How to migrate to the new firewall rules or is legacy iptables supported?

Hello community,

I am currently running 21.02 which is no longer stable, so I think I should update to the newest stable, but I have custom firewall rules set up...

They currently look like the following:

iptables -t nat -A PREROUTING -i br-lan ! -s 192.168.1.125 -p udp --dport 53 -j REDIRECT
iptables -t nat -A PREROUTING -i br-lan ! -s 192.168.1.125 -p tcp --dport 53 -j REDIRECT
iptables -t nat -A PREROUTING -i eth0.2 -p udp --dport 53 -j REDIRECT
iptables -t nat -A PREROUTING -i eth0.2 -p tcp --dport 53 -j REDIRECT

These rules are required for safe consumption of Pi-Hole, since then all port 53 requests surely go through the Pi-Hole without middlemen/double hops etc.

My questions would be:

  1. Would it be smart to upgrade to the newest stable while keeping the configuration + everything (since that's an option when doing that)?
  2. What about the firewall rules? Are the legacy rules still supported?

Cheers

You can create a similar rule through normal firewall configuration:

config redirect
        option target 'DNAT'
        option name 'DNS Intercept'
        option src 'lan'
        option src_dport '53'
        option src_ip '!192.168.1.125'

Are both br-lan and eth0.2 part of the lan zone?

Thank you for your reply Dave.

Where should I input this config redirect...?

Yes, I'm pretty sure they are, since only in LAN the requests should get redirected. How do I check though?

So I'm guessing the legacy iptables rules are no longer supported?..

You would append that to the end of /etc/config/firewall.

If you would rather use the LuCI interface, add a port forward rule like this:

For the “Source IP address” click the dropdown menu and type the negated entry into the custom box at the bottom of the dropdown.

And you're 100% sure that this will have the same functionality?

Yes, for rules 1 & 2 in your OP. Maybe 99%.

What about the other two?

Also, is it generally a good idea to upgrade from my version by keeping the configs?

As a suggestion - before upgrading:

  • If added to UCI, having iptables display the rules should show that it matches or is identical in function.
  • You have just verified the correct UCI syntax is identical to the custom rule you made.

Then - after upgrading:

  • Just be sure to use the UCI syntax.

I used this method for years to verify that an iptables rule matched the one produced by the UCI. Hope it helps.

Doesn't the dest have to be 192.168.1.125 or the lan zone though?

No, you just want any DNS query from the LAN source to be redirected to the router, is that not true?

No no, I want all DNS queries to have a guaranteed one hop path to 192.168.1.125, since that's my Pi-Hole...

Ok, then yes you would add 192.168.1.125 as “Internal IP” in the LuCI rule. The original iptables rules did not redirect to the PiHole, so that’s why I was confused.

Aah, ok.

The original iptables rules did not redirect to the PiHole, so that’s why I was confused.

Yikes, what did they do then?

The -j REDIRECT without an IP would have redirected the packet to the machine where the rule was active, which would have been your router.

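The difference discussed in the last posts (REDIRECT delivers to the machine holding the rule, DNAT with `--to-destination` delivers to a named host) can be checked mechanically, in the spirit of the "display the rules and compare" suggestion above. This is an added example, not code from any poster in the thread: the function names `dns_targets` and `not_reaching` are hypothetical, the first sample is the four rules from the opening post, and the DNAT sample is constructed.

```shell
#!/bin/sh
# Reads NAT rules (iptables -S / iptables-save / command syntax) on stdin and
# prints one line per port-53 PREROUTING rule: <in-interface> <proto> <target>
#   -j REDIRECT                 -> "router" (the box the rule runs on)
#   -j DNAT --to-destination X  -> X
dns_targets() {
    awk '
    /-A PREROUTING/ && /--dport 53( |$)/ {
        iface = "any"; proto = "any"; target = ""; dest = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-i") iface = $(i + 1)
            if ($i == "-p") proto = $(i + 1)
            if ($i == "-j") target = $(i + 1)
            if ($i == "--to-destination") dest = $(i + 1)
        }
        if (target == "REDIRECT") dest = "router"
        else if (target != "DNAT") next      # not a NAT decision, skip
        print iface, proto, dest
    }'
}

# Prints the rules whose DNS traffic does NOT end up at resolver $1.
# An optional ":port" suffix on the DNAT destination is ignored.
not_reaching() {
    dns_targets | awk -v want="$1" '{ split($3, a, ":"); if (a[1] != want) print }'
}

# The four rules from the opening post.
LEGACY_RULES='iptables -t nat -A PREROUTING -i br-lan ! -s 192.168.1.125 -p udp --dport 53 -j REDIRECT
iptables -t nat -A PREROUTING -i br-lan ! -s 192.168.1.125 -p tcp --dport 53 -j REDIRECT
iptables -t nat -A PREROUTING -i eth0.2 -p udp --dport 53 -j REDIRECT
iptables -t nat -A PREROUTING -i eth0.2 -p tcp --dport 53 -j REDIRECT'

# Constructed sample: the same LAN match, but as DNAT naming the Pi-hole.
DNAT_RULES='-A PREROUTING -i br-lan ! -s 192.168.1.125/32 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.125:53
-A PREROUTING -i br-lan ! -s 192.168.1.125/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.125:53'

echo "Legacy rules that do not reach 192.168.1.125:"
printf '%s\n' "$LEGACY_RULES" | not_reaching 192.168.1.125
echo "DNAT rules that do not reach 192.168.1.125:"
printf '%s\n' "$DNAT_RULES" | not_reaching 192.168.1.125
```

On a router running iptables, the same check can read live rules with `iptables -t nat -S PREROUTING | not_reaching 192.168.1.125`.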