Posted: Tue May 24, 2016 9:34 Post subject: Client-Specific DNS restrictions using IPTables
Hi There,
After reading some of the questions and tutorials regarding IPtables and routing, I'd appreciate your help regarding this issue:
I'm trying to force specific restrictions on my Roku device, which is connected (wired) to my DD-WRT router and has a static IP, while not affecting the rest of my network (mostly wireless connected devices).
What I need is to:
1. Force Roku to use a specific DNS address (btw - is it possible to give it both a primary AND a secondary DNS to use?)
2. Reject Roku's requests to Google DNS (8.8.8.8 and 8.8.4.4).
This is the command I'm currently using - IT WORKS, but it affects the entire network:
iptables -t nat -I PREROUTING -i br0 -s 192.XXX.XX.XXX (**ROKU'S STATIC IP ADDRESS**)/25 -p udp --dport 53 -j DNAT --to 95.141.XX.XXX (**DNS I WANT TO USE**)
iptables -t nat -I PREROUTING -i br0 -s 192.XXX.XX.XXX (**ROKU'S STATIC IP ADDRESS**)/25 -p tcp --dport 53 -j DNAT --to 95.141.XX.XXX (**DNS I WANT TO USE**)
This is how I'm trying to block Google DNS - currently doesn't work, so I had to remove it:
iptables -I FORWARD -d 192.XXX.XX.XXX (**ROKU'S STATIC IP ADDRESS**)$(nvram get lan_netmask) 8.8.8.8 -j REJECT
iptables -I FORWARD -d 192.XXX.XX.XXX (**ROKU'S STATIC IP ADDRESS**)/$(nvram get lan_netmask) 8.8.4.4 -j REJECT
Notice I used -S for the first one (subnet) and -D for the second one - not sure what the correct way to do this is. I also tried to get the lan_netmask in the second one, but I'm probably doing this wrong.
Would love to hear what you guys think and how this can be done more wisely.
I do the exact same thing with my Chromecast. You only need the first two iptables rules that use PREROUTING in the nat table. Remove the /25 after your Roku IP. This /25 tells the router to apply your rule to a range of IP addresses (google "netmask CIDR notation"), hence why your network is affected. I believe you don't need the -i br0 either, as you are giving a specific IP already.
iptables -t nat -I PREROUTING -s (**192...ROKU'S STATIC IP ADDRESS**) -p udp --dport 53 -j DNAT --to 95.141.XX.XXX (**DNS I WANT TO USE**)
iptables -t nat -I PREROUTING -s (**192...ROKU'S STATIC IP ADDRESS**) -p tcp --dport 53 -j DNAT --to 95.141.XX.XXX (**DNS I WANT TO USE**)
You are redirecting all DNS traffic (port 53) from your Roku to wherever you want. It doesn't matter where it was going originally -- Google DNS or anywhere else.
To redirect for all your network, you can just do:
Code:
iptables -t nat -I PREROUTING -p udp --dport 53 -j DNAT --to 95.141.XX.XXX (**DNS I WANT TO USE**)
iptables -t nat -I PREROUTING -p tcp --dport 53 -j DNAT --to 95.141.XX.XXX (**DNS I WANT TO USE**)
By omitting a source IP, you are being less restrictive, so the router will now redirect ALL DNS requests. I haven't tested this, though. In theory it should work! You could also redirect to your router (put in the IP address of your router in **DNS I WANT TO USE**).
To redirect specifically for Google DNS, I believe this should do it:
Code:
iptables -t nat -I PREROUTING -d 8.8.8.8 -p udp --dport 53 -j DNAT --to 95.141.XX.XXX (**DNS I WANT TO USE**)
iptables -t nat -I PREROUTING -d 8.8.8.8 -p tcp --dport 53 -j DNAT --to 95.141.XX.XXX (**DNS I WANT TO USE**)
iptables -t nat -I PREROUTING -d 8.8.4.4 -p udp --dport 53 -j DNAT --to 95.141.XX.XXX (**DNS I WANT TO USE**)
iptables -t nat -I PREROUTING -d 8.8.4.4 -p tcp --dport 53 -j DNAT --to 95.141.XX.XXX (**DNS I WANT TO USE**)
Again, untested by me! This should intercept only DNS traffic headed for Google's servers (-d is destination switch) and redirect wherever you want.
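Putting the question and the reply above together, here is an added example script that is not code from either poster and not part of DD-WRT itself. It installs the per-host rules the reply describes (a /32 source instead of the /25, both UDP and TCP on port 53) and keeps the original poster's REJECT idea as a safety net in the correct iptables form. The Roku address 192.168.1.50, the resolver 95.141.0.1 and the bridge name br0 are assumptions standing in for the placeholders in the thread; override them with environment variables. With DRY_RUN=1 the script only prints the rules, so you can review them before pasting the script into the router's firewall script slot.

```shell
#!/bin/sh
# Added example (not from the thread): per-client DNS enforcement on a
# DD-WRT router. Assumed values replace the placeholders in the posts.
ROKU_IP="${ROKU_IP:-192.168.1.50}"   # assumed static LAN address of the Roku
DNS_IP="${DNS_IP:-95.141.0.1}"       # assumed resolver the Roku must use
LAN_IF="${LAN_IF:-br0}"              # DD-WRT's default LAN bridge

# run: apply one iptables rule, or print it when DRY_RUN=1 so the rule set
# can be reviewed (and tested) without root or a router.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# dns_rules HOST RESOLVER: install the rules for exactly one LAN host.
#  - "-s HOST/32" (same as a bare "-s HOST") matches that single address; the
#    /25 in the original post widened the match to a 128-address block, which
#    is why the whole network was redirected.
#  - DNAT in nat/PREROUTING rewrites the destination of the first packet of
#    each DNS flow; conntrack un-rewrites the replies, so the client still
#    believes it is talking to 8.8.8.8.
#  - The FORWARD REJECTs can only match a query to Google's resolvers that was
#    NOT rewritten (e.g. after someone deletes the nat rules), because DNAT
#    runs before FORWARD is consulted. They are a backstop, not the control.
dns_rules() {
    host="$1"
    resolver="$2"
    for proto in udp tcp; do
        run -t nat -I PREROUTING -i "$LAN_IF" -s "$host/32" -p "$proto" --dport 53 \
            -j DNAT --to-destination "$resolver"
        for gdns in 8.8.8.8 8.8.4.4; do
            run -I FORWARD -i "$LAN_IF" -s "$host/32" -d "$gdns" -p "$proto" --dport 53 \
                -j REJECT
        done
    done
}

# Usage:  sh dns-enforce.sh dry-run   -> print the six rules
#         sh dns-enforce.sh apply     -> install them (needs root)
case "${1:-}" in
    apply)   dns_rules "$ROKU_IP" "$DNS_IP" ;;
    dry-run) DRY_RUN=1; dns_rules "$ROKU_IP" "$DNS_IP" ;;
esac
```

After applying, `iptables -t nat -L PREROUTING -n -v` shows the packet counters on the two DNAT rules climbing while the Roku is in use, which is the quickest way to confirm the match is hitting only that host. Two caveats a practitioner would want: a DNAT rule rewrites to a single destination, so iptables alone cannot give the device a primary and a secondary resolver (if two upstreams are needed, DNAT to the router and let the dnsmasq forwarder DD-WRT runs hold both), and port-53 rules say nothing about DNS carried over TLS (tcp/853) or HTTPS (tcp/443), which these rules neither redirect nor block.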