Thread: Iptables blocking access to DNS server


    Hi, I have set up OpenVPN with Pi-hole on a Raspberry Pi running Ubuntu 20.04 64-bit on my LAN. Everything works perfectly: I can connect to the VPN and Pi-hole does its job filtering ads. I could even manually point other PCs' DNS to the Raspberry Pi's IP address to use its Pi-hole ad blocking. Until I apply the iptables rules below:

    Then I could no longer use the Pi-hole if I'm not connected to the VPN. I tried adding POSTROUTING from 192.168.1.13 to 10.8.0.1 but it hangs. Luckily I could access the Raspberry Pi again after cycling the power. Please advise on how we could use the Pi-hole's DNS even if we are not connected to the VPN.

    Raspberry Pi : 192.168.1.13
    OpenVPN TUN: 10.8.0.1

    Thank you.

    Code:
    # Generated by iptables-save v1.8.4 on Thu Jul 16 13:32:36 2020
    *mangle
    :PREROUTING ACCEPT [142:12092]
    :INPUT ACCEPT [142:12092]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [113:16556]
    :POSTROUTING ACCEPT [113:16556]
    COMMIT
    # Completed on Thu Jul 16 13:32:36 2020
    # Generated by iptables-save v1.8.4 on Thu Jul 16 13:32:36 2020
    *nat
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 192.168.1.13
    COMMIT
    # Completed on Thu Jul 16 13:32:36 2020
    # Generated by iptables-save v1.8.4 on Thu Jul 16 13:32:36 2020
    *filter
    :INPUT DROP [3:108]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [113:16556]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
    -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A INPUT -i tun0 -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -i tun0 -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -p udp -m udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset
    -A INPUT -p udp -m udp --dport 443 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i tun0 -o tun0 -j DROP
    -A FORWARD -s 10.8.0.0/24 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    COMMIT
    # Completed on Thu Jul 16 13:32:36 2020
    Last edited by aboka; July 17th, 2020 at 11:22 AM.
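An added example, not from the thread, that walks the posted filter INPUT chain with a small first-match simulator to show why a LAN PC's DNS query falls through to the DROP policy while a VPN client's query hits the tun0 accept rule. The LAN-scoped accept rule and the two sample packets are assumptions; the --tcp-flags and 80/443 REJECT rules are left out because they never match a UDP DNS query and the simulator does not model TCP flags.

```python
import ipaddress
import shlex

# INPUT chain copied from the posted dump, minus the --tcp-flags rules and
# the REJECT rules for 80/443 (none of them match a UDP DNS query).
POSTED_INPUT = """
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
"""
# Assumed fix (not in the thread): accept DNS only from the LAN subnet,
# so the DROP policy still covers every other interface and source.
LAN_DNS_RULE = "-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 53 -j ACCEPT\n"

# Constructed packets: a LAN PC querying the Pi directly, and a VPN client.
LAN_DNS_QUERY = {"iface": "eth0", "src": "192.168.1.20", "proto": "udp", "dport": 53, "state": "NEW"}
VPN_DNS_QUERY = {"iface": "tun0", "src": "10.8.0.5", "proto": "udp", "dport": 53, "state": "NEW"}

def parse_rule(line):
    """Pick out the match options this chain uses; -m tcp/udp/state add no match of their own."""
    toks, rule, i = shlex.split(line), {}, 0
    while i < len(toks):
        if toks[i] in ("-i", "-s", "-p", "--dport", "--state", "-j"):
            rule[toks[i]] = toks[i + 1]
            i += 2
        else:
            i += 1
    return rule

def matches(rule, pkt):
    """Every match option present in the rule must agree with the packet."""
    checks = (
        ("-i", lambda v: v == pkt["iface"]),
        ("-s", lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v)),
        ("-p", lambda v: v == pkt["proto"]),
        ("--dport", lambda v: int(v) == pkt["dport"]),
        ("--state", lambda v: pkt["state"] in v.split(",")),
    )
    return all(ok(rule[opt]) for opt, ok in checks if opt in rule)

def input_verdict(rules_text, pkt, policy="DROP"):
    """First matching rule decides; otherwise the chain policy (DROP in the dump) applies."""
    for line in rules_text.strip().splitlines():
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule["-j"]
    return policy

if __name__ == "__main__":
    print("LAN query:", input_verdict(POSTED_INPUT, LAN_DNS_QUERY))  # DROP
    print("with LAN rule:", input_verdict(POSTED_INPUT + LAN_DNS_RULE, LAN_DNS_QUERY))  # ACCEPT
```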
