Re: Redirecting DNS Not Working

Whoops! forgot to reply to all and sent this only to Andy.

Tried this... and same result: page not displayed. Keep in mind these
are the only rules I have for iptables; do I need any other ones?

iptables -t nat -A PREROUTING -p tcp --dport 53 -j DNAT --to-destination 192.168.1.2:53
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination 192.168.1.2:53
iptables -t nat -A PREROUTING -p tcp --sport 53 -j DNAT --to-destination 192.168.1.2:53
iptables -t nat -A PREROUTING -p tcp --sport 53 -j DNAT --to-destination 192.168.1.2:53

On Fri, Feb 15, 2013 at 11:35 AM, Andrew Beverley <andy@xxxxxxxxxxx> wrote:
> On Fri, 2013-02-15 at 11:24 -0500, John Corps wrote:
>> Hello All,
>>
>> I am having issues with redirecting DNS requests to the internal DNS
>> server. I have a very simple setup: if someone is put into VLAN 1000,
>> then they do not get internet access at all. If they keep the DNS
>> server assigned by DHCP, which is the IP of the gateway in VLAN 1000,
>> every request they make to a website is resolved to this IP and served
>> up the webpage stating no internet is available. If they are clever
>> enough to set their own DNS servers, when they open a browser they do
>> not get anything at all, just "page can't be displayed". I have not done
>> anything with iptables yet, as the internal DNS server is just
>> resolving everything to the local IP address. What I want to do is, if
>> they set their own DNS, redirect them anyway back to the internal
>> DNS. Here are the only 2 rules I have tried, but they do not work at
>> all; maybe I am missing something? Any help would be greatly
>> appreciated!
>>
>> iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
>> iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
>
> If you want to redirect the requests to the local server, then you'll
> need to use the DNAT target instead. All you're doing in your rules is
> changing to port 53 a packet that is destined to port 53 (so nothing at
> all).
>
> Andy
>
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
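An added example, not code from this thread and not what either poster ran, of the DNAT approach Andrew describes, written so that it also covers the situation that most often makes a DNS redirect look like it "works but the page never loads": the clients and the internal resolver sharing one subnet. Assumptions not stated in the thread: the gateway's client-facing interface is named eth1, and the resolver 192.168.1.2 is on that same 192.168.1.0/24 segment as the clients. The script is a dry run by default and only prints the commands it would issue; run it as root with APPLY=1 to install them.

```shell
#!/bin/sh
# Added example, not code from the thread. It forces every DNS query from the
# client LAN to the internal resolver regardless of the resolver the client set.
# Assumed (not given on the list): the gateway's client-facing interface is
# eth1 and the resolver 192.168.1.2 is on the same 192.168.1.0/24 segment as
# the clients. Without APPLY=1 it only prints the commands it would run.
set -eu

LAN_IF="${LAN_IF:-eth1}"              # assumed interface name
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # client subnet from the thread
DNS="${DNS:-192.168.1.2}"             # internal resolver from the thread

# Run a command, or just print it when not applying (APPLY=1 needs root).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

dns_force_rules() {
    # A DNATed packet is forwarded, not delivered locally, so forwarding
    # must be enabled and the packet must pass the FORWARD chain.
    run sysctl -w net.ipv4.ip_forward=1

    for proto in udp tcp; do
        # 1. Rewrite the destination of any DNS query arriving from the LAN
        #    interface that is not already aimed at the resolver. Only the
        #    query (--dport 53) needs a rule: conntrack undoes the DNAT on
        #    the reply by itself, so --sport 53 rules add nothing.
        run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
            -p "$proto" --dport 53 ! -d "$DNS" \
            -j DNAT --to-destination "$DNS:53"

        # 2. Hairpin fix: client and resolver share a subnet, so without
        #    this the resolver answers the client directly, the client sees
        #    a reply from 192.168.1.2 instead of the server it asked, and
        #    discards it. Masquerading the rewritten query makes the reply
        #    come back through the gateway, where the DNAT is reversed.
        run iptables -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" \
            -d "$DNS" -p "$proto" --dport 53 -j MASQUERADE

        # 3. Let the redirected query and its answer through FORWARD even
        #    when the chain policy is DROP (in and out on the same interface).
        run iptables -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_NET" \
            -d "$DNS" -p "$proto" --dport 53 -j ACCEPT
        run iptables -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$DNS" \
            -p "$proto" --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    done
}

dns_force_rules
```

The `-i eth1` match keeps the DNAT from touching port-53 traffic that arrives on the gateway's other interfaces, and `! -d` leaves queries already aimed at the resolver alone (they would work without it, but they would also be masqueraded for no reason). To check from a client, `dig @8.8.8.8 example.com` should now return the internal resolver's answer, and `iptables -t nat -vnL PREROUTING` on the gateway should show the DNAT counters increasing. Only plain port-53 UDP/TCP is caught this way; a client that reaches a resolver over another port or protocol (DNS over TLS on 853, DNS over HTTPS on 443) is not redirected and has to be blocked or allowed separately.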