How to drop dns packet in nat?
My conputer with ubuntu share internet connection with NAT (internet eth0, ip 1.2.3.4 and LAN eth2, ip 192.168.0.1/16).
I want to use my own dnsmasq service on this ubuntu and deny all requests to other dns servers in internet from LAN.
How can i configure this in iptables?
Now my iptables allow all from all and masquerade traffic from eth2 to eth0 (internet).
SOLUTION: Add to iptables macquerade only to ports 80 and 443, but not 53 (or some other else).
iptables
asked Feb 25 at 14:05
AlexeyAlexey
1012
add a comment |
My conputer with ubuntu share internet connection with NAT (internet eth0, ip 1.2.3.4 and LAN eth2, ip 192.168.0.1/16).
I want to use my own dnsmasq service on this ubuntu and deny all requests to other dns servers in internet from LAN.
How can i configure this in iptables?
Now my iptables allow all from all and masquerade traffic from eth2 to eth0 (internet).
SOLUTION: Add to iptables macquerade only to ports 80 and 443, but not 53 (or some other else).
iptables
asked Feb 25 at 14:05
AlexeyAlexey
1012
In many circumstances when using NAT it's better to allow all ports to masquerade except ones you specifically want to block, rather than only allowing say 80 and 443, as that would block a lot of useful services. But I don't know your situation.
– thomasrutter
Feb 27 at 5:37
add a comment |
My conputer with ubuntu share internet connection with NAT (internet eth0, ip 1.2.3.4 and LAN eth2, ip 192.168.0.1/16).
I want to use my own dnsmasq service on this ubuntu and deny all requests to other dns servers in internet from LAN.
How can i configure this in iptables?
Now my iptables allow all from all and masquerade traffic from eth2 to eth0 (internet).
SOLUTION: Add to iptables macquerade only to ports 80 and 443, but not 53 (or some other else).
iptables
asked Feb 25 at 14:05
AlexeyAlexey
1012
My conputer with ubuntu share internet connection with NAT (internet eth0, ip 1.2.3.4 and LAN eth2, ip 192.168.0.1/16).
I want to use my own dnsmasq service on this ubuntu and deny all requests to other dns servers in internet from LAN.
How can i configure this in iptables?
Now my iptables allow all from all and masquerade traffic from eth2 to eth0 (internet).
SOLUTION: Add to iptables macquerade only to ports 80 and 443, but not 53 (or some other else).
iptables
iptables
asked Feb 25 at 14:05
AlexeyAlexey
1012
asked Feb 25 at 14:05
AlexeyAlexey
1012
edited Feb 27 at 5:33
Alexey
asked Feb 25 at 14:05
AlexeyAlexey
1012
asked Feb 25 at 14:05
AlexeyAlexey
1012
asked Feb 25 at 14:05
AlexeyAlexey
1012
1012
In many circumstances when using NAT it's better to allow all ports to masquerade except ones you specifically want to block, rather than only allowing say 80 and 443, as that would block a lot of useful services. But I don't know your situation.
– thomasrutter
Feb 27 at 5:37
add a comment |
In many circumstances when using NAT it's better to allow all ports to masquerade except ones you specifically want to block, rather than only allowing say 80 and 443, as that would block a lot of useful services. But I don't know your situation.
– thomasrutter
Feb 27 at 5:37
In many circumstances when using NAT it's better to allow all ports to masquerade except ones you specifically want to block, rather than only allowing say 80 and 443, as that would block a lot of useful services. But I don't know your situation.
– thomasrutter
Feb 27 at 5:37
In many circumstances when using NAT it's better to allow all ports to masquerade except ones you specifically want to block, rather than only allowing say 80 and 443, as that would block a lot of useful services. But I don't know your situation.
– thomasrutter
Feb 27 at 5:37
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1121136%2fhow-to-drop-dns-packet-in-nat%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Ask Ubuntu!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1121136%2fhow-to-drop-dns-packet-in-nat%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
In many circumstances when using NAT it's better to allow all ports to masquerade except ones you specifically want to block, rather than only allowing say 80 and 443, as that would block a lot of useful services. But I don't know your situation.
– thomasrutter
Feb 27 at 5:37