Sending NAT PREROUTING to Blackholes?

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
OpenSource Ghost
DD-WRT User


Joined: 14 Feb 2022
Posts: 50

PostPosted: Thu Jul 07, 2022 10:30    Post subject: Sending NAT PREROUTING to Blackholes? Reply with quote
If I want to blackhole a port or DNS or some IP during PREROUTING stage, can I use something like
Code:
iptables -t nat -I PREROUTING -p udp --dport 53 -j DNAT --to 0.0.0.0
iptables -t nat -I OUTPUT -p udp --dport 53 -j DNAT --to 0.0.0.0

??? Do I need to specify a port for "--to 0.0.0.0" or leave it as "--to 0.0.0.0"?

A bit off-topic, but did you know public blackhole DNS servers exist? They are quite useful if you have a router that sends telemetry from itself and doesn't allow you to use 0.0.0.0 or 127.0.0.1 for WAN DNS.
Code:
blackhole-1.iana.org (192.175.48.6)
blackhole-2.iana.org (192.175.48.42)
prisoner.iana.org (192.175.48.1)

https://en.wikipedia.org/wiki/Blackhole_server
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Thu Jul 07, 2022 12:00    Post subject: Reply with quote
I don't see why it wouldn't work.

If you don't include the port in the DNAT target, then it simply defaults to the specified port being matched.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12812
Location: Netherlands

PostPosted: Thu Jul 07, 2022 12:06    Post subject: Reply with quote
But the question remains why?

DDWRT has a lot of DNS redirection built-in, used for VAP's, Split DNS for VPN, to mitigate rogue DNS requests etc.

So I would be really careful with this.

What is the problem you are trying to solve?

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Thu Jul 07, 2022 12:50    Post subject: Reply with quote
egc wrote:
But the question remains why?

DDWRT has a lot of DNS redirection built-in, used for VAP's, Split DNS for VPN, to mitigate rogue DNS requests etc.

So I would be really careful with this.

What is the problem you are trying to solve?


Good points, but at least he's inserting the rules so they take precedence.

But to your point, iptables *used* to allow DROPing in the nat table, but then removed that capability. And that's effectively what's happening here. So at least from iptables perspective, this is NOT considered appropriate. All filtering should take place in the filter table (duh).

Of course, users being users, you can't prevent them from going their own way sometimes.

OpenSource Ghost
DD-WRT User


Joined: 14 Feb 2022
Posts: 50

PostPosted: Thu Jul 07, 2022 19:58    Post subject: Reply with quote
This isn't a DD-WRT-specific question, but a general one. I keep thinking that it makes more sense to blackhole a packet or drop it as early in the process as possible (in PREROUTING) than to wait until it gets processed by filtering. If PREROUTING for filtered aspects is altered by redirecting traffic, then filter is not going to pick up anything.

DNS was never meant to be blackholed to 0.0.0.0 anyway. REJECT response is the correct way to block domains, but 0.0.0.0 works better. It is kind of a hack, I think, similar to how DNS-over-HTTPS is kind of a hack.
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Thu Jul 07, 2022 20:06    Post subject: Reply with quote
This latest post reminds me of a question, is it better to blacklist or whitelist something?

Whitelists are simpler, you start with a known expected scenario and whatever else outside this narrow spectrum is blacklisted by default, easier to maintain. While the opposite requires constant discovery and maintenance.

That's not to say for specific applications blacklists aren't better suited.

But this may not necessarily apply to all scenarios as supported by current design and implementations.

Sorry for the noise, my brain farts are always just that, gas. Sadly can't take that gas to the bank.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Thu Jul 07, 2022 21:48    Post subject: Reply with quote
Well, if the purpose is to be as efficient as possible, why not use the raw table?

Code:
iptables -t raw -I PREROUTING -p tcp -d 8.8.8.8 --dport 53 -j DROP
iptables -t raw -I PREROUTING -p udp -d 8.8.8.8 --dport 53 -j DROP


This avoids connection tracking, nat, filter, the works!

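The raw-table approach from the post above, wrapped into a boot-safe router script as an added example (not code from the thread or from any DD-WRT script): it emits one DROP per resolver and protocol, inserts rather than appends so the rule wins over later redirects, and uses `-C` so re-running on every boot does not stack duplicates. The dry-run default (commands printed instead of executed) and the `APPLY` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: block plaintext DNS to chosen resolvers in the raw table, so the
# packets are dropped before conntrack, nat and filter ever see them.
# Default is dry-run (commands are printed); set APPLY=1 to execute on the router.

APPLY="${APPLY:-0}"

# Run or print an iptables command depending on APPLY.
ipt() {
    if [ "$APPLY" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# Insert a raw PREROUTING DROP for one resolver and one protocol, skipping it when an
# identical rule already exists (-C), so the script is idempotent across reboots.
# -I (insert) rather than -A (append) so the rule takes precedence over built-in rules.
block_dns_to() {
    dst="$1"
    proto="$2"
    if [ "$APPLY" = "1" ] && iptables -t raw -C PREROUTING -p "$proto" -d "$dst" --dport 53 -j DROP 2>/dev/null; then
        return 0
    fi
    ipt -t raw -I PREROUTING -p "$proto" -d "$dst" --dport 53 -j DROP
}

# Generate TCP and UDP rules for every resolver in a whitespace-separated list.
# For hundreds of destinations an ipset match would replace this loop.
block_dns_list() {
    for dst in $1; do
        block_dns_to "$dst" tcp
        block_dns_to "$dst" udp
    done
}

# Example invocation with the resolver discussed in the thread (prints in dry-run mode).
block_dns_list "8.8.8.8"
```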
OpenSource Ghost
DD-WRT User


Joined: 14 Feb 2022
Posts: 50

PostPosted: Thu Jul 07, 2022 21:58    Post subject: Reply with quote
the-joker wrote:
This latest post reminds me of a question, is it better to blacklist or whitelist something?

Whitelists are simpler, you start with a known expected scenario and whatever else outside this narrow spectrum is blacklisted by default, easier to maintain. While the opposite requires constant discovery and maintenance.

That's not to say for specific applications blacklists aren't better suited.

But this may not necessarily apply to all scenarios as supported by current design and implementations.

Sorry for the noise, my brain farts are always just that, gas. Sadly can't take that gas to the bank.


Yes, in a perfect (DD-WRT) scenario, it is more secure to block everything and allow only what is necessary than to allow everything and block the unnecessary, but when dealing with router APIs that load their OS before executing custom scripts with personal rules, you have to improvise...
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12812
Location: Netherlands

PostPosted: Fri Jul 08, 2022 5:53    Post subject: Reply with quote
Just a thought, would you not expect that a simple DROP rule is far more efficient than a ROUTING rule?

This is just for one destination, but what if you have hundreds?

Blocking many on the firewall level can better be handled with IPSET, a sticky in this forum.

Or just use DNSMasq or SmartDNS on the DNS level?

OpenSource Ghost
DD-WRT User


Joined: 14 Feb 2022
Posts: 50

PostPosted: Sat Sep 03, 2022 20:46    Post subject: Reply with quote
I already found some scenarios where blackholing in NAT portion is not a good idea. For example, when using DHCP for WAN, dropping 255.255.255.255/32 broadcast packets in Mangle section has no ill effect and neither does dropping same packets in INPUT filtering section, but applying "DNAT --to-destination 0.0.0.0" blackhole rule for WAN 255.255.255.255/32 packets in NAT PREROUTING portion results in non-stop connects and disconnects from WAN.

The router I use (non-DD-WRT) doesn't have a RAW module and RAW isn't part of the available modules. It does have a Mangle section, which precedes NAT and allows you to simply drop packets (like in the filtering portions). The Mangle section is supposed to be for "specialized" packets, but what does that mean? QoS packets? Traffic shaping?
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Sun Sep 04, 2022 7:06    Post subject: Reply with quote
Yes, QoS packets on any of the mangle table's built-in chains:

* PREROUTING
* OUTPUT
* FORWARD
* INPUT
* POSTROUTING

The RAW table is just for configuration exemptions for its chains:

* PREROUTING
* OUTPUT
