On Fri, 2013-02-15 at 11:46 -0500, John Corps wrote:
> >> What I want to do is if they set their own DNS, redirect them anyway
> >> back to the internal DNS. Here are the only 2 rules I have tried, but
> >> they do not work at all; maybe I am missing something? Any help would
> >> be greatly appreciated!
> >>
> >> iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
> >> iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
> >
> > If you want to redirect the requests to the local server, then you'll
> > need to use the DNAT target instead. All you're doing in your rules is
> > changing to port 53 a packet that is destined to port 53 (so nothing at
> > all).
>
> Tried this... and same result, page not displayed. Keep in mind these
> are the only rules I have for iptables; do I need any other ones?

[ Please don't top-post ]

> iptables -t nat -A PREROUTING -p tcp --dport 53 -j DNAT --to-destination 192.168.1.2:53
> iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination 192.168.1.2:53

It probably won't matter, but I would add the interface or source IP
addresses, in order to only match packets from your local network.

These 2 rules alone should work. To debug, I would change the target to
LOG and check that the packets are being matched successfully.

> iptables -t nat -A PREROUTING -p tcp --sport 53 -j DNAT --to-destination 192.168.1.2:53
> iptables -t nat -A PREROUTING -p tcp --sport 53 -j DNAT --to-destination 192.168.1.2:53

You don't need these. They may be messing up the packets being sent from
the external DNS server.

Andy

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
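The following is an added example, not code posted by John or Andy in the thread above. It puts Andy's two suggestions together: the DNAT rules restricted to the LAN interface and source network, plus a LOG rule for checking that packets are actually matched. It also goes a step beyond the thread by exempting the internal resolver's own traffic, since a resolver that forwards its queries out through this gateway would otherwise have its upstream lookups DNAT'd straight back to itself. The interface name eth1, the network 192.168.1.0/24 and the resolver address 192.168.1.2 are assumed values taken from or added to the thread; the chain name DNS_FORCE is hypothetical. The function emits an iptables-restore fragment for the nat table rather than calling iptables directly, so it can be inspected before loading.

```shell
#!/bin/sh
# Added example (not from the original thread). Emits an iptables-restore
# fragment that forces all plain port-53 DNS from the LAN to the internal
# resolver. Load it with:
#   dns_redirect_rules eth1 192.168.1.0/24 192.168.1.2 | iptables-restore -n
# (-n keeps the existing tables; the fragment only touches the nat table.)
# Hypothetical values: LAN_IF=eth1, LAN_NET=192.168.1.0/24, DNS_IP=192.168.1.2

dns_redirect_rules() {
    lan_if=$1
    lan_net=$2
    dns_ip=$3
    cat <<EOF
*nat
:DNS_FORCE - [0:0]
# Only LAN-originated traffic to port 53 enters the DNS_FORCE chain
# (the interface and source restriction Andy suggested).
-A PREROUTING -i $lan_if -s $lan_net -p udp --dport 53 -j DNS_FORCE
-A PREROUTING -i $lan_if -s $lan_net -p tcp --dport 53 -j DNS_FORCE
# The resolver's own upstream queries must not be bounced back to itself.
-A DNS_FORCE -s $dns_ip -j RETURN
# Queries already aimed at the resolver need no rewrite.
-A DNS_FORCE -d $dns_ip -j RETURN
# Debug hook: the nat table sees only the first packet of a connection,
# so this logs each new redirected query. Remove it once things work.
-A DNS_FORCE -j LOG --log-prefix "dns-force: "
# The actual redirect, for UDP and TCP DNS.
-A DNS_FORCE -p udp -j DNAT --to-destination $dns_ip:53
-A DNS_FORCE -p tcp -j DNAT --to-destination $dns_ip:53
COMMIT
EOF
}

# Stand-alone usage: print the ruleset for review.
dns_redirect_rules eth1 192.168.1.0/24 192.168.1.2
```

Note that the rules in the thread with `--sport 53` are deliberately absent: DNS replies from the external server are handled by connection tracking, which reverses the DNAT on the way back, and rewriting them separately would corrupt that return path. Watch the kernel log (for example with dmesg or journalctl -k) for the dns-force: prefix while a client queries an external resolver; if nothing appears, the PREROUTING match itself is wrong, not the DNAT.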