DNATing DNS requests that are not sent to specific servers. iptables: No chain/target/match by that name

I created some iptables chains:

iptables -N dns-requests
iptables -N wg0-filter

Then I created a filter to pass DNS traffic on port 53:

iptables -A wg0-filter -p tcp --dport 53 -j dns-requests
iptables -A wg0-filter -p udp --dport 53 -j dns-requests

Then I set up some rules in the dns-requests chain:

iptables -A dns-requests -d 208.67.220.220 -p tcp -j ACCEPT
iptables -A dns-requests -d 208.67.220.220 -p udp -j ACCEPT
iptables -A dns-requests -d 208.67.222.222 -p udp -j ACCEPT
iptables -A dns-requests -d 208.67.222.222 -p tcp -j ACCEPT
iptables -t nat -A dns-requests -p udp -j DNAT --to-destination 208.67.220.220:53
iptables -t nat -A dns-requests -p tcp -j DNAT --to-destination 208.67.222.222:53

Based on the above, I want to do the following:

  • DNS requests sent to 208.67.220.220 or 208.67.222.222 should pass through
  • DNS requests that are not sent to 208.67.220.220 or 208.67.222.222 should have DNAT applied so that the DNS request reaches 208.67.220.220

I have tried many different commands, but none of them work properly. The error I am currently getting is:

iptables: No chain/target/match by that name.

when I run:

iptables -t nat -A dns-requests -p udp -j DNAT --to-destination 208.67.220.220:53
iptables -t nat -A dns-requests -p tcp -j DNAT --to-destination 208.67.222.222:53

Any ideas on how to achieve my goal?

Answer 1

All of the filtering needs to be done in the nat table, and the additionally defined chains need to be created there.

More information about the larger context is needed, but here is an attempt that loads without error; I was not able to test it any further:

doug@s19:~/iptables/misc$ cat ask1433946
#!/bin/sh
FWVER=0.01
#
# ask1433946 Smythies 2022.10.05 Ver:0.01
#       See here:
#       https://askubuntu.com/questions/1433946
#
#       run as sudo on s19.
#
#       Note: These rules definitely need to be merged with
#       some higher level rules that the OP did not post.

echo "Loading ask1433946 rule set version $FWVER..\n"

# The location of the iptables program
#
IPTABLES=/sbin/iptables

#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
# Smythies (for testing)

EXTIF="br0"
EXTIP="192.168.111.136"
DESTU="208.67.220.220"
DESTT="208.67.222.222"
UNIVERSE="0.0.0.0/0"

#
# For the actual servers of the question
#
#EXTIF="UNKNOWN"
#EXTIP="UNKNOWN"
#DESTU="208.67.220.220"
#DESTT="208.67.222.222"
#UNIVERSE="0.0.0.0/0"

#CRITICAL: Enable IP forwarding since it is disabled by default
#
echo Enabling forwarding...
echo "1" > /proc/sys/net/ipv4/ip_forward

# Clearing any previous configuration
# Be careful here. I can do this on s19, but do not know
# about OP's computer.
#
echo "  Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# Delete user defined chains
$IPTABLES -X
# Delete user defined chains
$IPTABLES -t nat -X
# Reset all IPTABLES counters
$IPTABLES -Z
# Smythies: While my references do not have it, I think this is needed.
$IPTABLES -t nat -Z

# Define tables in nat.
$IPTABLES -t nat -N wg0-filter
$IPTABLES -t nat -N dns-requests-u
$IPTABLES -t nat -N dns-requests-t

# wg0-filter rules
$IPTABLES -t nat -A wg0-filter -p tcp --dport 53 -j dns-requests-t
$IPTABLES -t nat -A wg0-filter -p udp --dport 53 -j dns-requests-u

# dns-requests rules
$IPTABLES -t nat -A dns-requests-t -d $DESTU -j ACCEPT
$IPTABLES -t nat -A dns-requests-t -d $DESTT -j ACCEPT
$IPTABLES -t nat -A dns-requests-t -j DNAT --to-destination $DESTT

$IPTABLES -t nat -A dns-requests-u -d $DESTU -j ACCEPT
$IPTABLES -t nat -A dns-requests-u -d $DESTT -j ACCEPT
$IPTABLES -t nat -A dns-requests-u -j DNAT --to-destination $DESTU

echo ask1433946 rule set version $FWVER done.

which loads fine:

doug@s19:~/iptables/misc$ sudo ./ask1433946
Loading ask1433946 rule set version 0.01..

Enabling forwarding...
  Clearing any existing rules and setting default policies..
ask1433946 rule set version 0.01 done.

giving:

doug@s19:~/iptables/misc$ sudo iptables -xvnL
Chain INPUT (policy ACCEPT 120 packets, 8220 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 36 packets, 5876 bytes)
    pkts      bytes target     prot opt in     out     source               destination
doug@s19:~/iptables/misc$ sudo iptables -t nat -xvnL
Chain PREROUTING (policy ACCEPT 236 packets, 46387 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 47 packets, 2995 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain wg0-filter (0 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 dns-requests-t  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
       0        0 dns-requests-u  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53

Chain dns-requests-u (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            208.67.220.220
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            208.67.222.222
       0        0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:208.67.220.220

Chain dns-requests-t (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            208.67.220.220
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            208.67.222.222
       0        0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:208.67.222.222
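The rule behind the answer, and behind the error in the question, is that a user-defined chain belongs to exactly one table: `-N dns-requests` creates it in the filter table only, so `-t nat -A dns-requests` and `-j dns-requests` in the nat table fail with "No chain/target/match by that name". The script below is an added example, not part of the question or of Doug Smythies' answer: a small POSIX sh "lint" that replays a list of iptables commands offline (no root, no iptables binary) and reports every reference to a chain that was not created in the table being used. The two rule lists it checks are constructed copies of the question's command sequence and of a nat-only version of the same intent; the function and variable names (`lint_rules`, `OP_RULES`, `FIXED_RULES`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the question or the answer): an offline check for
# the per-table scope of user-defined iptables chains.

# Built-in chains of each table, as documented in iptables(8).
builtin_chains() {
  case "$1" in
    filter) echo "INPUT FORWARD OUTPUT" ;;
    nat)    echo "PREROUTING INPUT OUTPUT POSTROUTING" ;;
    mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
    raw)    echo "PREROUTING OUTPUT" ;;
  esac
}

# Targets that are not chains and therefore never need to be created.
is_terminal_target() {
  case "$1" in
    ACCEPT|DROP|REJECT|RETURN|LOG|DNAT|SNAT|MASQUERADE|REDIRECT) return 0 ;;
  esac
  return 1
}

# parse_rule: set TABLE, ACTION, CHAIN and TARGET from one command line.
# Only -t, -N, -A/-I and -j are recognised; -t defaults to "filter", just as
# iptables does. The first word (iptables or $IPTABLES) is skipped.
parse_rule() {
  TABLE=filter; ACTION=""; CHAIN=""; TARGET=""
  set -- $1
  shift
  while [ $# -gt 0 ]; do
    case "$1" in
      -t)    TABLE=$2;               shift ;;
      -N)    ACTION=new;    CHAIN=$2; shift ;;
      -A|-I) ACTION=append; CHAIN=$2; shift ;;
      -j)    TARGET=$2;              shift ;;
    esac
    shift
  done
}

# lint_rules: read iptables command lines on stdin, print one diagnostic per
# reference to a chain that does not exist in that table, return 1 if any.
lint_rules() {
  known=" "; rc=0
  while IFS= read -r line; do
    case "$line" in iptables*|'$IPTABLES'*) ;; *) continue ;; esac
    parse_rule "$line"
    case "$ACTION" in
      new) known="$known$TABLE/$CHAIN " ;;
      append)
        # The chain being appended to must be built in or created in TABLE.
        case " $(builtin_chains "$TABLE") " in
          *" $CHAIN "*) ;;
          *) case "$known" in *" $TABLE/$CHAIN "*) ;;
               *) echo "table $TABLE: no chain '$CHAIN' here: $line"; rc=1 ;;
             esac ;;
        esac
        # A jump target that is not a terminal target must be a chain in TABLE.
        if [ -n "$TARGET" ] && ! is_terminal_target "$TARGET"; then
          case "$known" in *" $TABLE/$TARGET "*) ;;
            *) echo "table $TABLE: no target chain '$TARGET' here: $line"; rc=1 ;;
          esac
        fi ;;
    esac
  done
  return $rc
}

# Constructed copy of the question's sequence: chains created in filter,
# DNAT rules appended in nat.
OP_RULES='iptables -N dns-requests
iptables -N wg0-filter
iptables -A wg0-filter -p tcp --dport 53 -j dns-requests
iptables -A wg0-filter -p udp --dport 53 -j dns-requests
iptables -A dns-requests -d 208.67.220.220 -p udp -j ACCEPT
iptables -t nat -A dns-requests -p udp -j DNAT --to-destination 208.67.220.220:53
iptables -t nat -A dns-requests -p tcp -j DNAT --to-destination 208.67.222.222:53'

# Constructed nat-only version of the same intent, following the answer.
FIXED_RULES='iptables -t nat -N wg0-filter
iptables -t nat -N dns-requests
iptables -t nat -A wg0-filter -p tcp --dport 53 -j dns-requests
iptables -t nat -A wg0-filter -p udp --dport 53 -j dns-requests
iptables -t nat -A dns-requests -d 208.67.220.220 -j ACCEPT
iptables -t nat -A dns-requests -d 208.67.222.222 -j ACCEPT
iptables -t nat -A dns-requests -p udp -j DNAT --to-destination 208.67.220.220:53
iptables -t nat -A dns-requests -p tcp -j DNAT --to-destination 208.67.222.222:53'

lint_op_rules()    { printf '%s\n' "$OP_RULES"    | lint_rules; }
lint_fixed_rules() { printf '%s\n' "$FIXED_RULES" | lint_rules; }

if lint_op_rules; then echo "question's rule set: ok"; else echo "question's rule set: rejected, as iptables would"; fi
if lint_fixed_rules; then echo "nat-only rule set: ok"; fi
```

Running it flags exactly the two `-t nat -A dns-requests` lines from the question, because `dns-requests` exists only in filter, and passes the nat-only list. The check covers scope only, not reachability: the listing in the answer shows `wg0-filter (0 references)`, so until something in the nat table's PREROUTING chain jumps to it (the "higher level rules" the answer says still have to be merged in), no packet will traverse these chains.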
