OpenDNS block port 53 for an ip group and allow others

flako
DD-WRT Novice


Joined: 16 Mar 2018
Posts: 11

PostPosted: Fri Aug 10, 2018 19:54    Post subject: OpenDNS block port 53 for an ip group and allow others
Hello, I am trying to configure OpenDNS on a Linksys WRT54G2 / GS2 with firmware DD-WRT v24-sp2 (07/08/10) micro-build 14896.

I cannot get the firewall to block all requests on port 53 except for an IP range that I define, so that those hosts have internet without restrictions.

The network is:
NET: 172.16.0.0/255.255.0.0
Local DNS: 172.16.0.1, which forwards to 208.67.222.220
Router dd-WRT LAN: 172.16.0.53
Router dd-WRT WAN: 192.16.0.2
INTERNET LAN Router: 192.16.0.1

I understand that with
Code:
iptables -t nat -I PREROUTING -i br0 -s 172.16.0.1/16 -p udp --dport 53 -j DNAT --to 208.67.222.220
iptables -t nat -I PREROUTING -i br0 -s 172.16.0.1/16 -p tcp --dport 53 -j DNAT --to 208.67.222.220


redirects all DNS requests to OpenDNS (and it does this well).
I need certain IPs to be allowed to use the 8.8.8.8 DNS, which is why I read something similar to:
Code:
iptables -t nat -I PREROUTING -i br0 -s 172.16.1.10 -p udp --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -I PREROUTING -i br0 -s 172.16.1.10 -p tcp --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -I PREROUTING -i br0 -s 172.16.0.1/16 -p udp --dport 53 -j DNAT --to 208.67.222.220
iptables -t nat -I PREROUTING -i br0 -s 172.16.0.1/16 -p tcp --dport 53 -j DNAT --to 208.67.222.220

But the only thing this does is enable port 53 / access to 8.8.8.8 for the entire network.

I do not know if it's a concept error or it's syntax error.

I'm a little dizzy from looking at the docs and concluding that this is what I should enter.
What is missing?

Thank you.
(written with translate.google.com)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 2154
Location: Netherlands

PostPosted: Fri Aug 10, 2018 20:54    Post subject:
Put the lines pointing to 8.8.8.8 last.
_________________
Router Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Install guide R6400v2: http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 4324
Location: Akershus, Norway

PostPosted: Sat Aug 11, 2018 17:10    Post subject:
You have the lines in the reverse order. Remember when inserting, the last line will be the first.
Code:
iptables -t nat -I PREROUTING -i br0 -s 172.16.0.1/16 -p udp --dport 53 -j DNAT --to 208.67.222.220
iptables -t nat -I PREROUTING -i br0 -s 172.16.0.1/16 -p tcp --dport 53 -j DNAT --to 208.67.222.220
iptables -t nat -I PREROUTING -i br0 -s 172.16.1.10 -p udp --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -I PREROUTING -i br0 -s 172.16.1.10 -p tcp --dport 53 -j DNAT --to 8.8.8.8

The presence of 172.16.1.10 will now be tested first.

Is this a typo?

Router dd-WRT WAN: 192.16.0.2
INTERNET LAN Router: 192.16.0.1

That address is in the public space. It should be 192.168.0.2.
flako
DD-WRT Novice


Joined: 16 Mar 2018
Posts: 11

PostPosted: Sun Aug 12, 2018 12:46    Post subject:
Per Yngve Berg wrote:
You have the lines in the reverse order. Remember when inserting, the last line will be the first.

Nooo ... heh
Thanks Per

Quote:
That address is in the public space. It should be 192.168.0.2.

If it's a typographical error, tomorrow I'll try the change.
Thank you
flako
DD-WRT Novice


Joined: 16 Mar 2018
Posts: 11

PostPosted: Tue Aug 14, 2018 19:28    Post subject: [SOLVED]
Per, thanks, it worked perfectly :) with:


Code:
iptables -t nat -I PREROUTING -i br0 -s 172.16.0.0/16 -p udp --dport 53 -j DNAT --to 208.67.222.220
iptables -t nat -I PREROUTING -i br0 -s 172.16.0.0/16 -p tcp --dport 53 -j DNAT --to 208.67.222.220
iptables -t nat -I PREROUTING -i br0 -s 172.16.1.10 -p udp --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -I PREROUTING -i br0 -s 172.16.1.10 -p tcp --dport 53 -j DNAT --to 8.8.8.8

What does not work is filtering by MAC, as in:

Code:
iptables -t nat -I PREROUTING -i br0 -s -m mac ! --mac-source 54:27:1E:AE:5A:FD  -p udp --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -I PREROUTING -i br0 -s -m mac ! --mac-source 54:27:1E:AE:5A:FD  -p tcp --dport 53 -j DNAT --to 8.8.8.8

but that will be another post.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 4324
Location: Akershus, Norway

PostPosted: Tue Aug 14, 2018 21:57    Post subject:
There is a syntax error. '-s' should be followed by an ip address. Remove '-s'.
flako
DD-WRT Novice


Joined: 16 Mar 2018
Posts: 11

PostPosted: Fri Aug 17, 2018 17:47    Post subject:
Per Yngve Berg wrote:
There is a syntax error. '-s' should be followed by an ip address. Remove '-s'.


Thanks, now it is working correctly with:
Code:
iptables -t nat -I PREROUTING -i br0 -s 172.16.0.0/16 -p udp --dport 53 -j DNAT --to 208.67.222.220
iptables -t nat -I PREROUTING -i br0 -s 172.16.0.0/16 -p tcp --dport 53 -j DNAT --to 208.67.222.220
iptables -t nat -I PREROUTING -i br0 -m mac  --mac-source 74:c6:3b:90:e4:25  -p udp --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -I PREROUTING -i br0 -m mac  --mac-source 74:c6:3b:90:e4:25  -p tcp --dport 53 -j DNAT --to 8.8.8.8
insmod xt_mac
insmod ipt_mac
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 7414

PostPosted: Fri Aug 17, 2018 18:05    Post subject:
You have to make the mac module available *before* you can reference it in the firewall rules. So the following should be the *first* items in that script!

Code:
insmod xt_mac
insmod ipt_mac


Or perhaps install them in the startup script instead (they only need to be loaded once per boot).

IOW, the reversing of the order of the firewall rules is *only* applicable to the firewall rules themselves. The insmod command is NOT part of the firewall rules.

It probably worked as-is because you didn't reboot before testing, so the module was already loaded.
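The three corrections the thread arrives at (insert the catch-all rules first so they end up lowest, insert the exception last so it is checked first, use the `-m mac` match without a stray `-s`, and load the modules before any rule that references them) fit together in one DD-WRT firewall-script fragment. The following is an added example, not code from the thread or from the DD-WRT project. It assumes the LAN bridge is br0 and the LAN is 172.16.0.0/16 as in the thread; the exempt MAC `00:11:22:33:44:55` and the function names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): redirect all LAN DNS (port 53) to
# OpenDNS, except for one client identified by source MAC, which goes to
# 8.8.8.8. Assumptions: LAN bridge br0, LAN 172.16.0.0/16, placeholder MAC.

LAN_IF="br0"
LAN_NET="172.16.0.0/16"
DEFAULT_DNS="208.67.222.220"     # OpenDNS resolver used in the thread
EXEMPT_DNS="8.8.8.8"
EXEMPT_MAC="00:11:22:33:44:55"   # placeholder; replace with the client's MAC

# The mac match needs its kernel modules present *before* any rule uses
# -m mac, so this is the first thing the script runs. "|| true" keeps an
# "already loaded" error from aborting a script run under "set -e".
load_mac_match_modules() {
    insmod xt_mac 2>/dev/null || true
    insmod ipt_mac 2>/dev/null || true
}

# Insert one DNAT rule each for UDP and TCP port 53.
# $1 = match expression (intentionally word-split), $2 = resolver to send to.
# Every call uses -I, so each call lands *above* the rules inserted before it.
dnat_dns() {
    for proto in udp tcp; do
        iptables -t nat -I PREROUTING -i "$LAN_IF" $1 -p "$proto" \
            --dport 53 -j DNAT --to "$2"
    done
}

load_dns_redirect_rules() {
    load_mac_match_modules
    # 1. Catch-all first: because of -I it will sit *below* anything inserted later.
    dnat_dns "-s $LAN_NET" "$DEFAULT_DNS"
    # 2. Exception last: it is now at the top of the chain and is matched first.
    dnat_dns "-m mac --mac-source $EXEMPT_MAC" "$EXEMPT_DNS"
}

# Check the resulting evaluation order on the router; the lowest line number
# is evaluated first, so the --mac-source rule should be listed above the
# 172.16.0.0/16 rule.
show_dns_rules() {
    iptables -t nat -L PREROUTING -n -v --line-numbers | grep 'dpt:53'
}

# In the DD-WRT firewall script you would simply call load_dns_redirect_rules;
# the argument guard only keeps this fragment from touching a real firewall
# when it is sourced for testing.
if [ "${1:-}" = "apply" ]; then
    load_dns_redirect_rules
    show_dns_rules
fi
```

Run `show_dns_rules` after loading to confirm the order. Two things worth knowing that the thread does not cover: DD-WRT can re-run the firewall script (for example when the WAN comes up), and each run adds another copy of these `-I` rules, which is harmless for first-match evaluation but clutters the chain; and the redirect only catches plain DNS on port 53, so a client that uses DNS over TLS (853) or DNS over HTTPS (443) is not steered to OpenDNS by these rules.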
flako
DD-WRT Novice


Joined: 16 Mar 2018
Posts: 11

PostPosted: Fri Aug 17, 2018 19:06    Post subject:
Hi eibgrad, I tried rebooting the router and the MAC filtering keeps working .. I don't know .. just in case, I put it at the top too :)