OpenWrt Forum Archive

Topic: help iptables rules for OpenDNS with ip exceptions

The content of this topic has been archived on 27 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have the dilemma below: my router, a TP-Link WDR3600 on BB 14.07, has OpenDNS Parental Control installed:

config interface 'wan'
    option ifname 'eth0.2'
    option proto 'dhcp'
    option macaddr '00:11:22:33:44:56'
    option delegate '0'
    option peerdns '0'
    option dns '208.67.222.222 208.67.220.220'

and I want to leave my PC excluded from OpenDNS, using Google instead:

DNS 1: 8.8.8.8
DNS 2: 8.8.4.4

the problem is that in firewall.user there is:

iptables -t nat -I PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -I PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53

and when I set these settings to exclude OpenDNS on my PC, it is not working.

/etc/config/dhcp
config mac
    option networkid 'chgdns'
    option mac '00:11:22:33:44:55'
    list dhcp_option '6,8.8.8.8,8.8.4.4'

If I delete the settings in firewall.user it works, but then on any machine you can change the DNS and bypass the OpenDNS Parental Control.

Is there a way to only allow my PC without deleting the firewall.user rule?

(Last edited by norman25 on 6 Jul 2015, 20:45)

bump

If your firewall configuration is redirecting any request to port 53 back into the router, then no machine can connect to any external DNS, even if you configure specific DNS servers on the DHCP; your special machine is trying to reach Google's DNS, but all requests are redirected to the router.

I guess you should exclude the IP address of that special machine from the firewall rules.

ok, I read the OpenWrt wiki and see I can do it!!

thx

You can exclude forced dns redirection on machine(s) using (!) which means "not" in Linux and netmask... First make static lease to your PC machine(s). Then try:

iptables -t nat -I PREROUTING -i br0 -s !192.168.1.30/32 -p udp --dport 53 -j DNAT --to 208.67.222.222
iptables -t nat -I PREROUTING -i br0 -s !192.168.1.30/32 -p tcp --dport 53 -j DNAT --to 208.67.222.222

This command will redirect all DNS (tcp/udp 53) queries except for IP 192.168.1.30...

yeah, after searching several hours on Google I found this:
http://serverfault.com/questions/307087 … xceptions#

iptables -t nat -I PREROUTING -i br0 -s 192.168.1.2 -j ACCEPT
iptables -t nat -I PREROUTING -i br0 -s 192.168.1.2 -p all --dport 53 -j ACCEPT

It is very similar to yours, but I tried it and it does not work :-(
and yes, I'm using a static IP for the computer that needs to be whitelisted

anyway, here is my try:
iptables -t nat -I PREROUTING -i eth0.2 -s 192.168.1.110 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0.2 -s 192.168.1.110 -p all --dport 53 -j ACCEPT
your suggestion!!
iptables -t nat -I PREROUTING -i eth0.2 -s !192.168.1.110/32 -p udp --dport 53 -j DNAT --to 208.67.222.222
iptables -t nat -I PREROUTING -i eth0.2 -s !192.168.1.110/32 -p tcp --dport 53 -j DNAT --to 208.67.222.222
does not work...
dammit, I can't find a way to do it...

(Last edited by norman25 on 7 Jul 2015, 17:29)

try it with a space between ! and the IP... like this

iptables -t nat -I PREROUTING -i eth0.2 -s ! 192.168.1.110/32 -p udp --dport 53 -j DNAT --to 208.67.222.222
iptables -t nat -I PREROUTING -i eth0.2 -s ! 192.168.1.110/32 -p tcp --dport 53 -j DNAT --to 208.67.222.222

or try it with the MAC of your PC...

iptables -t nat -I PREROUTING -i eth0.2 -m mac ! --mac-source YOUR-MAC-ADDRESS-HERE -p udp --dport 53 -j DNAT --to 208.67.222.222
iptables -t nat -I PREROUTING -i eth0.2 -m mac ! --mac-source YOUR-MAC-ADDRESS-HERE -p tcp --dport 53 -j DNAT --to 208.67.222.222

One thing... why don't you create a "special" interface for the people you want to be redirected to OpenDNS?

I got it!!!!
iptables -t nat -I PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -I PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -I PREROUTING -p tcp --dport 53 -s 192.168.1.110 -j ACCEPT
iptables -t nat -I PREROUTING -p udp --dport 53 -s 192.168.1.110 -j ACCEPT
yesss!!!!
because OpenDNS filters all devices connected to my router (the kids have a lot of devices) and I only need to allow one PC
that then doesn't use OpenDNS and uses Google or any other unfiltered DNS instead

thanks for your help!

(Last edited by norman25 on 2 Aug 2016, 04:02)
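The working rule set above, and the negated-source variant suggested earlier in the thread, both depend on how netfilter walks the nat PREROUTING chain: first matching rule wins, `-I` puts a rule at the top, and an `-i` match on the WAN port never sees LAN clients. The following is an added example, not code from the thread or from OpenWrt. It does not touch iptables at all; it is a small Python model of that chain that replays the thread's firewall.user lines and reports which resolver a client's port-53 packet would reach. The interface names `br-lan` and `eth0.2` (the WAN ifname in the thread's network config), the client address `192.168.1.50`, and the assumption that the two REDIRECT lines were still present during the `-i eth0.2` attempt are mine.

```python
"""Model of first-match evaluation in the iptables nat PREROUTING chain.

Added example for the OpenDNS-exception thread; it only simulates rule
matching so the effect of -I ordering and of interface matches is visible.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on (-i)
    src: str        # source IPv4 address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    target: str                      # ACCEPT, REDIRECT or DNAT
    in_iface: Optional[str] = None   # -i <iface>
    src: Optional[str] = None        # -s <host> (single host for simplicity)
    src_negate: bool = False         # ! -s <host>
    proto: Optional[str] = None      # -p tcp|udp
    dport: Optional[int] = None      # --dport
    to: Optional[str] = None         # --to / --to-ports

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.src is not None:
            hit = pkt.src == self.src
            if hit == self.src_negate:   # plain -s needs a hit, ! -s needs a miss
                return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


class NatPrerouting:
    """Ordered rule list with the same insert/append semantics as iptables."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def insert(self, rule: Rule) -> None:   # iptables -I (rule number 1)
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:   # iptables -A
        self.rules.append(rule)

    def lookup(self, pkt: Packet) -> Optional[Rule]:
        for rule in self.rules:              # first match terminates the walk
            if rule.matches(pkt):
                return rule
        return None                          # chain policy: packet keeps its original destination


def resolver_for(chain: NatPrerouting, pkt: Packet) -> str:
    """Where a client's DNS packet ends up: the router's dnsmasq, a DNAT target, or its original destination."""
    rule = chain.lookup(pkt)
    if rule is None or rule.target == "ACCEPT":
        return "original destination"
    if rule.target == "REDIRECT":
        return "router:" + rule.to
    return rule.to                           # DNAT


def load_firewall_user(lines: List[Tuple[str, Rule]]) -> NatPrerouting:
    """Apply (method, rule) pairs in file order, as /etc/firewall.user is read top to bottom."""
    chain = NatPrerouting()
    for method, rule in lines:
        getattr(chain, method)(rule)
    return chain


PC, KID, LAN, WAN = "192.168.1.110", "192.168.1.50", "br-lan", "eth0.2"   # constructed sample values
REDIRECT_LINES = [
    ("insert", Rule("REDIRECT", proto="tcp", dport=53, to="53")),
    ("insert", Rule("REDIRECT", proto="udp", dport=53, to="53")),
]


def working_rules() -> NatPrerouting:
    """The thread's final firewall.user: four -I lines, so the ACCEPT lines end up above the REDIRECTs."""
    return load_firewall_user(REDIRECT_LINES + [
        ("insert", Rule("ACCEPT", proto="tcp", dport=53, src=PC)),
        ("insert", Rule("ACCEPT", proto="udp", dport=53, src=PC)),
    ])


def appended_accept_rules() -> NatPrerouting:
    """Same four rules, but the exceptions added with -A: they land below the REDIRECTs and never fire."""
    return load_firewall_user(REDIRECT_LINES + [
        ("append", Rule("ACCEPT", proto="tcp", dport=53, src=PC)),
        ("append", Rule("ACCEPT", proto="udp", dport=53, src=PC)),
    ])


def wan_iface_rules() -> NatPrerouting:
    """The earlier attempt: ACCEPT bound to -i eth0.2, the WAN port, which LAN packets never arrive on."""
    return load_firewall_user(REDIRECT_LINES + [
        ("insert", Rule("ACCEPT", in_iface=WAN, src=PC)),
    ])


def negated_source_rules() -> NatPrerouting:
    """The ! -s suggestion on the LAN bridge: everyone but the PC is DNATed to OpenDNS."""
    return load_firewall_user([
        ("insert", Rule("DNAT", in_iface=LAN, src=PC, src_negate=True, proto="udp", dport=53, to="208.67.222.222")),
    ])


if __name__ == "__main__":
    pc_query = Packet(LAN, PC, "udp", 53)
    kid_query = Packet(LAN, KID, "udp", 53)
    for name, build in [("working", working_rules), ("appended", appended_accept_rules),
                        ("wan iface", wan_iface_rules), ("negated", negated_source_rules)]:
        chain = build()
        print(f"{name:10} pc -> {resolver_for(chain, pc_query)}, kid -> {resolver_for(chain, kid_query)}")
```

Running it shows the PC reaching its original destination only in the `working` and `negated` cases; in the `appended` and `wan iface` cases every client, the PC included, is redirected to the router. The same first-match walk is what makes the ordering of `-I` lines in firewall.user matter.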

I'd like to resurrect this issue, because I have a very similar problem when using OpenDNS:

I created several VLAN zones, one of which is used by the kids, and one of which is used by my PC. I assigned different name servers to each of these zones:

config interface 'pc'
        option ifname 'eth0.1'
        option force_link '1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '10.10.1.1'
        option type 'bridge'
        option dns '208.67.222.222 208.67.220.220'

config interface 'kids'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option dns '208.67.220.123 208.67.222.123'
        option ipaddr '10.10.4.1'
        option ifname 'eth0.4'

As you can see, the kids use the fixed parental filter at OpenDNS, while my PC uses the configurable DNS set. In the "dashboard" on OpenDNS.org I set the filtering level to "none", because I just want to make use of the faster DNS, and I also set up the DynDNS, so that my individual network filtering configuration can be assigned. There are MAC filters that prevent the kids' machines from using any other networks than the one they are supposed to use. But there are no firewall rules yet that block or redirect DNS requests to any IP.

With this setup, I expected that the PC's DNS requests would not be filtered, while the kids' requests would be filtered. I explicitly tried this by calling an "adult site" from the kids' zone, and it was filtered. Great.

But to my big surprise, I recently tried to go to a page that deals with technical information about Blu-ray players from my PC, and I was told that this page was blocked by OpenDNS, because it was categorized as porn.

Obviously, there is something wrong, either with OpenDNS, with OpenWRT, or with my understanding. If I was forced to bet my money on one, I would say it's most probably the latter one.

So, could someone please tell me what I am doing wrong there, or what else I have to do to achieve the desired effect?

(Last edited by _w_ on 12 Sep 2015, 11:09)

please post your firewall.user config and any other related info... maybe I can help you
