Joined: 22 Jun 2008 Posts: 2440 Location: Am now Dark_Shadow
Posted: Sun Sep 27, 2009 2:09 Post subject: On LAN DNS and OpenDNS IPtable Script [solved]
Ok, my apologies to phuzi0n for changing directions mid thread.
Goal - Force 192.168.1.128 - 192.168.1.254 to use opendns servers, while forcing 192.168.1.0 - 192.168.1.127 to use my own DNS server running on my LAN. My DHCP pool has been moved up to 192.168.1.200 +50, so that DHCP will get forced to opendns as well.
Solution - I have static lease assignments under services so that I have control of what machines get what IP address' without having to go to each individual machine to set it or change it. The machine's in my house I want on open DNS but want them to have a staic IP, I set a static lease in services anywhere from 192.168.1.128-192.168.1.200. Making sure not to set an IP in the DHCP pool. Machine's in my house I want to use my DNS sever, I set a static lease of 192.168.1.10 - 192.168.1.127. The first 10 IP's I leave for network devices like WAP's, Client Brides, and Repeaters.
And the rest of the setting, which are credited to P~
Code:
#basic setup --> Network Address Server Settings (DHCP)
Static DNS 1 = 192.168.1.10 <---My Private DNS server address
Static DNS 2 = 208.67.222.222 <-OpenDNS
Static DNS 3 = 208.67.220.220 <-OpenDNS
In case anyone is interested and to make the thread complete, here is the first original post.
I use them, I know what they do, but Would it be possible to get a breakdown of the script and it's functions so that someone with limited understanding would understand.
Code:
iptables -t nat -A PREROUTING -p udp -i br0 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -p tcp -i br0 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
If understand this right it forces all connected devices to use the DNS as setup buy the router.
Code:
iptables -t nat -A PREROUTING -i br0 -s 192.168.1.128/25 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -s 192.168.1.128/25 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
Now I think this forces all ip address 192.168.1.128-192.168.1.153 to use the DNS as setup buy the router. right?
Now if I was correct in my assumtion on the second script, then this one would be forcing all ip address 192.168.1.128-192.168.1.153 to use the DNS at ip address 208.67.222.222. right?
Just looking for a little IPTABLE coaching P~ _________________ The New Me
Last edited by DHC_DarkShadow on Wed Jan 27, 2010 23:42; edited 5 times in total
Posted: Sun Sep 27, 2009 3:19 Post subject: Re: OpenDNS IPtable Scipts
iptables
-t nat ----------------------------------------- in the nat table
-A PREROUTING ---------------------------- append this rule to the end of the PREROUTING chain
-i br0 ---------------------------------------- only match traffic coming in br0 interface
-s 192.168.1.128/25 ----------------------- only match traffic from 192.168.1.128 subnet mask 255.255.255.128 (25 bits)
----------------------------------------------- ie. 192.168.1.128 - 192.168.1.255
-p udp --dport 53 --------------------------- only match traffic destined to udp port 53 (DNS)
-j DNAT --to $(nvram get lan_ipaddr) ---- translate the destination IP address to the router's LAN address _________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Joined: 22 Jun 2008 Posts: 2440 Location: Am now Dark_Shadow
Posted: Sun Sep 27, 2009 3:53 Post subject:
Ok so what if I wanted just a certain set of ip addess, say 192.168.1.200-230 and my subnet mask is 255.255.255.0?
I also run my own DNS server in which i want to leave in tacked for the rest of the network. So I would want to force 192.168.1.200-192.168.1.230 subnet mask 255.255.255.0 to 208.67.222.222 _________________ The New Me
Joined: 07 Jun 2006 Posts: 1476 Location: New York, USA
Posted: Sun Sep 27, 2009 11:57 Post subject:
DHC_DarkShadow wrote:
Ok so what if I wanted just a certain set of ip addess, say 192.168.1.200-230 and my subnet mask is 255.255.255.0?
I also run my own DNS server in which i want to leave in tacked for the rest of the network. So I would want to force 192.168.1.200-192.168.1.230 subnet mask 255.255.255.0 to 208.67.222.222
Darkshadow
Are you simply trying to make a set of users use openDNS for filtering and other users not have the opnDNS blacklists apply?
I do this by simply using a static DNS setting on the 2 clients I want to bypass the access fitlers.
Joined: 04 Oct 2007 Posts: 1258 Location: Ohio USA
Posted: Sun Sep 27, 2009 12:18 Post subject:
DHC_DarkShadow wrote:
Ok so what if I wanted just a certain set of ip addess, say 192.168.1.200-230 and my subnet mask is 255.255.255.0?
I also run my own DNS server in which i want to leave in tacked for the rest of the network. So I would want to force 192.168.1.200-192.168.1.230 subnet mask 255.255.255.0 to 208.67.222.222
Note from DD-WRT Wiki: Many builds do not have the iprange match but you can use clever subnet masks to accomplish it as well. You may also be able to download a version of iptables that includes the iprange match via Optware. _________________ (05/02/17) std - 31924
Linksys WRT400N
Buffalo WHR-G300N
dellsweig - the point of these rules is that the router forces them to use the specified DNS address so that users can't manually change them to bypass what they should be. They're rather old rules that have existed on the opendns wiki but there was a recent thread that wanted to change them slightly to go directly to opendns instead of the router... the user had a typo in their rule making it a /5 mask instead of /25 and if this darn forum wasn't so old I'd have merged this back to the original thread.
DHC - I think you may be a little confused by the mask usage within iptables, it's doesn't have to be the same as the network's subnet mask but rather you use it to specify a range for the rule to affect. To do a range like 200-230 you would need to use the iprange match (see iptables man page) but it's not included in broadcom builds. Instead of doing 200-230 you can shift this pool to fit into a /27 subnet range such as 224-255 and then your iptables rule would have 192.168.1.224/27 which matches 32 addresses (though one is likely your broadcast address). _________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
192.168.1.128/25 does indeed cover the broadcast address if your subnet is using the expected class C /24 subnet mask. You don't have to worry about this though because the other parts of the rule will never be matched by broadcasts.
Individual rules will indeed be easier but subnetting is an important concept to learn for networking. _________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Joined: 22 Jun 2008 Posts: 2440 Location: Am now Dark_Shadow
Posted: Mon Sep 28, 2009 12:09 Post subject:
Sorry, thought you were talking about an older thread.
Is there a way to have this script catch dns from 128/25 no mater how the dns addresses are set up in the basic settings page. In other words, the script works If you use it in conjunction with the opendns tutorial. If you use the script with a default settings router it does not work.
My goal is not to have to set anything manually on the devices. As it stands right now I have to manually set the DNS ip address on the PC's not covered by the script. _________________ The New Me
dhcp option 6 in dnsmasq guide. _________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
http://www.dd-wrt.com/wiki/index.php/DNSMasq_as_DHCP_server#ISP_DNS-Servers _________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
It can't circumvent the rules unless something is misconfigured. List the dhcp info the host received and list your chain.
iptables -t nat -vnL PREROUTING _________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Try a lot, But I am learning. As well as trying to get the info on the board for others. Can You link to the old thread?