer :)
The specified 2 hosts are in the same network, the router does not participate in the transmission of their traffic
Based on the assumption that the router, dns server and host .1.22 are three different devices and they are connected to the local network by a switch.
The traffic exchange in the network segment occurs via the Ethernet protocol, the search for hosts - ARP. Traffic is addressed directly to the host using the mac address, not the ip address. Therefore, traffic between hosts on the local network a) simply does not reach the router, because is not addressed to him, because when sending, the mac-address of the destination host is set - the dns server. The router also receives this packet, but since mac-address does not match, it discards it (therefore there is also a promiscuous mode - Promiscuous mode , which allows you to capture any traffic, but this is not our case) and b) no filtering rules are used (you can check by completely blocking the FORWARD chain).
Have you tried changing the DNS server settings on the host 192.168.1.22?
Try to send a request directly, for example like this:
nslookup ya.ru 1.1.1.1
nmap -p U:53 192.168.1.11
if there is no answer, go to 192.168.1.11.
Is the port open? Can the DNS server settings be changed so that it hangs not on the local interface, but on 192.168.1.11?
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question