Lobojpm DD-WRT Novice Joined: 26 Jul 2010 Posts: 5
Posted: Thu Jun 15, 2017 21:46 Post subject: Trying to NAT DNS (Port 53) - External requests timing out
Hello all!
I've been searching the board here and trying to learn more about iptables, but this one has me somewhat stumped!
I have a Netgear AC1450 running DD-WRT v24-sp2 (03/25/13) mini (SVN revision 21061)
I'm just trying to NAT DNS requests to an internal DNS server that I have on my LAN. I have other ports forwarding just fine, like web (port 80 and 443) to a different web server on my LAN, but that DNS just won't work. It actually does work internally on my LAN, but when requesting a DNS record from the outside, it times out.
I did this in the GUI using NAT/Port forwarding, and again, that seems to work OK for other ports or other LAN destinations. But port 53 to this one server doesn't work.
I checked my logs on my DNS server, and it looks like it receives the request and sends back the response in the log, showing the public IP of the requestor... so I MUST be close!
I'll paste my iptables -vnL below.
Any thoughts you guys have would be much appreciated.
Cheers
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1375 152K logaccept 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 logdrop udp -- vlan2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
0 0 logdrop udp -- br0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
0 0 logdrop icmp -- vlan2 * 0.0.0.0/0 0.0.0.0/0
17 476 logdrop 2 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
487 38678 logaccept 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
153 13025 logdrop 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 logaccept 47 -- * vlan2 192.168.1.0/24 0.0.0.0/0
0 0 logaccept tcp -- * vlan2 192.168.1.0/24 0.0.0.0/0 tcp dpt:1723
9698 2313K lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
9048 2239K logaccept 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
261 13748 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
0 0 logaccept 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
4 208 logaccept tcp -- * * 0.0.0.0/0 192.168.1.25 tcp dpt:80
0 0 logaccept udp -- * * 0.0.0.0/0 192.168.1.25 udp dpt:80
0 0 logaccept tcp -- * * 0.0.0.0/0 192.168.1.25 tcp dpt:21
0 0 logaccept udp -- * * 0.0.0.0/0 192.168.1.25 udp dpt:21
179 9605 logaccept tcp -- * * 0.0.0.0/0 192.168.1.25 tcp dpt:3389
1 1260 logaccept udp -- * * 0.0.0.0/0 192.168.1.25 udp dpt:3389
0 0 logaccept tcp -- * * 0.0.0.0/0 192.168.1.44 tcp dpt:53
46 3546 logaccept udp -- * * 0.0.0.0/0 192.168.1.44 udp dpt:53
0 0 logaccept tcp -- * * 0.0.0.0/0 192.168.1.25 tcp dpt:443
0 0 logaccept udp -- * * 0.0.0.0/0 192.168.1.25 udp dpt:443
2 104 logaccept tcp -- * * 0.0.0.0/0 192.168.1.114 tcp dpt:80
0 0 logaccept udp -- * * 0.0.0.0/0 192.168.1.114 udp dpt:80
0 0 logaccept tcp -- * * 0.0.0.0/0 192.168.1.111 tcp dpt:80
0 0 logaccept udp -- * * 0.0.0.0/0 192.168.1.111 udp dpt:80
0 0 logaccept tcp -- * * 0.0.0.0/0 192.168.1.44 tcp dpt:53
0 0 logaccept udp -- * * 0.0.0.0/0 192.168.1.44 udp dpt:53
0 0 TRIGGER 0 -- vlan2 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
418 59245 trigger_out 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
319 55285 logaccept 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
99 3960 logdrop 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 2135 packets, 936K bytes)
pkts bytes target prot opt in out source destination
Chain advgrp_1 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_10 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_2 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_3 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_4 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_5 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_6 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_7 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_8 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_9 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_1 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_10 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_2 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_3 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_4 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_5 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_6 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_7 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_8 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_9 (0 references)
pkts bytes target prot opt in out source destination
Chain lan2wan (1 references)
pkts bytes target prot opt in out source destination
Chain logaccept (23 references)
pkts bytes target prot opt in out source destination
1038 109K LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `ACCEPT '
11461 2499K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (6 references)
pkts bytes target prot opt in out source destination
159 12999 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `DROP '
110 4462 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID LOG flags 7 level 4 prefix `DROP '
269 17461 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 7 level 4 prefix `WEBDROP '
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
Chain trigger_out (1 references)
pkts bytes target prot opt in out source destination
Per Yngve Berg DD-WRT Guru Joined: 13 Aug 2013 Posts: 6868 Location: Romerike, Norway
Lobojpm DD-WRT Novice Joined: 26 Jul 2010 Posts: 5
Posted: Fri Jun 16, 2017 5:56 Post subject:
Good catch! I had the wrong router. When I made the post, I was using the Linksys E2000, which is why I was using that old build.
I DO have an AC1450 and have been trying to get this to work on that one too. I'm having the same issue on that one...
I realize that might point to something other than DD-WRT, but it resolves fine from the LAN, so I have to think it's a routing issue?
Also, my DNS log on my server seems to see the requests come in and the replies go out, but they just time out on the external client; it seems like they are getting lost in POSTROUTING or something?
Here's my updated one from my AC1450:
DD-WRT v3.0-r27506 (07/09/15) std
And here is the iptables -vnL dump. Web forwarding is working fine to the local web server on .25 but DNS just won't come back to an external request...
Thanks again!
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1422 106K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP udp -- vlan2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
0 0 DROP udp -- br0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
0 0 DROP icmp -- vlan2 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP 2 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
239 18815 ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
66 6470 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4287 1318K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT 47 -- * vlan2 192.168.1.0/24 0.0.0.0/0
0 0 ACCEPT tcp -- * vlan2 192.168.1.0/24 0.0.0.0/0 tcp dpt:1723
188 35483 lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.25 tcp dpt:80
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.25 udp dpt:80
23 1196 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.25 tcp dpt:3389
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.25 udp dpt:3389
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.25 tcp dpt:443
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.25 udp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.111 tcp dpt:80
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.111 udp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.114 tcp dpt:80
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.114 udp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.44 tcp dpt:53
5 374 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.44 udp dpt:53
0 0 TRIGGER 0 -- vlan2 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
160 33913 trigger_out 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
160 33913 ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 2851 packets, 2795K bytes)
pkts bytes target prot opt in out source destination
Chain advgrp_1 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_10 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_2 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_3 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_4 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_5 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_6 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_7 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_8 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_9 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_1 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_10 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_2 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_3 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_4 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_5 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_6 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_7 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_8 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_9 (0 references)
pkts bytes target prot opt in out source destination
Chain lan2wan (1 references)
pkts bytes target prot opt in out source destination
Chain logaccept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
Chain trigger_out (1 references)
pkts bytes target prot opt in out source destination
Lobojpm DD-WRT Novice Joined: 26 Jul 2010 Posts: 5
Posted: Fri Jun 16, 2017 6:18 Post subject:
UPDATE: turned out to be a bad gateway setting on the DNS server.
It would resolve locally but trying to get out externally (via the gateway) it wouldn't go.
Just thought I'd post for anyone else maybe in a similar (dumb) situation.
Thanks all!
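The symptom in this thread (the forwarded DNS server logs the request and the reply, the FORWARD counter for udp dpt:53 to 192.168.1.44 increments, yet the external client times out) is the classic signature of a missing return path: the reply leaves the server towards a public address, and if the server's default gateway is not the router that performed the DNAT, the packet never passes back through conntrack to get its destination rewritten, so the client sees nothing. The server-side DNS log only proves the daemon handed the reply to the kernel, not that it was routed anywhere useful. The script below is an added example, not code from the thread or from DD-WRT; it checks the two things to look at in this order: on the router, whether a FORWARD ACCEPT rule for the server exists and is counting, and on the server, whether its default route points at the router. The router's LAN address (192.168.1.1) is an assumption the thread never states; the sample `iptables` rows are modelled on the posted dump and the sample routes are constructed, one with a wrong gateway and one with the correct one.

```shell
#!/bin/sh
# Added example for this thread; not code from the thread or from DD-WRT.
# Diagnoses a port-53 DNAT that receives requests but whose replies never
# reach the external client.
#   1. router: is the FORWARD ACCEPT for the DNS server present and counting?
#   2. server: does its default route go back via the router?
# ROUTER_LAN_IP is an assumption (the thread never states it);
# DNS_SERVER is taken from the posted forwarding rules.
ROUTER_LAN_IP=192.168.1.1
DNS_SERVER=192.168.1.44

# Sum the packet counters of every FORWARD ACCEPT rule for proto/dst/port.
# $1: text of `iptables -vnxL FORWARD` (-x keeps counters unabbreviated)
# $2: protocol (udp|tcp)   $3: destination IP   $4: destination port
# Prints the packet total (duplicated rules are summed), or "none" if absent.
forward_rule_hits() {
    printf '%s\n' "$1" | awk -v p="$2" -v d="$3" -v port="$4" '
        $3 == "ACCEPT" && $4 == p && $9 == d && $11 == ("dpt:" port) {
            found = 1; hits += $1
        }
        END { if (found) print hits + 0; else print "none" }'
}

# Print the gateway of the default route in `ip route` text ($1); empty if none.
default_gw() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Succeeds only if the host's default route is via the router. A reply to a
# public client must traverse the router so conntrack can undo the DNAT;
# any other (or missing) gateway makes the reply vanish and the client time out.
return_path_ok() {
    [ "$(default_gw "$1")" = "$ROUTER_LAN_IP" ]
}

# Run both checks. $1: FORWARD chain text, $2: the server's `ip route` text.
# Prints each finding; returns 0 when nothing is wrong, 1 otherwise.
diagnose() {
    rc=0
    for proto in udp tcp; do
        hits=$(forward_rule_hits "$1" "$proto" "$DNS_SERVER" 53)
        if [ "$hits" = none ]; then
            echo "router: no FORWARD ACCEPT for $proto/53 -> $DNS_SERVER"; rc=1
        else
            echo "router: $proto/53 -> $DNS_SERVER forwarded ($hits packets)"
        fi
    done
    if return_path_ok "$2"; then
        echo "server: default route via $ROUTER_LAN_IP (ok)"
    else
        echo "server: default route via '$(default_gw "$2")', expected $ROUTER_LAN_IP"; rc=1
    fi
    return $rc
}

# Constructed sample inputs. The FORWARD rows follow the thread's dump; the
# routes are invented: BAD_ROUTES has the wrong gateway, GOOD_ROUTES the router.
FORWARD_SAMPLE='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    4287 1318000 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.44 tcp dpt:53
    5 374 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.44 udp dpt:53'
BAD_ROUTES='default via 192.168.1.254 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.44'
GOOD_ROUTES='default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.44'

if diagnose "$FORWARD_SAMPLE" "$BAD_ROUTES"; then
    echo "no problem found"
else
    echo "fix the above before looking further at iptables"
fi
```

Against live systems, feed it real output: `diagnose "$(iptables -vnxL FORWARD)" "$(ssh dns-host ip route)"`. If both checks pass and the client still times out, watch the reply with `tcpdump -ni br0 udp port 53` on the router: if the reply from the server never shows up on br0, the problem is on the server (routing, a host firewall, or the daemon bound to the wrong address); if it shows up on br0 but not on the WAN side, the problem is in the router's nat/POSTROUTING path. The GUI forward in the thread is equivalent in effect to a `-t nat PREROUTING` DNAT of port 53 to 192.168.1.44 plus the FORWARD ACCEPT rows visible in the dump, so those are the two places to check on the router. One caveat before exposing port 53 at all: a resolver reachable from the Internet must be authoritative-only or have recursion disabled, otherwise it is an open resolver that will be found and used for reflection traffic.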