Customized firewall rule based on domain name won't work after reboot

In order to let devices connected to the guest WiFi (172.10.3.0/24) access the local VPN server 192.168.1.4:443, I wrote a customized rule as follows:

iptables -t nat -I PREROUTING -i br-guest -p tcp --dport 443 -d my_vpn_domain.com -j DNAT --to 192.168.1.4:443

which works well after restarting the firewall. But it won't survive a reboot of my OpenWRT router, since this rule is loaded before a DNS server is available.

Is there a way to let this rule take effect after a proper DNS server is functional? How do I do that?

Edit: The domain name my_vpn_domain.com points to the IP address obtained from the ISP.

The best way to do this would be to create a hotplug script in /etc/hotplug.d/iface/99-myiptablerule (or some similar name):

#!/bin/sh
# netifd sets $ACTION (ifup/ifdown) and $INTERFACE (the logical name, e.g. "wan");
# $DEVICE holds the physical device, so it is $INTERFACE that must be compared here.
[ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "wan" ] && /etc/myiptablesrules.sh

The rule will get added the moment the wan interface comes up, and your DNS will of course then be available to resolve queries.

NOTE: this hotplug script will be called whenever the network settings get changed, so you probably need to put a command in your script first to delete the rule you added. If you don't do this, it's possible you'll get multiple copies of the rule added whenever the network config gets changed.

If I understand you correctly, though, the my_vpn_domain.com is actually the IP address of your wan interface, in which case you could use something like $(uci get network.wan.ipaddr) in the rule to add it instead of using a dns canonical name, which is super inefficient and will force multiple dns lookups and is generally a bad idea. But then again, not sure if I understand you correctly since that type of redirection seems a little odd - it would be better to redirect from a fixed internal IP rather than the wan ip.

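An idempotent version of the hotplug script described in the reply above, added here as an example and not code from the thread. It assumes the logical WAN interface is named wan, the guest bridge is br-guest and the VPN server is 192.168.1.4:443 (all from the thread), and it reads the current WAN address through /lib/functions/network.sh (as in the original poster's later reply) so it also works when the WAN address is assigned by DHCP and therefore not stored in /etc/config/network:

```shell
#!/bin/sh
# Added example (not from the thread): /etc/hotplug.d/iface/99-guest-vpn-dnat
# Re-applies the guest -> VPN DNAT rule each time the WAN interface comes up,
# deleting any stale copies first so repeated hotplug events never stack rules.
# IPT can be overridden to exercise the logic without a real iptables.

IPT="${IPT:-iptables}"
GUEST_IF="br-guest"
VPN_SERVER="192.168.1.4:443"

# One definition of the rule so -C (check), -D (delete) and -I (insert)
# all see byte-identical arguments; $1 is the WAN address to match on.
rule_args() {
    echo "PREROUTING -i $GUEST_IF -p tcp --dport 443 -d $1 -j DNAT --to-destination $VPN_SERVER"
}

# Delete every existing copy of the rule for this address.
# iptables -C exits 0 while a matching rule exists, so loop until it fails.
flush_rule() {
    while $IPT -t nat -C $(rule_args "$1") 2>/dev/null; do
        $IPT -t nat -D $(rule_args "$1") || return 1
    done
}

# Leave the chain holding exactly one copy of the rule.
apply_rule() {
    flush_rule "$1" && $IPT -t nat -I $(rule_args "$1")
}

# Hotplug entry point: netifd sets $ACTION and $INTERFACE. Act only on ifup
# of wan, and take the runtime address from network.sh (a DHCP-assigned WAN
# address is not present in /etc/config/network, so uci get cannot return it).
if [ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "wan" ]; then
    . /lib/functions/network.sh
    network_get_ipaddr WAN_IP "$INTERFACE" || exit 0
    [ -n "$WAN_IP" ] && apply_rule "$WAN_IP"
fi
```

The 99- prefix matters: iface hotplug scripts run in name order, and the firewall's own handler (20-firewall) reloads the ruleset on ifup, which would wipe a rule added by a script that sorted before it.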

Yeah, that is actually my wan ip. However, I just don't know how to put the correct command, whatever it is, in a customized rule. Tried every way, but restarting the firewall still results in failure.

Edit: Thank you a lot for the hint. I found it in an old thread and got the solution:

iptables -t nat -I PREROUTING -i br-guest -p tcp --dport 443 -d $(. /lib/functions/network.sh; network_find_wan NET_IF; network_get_ipaddr NET_ADDR "${NET_IF}"; echo "${NET_ADDR}") -j DNAT --to-destination 192.168.1.4:443

for the record, in case someone else needs it in a similar situation.

Just noticed with my customized rule that the connection of my VPN client to the local VPN server is IPv6 instead of IPv4, as it is supposed to be.

tcp6       0      0 192.168.1.4:443         172.10.3.122:55717      ESTABLISHED

Any idea why?

The command I gave you in the reply above

$(uci get network.wan.ipaddr)

is much shorter and more readable than the very verbose one you quoted, so it would read

iptables -t nat -I PREROUTING -i br-guest -p tcp --dport 443 -d $(uci get network.wan.ipaddr) -j DNAT --to-destination 192.168.1.4:443

Given that these clients are on your private guest lan, I still don't see why you are connecting them to the wan interface and using the redirection on your wan interface? This seems odd and potentially a security risk unless you've got the vpn server running on your wan interface anyway because you need access from outside.

But even if this is the case, you can still tell your guest lan clients to connect to an internal IP instead. Just redirect from the br-guest ip.

So, assuming your guest br-lan IP address is 172.10.3.1, you'd use something like

iptables -t nat -I PREROUTING -i br-guest -p tcp --dport 443 -d 172.10.3.1 -j DNAT --to-destination 192.168.1.4:443

instead, and then you don't need a hotplug-based rule. You could just put the rule in /etc/firewall.user.

Those two endpoint addresses are IPv4 addresses, not IPv6 addresses, and the connection is actually IPv4. It happens because the server is listening on an AF_INET6 socket, which can accept both IPv4 and IPv6 connections.

See here for an explanation: Why are IPv4 TCP connections showing as tcp6?

Actually I have tried using uci but failed. It's probably because what I am using is compiled from the master branch.

There would be no further security risks since the VPN service is also open to the WAN. The purpose of the customized rule is to let me access the VPN service both at home on the local network and at other places from an outside network, without changing the settings on the VPN client side.
