brent timothy saner on 22 May 2017 13:10:51 -0700


Re: [PLUG] iptables question on redirection & circumvention reporting

On 05/22/2017 03:41 PM, Thomas Delrue wrote:
> Hello,
> I have an internal network with a couple tens-to-hundred devices on it.
> For internal reasons, everyone on the network should be using a specific
> set of DNS servers; for giggles, let's assume that the IP of those DNS
> servers are &
> On the router for this network, we've set it so that it will use that
> particular DNS server to resolve domains and by default we use DHCP to
> tell all clients to use their gateway when resolving DNS queries, thus
> using or
> However, I'm sure you feel where I'm going because there's always that
> one guy/gal who's a tad bit too clever for their own good:
> We've run some traces and figured out that some of the folks (these are
> people who are tech-savvy, don't have access to the router but do have
> admin/root-powers on their own machines) have been setting their own
> machines to use a non-sanctioned DNS server (e.g. for you
> google-people out there).
> My question is twofold:
> First: Is there a way, using iptables (or some other firewall), to
> intercept DNS requests to anything but and and
> redirect them to or in such a way that said users
> would /think/ they get a response from (i.e. they fire off their
> request to but they actually get a response from or

iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to
iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to

> Second: If I wanted to figure out, on an ongoing basis (i.e. for future
> attempts), how many of these things are happening, when they are
> happening and who is using the non-sanctioned DNS server, how would I
> generate a log of this? I would want genuine requests (to or
> to /not/ show up in the log and non-genuine requests (to port
> 53 on /anything but/ either or to show up with
> time-stamp and source IP.
> What would this look like?

here's where it gets hairy. you can definitely log with iptables but
once you start doing logchains (e.g. ), you'll
probably want something like Shorewall (

Your example below can be done with one line in /etc/shorewall{,6}/rules
(assuming you named your WAN zone as "wan" and your local zone as "lan"):

DNAT:Info:DNS wan lan: tcp,udp 53       -       -

If you only want the rule to apply to specific external DNS servers, you
can put those IPs for ORIGDEST.

trust me. shorewall actually makes iptables rules sane.

> I was thinking about this and came up with something like this for
> iptables but don't know if it would work, so before I deploy/test this,
> I was wondering if there is anyone who would be able to tell me whether
> this would/could work or if this is a dumb thing to do...
> iptables -N DNS_MANDATE
> # these two DNS servers are mandated (port 53 and protocol were already
> # matched by the OUTPUT rules below, so only the destination is checked here)
> iptables -A DNS_MANDATE -d -j ACCEPT
> iptables -A DNS_MANDATE -d -j ACCEPT
> # log anything that hasn't returned
> iptables -A DNS_MANDATE -j LOG --log-prefix "DNS Circumvention Attempt: "
> # rewrite and redirect
> ##### [ ??? what goes here to do the actual redirect ??? ] #####
> # We're done after the redirect, but let the redirect through
> iptables -A DNS_MANDATE -j RETURN # Is this the right thing to do?
> # put this in the output chain?
> iptables -A OUTPUT -p tcp --dport 53 -j DNS_MANDATE
> iptables -A OUTPUT -p udp --dport 53 -j DNS_MANDATE
> For extra credit: how would I do this using ip6tables (for servers with
> IPv6 addresses assigned)? Would it be massively different? What about
> netfilter/nftables?

pretty sure you'd just s/iptables/ip6tables/g the above, and replace
10.0.2.x with the appropriate IPv6 addresses.

or just use shorewall6. ;)
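As an added example (not code from this thread), here is one way to cover both questions on a router that sits between the LAN and the resolvers: a generator for the redirect-and-log chain, and a parser that turns the resulting kernel log lines into "timestamp, source, destination" records. It assumes 10.0.2.2 and 10.0.2.3 stand in for the sanctioned DNS IPs that are elided above, that the LAN-facing interface is lan0, and that the sample log lines are constructed; the chain is placed in the nat table on PREROUTING because DNAT is only valid in nat and traffic the router forwards for clients never traverses OUTPUT.

```shell
#!/bin/sh
# Added example, not from the thread. DNS1/DNS2 stand in for the sanctioned
# resolvers (elided in the original); LANIF is the router's LAN-facing interface.
DNS1=${DNS1:-10.0.2.2}
DNS2=${DNS2:-10.0.2.3}
LANIF=${LANIF:-lan0}

# Print (not apply) the rules. Everything lives in the nat table because DNAT is
# only valid there; PREROUTING, not OUTPUT, sees packets the router forwards for
# LAN clients. nat rules match only the first packet of a flow, so LOG yields
# one line per new DNS connection, which is the audit trail asked for.
dns_mandate_rules() {
    cat <<EOF
iptables -t nat -N DNS_MANDATE
# sanctioned resolvers: leave the chain untouched
iptables -t nat -A DNS_MANDATE -d $DNS1 -j RETURN
iptables -t nat -A DNS_MANDATE -d $DNS2 -j RETURN
# anything else: log (rate-limited so a flood cannot fill the log), then rewrite
iptables -t nat -A DNS_MANDATE -m limit --limit 10/min -j LOG --log-prefix "DNS Circumvention Attempt: "
iptables -t nat -A DNS_MANDATE -j DNAT --to-destination $DNS1
iptables -t nat -A PREROUTING -i $LANIF -p udp --dport 53 -j DNS_MANDATE
iptables -t nat -A PREROUTING -i $LANIF -p tcp --dport 53 -j DNS_MANDATE
EOF
}

# Reduce kernel log lines carrying the prefix to "timestamp src -> dst".
dns_offenders() {
    awk '/DNS Circumvention Attempt:/ {
        src = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DST=/) dst = substr($i, 5)
        }
        print $1, $2, $3, src, "->", dst
    }'
}

# Constructed sample of what the kernel log would contain (203.0.113.53 is a
# documentation-range address standing in for an unsanctioned resolver).
SAMPLE_LOG='May 22 13:10:51 router kernel: DNS Circumvention Attempt: IN=lan0 OUT= SRC=10.0.2.57 DST=203.0.113.53 LEN=60 PROTO=UDP SPT=51234 DPT=53
May 22 13:11:02 router kernel: DNS Circumvention Attempt: IN=lan0 OUT= SRC=10.0.2.88 DST=203.0.113.53 LEN=60 PROTO=TCP SPT=40022 DPT=53
May 22 13:11:09 router kernel: unrelated message SRC=10.0.2.5 DST=10.0.2.2'

printf '%s\n' "$SAMPLE_LOG" | dns_offenders
```

Pipe `dns_mandate_rules` into a root shell to apply the rules, and feed `dns_offenders` the kernel log (or `journalctl -k`) to get the per-client report.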


Philadelphia Linux Users Group