
I have a Raspberry Pi on which I'm planning to run two DNS servers, both authoritative, one on port 53 and one on port 54. What I want is all except some traffic to go to the first one, and then all traffic from a certain IP range, let's say 192.168.1.0/16, to go to the second one (which will forward any DNS entries it can't find to the first server).

Currently I'm testing on an Ubuntu VM because it's a little easier to edit files that way.

I've already found some material on the subject but it makes no sense to me (like this and this) and some of the options being used look like they're not available to me. I'm not at all familiar with iptables so most of it looks like gibberish to me.

What I'm looking for is redirecting traffic from port A to port B if it's coming from certain IP addresses and some info on what the command or config actually does.


Update:

I've tried to create some rules, but I have no idea what I'm doing or why it's not working. These were the commands:

iptables -t nat -A PREROUTING -s 192.168.1.0/16 -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:53
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:54
iptables -t nat -A PREROUTING -s 192.168.0.0/16 -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:53
iptables -t nat -A PREROUTING -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:54

The result looks like this:

root@Gelunox-Ubuntu-VM:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       udp  --  192.168.0.0/16       anywhere             udp dpt:domain to:127.0.0.1:53
DNAT       udp  --  anywhere             anywhere             udp dpt:domain to:127.0.0.1:54
DNAT       tcp  --  192.168.0.0/16       anywhere             tcp dpt:domain to:127.0.0.1:53
DNAT       tcp  --  anywhere             anywhere             tcp dpt:domain to:127.0.0.1:54
  • Maybe check the DNAT in iptables (iptables -t nat -I PREROUTING -s 192.168.1.0/16 -p udp --dport 53 -j DNAT --to-destination X.X.X.X:54 ; iptables -t nat -I PREROUTING -s 192.168.1.0/16 -p tcp --dport 53 -j DNAT --to-destination X.X.X.X:54) or, maybe better, the "views" of Bind if you use it – Dom Oct 13 '18 at 18:58
  • @Dom I switched to dnsmasq because bind was eating too much ram – Gelunox Oct 13 '18 at 19:02


After some more tinkering I came to this answer:

iptables -t nat -I PREROUTING 1 --source 192.168.1.0/24 -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -I PREROUTING 2 --source 192.168.1.0/24 -p tcp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -I PREROUTING 3 --source 0/0 -p udp --dport 53 -j REDIRECT --to-ports 54
iptables -t nat -I PREROUTING 4 --source 0/0 -p tcp --dport 53 -j REDIRECT --to-ports 54

As far as I can tell, what happens here is: all incoming traffic on port 53 is first matched against 192.168.1.0/24; if it matches it stays on port 53, and if it doesn't match it gets redirected to port 54.

The numbers after PREROUTING are "line numbers" to make sure the rules are in the correct order.

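To see why rule order decides which server answers, here is a small first-match simulator of the nat PREROUTING chain from the answer above (added example, not part of the original post or of iptables; the rule tuples, `redirect_port` and `insert_at` are my own names). It also shows the masking that turned the question's 192.168.1.0/16 into 192.168.0.0/16 in the `iptables -t nat -L` output.

```python
from ipaddress import ip_address, ip_network

# Each rule: (source network, protocol, matched dport, port REDIRECT sends it to).
# The nat PREROUTING chain is walked top-down; the first matching rule with a
# terminating target (REDIRECT) wins, so order is the whole point.
ANSWER_RULES = [
    ("192.168.1.0/24", "udp", 53, 53),
    ("192.168.1.0/24", "tcp", 53, 53),
    ("0.0.0.0/0", "udp", 53, 54),   # --source 0/0 is "any source"
    ("0.0.0.0/0", "tcp", 53, 54),
]


def normalize(cidr):
    """Mask host bits the way iptables does when it stores a rule.

    iptables silently turns 192.168.1.0/16 into 192.168.0.0/16, which is
    exactly what the question's listing showed.
    """
    return ip_network(cidr, strict=False)


def redirect_port(rules, src, proto, dport):
    """Return the port a packet ends up on after the PREROUTING chain.

    Constructed packets (src, proto, dport) only; nothing touches the real
    firewall. Note that real PREROUTING only sees packets arriving on an
    interface, not queries generated on the box itself (those hit OUTPUT).
    """
    src = ip_address(src)
    for net, rproto, rdport, to_port in rules:
        if src in normalize(net) and proto == rproto and dport == rdport:
            return to_port
    return dport  # no match: chain policy ACCEPT, destination unchanged


def insert_at(rules, position, rule):
    """Model `iptables -t nat -I PREROUTING <position> ...` (1-based index)."""
    new = list(rules)
    new.insert(position - 1, rule)
    return new


def wrong_order_rules():
    """The catch-all inserted at position 1 shadows the LAN rule entirely."""
    return insert_at(ANSWER_RULES, 1, ("0.0.0.0/0", "udp", 53, 54))
```

Checking the live chain with `iptables -t nat -L PREROUTING -n --line-numbers` shows the same positions the simulator uses.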