linux
Drno, 2021-11-09 17:18:22

Why does DNS stop working?

Good day. There is a server on Debian with qemu-kvm deployed.
A MikroTik CHR is deployed on it.

After applying these rules in iptables, DNS stops working from the MikroTik (and from everything behind it, from any of the machines on KVM).
The gateway and the network work, connecting by IP also works, but DNS does not resolve...

The MikroTik works as a VPN server, and it also forwards several ports for all sorts of needs.


# Automatic conntrack helper assignment (the PPTP helper relies on it here;
# an explicit CT rule in the raw table is the alternative)
sysctl -w net.netfilter.nf_conntrack_helper=1
# Let forwarded traffic reach the CHR VM on the libvirt bridge
iptables -I FORWARD -o virbr0 -d 192.168.122.2 -j ACCEPT
# PPTP passthrough: GRE plus the conntrack/NAT helper modules
# (ip_conntrack, ip_conntrack_pptp and ip_nat_pptp are legacy aliases of the nf_* names)
modprobe ip_gre
modprobe ip_conntrack_pptp
modprobe ip_conntrack
modprobe ip_nat_pptp
modprobe nf_conntrack_pptp
modprobe nf_conntrack
# Forward GRE and PPTP control connections from the uplink
iptables -A FORWARD -p gre -j ACCEPT
iptables -A FORWARD -i enp2s0 -p tcp --dport 1723 -j ACCEPT
# Port forwards to the CHR VM (each -I goes to the top of PREROUTING,
# so the rules end up in reverse order of this list)
iptables -t nat -I PREROUTING -p tcp --dport 1723 -j DNAT --to 192.168.122.2:1723
iptables -t nat -I PREROUTING -p gre -j DNAT --to 192.168.122.2
iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.122.2:80
iptables -t nat -I PREROUTING -p tcp --dport 443 -j DNAT --to 192.168.122.2:443
iptables -t nat -I PREROUTING -p tcp --dport 10052 -j DNAT --to 192.168.122.2:10052
iptables -t nat -I PREROUTING -p tcp --dport 8081 -j DNAT --to 192.168.122.2:8081
iptables -t nat -I PREROUTING -p tcp --dport 60009 -j DNAT --to 192.168.122.2:60009
iptables -t nat -I PREROUTING -p tcp --dport 59998 -j DNAT --to 192.168.122.2:59998
iptables -t nat -I PREROUTING -p tcp --dport 16001 -j DNAT --to 192.168.122.2:16001
iptables -t nat -I PREROUTING -p tcp --dport 10000 -j DNAT --to 192.168.122.2:10000
iptables -t nat -I PREROUTING -p tcp --dport 10001 -j DNAT --to 192.168.122.2:10001
iptables -t nat -I PREROUTING -p tcp --dport 38102 -j DNAT --to 192.168.122.2:38102
iptables -t nat -I PREROUTING -p tcp --dport 33888 -j DNAT --to 192.168.122.2:33888
iptables -t nat -I PREROUTING -p tcp --dport 33889 -j DNAT --to 192.168.122.2:33889
iptables -t nat -I PREROUTING -p tcp --dport 33898 -j DNAT --to 192.168.122.2:33898
iptables -t nat -I PREROUTING -p tcp --dport 33897 -j DNAT --to 192.168.122.2:33897
iptables -t nat -I PREROUTING -p tcp --dport 33891 -j DNAT --to 192.168.122.2:33891
iptables -t nat -I PREROUTING -p tcp --dport 9080 -j DNAT --to 192.168.122.2:9080
iptables -t nat -I PREROUTING -p tcp --dport 33895 -j DNAT --to 192.168.122.2:33895
iptables -t nat -I PREROUTING -p tcp --dport 33896 -j DNAT --to 192.168.122.2:33896
iptables -t nat -I PREROUTING -p tcp --dport 33898 -j DNAT --to 192.168.122.2:33898   # duplicate of the 33898 rule above
iptables -t nat -I PREROUTING -p tcp --dport 33899 -j DNAT --to 192.168.122.2:33899
# L2TP/IPsec (L2TP, IKE, NAT-T) to the CHR VM
iptables -t nat -I PREROUTING -p udp --dport 1701 -j DNAT --to 192.168.122.2:1701
iptables -t nat -I PREROUTING -p udp --dport 500 -j DNAT --to 192.168.122.2:500
iptables -t nat -I PREROUTING -p udp --dport 4500 -j DNAT --to 192.168.122.2:4500
# SSH to the host from the VM and from a trusted range (188.242.*.* is redacted in the post),
# plus 5999 from that range
iptables -A INPUT -s 192.168.122.2 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 188.242.*.* -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 188.242.*.* -p tcp --dport 5999 -j ACCEPT
iptables -A INPUT -s 188.242.*.* -p udp --dport 5999 -j ACCEPT
# Drop portmapper, DNS, mDNS and 5999 arriving on the uplink from anyone else,
# then SSH from anything not accepted above
iptables -A INPUT -i enp2s0 -p tcp --dport 111 -j DROP
iptables -A INPUT -i enp2s0 -p udp --dport 111 -j DROP
iptables -A INPUT -i enp2s0 -p udp --dport 53 -j DROP
iptables -A INPUT -i enp2s0 -p tcp --dport 53 -j DROP
iptables -A INPUT -i enp2s0 -p tcp --dport 5353 -j DROP
iptables -A INPUT -i enp2s0 -p udp --dport 5353 -j DROP
iptables -A INPUT -i enp2s0 -p tcp --dport 5999 -j DROP
iptables -A INPUT -i enp2s0 -p udp --dport 5999 -j DROP
iptables -A INPUT -p tcp --dport 22 -j DROP


2 answer(s)
AUser0, 2021-11-09
@AUser0

Apparently there is no DNS on 192.168.122.2? Then, after the script, run the following commands:

iptables -I FORWARD -i enp2s0 -s 192.168.122.2,188.242.0.0/16 -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -i enp2s0 -s 192.168.122.2,188.242.0.0/16 -p tcp --dport 53 -j ACCEPT

If it works and you need to put these commands into the script, change both "-I FORWARD" to "-A FORWARD".
P.S. Or remove the lines with "--dport 53" from the script.

Andrey Barbolin, 2021-11-09
@dronmaxman

Missing:

sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -p gre -j ACCEPT
iptables -A FORWARD -i enp2s0 -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD  -p udp --dport 53 -j ACCEPT
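Both answers hinge on where a rule lands in a chain: the first terminating rule that matches decides the packet, -I inserts at the top (or at a numbered slot) and -A appends at the bottom, which is why the first answer distinguishes the two. The following Python is an added example, not code from the question or from either answer: it replays a sequence of iptables commands into an in-memory chain and walks it first-match for a given packet. The addresses and interfaces (192.168.122.2, virbr0, enp2s0) come from the question; the catch-all `-A FORWARD -j DROP`, the DNS ACCEPT written with only the VM as source, and the resolver/WAN addresses are constructed for the illustration. Only the matches used on this page are modelled (-i, -o, -p, --dport, -s, -d); conntrack state, helpers and the nat table are out of scope.

```python
import ipaddress
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
MATCH_OPTS = ("-i", "-o", "-p", "--dport", "-s", "-d")


def parse(cmd):
    """Split one iptables command into (op, chain, position, rule); op is -A, -I or -P,
    position is the 1-based slot for -I (1 when omitted)."""
    toks = shlex.split(cmd)
    if toks and toks[0] == "iptables":
        toks = toks[1:]
    op = chain = target = None
    pos, match, i = 1, {}, 0
    while i < len(toks):
        t = toks[i]
        if t in ("-A", "-I", "-P"):
            op, chain = t, toks[i + 1]
            i += 2
            if op == "-I" and i < len(toks) and toks[i].isdigit():
                pos, i = int(toks[i]), i + 1
            elif op == "-P":
                target, i = toks[i], i + 1
        elif t == "-j":
            target, i = toks[i + 1], i + 2
        elif t in ("-m", "-t"):
            i += 2                     # match-module or table name: not a criterion
        elif t in MATCH_OPTS:
            match[t], i = toks[i + 1], i + 2
        else:
            i += 1                     # target options such as "--to": ignored
    return op, chain, pos, {"target": target, "match": match, "text": " ".join(toks)}


def matches(rule, pkt):
    """True when every criterion on the rule holds for the packet dict."""
    m = rule["match"]
    for opt, field in (("-i", "in"), ("-o", "out"), ("-p", "proto")):
        if opt in m and m[opt] != pkt.get(field):
            return False
    if "--dport" in m and m["--dport"] != str(pkt.get("dport")):
        return False
    for opt, field in (("-s", "src"), ("-d", "dst")):
        if opt in m and ipaddress.ip_address(pkt[field]) not in \
                ipaddress.ip_network(m[opt], strict=False):
            return False
    return True


class Filter:
    """In-memory filter table built from commands and evaluated first-match."""

    def __init__(self):
        self.rules, self.policy = {}, {}       # chain -> ordered rules / default target

    def run(self, cmd):
        op, chain, pos, rule = parse(cmd)
        if op == "-P":
            self.policy[chain] = rule["target"]
        elif op == "-A":
            self.rules.setdefault(chain, []).append(rule)           # bottom of the chain
        elif op == "-I":
            self.rules.setdefault(chain, []).insert(pos - 1, rule)  # top, or slot pos
        return self

    def verdict(self, chain, pkt):
        """(target, rule text) of the first matching terminating rule, else the policy."""
        for rule in self.rules.get(chain, []):
            if rule["target"] in TERMINATING and matches(rule, pkt):
                return rule["target"], rule["text"]
        policy = self.policy.get(chain, "ACCEPT")
        return policy, f"-P {chain} {policy}"


# Constructed packets: the CHR VM is 192.168.122.2 behind virbr0, the uplink is enp2s0.
QUERY_TO_HOST = {"in": "virbr0", "proto": "udp", "dport": 53,
                 "src": "192.168.122.2", "dst": "192.168.122.1"}   # to libvirt's dnsmasq
QUERY_FORWARDED = {"in": "virbr0", "out": "enp2s0", "proto": "udp", "dport": 53,
                   "src": "192.168.122.2", "dst": "1.1.1.1"}       # out to an external resolver
QUERY_FROM_WAN = {"in": "enp2s0", "proto": "udp", "dport": 53,
                  "src": "203.0.113.7", "dst": "198.51.100.10"}     # inbound to the host itself


def input_chain_from_post():
    """The question's two INPUT rules for port 53, exactly as posted."""
    return (Filter().run("iptables -A INPUT -i enp2s0 -p udp --dport 53 -j DROP")
                    .run("iptables -A INPUT -i enp2s0 -p tcp --dport 53 -j DROP"))


def forward_chain(insert_at_top):
    """The question's FORWARD ACCEPTs, a constructed catch-all DROP standing in for
    whatever ends the chain on the host, then a DNS ACCEPT for the VM via -I or -A."""
    f = (Filter().run("iptables -I FORWARD -o virbr0 -d 192.168.122.2 -j ACCEPT")
                 .run("iptables -A FORWARD -p gre -j ACCEPT")
                 .run("iptables -A FORWARD -i enp2s0 -p tcp --dport 1723 -j ACCEPT")
                 .run("iptables -A FORWARD -j DROP"))                 # constructed, not in the post
    flag = "-I" if insert_at_top else "-A"
    return f.run(f"iptables {flag} FORWARD -s 192.168.122.2 -p udp --dport 53 -j ACCEPT")
```

Calling `input_chain_from_post().verdict("INPUT", QUERY_TO_HOST)` falls through to the chain policy, because the posted DROPs carry `-i enp2s0` and a query arriving on virbr0 never matches them; the same chain does drop `QUERY_FROM_WAN`. In FORWARD, `forward_chain(True)` accepts the VM's query on the inserted DNS rule, while `forward_chain(False)` hits the catch-all DROP first because the appended rule sits below it. Running `iptables -S FORWARD` on the host and feeding those lines to `Filter.run` in order gives the same walk for the real chain.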
