Iptables rule problem of the DNS redirect

MattQ · July 22, 2022, 4:03am

We set the iptables rule to redirect any website to gateway ip(192.168.1.1) when Internet unavailable.
We set the iptables rules as below:

iptables -C input_lan_rule -p tcp -m tcp --dport 9999 -j ACCEPT || iptables -I input_lan_rule -p tcp -m tcp --dport 9999 -j ACCEPT

iptables -t nat -C PREROUTING -p tcp --dport 53 -j DNAT --to-destination 192.168.1.1:9999 || iptables -t nat -I PREROUTING -p tcp --dport 53 -j DNAT --to-destination 192.168.1.1:9999

iptables -t nat -C PREROUTING -p udp --dport 53 -j DNAT --to-destination 192.168.1.1:9999 || iptables -t nat -I PREROUTING -p udp --dport 53 -j DNAT --to-destination 192.168.1.1:9999

iptables -t nat -C PREROUTING -i bridge0 -p tcp -m multiport --dports 80 -j DNAT --to-destination 192.168.1.1:80 || iptables -t nat -A PREROUTING -i bridge0 -p tcp -m multiport --dports 80 -j DNAT --to-destination 192.168.1.1:80

/usr/bin/dnsmasq -k -x /tmp/dnsmasq-quanta.pid --port=9999 --address=/#/192.168.1.1 &

But there is a problem, when plugging in USB cable, it will popup web page to www.msftconnecttest.com/redirect automatically.

Is there any suggestion to avoid the behavior(popup web page when plugging in USB cable).

Thanks

frollic · July 22, 2022, 6:35am

Disable the feature via the registry?

Add www.msftconnecttest.com to your own DNS and redirect?

Ask Microsoft?

MattQ · July 22, 2022, 7:07am

Hi frollic,
There is a similar product (redirect all website the user try to connect to 192.168.1.1 when the internet is unavailable), but this product does not have this kind of problem(pop-up page when plugging USB cable).

is there any dnsmasq related setting I need to add in order to avoid this kind of problem?
or other suggestions?

Thanks

frollic · July 22, 2022, 7:29am

Depends on what you want to achieve...

The other product might fake the Microsoft site, so the popup never emerges.

MattQ · July 22, 2022, 9:28am

set nat table PREROUTING to route port num 53(DNS) to 192.168.1.1
if I want to drop the destination "www.msftconnecttest.com/redirect", how to set the iptables rule?

Thanks

MattQ · July 22, 2022, 10:55am

there are some dnsmasq parameter settings, is it possible to avoid pop-pop webpage by the following parameter?

--conf-file
--dhcp-leasefile
--addn-hosts
--interface
-except-interface
--no-dhcp-interface
--dhcp-option-force

Thanks

frollic · July 22, 2022, 11:05am

Set your DNS to resolve that Microsoft domain to 0.0.0.0.

Or drop/redirect the IPs of that FQDN in your firewall.

MattQ · July 23, 2022, 4:35am

Hi frollic,
Thanks for your kind reply.
Could you tell me more detail, any example code/config?

Thanks

MattQ · July 29, 2022, 3:07am

Hi frollic,
if I add the following command, when I pluggin USB cable, there is no pop up webpage
but if I pluggin USB cable, then turn off/on NB wifi, it will pop up webpage again.
any suggestion?

iptables -t mangle -A PREROUTING -m string --algo bm --string "www.msftconnecttest.com" -j DROP

Thanks