Firewall VLAN Setup Help

No, not this one.
This one:

Now you have opened it though.

Why he would open the nameserver to the internet is beyond me; however, it is a security risk.

For the last time: REDIRECT forces the packets to the device itself.

Do this instead: `nslookup www.openwrt.org 8.8.8.8`

You are using prerouting_lan_rule everywhere, which will not work with the lan2 and iot interfaces being in different firewall zones.
Moreover, since your pihole is in lan2, the first rules, which concern the zone of the pihole, must be for lan2.

Because the second "anything else is hijacked" concerns the other zones, which you have not carried over into your config; you only use lan.

You should use the zone names.

Then you can change the destination IP that won't be hijacked. But I want them to go to the pihole, hence I don't hijack the pihole.

This is my exact config. Since you also have some other zones, you need to apply the correct names and IPs.
In my case the Piholes are in the lan zone with IPs 10.0.2.2 and 10.0.2.3. The OpenWrt lan IP is 10.0.2.1.
Change these things, along with the MAC of the Pihole, and you'll be fine.

```
# DNSHIJACKv4
# Log and hijack to Pihole
iptables -t nat -N dnshijack
#iptables -t nat -I dnshijack -j LOG --log-prefix "dnshijack4 "
iptables -t nat -A dnshijack -j DNAT --to-destination 10.0.2.2
# allow Pihole to query internet
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 00:11:22:33:44:55 -p udp --dport 53 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 00:11:22:33:44:55 -p tcp --dport 53 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -m mac --mac-source AA:BB:CC:DD:EE:FF -p udp --dport 53 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -m mac --mac-source AA:BB:CC:DD:EE:FF -p tcp --dport 53 -j ACCEPT
# allow queries to OpenWrt
iptables -t nat -A prerouting_lan_rule -p tcp --dport 53 -d 10.0.2.1 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -p udp --dport 53 -d 10.0.2.1 -j ACCEPT
# anything else is hijacked
iptables -t nat -A prerouting_lan_rule -p udp --dport 53 -j dnshijack
iptables -t nat -A prerouting_lan_rule -p tcp --dport 53 -j dnshijack
# guest zone
iptables -t nat -A prerouting_guest_rule -p tcp --dport 53 -d 10.0.2.2 -j ACCEPT
iptables -t nat -A prerouting_guest_rule -p udp --dport 53 -d 10.0.2.2 -j ACCEPT
iptables -t nat -A prerouting_guest_rule -p tcp --dport 53 -d 10.0.2.3 -j ACCEPT
iptables -t nat -A prerouting_guest_rule -p udp --dport 53 -d 10.0.2.3 -j ACCEPT
iptables -t nat -A prerouting_guest_rule -p udp --dport 53 -j dnshijack
iptables -t nat -A prerouting_guest_rule -p tcp --dport 53 -j dnshijack
# iot zone
iptables -t nat -A prerouting_iot_rule -p tcp --dport 53 -d 10.0.2.2 -j ACCEPT
iptables -t nat -A prerouting_iot_rule -p udp --dport 53 -d 10.0.2.2 -j ACCEPT
iptables -t nat -A prerouting_iot_rule -p tcp --dport 53 -d 10.0.2.3 -j ACCEPT
iptables -t nat -A prerouting_iot_rule -p udp --dport 53 -d 10.0.2.3 -j ACCEPT
iptables -t nat -A prerouting_iot_rule -p udp --dport 53 -j dnshijack
iptables -t nat -A prerouting_iot_rule -p tcp --dport 53 -j dnshijack
# fix "reply from unexpected source"
iptables -t nat -A postrouting_lan_rule -d 10.0.2.2 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: DNS Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A postrouting_lan_rule -d 10.0.2.2 -p udp -m udp --dport 53 -m comment --comment "!fw3: DNS Pi-hole MASQUERADE" -j MASQUERADE
```
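
As an added illustration of the zone-chain point made earlier in the thread (this is example code written for this page, not the ruleset of anyone posting here), the script below generates the per-zone nat rules from a zone list, using each zone's own prerouting_<zone>_rule chain, and refuses to emit anything when the configured Pi-hole address lies outside its zone's subnet. The zone names, subnets, addresses and MAC are placeholders; the choice to put the MASQUERADE rule in the postrouting chain of the Pi-hole's own zone is my reasoning (the rewritten packets leave through that zone's interface), not a claim from the thread.

```shell
#!/bin/sh
# Added example (not the thread's own ruleset): emit the fw3 custom nat rules
# that redirect port-53 traffic of every zone to the Pi-hole, using each zone's
# own prerouting_<zone>_rule chain rather than prerouting_lan_rule for all.
# Every value below is a placeholder; substitute your zone names and addresses.

PIHOLE_ZONE=lan2                 # zone the Pi-hole lives in
PIHOLE_NET=192.168.10.0/24       # that zone's subnet
PIHOLE_IP=192.168.10.5
PIHOLE_MAC=00:11:22:33:44:55
ROUTER_IP=192.168.10.1           # OpenWrt's own address in the Pi-hole zone
ZONES="lan lan2 iot guest"       # every zone whose clients should be redirected

# ip4_to_int 192.168.10.5 -> 3232238085 (dotted quad to integer)
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_subnet IP NET/BITS -> succeeds when IP lies inside the subnet
in_subnet() {
    ip=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# check_config -> fails when PIHOLE_IP is not inside PIHOLE_NET, i.e. queries
# would be rewritten to an address nothing in that zone answers at
check_config() {
    if ! in_subnet "$PIHOLE_IP" "$PIHOLE_NET"; then
        echo "PIHOLE_IP $PIHOLE_IP is not inside $PIHOLE_NET" >&2
        return 1
    fi
}

# dns_rules ZONE -> prints the nat prerouting rules for one zone
dns_rules() {
    zone=$1
    pre="iptables -t nat -A prerouting_${zone}_rule"
    for proto in udp tcp; do
        if [ "$zone" = "$PIHOLE_ZONE" ]; then
            # the Pi-hole itself must reach upstream resolvers unredirected
            echo "$pre -m mac --mac-source $PIHOLE_MAC -p $proto --dport 53 -j ACCEPT"
            # queries aimed at the router's own dnsmasq stay local
            echo "$pre -p $proto --dport 53 -d $ROUTER_IP -j ACCEPT"
        fi
        # queries already aimed at the Pi-hole need no rewrite
        echo "$pre -p $proto --dport 53 -d $PIHOLE_IP -j ACCEPT"
        # everything else is rewritten to the Pi-hole
        echo "$pre -p $proto --dport 53 -j dnshijack"
    done
}

# masq_rules -> source-NAT the redirected queries so replies come back via the
# router instead of arriving "from unexpected source"; placed in the Pi-hole
# zone's postrouting chain because that is the interface the packets leave on
masq_rules() {
    for proto in udp tcp; do
        echo "iptables -t nat -A postrouting_${PIHOLE_ZONE}_rule -d $PIHOLE_IP -p $proto --dport 53 -j MASQUERADE"
    done
}

# Dry run: print the full ruleset for review before pasting it into the
# custom firewall rules.
if check_config; then
    echo "iptables -t nat -N dnshijack"
    echo "iptables -t nat -A dnshijack -j DNAT --to-destination $PIHOLE_IP"
    for z in $ZONES; do
        echo "# $z zone"
        dns_rules "$z"
    done
    masq_rules
fi
```

Run it once with your values and compare the printed chain names against `iptables-save -c`: every zone that should be redirected must show its own prerouting_<zone>_rule lines, and the DNAT target must be the address inside the Pi-hole's zone.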

Ok, that looks more understandable.

It looks like it's working; however, one thing.
It seems that if I test it by going on one of my devices, changing the DNS server to something like 1.1.1.1, 1.0.0.1 and trying to browse, it doesn't want to resolve anything. However, switching my DNS server back to my Pihole IP works.

This seems like it's just blocking anything not going to the Pihole, instead of hijacking it and forcing it through the Pihole?

Does yours do this?


Also, on a side note, do you also set your WAN interfaces to use the Pihole?
Interfaces > WAN > [Uncheck] Use DNS Servers Advertised By Peers > Use Custom DNS Servers [Pihole IP]

Thanks.

Oh, weird. My other zones don't want to resolve at all, but the one the Pihole is on does (besides what I said about manually changing the DNS of the client).

```
# DNSHIJACKv4
# Log and hijack to Pihole
iptables -t nat -N dnshijack
#iptables -t nat -I dnshijack -j LOG --log-prefix "dnshijack4 "
iptables -t nat -A dnshijack -j DNAT --to-destination PIHOLE_IP
# allow Pihole to query internet
iptables -t nat -A prerouting_lan2_rule -m mac --mac-source PIHOLE_MAC -p udp --dport 53 -j ACCEPT
iptables -t nat -A prerouting_lan2_rule -m mac --mac-source PIHOLE_MAC -p tcp --dport 53 -j ACCEPT
# allow queries to OpenWrt
iptables -t nat -A prerouting_lan2_rule -p tcp --dport 53 -d LAN2_IP -j ACCEPT
iptables -t nat -A prerouting_lan2_rule -p udp --dport 53 -d LAN2_IP -j ACCEPT
# anything else is hijacked
iptables -t nat -A prerouting_lan2_rule -p udp --dport 53 -j dnshijack
iptables -t nat -A prerouting_lan2_rule -p tcp --dport 53 -j dnshijack
# lan zone
iptables -t nat -A prerouting_lan_rule -p tcp --dport 53 -d PIHOLE_IP -j ACCEPT
iptables -t nat -A prerouting_lan_rule -p udp --dport 53 -d PIHOLE_IP -j ACCEPT
iptables -t nat -A prerouting_lan_rule -p udp --dport 53 -j dnshijack
iptables -t nat -A prerouting_lan_rule -p tcp --dport 53 -j dnshijack
# iot zone
iptables -t nat -A prerouting_iot_rule -p tcp --dport 53 -d PIHOLE_IP -j ACCEPT
iptables -t nat -A prerouting_iot_rule -p udp --dport 53 -d PIHOLE_IP -j ACCEPT
iptables -t nat -A prerouting_iot_rule -p udp --dport 53 -j dnshijack
iptables -t nat -A prerouting_iot_rule -p tcp --dport 53 -j dnshijack
# fix "reply from unexpected source"
iptables -t nat -A postrouting_lan_rule -d PIHOLE_IP -p tcp -m tcp --dport 53 -m comment --comment "!fw3: DNS Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A postrouting_lan_rule -d PIHOLE_IP -p udp -m udp --dport 53 -m comment --comment "!fw3: DNS Pi-hole MASQUERADE" -j MASQUERADE
```

No it doesn't.

The correct thing is to set the Pihole as DNS on LAN2, where it is reachable. And yes, I have it like this.
You can run the rule in the 4th line, which enables logging, to verify what was sent to the hijack chain.
For further troubleshooting, provide the output of `iptables-save -c`.

The correct thing is to set the Pihole as DNS on LAN2, where it is reachable.

I have it set in the following places:

  • As the DNS server on INTERFACES > LAN, LAN2, and IOT > Pihole_IP.

  • Under Interfaces > WAN > [Uncheck] Use DNS Servers Advertised By Peers > Use Custom DNS Servers [Pihole_IP]

  • Under INTERFACES > LAN, LAN2, IOT > DHCP Server > ADVANCED > DHCP-OPTIONS > 6,Pihole_IP

  • And under DHCP and DNS > General Settings > DNS Forwardings > Pihole_IP

(and then in the custom ruleset)


For further troubleshooting, provide the output of `iptables-save -c`.

https://bin.snopyta.org/?3362cff9795a8450#8TdDBH4UptG2qWoWAwjXmq4pNgh3gtVfjfKT5hXnRniG
pass: openwrt-trendy

The point of assigning a DNS under an interface is to show from which interface it is reachable. The Pihole is in the LAN2 interface; assign it only there.

That's right.

You don't need it if you have added the dns in interface.

Please post the iptables here, split in two posts if it is long.

The point of assigning a DNS under an interface is to show from which interface it is reachable.

I thought it was meant to assign which DNS servers that interface is meant to use for DNS resolution. I fail to see why this would matter if they're both set as the Pihole vs. being empty, but ok.
And the DHCP-OPTIONS area is just what it sends to the clients when they connect via DHCP, correct?
So I just set it under LAN2, and then I should just leave the other VLANs that use the Pihole empty?

DNS Forwardings
You don't need it if you have added the dns in interface.

Oh, ok.


Please post the iptables here

```
# Generated by iptables-save v1.8.3 on Tue Dec 15 2020
*nat
:PREROUTING ACCEPT [6241:657574]
:INPUT ACCEPT [101:6886]
:OUTPUT ACCEPT [496:35437]
:POSTROUTING ACCEPT [622:39774]
:dnshijack - [0:0]
:postrouting_guest_rule - [0:0]
:postrouting_iot_rule - [0:0]
:postrouting_lan2_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_iot_rule - [0:0]
:prerouting_lan2_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_iot_postrouting - [0:0]
:zone_iot_prerouting - [0:0]
:zone_lan2_postrouting - [0:0]
:zone_lan2_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[16141:1338959] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[11942:1068574] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[1043:69864] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i wlan1-3 -m comment --comment "!fw3" -j zone_guest_prerouting
[3156:200521] -A PREROUTING -i br-lan2 -m comment --comment "!fw3" -j zone_lan2_prerouting
[0:0] -A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_lan2_prerouting
[0:0] -A PREROUTING -i wlan1-2 -m comment --comment "!fw3" -j zone_iot_prerouting
[12260:853590] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[3:710] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[11636:813696] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o wlan1-3 -m comment --comment "!fw3" -j zone_guest_postrouting
[569:35589] -A POSTROUTING -o br-lan2 -m comment --comment "!fw3" -j zone_lan2_postrouting
[0:0] -A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_lan2_postrouting
[0:0] -A POSTROUTING -o wlan1-2 -m comment --comment "!fw3" -j zone_iot_postrouting
[9117:630293] -A dnshijack -j DNAT --to-destination 192.160.10.5
[0:0] -A postrouting_lan_rule -d 192.160.10.5/32 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: DNS Pi-hole MASQUERADE" -j MASQUERADE
[0:0] -A postrouting_lan_rule -d 192.160.10.5/32 -p udp -m udp --dport 53 -m comment --comment "!fw3: DNS Pi-hole MASQUERADE" -j MASQUERADE
[0:0] -A prerouting_iot_rule -d 192.160.10.5/32 -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A prerouting_iot_rule -d 192.160.10.5/32 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A prerouting_iot_rule -p udp -m udp --dport 53 -j dnshijack
[0:0] -A prerouting_iot_rule -p tcp -m tcp --dport 53 -j dnshijack
[807:53204] -A prerouting_lan2_rule -p udp -m mac --mac-source REDACTED_PIHOLE_MAC -m udp --dport 53 -j ACCEPT
[2:128] -A prerouting_lan2_rule -p tcp -m mac --mac-source REDACTED_PIHOLE_MAC -m tcp --dport 53 -j ACCEPT
[0:0] -A prerouting_lan2_rule -d 192.160.10.1/32 -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A prerouting_lan2_rule -d 192.160.10.1/32 -p udp -m udp --dport 53 -j ACCEPT
[203:13806] -A prerouting_lan2_rule -p udp -m udp --dport 53 -j dnshijack
[0:0] -A prerouting_lan2_rule -p tcp -m tcp --dport 53 -j dnshijack
[0:0] -A prerouting_lan_rule -d 192.160.10.5/32 -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A prerouting_lan_rule -d 192.160.10.5/32 -p udp -m udp --dport 53 -j ACCEPT
[8914:616487] -A prerouting_lan_rule -p udp -m udp --dport 53 -j dnshijack
[0:0] -A prerouting_lan_rule -p tcp -m tcp --dport 53 -j dnshijack
[0:0] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[0:0] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[0:0] -A zone_iot_postrouting -m comment --comment "!fw3: Custom iot postrouting rule chain" -j postrouting_iot_rule
[0:0] -A zone_iot_prerouting -m comment --comment "!fw3: Custom iot prerouting rule chain" -j prerouting_iot_rule
[569:35589] -A zone_lan2_postrouting -m comment --comment "!fw3: Custom lan2 postrouting rule chain" -j postrouting_lan2_rule
[2:120] -A zone_lan2_postrouting -s 192.168.10.0/24 -d 192.168.10.5/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: NGINX 443 (reflection)" -j SNAT --to-source 192.168.10.1
[0:0] -A zone_lan2_postrouting -s 192.168.0.0/24 -d 192.168.10.5/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: NGINX 443 (reflection)" -j SNAT --to-source 192.168.0.1
[0:0] -A zone_lan2_postrouting -s 192.168.10.0/24 -d 192.168.10.5/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: NGINX 80 (reflection)" -j SNAT --to-source 192.168.10.1
[0:0] -A zone_lan2_postrouting -s 192.168.0.0/24 -d 192.168.10.5/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: NGINX 80 (reflection)" -j SNAT --to-source 192.168.0.1
[3156:200521] -A zone_lan2_prerouting -m comment --comment "!fw3: Custom lan2 prerouting rule chain" -j prerouting_lan2_rule
[2:120] -A zone_lan2_prerouting -s 192.168.10.0/24 -d REDACTED_PUBLIC_IP/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: NGINX 443 (reflection)" -j DNAT --to-destination 192.168.10.5:443
[0:0] -A zone_lan2_prerouting -s 192.168.0.0/24 -d REDACTED_PUBLIC_IP/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: NGINX 443 (reflection)" -j DNAT --to-destination 192.168.10.5:443
[0:0] -A zone_lan2_prerouting -s 192.168.10.0/24 -d REDACTED_PUBLIC_IP/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: NGINX 80 (reflection)" -j DNAT --to-destination 192.168.10.5:80
[0:0] -A zone_lan2_prerouting -s 192.168.0.0/24 -d REDACTED_PUBLIC_IP/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: NGINX 80 (reflection)" -j DNAT --to-destination 192.168.10.5:80
[3:710] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[11942:1068574] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[11636:813696] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[11636:813696] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[1043:69864] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[6:240] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: NGINX 443" -j DNAT --to-destination 192.168.10.5:443
[12:520] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: NGINX 80" -j DNAT --to-destination 192.168.10.5:80
COMMIT
# Completed on Tue Dec 15 12:36:12 2020
# Generated by iptables-save v1.8.3 on Tue Dec 15 12:36:12 2020
*mangle
:PREROUTING ACCEPT [86247:10830348]
:INPUT ACCEPT [8849:2686557]
:FORWARD ACCEPT [74939:7740231]
:OUTPUT ACCEPT [7255:2794642]
:POSTROUTING ACCEPT [81269:10486087]
[1917:105756] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[1028:58916] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Dec 15 12:36:12 2020
# Generated by iptables-save v1.8.3 on Tue Dec 15 12:36:12 2020
*filter
:INPUT DROP [0:0]
:FORWARD DROP [762:39792]
:OUTPUT DROP [0:0]
:banIP - [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_iot_rule - [0:0]
:forwarding_lan2_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guest_rule - [0:0]
:input_iot_rule - [0:0]
:input_lan2_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_guest_rule - [0:0]
:output_iot_rule - [0:0]
:output_lan2_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_DROP - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_DROP - [0:0]
:zone_iot_dest_DROP - [0:0]
:zone_iot_forward - [0:0]
:zone_iot_input - [0:0]
:zone_iot_output - [0:0]
:zone_iot_src_DROP - [0:0]
:zone_lan2_dest_ACCEPT - [0:0]
:zone_lan2_dest_DROP - [0:0]
:zone_lan2_forward - [0:0]
:zone_lan2_input - [0:0]
:zone_lan2_output - [0:0]
:zone_lan2_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_DROP - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_DROP - [0:0]
[950:89926] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[7899:2596631] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[6393:2498177] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[363:21072] -A INPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[787:33320] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[77:6109] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[1025:69104] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i wlan1-3 -m comment --comment "!fw3" -j zone_guest_input
[41:2169] -A INPUT -i br-lan2 -m comment --comment "!fw3" -j zone_lan2_input
[0:0] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_lan2_input
[0:0] -A INPUT -i wlan1-2 -m comment --comment "!fw3" -j zone_iot_input
[74939:7740231] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[30204:4696078] -A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD --hw
[30204:4696078] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[129:7178] -A FORWARD -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[40124:2755079] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[18:816] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wlan1-3 -m comment --comment "!fw3" -j zone_guest_forward
[4464:281080] -A FORWARD -i br-lan2 -m comment --comment "!fw3" -j zone_lan2_forward
[0:0] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_lan2_forward
[0:0] -A FORWARD -i wlan1-2 -m comment --comment "!fw3" -j zone_iot_forward
[950:89926] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[6301:2704364] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[5607:2655780] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[5:1366] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[317:22983] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o wlan1-3 -m comment --comment "!fw3" -j zone_guest_output
[372:24235] -A OUTPUT -o br-lan2 -m comment --comment "!fw3" -j zone_lan2_output
[0:0] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_lan2_output
[0:0] -A OUTPUT -o wlan1-2 -m comment --comment "!fw3" -j zone_iot_output
[0:0] -A banIP -o eth0.2 -m conntrack --ctstate NEW -m set --match-set whitelist dst -j RETURN
[0:0] -A banIP -i eth0.2 -m conntrack --ctstate NEW -m set --match-set whitelist src -j RETURN
[367:14795] -A banIP -i eth0.2 -m conntrack --ctstate NEW -m set --match-set threat src -j DROP
[0:0] -A banIP -o eth0.2 -m conntrack --ctstate NEW -m set --match-set threat dst -j REJECT --reject-with icmp-port-unreachable
[0:0] -A banIP -i eth0.2 -m conntrack --ctstate NEW -m set --match-set sslbl src -j DROP
[0:0] -A banIP -o eth0.2 -m conntrack --ctstate NEW -m set --match-set sslbl dst -j REJECT --reject-with icmp-port-unreachable
[0:0] -A banIP -i eth0.2 -m conntrack --ctstate NEW -m set --match-set yoyo src -j DROP
[0:0] -A banIP -o eth0.2 -m conntrack --ctstate NEW -m set --match-set yoyo dst -j REJECT --reject-with icmp-port-unreachable
[24:1101] -A banIP -i eth0.2 -m conntrack --ctstate NEW -m set --match-set debl src -j DROP
[39:5884] -A banIP -i eth0.2 -m conntrack --ctstate NEW -m set --match-set dshield src -j DROP
[0:0] -A banIP -o eth0.2 -m conntrack --ctstate NEW -m set --match-set dshield dst -j REJECT --reject-with icmp-port-unreachable
[0:0] -A banIP -i eth0.2 -m conntrack --ctstate NEW -m set --match-set drop src -j DROP
[0:0] -A banIP -o eth0.2 -m conntrack --ctstate NEW -m set --match-set drop dst -j REJECT --reject-with icmp-port-unreachable
[0:0] -A banIP -i eth0.2 -m conntrack --ctstate NEW -m set --match-set edrop src -j DROP
[0:0] -A banIP -o eth0.2 -m conntrack --ctstate NEW -m set --match-set edrop dst -j REJECT --reject-with icmp-port-unreachable
[9:360] -A banIP -i eth0.2 -m conntrack --ctstate NEW -m set --match-set firehol1 src -j DROP
[0:0] -A banIP -o eth0.2 -m conntrack --ctstate NEW -m set --match-set firehol1 dst -j REJECT --reject-with icmp-port-unreachable
[22:1495] -A banIP -i eth0.2 -m conntrack --ctstate NEW -m set --match-set firehol2 src -j DROP
[0:0] -A banIP -o eth0.2 -m conntrack --ctstate NEW -m set --match-set firehol2 dst -j REJECT --reject-with icmp-port-unreachable
[242:14218] -A banIP -i eth0.2 -m conntrack --ctstate NEW -m set --match-set firehol3 src -j DROP
[0:0] -A banIP -o eth0.2 -m conntrack --ctstate NEW -m set --match-set firehol3 dst -j REJECT --reject-with icmp-port-unreachable
[40124:2755079] -A forwarding_lan_rule -j banIP
[18:816] -A forwarding_wan_rule -j banIP
[4:1321] -A input_lan_rule -p udp -m udp --sport 67:68 --dport 67:68 -j RETURN
[73:4788] -A input_lan_rule -j banIP
[0:0] -A input_wan_rule -p udp -m udp --sport 67:68 --dport 67:68 -j RETURN
[1025:69104] -A input_wan_rule -j banIP
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[787:33320] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_guest_dest_ACCEPT -o wlan1-3 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guest_dest_DROP -o wlan1-3 -m comment --comment "!fw3" -j DROP
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_DROP
[0:0] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[0:0] -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Guest DNS" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Guest DNS" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: Guest DHCP" -j ACCEPT
[0:0] -A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_DROP
[0:0] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
[0:0] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[0:0] -A zone_guest_src_DROP -i wlan1-3 -m comment --comment "!fw3" -j DROP
[0:0] -A zone_iot_dest_DROP -o wlan1-2 -m comment --comment "!fw3" -j DROP
[0:0] -A zone_iot_forward -m comment --comment "!fw3: Custom iot forwarding rule chain" -j forwarding_iot_rule
[0:0] -A zone_iot_forward -d 192.168.10.5/32 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: IOT DNS" -j zone_lan2_dest_ACCEPT
[0:0] -A zone_iot_forward -m comment --comment "!fw3: Zone iot to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_iot_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_iot_forward -m comment --comment "!fw3" -j zone_iot_dest_DROP
[0:0] -A zone_iot_input -m comment --comment "!fw3: Custom iot input rule chain" -j input_iot_rule
[0:0] -A zone_iot_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: IOT DHCP" -j ACCEPT
[0:0] -A zone_iot_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_iot_input -m comment --comment "!fw3" -j zone_iot_src_DROP
[0:0] -A zone_iot_output -m comment --comment "!fw3: Custom iot output rule chain" -j output_iot_rule
[0:0] -A zone_iot_output -m comment --comment "!fw3" -j zone_iot_dest_DROP
[0:0] -A zone_iot_src_DROP -i wlan1-2 -m comment --comment "!fw3" -j DROP
[830:56815] -A zone_lan2_dest_ACCEPT -o br-lan2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan2_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan2_dest_DROP -o br-lan2 -m comment --comment "!fw3" -j DROP
[0:0] -A zone_lan2_dest_DROP -o wg0 -m comment --comment "!fw3" -j DROP
[4464:281080] -A zone_lan2_forward -m comment --comment "!fw3: Custom lan2 forwarding rule chain" -j forwarding_lan2_rule
[4464:281080] -A zone_lan2_forward -m comment --comment "!fw3: Zone lan2 to wan forwarding policy" -j zone_wan_dest_ACCEPT
[2:120] -A zone_lan2_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[758:39416] -A zone_lan2_forward -m comment --comment "!fw3" -j zone_lan2_dest_DROP
[41:2169] -A zone_lan2_input -m comment --comment "!fw3: Custom lan2 input rule chain" -j input_lan2_rule
[0:0] -A zone_lan2_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: LAN2 DHCP" -j ACCEPT
[0:0] -A zone_lan2_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[41:2169] -A zone_lan2_input -m comment --comment "!fw3" -j zone_lan2_src_ACCEPT
[372:24235] -A zone_lan2_output -m comment --comment "!fw3: Custom lan2 output rule chain" -j output_lan2_rule
[372:24235] -A zone_lan2_output -m comment --comment "!fw3" -j zone_lan2_dest_ACCEPT
[41:2169] -A zone_lan2_src_ACCEPT -i br-lan2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan2_src_ACCEPT -i wg0 -m comment --comment "!fw3" -j ACCEPT
[5:1366] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_DROP -o br-lan -m comment --comment "!fw3" -j DROP
[40124:2755079] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -d 192.168.10.5/32 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: LAN to LAN2 DNS" -j zone_lan2_dest_ACCEPT
[0:0] -A zone_lan_forward -d 192.168.10.5/32 -p udp -m udp --dport 53 -m comment --comment "!fw3: LAN to LAN2 DNS" -j zone_lan2_dest_ACCEPT
[458:32580] -A zone_lan_forward -d 192.168.10.17/32 -p tcp -m tcp --dport 8096 -m comment --comment "!fw3: LAN to Jellyfin 8096" -j zone_lan2_dest_ACCEPT
[0:0] -A zone_lan_forward -d 192.168.10.17/32 -p udp -m udp --dport 8096 -m comment --comment "!fw3: LAN to Jellyfin 8096" -j zone_lan2_dest_ACCEPT
[0:0] -A zone_lan_forward -d 192.168.10.17/32 -p tcp -m tcp --dport 8920 -m comment --comment "!fw3: LAN to Jellyfin 8920" -j zone_lan2_dest_ACCEPT
[0:0] -A zone_lan_forward -d 192.168.10.17/32 -p udp -m udp --dport 8920 -m comment --comment "!fw3: LAN to Jellyfin 8920" -j zone_lan2_dest_ACCEPT
[0:0] -A zone_lan_forward -d 192.168.10.17/32 -p udp -m udp --dport 7859 -m comment --comment "!fw3: LAN to Jellyfin 7859" -j zone_lan2_dest_ACCEPT
[39666:2722499] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[21:1260] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_DROP
[77:6109] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[77:6109] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[5:1366] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[5:1366] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[77:6109] -A zone_lan_src_ACCEPT -i br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[43666:2985766] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_DROP -o eth0.2 -m comment --comment "!fw3" -j DROP
[18:816] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[5:236] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_DROP
[1025:69104] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[335:31831] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_DROP
[317:22983] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[317:22983] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[335:31831] -A zone_wan_src_DROP -i eth0.2 -m comment --comment "!fw3" -j DROP
COMMIT
# Completed on Tue Dec 15 2020
```

As it is, your resolver is dnsmasq (check /etc/resolv.conf).
What you do by configuring DNS under interfaces is to inform dnsmasq which nameservers are available on every interface. Dnsmasq combines the available nameservers from the interfaces that are up to resolve. So there is no point in adding the same nameserver under interfaces where it is not reachable.

Regarding the iptables, iot and guest don't have any hits, so no packets reached the router from those zones.

```
[0:0] -A PREROUTING -i wlan1-2 -m comment --comment "!fw3" -j zone_iot_prerouting
[0:0] -A PREROUTING -i wlan1-3 -m comment --comment "!fw3" -j zone_guest_prerouting
```

203 packets from lan2 and 8914 from lan were hijacked:
```
[203:13806] -A prerouting_lan2_rule -p udp -m udp --dport 53 -j dnshijack
[8914:616487] -A prerouting_lan_rule -p udp -m udp --dport 53 -j dnshijack
```

However, you have a typo and you are sending to the wrong IP, 192.160.10.5.
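
The counter check in the reply above is worth automating. The script below is an added example, not code from anyone in this thread: it parses `iptables-save -c` lines, sums hijacked packets per zone, lists zones whose PREROUTING dispatch never saw a packet, and compares the dnshijack DNAT target with the expected Pi-hole address. The SAMPLE dump is constructed after the rule shapes seen in the thread, with made-up counters, and EXPECTED_PIHOLE is an assumed value.

```shell
#!/bin/sh
# Added example (not from the thread): audit an `iptables-save -c` dump of the
# nat table for the DNS redirect setup. SAMPLE is constructed from the rule
# shapes in the thread; the packet/byte counters in it are made up.

EXPECTED_PIHOLE=192.168.10.5   # assumed: the address the DNAT should point at

SAMPLE='[9117:630293] -A dnshijack -j DNAT --to-destination 192.160.10.5
[0:0] -A PREROUTING -i wlan1-2 -m comment --comment "!fw3" -j zone_iot_prerouting
[3156:200521] -A PREROUTING -i br-lan2 -m comment --comment "!fw3" -j zone_lan2_prerouting
[203:13806] -A prerouting_lan2_rule -p udp -m udp --dport 53 -j dnshijack
[0:0] -A prerouting_lan2_rule -p tcp -m tcp --dport 53 -j dnshijack
[8914:616487] -A prerouting_lan_rule -p udp -m udp --dport 53 -j dnshijack
[0:0] -A prerouting_iot_rule -p udp -m udp --dport 53 -j dnshijack'

# hijack_hits DUMP -> one "zone packets" line per zone, udp and tcp summed
hijack_hits() {
    printf '%s\n' "$1" | awk '
        / -j dnshijack$/ {
            sub(/^\[/, "", $1); sub(/\]$/, "", $1)   # "[203:13806]" -> "203:13806"
            split($1, c, ":")                        # c[1] = packets, c[2] = bytes
            match($0, /prerouting_[a-z0-9]+_rule/)
            zone = substr($0, RSTART + 11, RLENGTH - 16)
            hits[zone] += c[1]
        }
        END { for (z in hits) print z, hits[z] }' | sort
}

# dnat_target DUMP -> the address the dnshijack chain rewrites queries to
dnat_target() {
    printf '%s\n' "$1" | awk '
        /^\[[0-9:]+\] -A dnshijack .*-j DNAT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--to-destination") print $(i + 1)
        }'
}

# check_dnat_target DUMP -> fails when the rewrite points somewhere other
# than EXPECTED_PIHOLE (the 192.160 vs 192.168 kind of slip)
check_dnat_target() {
    target=$(dnat_target "$1")
    if [ "$target" != "$EXPECTED_PIHOLE" ]; then
        echo "dnshijack rewrites to $target, expected $EXPECTED_PIHOLE" >&2
        return 1
    fi
}

# idle_zones DUMP -> zones whose PREROUTING dispatch never saw a packet,
# so a client there never reached the router at all
idle_zones() {
    printf '%s\n' "$1" | awk '
        /^\[0:0\] -A PREROUTING .*-j zone_[a-z0-9]+_prerouting$/ {
            match($0, /zone_[a-z0-9]+_prerouting$/)
            print substr($0, RSTART + 5, RLENGTH - 16)
        }'
}

# Report on the constructed sample; on a router, feed it `iptables-save -c -t nat`
echo "hijacked packets per zone:"; hijack_hits "$SAMPLE"
echo "zones with no traffic: $(idle_zones "$SAMPLE" | tr '\n' ' ')"
check_dnat_target "$SAMPLE" || echo "fix the DNAT target before anything else"
```

On the sample this reports 8914 packets for lan, 203 for lan2 and 0 for iot, flags iot as idle, and rejects the 192.160.10.5 target; a zone that shows hijacked packets but still fails to resolve points at the DNAT target or the return path, not at the prerouting rules.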

What you do by configuring DNS under interfaces is to inform dnsmasq which nameservers are available on every interface.

Ah okay that makes sense.

Regarding the iptables, iot and guest don't have any hits, so no packets reached the router from those zones.

I don't have any connections on guest, and IOT is still set to drop everything at this time. I only added them into the custom rules so I don't have to do it later.

However, you have a typo and you are sending to the wrong IP, 192.160.10.5.

Oh tf, can't believe I missed that. It looks like I did that on all the lines. :confused:
It all looks to be working now. I'll give it a day and see how it does.

Did we conclude that in this current setup the DNS forwardings from all the LANs on the Pihole aren't possible? Or are they?
If so, do I just set it to the interface the Pihole is on?

I am not sure I clearly understand the question.
If you mean whether the hosts in lan can access the pihole in lan2, then yes.

```
[0:0] -A zone_lan_forward -d 192.168.10.5/32 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: LAN to LAN2 DNS" -j zone_lan2_dest_ACCEPT
[0:0] -A zone_lan_forward -d 192.168.10.5/32 -p udp -m udp --dport 53 -m comment --comment "!fw3: LAN to LAN2 DNS" -j zone_lan2_dest_ACCEPT
```

However, there are no hits.