Posted: Mon May 04, 2015 21:25 Post subject: IPtables help with DNS server
I'm using DD-WRT on a TP-Link TL-WR841ND v9 configured as an AP with private wifi and secure guest access. My setup is as follows:
Private wifi
192.168.1.0/24
Guest wifi (AP isolation enabled)
192.168.2.0/24
Iptables rules:
#Allow guest bridge access to Internet
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#Block access between private and guest
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
#NAT to make Internet work
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
#Block torrent and p2p
iptables -I FORWARD -p tcp -s 192.168.2.0/24 -m connlimit --connlimit-above 50 -j DROP
iptables -I FORWARD -p ! tcp -s 192.168.2.0/24 -m connlimit --connlimit-above 25 -j DROP
#Block guest access to router services
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
Hardwired to the 192.168.1.0/24 subnet I run a dedicated dnsmasq server, 192.168.1.31 (recursive DNS, no DHCP). When I'm connected to 192.168.1.0/24, devices query the DNS server and get a response as expected, but when I'm connected to the guest wifi this is not the case: even when I configure the local DNS as 192.168.1.31, the internet won't work at all. What iptables rule do I need to add in order to allow DNS requests on my guest wifi to use the DNS server on the private subnet?
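Added example, not part of the original post: a small POSIX shell script that emits the two FORWARD rules needed to let guest clients reach only port 53 on the private-LAN resolver, while the existing guest-to-private DROP rule keeps everything else blocked. The bridge names (br0/br1), guest subnet and resolver address are taken from the question above; the IPT variable, its "echo iptables" dry-run default and the function name guest_dns_rules are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the forum thread). Assumptions: guest bridge br1,
# guest subnet 192.168.2.0/24 and resolver 192.168.1.31 as in the question.
DNS_SERVER="${DNS_SERVER:-192.168.1.31}"
GUEST_IF="${GUEST_IF:-br1}"
GUEST_NET="${GUEST_NET:-192.168.2.0/24}"
# IPT defaults to "echo iptables" so the rules can be reviewed (and tested)
# without touching a live firewall; set IPT=iptables on the router itself.
IPT="${IPT:-echo iptables}"

guest_dns_rules() {
    # -I puts each rule at the top of FORWARD, so when this runs AFTER the
    # poster's script these ACCEPTs are evaluated before the
    # "-i br1 -d <lan>/<mask> ... -j DROP" rule. Only DNS (UDP and TCP 53)
    # from the guest subnet to the single resolver address is opened.
    $IPT -I FORWARD -i "$GUEST_IF" -s "$GUEST_NET" -d "$DNS_SERVER" -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -I FORWARD -i "$GUEST_IF" -s "$GUEST_NET" -d "$DNS_SERVER" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    # Replies to the guest client: DD-WRT's stock firewall already accepts
    # RELATED,ESTABLISHED in FORWARD, but the poster's script inserts its DROP
    # above that, so state this explicitly at the top as well.
    $IPT -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Run directly: prints (or, with IPT=iptables, applies) the three rules.
guest_dns_rules
```

After applying it on the router, confirm the ordering with `iptables -vnL FORWARD --line-numbers`: the two port-53 ACCEPT lines must appear above the DROP that targets the LAN subnet, otherwise the DROP still wins. Note that this only covers the packet filter; dnsmasq on the resolver host must also be willing to answer queries arriving from 192.168.2.0/24.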
I might know what is causing your issue. I am not a pro at this, but I just spent a month banging my head against a wall on an issue that sounds similar to this. It can't hurt to try.
dnsmasq, the DNS and DHCP server DD-WRT has built in, has a default setting (on my router) to listen ONLY on interface br0, and to disregard DNS requests from any other interfaces as erroneous. I can see from your iptables rules that you have another interface called br1 set up. So if you have not changed the default settings, it is very likely that the requests are getting through iptables and then being ignored when they reach dnsmasq. I would try dropping "interface=br0" and "interface=br1" in the dnsmasq extra settings under Services.
Of course, it could actually be an iptables problem. I can't see anything wrong with the setup, but I don't have much experience with them. Regardless, even if it doesn't work it is good to keep in mind that the issue could be a DNS configuration problem, not just an iptables problem. I hope you can get this issue worked out quicker than I did.