OpenDNS block port 53 for an ip group and allow others

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
View previous topic :: View next topic  
Author Message
flako
DD-WRT Novice


Joined: 16 Mar 2018
Posts: 11
PostPosted: Fri Aug 10, 2018 19:54    Post subject: OpenDNS block port 53 for an ip group and allow others Reply with quote
Hello, I am trying to configure OpenDNS in a Linksys WRT54G2 / GS2 with Frmware: DD-WRT v24-sp2 (07/08/10) micro-build 14896

I can not get the firewall to block all the requests from port 53 except an IP range that I define so that they have internet without restrictions

The network is:
NET: 172.16.0.0/255.255.0.0
Local DNS: 172.16.0.1 where the forward does it at 208.67.222.220
Router dd-WRT LAN: 172.16.0.53
Router dd-WRT WAN: 192.16.0.2
INTERNET LAN Router: 192.16.0.1

I understand that with
Code:
iptables -t nat -I PREROUTING -i br0 -s 172.16.0.1/16 -p udp --dport 53 -j DNAT --to 208.67.222.220
iptables -t nat -I PREROUTING -i br0 -s 172.16.0.1/16 -p tcp --dport 53 -j DNAT --to 208.67.222.220


redirects all DNS requests to OpenDNS. (and he does it well).
This I need for certain IPs to allow the 8.8.8.8 dns, which is why I read something similar to:
Code:

iptables -t nat -I PREROUTING -i br0 -s 172.16.1.10 -p udp --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -I PREROUTING -i br0 -s 172.16.1.10 -p tcp --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -I PREROUTING -i br0 -s 172.16.0.1/16 -p udp --dport 53 -j DNAT --to 208.67.222.220
iptables -t nat -I PREROUTING -i br0 -s 172.16.0.1/16 -p tcp --dport 53 -j DNAT --to 208.67.222.220



But this only thing is to enable port 53 or access to 8.8.8.8 to the entire network.

I do not know if it's a concept error or it's syntax error.

I'm a little dizzy from looking at the doc and concluding that that's what I should enter.
What is missing?

Thank you.
(written with translate.google.com)
Back to top View user's profile Send private message
Sponsor
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12913
Location: Netherlands
PostPosted: Fri Aug 10, 2018 20:54    Post subject: Reply with quote
Put the lines pointing to 8.8.8.8 in last
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Back to top View user's profile Send private message
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6870
Location: Romerike, Norway
PostPosted: Sat Aug 11, 2018 17:10    Post subject: Reply with quote
You have the lines in the reverse order. Remember when inserting, the last line will be the first.

iptables -t nat -I PREROUTING -i br0 -s 172.16.0.1/16 -p udp --dport 53 -j DNAT --to 208.67.222.220
iptables -t nat -I PREROUTING -i br0 -s 172.16.0.1/16 -p tcp --dport 53 -j DNAT --to 208.67.222.220
iptables -t nat -I PREROUTING -i br0 -s 172.16.1.10 -p udp --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -I PREROUTING -i br0 -s 172.16.1.10 -p tcp --dport 53 -j DNAT --to 8.8.8.8


The presence of 172.16.1.10 will now be tested first.

Is this a typo?

Router dd-WRT WAN: 192.16.0.2
INTERNET LAN Router: 192.16.0.1

That address is in the public space. It should be 192.168.0.2.
Back to top View user's profile Send private message
flako
DD-WRT Novice


Joined: 16 Mar 2018
Posts: 11
PostPosted: Sun Aug 12, 2018 12:46    Post subject: Reply with quote
Per Yngve Berg wrote:
You have the lines in the reverse order. Remember when inserting, the last line will be the first.

Nooo ... Je
Thanks Per

Quote:
That address is in the public space. It should be 192.168.0.2.

If it's a typographical error, Tomorrow I try the change,
Thank you
Back to top View user's profile Send private message
flako
DD-WRT Novice


Joined: 16 Mar 2018
Posts: 11
PostPosted: Tue Aug 14, 2018 19:28    Post subject: [SOLVED] Reply with quote
Per, Thanks worked Perfect Smile with:


Code:
iptables -t nat -I PREROUTING -i br0  -s 172.16.0.0/16 -p udp --dport 53 -j DNAT --to 208.67.222.220
      iptables -t nat -I PREROUTING -i br0  -s 172.16.0.0/16 -p tcp --dport 53 -j DNAT --to 208.67.222.220
      iptables -t nat -I PREROUTING -i br0 -s 172.16.1.10 -p udp --dport 53 -j DNAT --to 8.8.8.8
      iptables -t nat -I PREROUTING -i br0 -s 172.16.1.10 -p tcp --dport 53 -j DNAT --to 8.8.8.8


What does not work is filtering by mac as

Code:
iptables -t nat -I PREROUTING -i br0 -s -m mac ! --mac-source 54:27:1E:AE:5A:FD  -p udp --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -I PREROUTING -i br0 -s -m mac ! --mac-source 54:27:1E:AE:5A:FD  -p tcp --dport 53 -j DNAT --to 8.8.8.8

but it will be another post
Back to top View user's profile Send private message
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6870
Location: Romerike, Norway
PostPosted: Tue Aug 14, 2018 21:57    Post subject: Reply with quote
There is a syntax error. '-s' should be followed by an ip address. Remove '-s'.
Back to top View user's profile Send private message
flako
DD-WRT Novice


Joined: 16 Mar 2018
Posts: 11
PostPosted: Fri Aug 17, 2018 17:47    Post subject: Reply with quote
Per Yngve Berg wrote:
There is a syntax error. '-s' should be followed by an ip address. Remove '-s'.


Thanks, now it is working correctly with:
Code:
iptables -t nat -I PREROUTING -i br0 -s 172.16.0.0/16 -p udp --dport 53 -j DNAT --to 208.67.222.220
iptables -t nat -I PREROUTING -i br0 -s 172.16.0.0/16 -p tcp --dport 53 -j DNAT --to 208.67.222.220
iptables -t nat -I PREROUTING -i br0 -m mac  --mac-source 74:c6:3b:90:e4:25  -p udp --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -I PREROUTING -i br0 -m mac  --mac-source 74:c6:3b:90:e4:25  -p tcp --dport 53 -j DNAT --to 8.8.8.8
insmod xt_mac
insmod ipt_mac
Back to top View user's profile Send private message
flako
DD-WRT Novice


Joined: 16 Mar 2018
Posts: 11
PostPosted: Fri Aug 17, 2018 19:06    Post subject: Reply with quote
Hi eibgrad, probe reboot the router and keep working on the mac filtering .. I do not know .. just in case I put it up too Smile
Back to top View user's profile Send private message
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum