iptables - how does one negate multiple prerouting sources?

davidmoore
DD-WRT Novice


Joined: 05 Mar 2018
Posts: 8
Location: Internet

Posted: Tue Oct 19, 2021 21:31    Post subject: iptables - how does one negate multiple prerouting sources?
I know this question has been asked historically, but the answers I have yet to find are not all too helpful in this one niche use case.

I currently have one router running DD-WRT on 192.168.0.1, one router connected to the previous with IP 192.168.0.2 that runs as a VPN client, and one Raspberry Pi set up to run pi-hole DNS filtering on 192.168.0.21.

Ultimately, my goal here is just to block all DNS requests on my network from any device to any DNS server except for my second router and my pihole, and to allow only those two devices to make DNS requests.

---------
On my router, my current Firewall(iptables) rules are as follows:

Code:

#####Keep network on pi-hole
iptables --table nat --insert PREROUTING --in-interface br0 --protocol tcp --source ! 192.168.0.2,192.168.0.21 --destination-port 53 --jump DNAT --to-destination 192.168.0.21:53
iptables --table nat --insert PREROUTING --in-interface br0 --protocol udp --source ! 192.168.0.2,192.168.0.21 --destination-port 53 --jump DNAT --to-destination 192.168.0.21:53
#####Punch DNS hole for pi-hole
iptables --table nat --insert PREROUTING --in-interface br0 --protocol tcp --source 192.168.0.2,192.168.0.21 --destination-port 53 --jump ACCEPT
iptables --table nat --insert PREROUTING --in-interface br0 --protocol udp --source 192.168.0.2,192.168.0.21 --destination-port 53 --jump ACCEPT

----------
Now, I had just assumed this was all working fine and dandy. However, I never actually went in and *tried* to test the rules. Upon trying to execute the commands, I find that rules 3 and 4 work fine. However, rules 1 and 2 do not:
Code:

root@ddwrt:~# iptables --table nat --insert PREROUTING --in-interface br0 --protocol tcp  --source ! 192.168.0.2,192.168.0.21 --destination-port 53 --jump ACCEPT
Bad argument `192.168.0.2,192.168.0.21'

--------------
Some research led me to think that maybe I had been a fool when I originally copy-paste-adapted some rules and that the `!` should obviously go before the `--source`, so I tried that, which might have worked, except multiple source IP addresses are disallowed by my version of iptables:
Code:

root@ddwrt:~# iptables --table nat --insert PREROUTING --in-interface br0 --protocol tcp ! --source 192.168.0.2,192.168.0.21 --destination-port 53 --jump ACCEPT
iptables v1.8.5 (legacy): ! not allowed with multiple source or destination IP addresses


More research led me to attempt using ipset to solve the problem:
Code:

root@ddwrt:~# ipset -N piholeAndVpnPassthrough iphash
root@ddwrt:~# ipset -A piholeAndVpnPassthrough 192.168.0.2
root@ddwrt:~# ipset -A piholeAndVpnPassthrough 192.168.0.21

That part went fine. However, having never used ipset, I couldn't get it to work in any manner I tried:
Code:

root@ddwrt:~# iptables --table nat --insert PREROUTING --in-interface br0 --protocol tcp ! --source --match-set "piholeAndVpnPasshthrough" --destination-port 53 --jump DNAT --to-destination 192.168.0.21:53
Bad argument `piholeAndVpnPasshthrough'
Try `iptables -h' or 'iptables --help' for more information.
root@ddwrt:~# iptables --table nat --insert PREROUTING --in-interface br0 --protocol tcp ! --source -m set --match-set piholeAndVpnPasshthrough --destination-port 53 --jump DNAT --to-destination 192.168.0.21:53
Bad argument `set'
Try `iptables -h' or 'iptables --help' for more information.
root@ddwrt:~# iptables --table nat --insert PREROUTING --in-interface br0 --protocol tcp -m set --match-set piholeAndVpnPasshthrough ! --source --destination-port 53 --jump DNAT --to-destination 192.168.0.21:53
iptables v1.8.5 (legacy): --match-set requires two args.
Try `iptables -h' or 'iptables --help' for more information.
root@ddwrt:~# iptables --table nat --insert PREROUTING --in-interface br0 --protocol tcp -m set --match-set piholeAndVpnPasshthrough src ! --source --destination-port 53 --jump DNAT --to-destination 192.168.0.21:53
iptables v1.8.5 (legacy): Set piholeAndVpnPasshthrough doesn't exist.

------------
Thus, I have no idea how to accomplish this. How does one use two negated source addresses in iptables?

_________________
Linksys WRT1900ACSv2 (v3.0-r47510) | Netgear WNDR3700v4 (DD-WRT v3.0-r34777) | Linksys WRT54Gv1 (DD-WRT v24 SP1)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12915
Location: Netherlands

Posted: Wed Oct 20, 2021 6:34
I have moved your question to the Advanced Networking forum where it can grab more attention for this subject.

About negation: that has changed recently; all such negations must now precede the option itself, NOT the argument. So not -s ! 192.168.1.1 but ! -s 192.168.1.1.

About ipset, see the sticky in this forum:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327261
(it actually covers blocking all rogue DNS queries)

About Pi-hole DNS, see:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=329571
(also a sticky in the Advanced Networking forum)

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
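Putting the two answers together (the `!` goes in front of the option it negates, and an ipset stands in for the comma-separated address list that `!` rejects), here is an added example that is not code from either poster. It reuses the thread's addresses and br0, but the set name, the DRY_RUN switch and the modern `ipset create ... hash:ip` form (the thread used the older `-N ... iphash`) are this example's own assumptions; note that the last attempt in the question also referenced a set name spelled differently from the one that was created.

```shell
#!/bin/sh
# Added example, not from either poster: steer every LAN DNS query (tcp/udp 53)
# to the Pi-hole except queries from the two resolvers themselves, matched via
# one ipset so a single negated match covers both addresses.
# Thread values: LAN bridge br0, Pi-hole 192.168.0.21, VPN router 192.168.0.2.
# Assumptions of this example: the set name, the DRY_RUN switch, and a current
# ipset ("create ... hash:ip"; the thread used the older "-N ... iphash" form).

SET_NAME="dns_passthrough"
PIHOLE="192.168.0.21"
VPN_ROUTER="192.168.0.2"
LAN_IF="br0"

# DRY_RUN=1 prints each command instead of running it, so the exact rule text
# can be reviewed on a host without iptables/ipset before touching the router.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the set and add the allowed resolvers; -exist makes re-runs harmless.
create_set() {
    run ipset -exist create "$SET_NAME" hash:ip
    run ipset -exist add "$SET_NAME" "$PIHOLE"
    run ipset -exist add "$SET_NAME" "$VPN_ROUTER"
}

# One DNAT rule per protocol.  The '!' goes in front of the option it negates
# (--match-set, not its argument), and --match-set takes two arguments: the set
# name and the direction flag 'src'.  Packets from set members simply do not
# match, so they keep their original destination; no separate ACCEPT is needed.
add_dns_rules() {
    for proto in tcp udp; do
        run iptables -t nat -I PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 \
            -m set ! --match-set "$SET_NAME" src \
            -j DNAT --to-destination "${PIHOLE}:53"
    done
}

main() { create_set; add_dns_rules; }

# Only act when explicitly asked, e.g.:  DRY_RUN=1 sh dns_via_pihole.sh apply
case "${1:-}" in
    apply) main ;;
esac
```

Run it with `DRY_RUN=1 sh dns_via_pihole.sh apply` first to see the five commands it would issue, then without DRY_RUN on the router (or paste the body into the DD-WRT firewall script so the set and rules survive a reboot).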
davidmoore
DD-WRT Novice


Joined: 05 Mar 2018
Posts: 8
Location: Internet

Posted: Wed Oct 27, 2021 9:24
[quote="egc"]I have moved your question to the Advanced Networking forum where it can grab more attention for this subject.

About negation: that has changed recently; all such negations must now precede the option itself, NOT the argument. So not -s ! 192.168.1.1 but ! -s 192.168.1.1.

About ipset, see the sticky in this forum:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327261
(it actually covers blocking all rogue DNS queries)[/quote]

Thanks mate!
