I think v24 uses different kernels depending on the platform, 2.4.37 for mips devices and 2.6 for x86.
The reason that --to works is because it is common for GNU/Linux apps to accept shortened option switches. --to is the shortest it will recognize for the option, while --to-destination is the full form.
Yes it would be better to insert the rules because DNAT is a terminating target so the first match will stop the chain.
phuzi0n wrote:
I think v24 uses different kernels depending on the platform, 2.4.37 for mips devices and 2.6 for x86.
Any ideas on how to set up a "group target" in iptables for a v2.6 kernel? I'd like to be able to specify both OpenDNS addresses in the rules, similar to what I've done with the multiple "--to" targets in my example.
phuzi0n wrote:
Yes it would be better to insert the rules because DNAT is a terminating target so the first match will stop the chain.
Thanks for that info. I will take a look at the current (default) chains in that table to try and confirm that inserting (as opposed to appending) won't cause any problems.
So it looks like (in my basically default setup) this will work as intended, even though the OpenDNS entries have been appended to the bottom of the chain (rather than inserted at the top). It also looks like (in my case) inserting them at the top will work just as well...
But it seems to me that with any serious custom NAT mangling and/or port triggering you would probably need to figure out exactly where to insert these OpenDNS entries (possibly somewhere in the middle?). Otherwise you may end up circumventing your NAT strategy for clients on your restricted AP (br1 in my case); or these clients may never get the OpenDNS addresses enforced.
Joined: 22 Jun 2008 Posts: 2440 Location: Am now Dark_Shadow
Posted: Wed Jun 10, 2009 20:42 Post subject:
frater wrote:
Why are you taking such a difficult route?
You can also do it the other way around.
You yourself can use static DNS to your ISP's DNS-server..
I think it's also possible to configure dnsmasq so they will get another dns-entry.
The "Intercept port" is made as an extra when they try to use a static DNS and still force them to the lan ip of the router.
Change your dynamic pool to go from 192.168.1.128 and up, they will then be forced to use 192.168.1.1 as the DNS-server which is configured to use opendns...
Code:
iptables -t nat -A PREROUTING -p udp -i br0 -s 192.168.1.128/25 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -p tcp -i br0 -s 192.168.1.128/25 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
Will this work with static DHCP leases as well? Wired and wireless? I run my own DNS server for my domain and would like me and my wife to use it but force the kids' computers to OpenDNS. Current config is in sig. Thanks in advance.
DHC_DarkShadow wrote:
frater wrote:
Change your dynamic pool to go from 192.168.1.128 and up, they will then be forced to use 192.168.1.1 as the DNS-server which is configured to use opendns...
Code:
iptables -t nat -A PREROUTING -p udp -i br0 -s 192.168.1.128/25 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -p tcp -i br0 -s 192.168.1.128/25 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
Will this work with static DHCP leases as well? Wired and wireless? I run my own DNS server for my domain and would like me and my wife to use it but force the kids' computers to OpenDNS. Current config is in sig. Thanks in advance.
This should work just as well for DHCP reservations, and for both wired and wireless.
As frater noted (per the text I've marked in bold above, and the code you quoted), this would require that you configure your router to point directly to OpenDNS for DNS. This could work for your purposes, assuming that your kids don't have administrative access to their computers and can't fiddle with the IP address settings.
But if there's a way for the kids to assign IP addresses to their machines that are outside the targeted range, then it won't work (or they may simply get no network service at all, depending on how you have IP assignments setup). To prevent the kids from working around it in this way you might be able to use dnsmasq, but I have no experience with this myself. (frater?)
If your kids use wireless and you and your wife don't (or vice versa), or if you have multiple wireless access points (kids on one and adults on another), then that would be another way to segregate DNS service in your household, and the kids couldn't work around it with an address change. In that case you wouldn't need the source address filters in the iptables commands. You would just need to target based on the interface that the kids are using ('-i br0' would need to be changed to '-i wl0' or something else).
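The two rules quoted above, plus phuzi0n's point about inserting rather than appending and the question of which client addresses the "-s 192.168.1.128/25" match actually covers, can be checked without touching a router. The script below is an added example, not code from this thread or from DD-WRT: it prints the rules with "-I" (head of nat/PREROUTING) and "--to-destination" (the full spelling of "--to"), and it tests dotted-quad addresses against the CIDR range the same way the "-s" match does. The interface br0, the router address 192.168.1.1 and the range 192.168.1.128/25 are assumed from the posts above; a shell with 64-bit arithmetic is also assumed. Note that 192.168.1.22 is outside 192.168.1.128/25, so the "-s" match on its own never fires for it; a client at that address only ends up on OpenDNS if it asks the router for DNS and the router's static DNS is OpenDNS.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the DNS-intercept rules
# discussed above and checks which client addresses they would catch.
# Assumed values (change for your network): LAN bridge br0, router LAN address
# 192.168.1.1, kids' range 192.168.1.128/25. Requires a shell with 64-bit
# arithmetic (bash, dash and busybox ash on 64-bit builds are fine).

# Dotted-quad IPv4 address -> unsigned integer, e.g. 192.168.1.22 -> 3232235798
ip2int() {
    _ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS : succeeds when ADDR is inside the range, i.e. when the
# iptables "-s NET/BITS" match would fire for a packet from ADDR.
in_cidr() {
    _net=${2%/*}
    _bits=${2#*/}
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & _mask )) -eq $(( $(ip2int "$_net") & _mask )) ]
}

# intercepted_clients NET/BITS ADDR... : prints the addresses the range covers.
intercepted_clients() {
    _range=$1
    shift
    for _h in "$@"; do
        if in_cidr "$_h" "$_range"; then echo "$_h"; fi
    done
    return 0
}

# dns_intercept_rules IFACE NET/BITS TARGET : prints the two iptables commands.
# "-I" puts them at the head of nat/PREROUTING; DNAT terminates the chain on
# the first match, so rules the firmware appended earlier cannot shadow them.
# --to-destination is the full spelling of the --to used in the thread.
dns_intercept_rules() {
    for _proto in udp tcp; do
        echo "iptables -t nat -I PREROUTING -p $_proto -i $1 -s $2 --dport 53 -j DNAT --to-destination $3"
    done
}

# apply_rules IFACE NET/BITS TARGET : actually run them (root, on the router).
apply_rules() {
    dns_intercept_rules "$@" | while read -r _cmd; do
        $_cmd || exit 1
    done
}

# Usage: sh dns_intercept.sh           (print the rules and a membership check)
#        sh dns_intercept.sh --apply   (install them; needs root and iptables)
case "${1:-}" in
    --apply)
        apply_rules br0 192.168.1.128/25 192.168.1.1 ;;
    *)
        dns_intercept_rules br0 192.168.1.128/25 192.168.1.1
        echo "caught by -s 192.168.1.128/25:"
        intercepted_clients 192.168.1.128/25 192.168.1.22 192.168.1.130 192.168.1.254 ;;
esac
```

Run it without arguments first and compare the printed addresses with your DHCP reservations: any host that is not listed (such as a reservation at .22) is not touched by these rules at all, and any host that can pick its own address outside the range escapes them, which is why matching on the kids' interface instead of a source range is the more robust option when the layout allows it.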
phuzi0n wrote:
Yes it would be better to insert the rules because DNAT is a terminating target so the first match will stop the chain.
SNR wrote:
[...]it seems to me that with any serious custom NAT mangling and/or port triggering you would probably need to figure out exactly where to insert these OpenDNS entries (possibly somewhere in the middle?). Otherwise you may end up circumventing your NAT strategy for clients on your restricted AP (br1 in my case); or these clients may never get the OpenDNS addresses enforced.
???
After thinking this over a bit I've decided that phuzi0n is right, and I should just insert these tables at the top of the chain and be done with it. So here's what the prerouting chain in my nat table finally looks like:
Posted: Thu Jun 11, 2009 4:04 Post subject:
SNR wrote:
This should work just as well for DHCP reservations, and for both wired and wireless. [...]
Yup, it worked. Had a hell of a time getting there though. Since I host my own DNS server for my domain, I had my local IP for my DNS server entered in the setup tab under "Local DNS". To set this up properly I had to reset that back to 0.0.0.0.
Thanks for the help, and thanks to the dev and all who make this project what it is.
Edit: I spoke too soon. It works, but it is applied to all DHCP addresses. My wife's laptop had a static lease of IP 192.168.1.22, well out of the pool, but was still forced to OpenDNS. So I had to set a static IP on the thing itself.
DHC_DarkShadow wrote:
Yup, it worked. [...] Edit: I spoke too soon. It works, but it is applied to all DHCP addresses. My wife's laptop had a static lease of IP 192.168.1.22, well out of the pool, but was still forced to OpenDNS. So I had to set a static IP on the thing itself.
What exact commands did you end up using to set this up?
Posted: Thu Jun 11, 2009 10:43 Post subject:
SNR wrote:
What exact commands did you end up using to set this up?
I used this:
iptables -t nat -A PREROUTING -p udp -i br0 -s 192.168.1.128/25 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -p tcp -i br0 -s 192.168.1.128/25 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
Posted: Sun Jun 14, 2009 21:53 Post subject:
DHC_DarkShadow wrote:
I used this:
iptables -t nat -A PREROUTING -p udp -i br0 -s 192.168.1.128/25 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -p tcp -i br0 -s 192.168.1.128/25 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
It works! I had to manually put in my personal DNS IP on each computer I wanted to use my DNS. If no DNS IP is supplied on the computer using DHCP, whether it's in the range of the script or not, it will automatically use the static DNS IPs of the router. So even the ones in the range, if I manually set the DNS IP, it still forced them to use the static IPs of the router. I am so happy.
DHC_DarkShadow wrote:
It works! I had to manually put in my personal DNS IP on each computer I wanted to use my DNS. If no DNS IP is supplied on the computer using DHCP, whether it's in the range of the script or not, it will automatically use the static DNS IPs of the router. So even the ones in the range, if I manually set the DNS IP, it still forced them to use the static IPs of the router. I am so happy.
As to that nagging issue with this working whether or not the device is in the range specified in your commands... this might be caused by using the "-A" option to Append the rules to the end of the table. You might want to try using "-I" to Insert the commands at the top of the table (as phuzi0n recommended earlier in this thread). In other words: