[Solved] Block and redirect DNS to pi-hole [nftables]

So, openwrt 22.03 is about to go stable, and we have to move from iptables to nftables.

I have a setup similar to what is described in this thread: I have 5 Raspberry Pi 4Bs, and I have installed Pi-hole on two of them.

So, until now, I have been using something similar to this (I copied this code from that thread):

#
# DNSHIJACKv4
# Log and hijack to Pihole
iptables -t nat -N dnshijack
iptables -t nat -I dnshijack -j LOG --log-prefix "dnshijack4 "
iptables -t nat -A dnshijack -j DNAT --to-destination 10.0.2.2
# allow Pihole to query internet
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 00:11:22:33:44:55 -p udp --dport 53 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -m mac --mac-source 00:11:22:33:44:55 -p tcp --dport 53 -j ACCEPT
# allow queries to OpenWrt
iptables -t nat -A prerouting_lan_rule -p tcp --dport 53 -d 10.0.2.1 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -p udp --dport 53 -d 10.0.2.1 -j ACCEPT
# anything else is hijacked
iptables -t nat -A prerouting_lan_rule -p udp --dport 53 -j dnshijack
iptables -t nat -A prerouting_lan_rule -p tcp --dport 53 -j dnshijack
# other zones
iptables -t nat -A prerouting_guest_rule -p tcp --dport 53 -d 10.0.2.2 -j ACCEPT
iptables -t nat -A prerouting_guest_rule -p udp --dport 53 -d 10.0.2.2 -j ACCEPT
iptables -t nat -A prerouting_guest_rule -p udp --dport 53 -j dnshijack
iptables -t nat -A prerouting_guest_rule -p tcp --dport 53 -j dnshijack
iptables -t nat -A prerouting_iot_rule -p tcp --dport 53 -d 10.0.2.2 -j ACCEPT
iptables -t nat -A prerouting_iot_rule -p udp --dport 53 -d 10.0.2.2 -j ACCEPT
iptables -t nat -A prerouting_iot_rule -p udp --dport 53 -j dnshijack
iptables -t nat -A prerouting_iot_rule -p tcp --dport 53 -j dnshijack
# fix "reply from unexpected source"
iptables -t nat -A postrouting_lan_rule -d 10.0.2.2 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: DNS Pi-hole MASQUERADE" -j MASQUERADE
iptables -t nat -A postrouting_lan_rule -d 10.0.2.2 -p udp -m udp --dport 53 -m comment --comment "!fw3: DNS Pi-hole MASQUERADE" -j MASQUERADE
#
# DNSHIJACKv6
# Log and send to Pihole
ip6tables -t nat -N dnshijack
ip6tables -t nat -I dnshijack -j LOG --log-prefix "dnshijack6 "
ip6tables -t nat -A dnshijack -j DNAT --to-destination fd00:bbbb::2
# allow to ask OpenWrt
ip6tables -t nat -A prerouting_lan_rule -p tcp --dport 53 -d fd00:bbbb::1 -j ACCEPT
ip6tables -t nat -A prerouting_lan_rule -p udp --dport 53 -d fd00:bbbb::1 -j ACCEPT
# allow Pihole to query internet
ip6tables -t nat -A prerouting_lan_rule -m mac --mac-source 00:11:22:33:44:55 -p udp --dport 53 -j ACCEPT
ip6tables -t nat -A prerouting_lan_rule -m mac --mac-source 00:11:22:33:44:55 -p tcp --dport 53 -j ACCEPT
# anything else goes to hijack
ip6tables -t nat -A prerouting_lan_rule -p udp --dport 53 -j dnshijack
ip6tables -t nat -A prerouting_lan_rule -p tcp --dport 53 -j dnshijack
# other zones
ip6tables -t nat -A prerouting_guest_rule -p tcp --dport 53 -d fd00:bbbb::2 -j ACCEPT
ip6tables -t nat -A prerouting_guest_rule -p udp --dport 53 -d fd00:bbbb::2 -j ACCEPT
ip6tables -t nat -A prerouting_guest_rule -p udp --dport 53 -j dnshijack
ip6tables -t nat -A prerouting_guest_rule -p tcp --dport 53 -j dnshijack
ip6tables -t nat -A prerouting_iot_rule -p tcp --dport 53 -d fd00:bbbb::2 -j ACCEPT
ip6tables -t nat -A prerouting_iot_rule -p udp --dport 53 -d fd00:bbbb::2 -j ACCEPT
ip6tables -t nat -A prerouting_iot_rule -p udp --dport 53 -j dnshijack
ip6tables -t nat -A prerouting_iot_rule -p tcp --dport 53 -j dnshijack
# fix "reply from unexpected source"
ip6tables -t nat -A postrouting_lan_rule -d fd00:bbbb::2 -p udp -m udp --dport 53 -m comment --comment "!fw3: DNS Pi-hole MASQUERADE" -j MASQUERADE
ip6tables -t nat -A postrouting_lan_rule -d fd00:bbbb::2 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: DNS Pi-hole MASQUERADE" -j MASQUERADE

My question is how can I migrate these rules from iptables to nftables format?

I have noticed that LuCI no longer has that "Custom rules" section under "Network -> Firewall"; how could one include custom configuration in the new versions?
If possible, I would also like not to modify the image or add new packages, and to use only nftables.

So, in short: how do I block DNS in the LAN, except for two MAC addresses (which are not the router's MAC address), and masquerade the responses, using the new nftables firewall?
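As an added example (not part of the original post or of any reply), here is one hand-written nftables equivalent of the rules above for fw4 on 22.03. fw4 reads every `/etc/nftables.d/*.nft` file inside its own `table inet fw4`, so the fragment has no `table` wrapper and uses chain names that do not collide with fw4's own `dstnat`/`srcnat` chains. Assumed, because the thread does not state them: the zone bridge names `br-lan`, `br-guest` and `br-iot`, and the file name `dnshijack.nft`. The IP addresses and the single MAC are the ones from the iptables rules; the second Pi-hole's MAC is not given on the page and has to be added by hand.

```nft
# /etc/nftables.d/dnshijack.nft (assumed file name)
# Included by fw4 inside "table inet fw4", so: no table wrapper, and
# IPv4 and IPv6 are handled together in the inet family.

set pihole_macs {
	type ether_addr
	# MAC from the iptables rules; add the second Pi-hole's MAC here
	elements = { 00:11:22:33:44:55 }
}

chain dnshijack {
	# iptables "LOG then DNAT"; dnat needs the family spelled out in an inet table
	meta nfproto ipv4 log prefix "dnshijack4 " dnat ip to 10.0.2.2
	meta nfproto ipv6 log prefix "dnshijack6 " dnat ip6 to fd00:bbbb::2
}

chain dnshijack_dstnat {
	# -110 runs before fw4's own dstnat chain (priority -100), so this
	# DNAT wins over any redirect configured in /etc/config/firewall
	type nat hook prerouting priority -110; policy accept;

	# only port 53 is of interest; everything else falls through to fw4
	meta l4proto { tcp, udp } th dport 53 jump dnshijack_dns
}

chain dnshijack_dns {
	# lan: the Pi-holes themselves must reach upstream resolvers untouched
	iifname "br-lan" ether saddr @pihole_macs accept
	# lan: queries to the router (dnsmasq) are left alone
	iifname "br-lan" ip daddr 10.0.2.1 accept
	iifname "br-lan" ip6 daddr fd00:bbbb::1 accept
	# guest/iot: queries already addressed to the Pi-hole are left alone
	iifname { "br-guest", "br-iot" } ip daddr 10.0.2.2 accept
	iifname { "br-guest", "br-iot" } ip6 daddr fd00:bbbb::2 accept
	# anything else from these zones is hijacked
	iifname { "br-lan", "br-guest", "br-iot" } jump dnshijack
}

chain dnshijack_srcnat {
	# fix "reply from unexpected source": a client on the same subnet as the
	# Pi-hole would otherwise get the answer straight from 10.0.2.2 instead of
	# from the address it queried, so the hijacked query is sent with the
	# router's address as source. 110 runs after fw4's srcnat chain (100).
	type nat hook postrouting priority 110; policy accept;
	oifname "br-lan" ip daddr 10.0.2.2 meta l4proto { tcp, udp } th dport 53 masquerade
	oifname "br-lan" ip6 daddr fd00:bbbb::2 meta l4proto { tcp, udp } th dport 53 masquerade
}
```

Load it with `/etc/init.d/firewall restart` and inspect the merged result with `fw4 print`; `nft list chain inet fw4 dnshijack_dstnat` then shows the chain once it is live. Two things to keep in mind: `iptables-restore-translate` produces separate `ip nat` and `ip6 nat` tables with the fw3 chain names (`prerouting_lan_rule` and so on), which do not exist under fw4, so its output still has to be merged into the `inet fw4` table as above; and the masquerade rule makes every hijacked query arrive at the Pi-hole with the router's address as source, so per-client statistics in Pi-hole are lost for those queries, exactly as with the iptables version.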

There are iptables to nftables rule converters out there to help.
https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

As @trendy says there are converters available.
But you can also just install iptables-nft (and ip6tables-nft if required) and continue to use iptables commands.


Many thanks, that worked for me!
I first had to export the iptables rules from my current setup. After that, I sanitized the file to keep only the blocking, forwarding and masquerading rules.
After doing that, I used iptables-restore-translate, as @trendy pointed out, and I got a working file that I can now import under new OpenWrt versions.
I didn't try installing the iptables-nft packages, but thanks for that too @bluewavenet; let it be my backup method if anything goes wrong with the new rules file.
Thank you all!

