Discussion:
[Shorewall-users] REJECT precedence over REDIRECT rules
Guilsson .
2017-02-21 01:07:13 UTC
Hi,

I have these rules on my FW:

# ---
REJECT:info loc net:8.8.8.8,8.8.4.4 udp domain
#
REDIRECT:info loc 54 udp domain
# ---

Goal:
If a DNS packet from my LAN tries to go to 8.8.8.8 I want to REJECT it.
If a DNS packet from my LAN tries to go to 4.4.2.2 I want to REDIRECT it
to my Bind daemon listening on port 54.

I looked at "shorewall dump" and the rules are there.

But...
If only the REJECT is enabled, it works fine.
If only the REDIRECT is enabled, it works fine.
If I leave both enabled, only the REDIRECT rule is enforced.

Any clue how to get all these rules to work like I need?

-Guilsson
Benny Pedersen
2017-02-21 02:17:34 UTC
Post by Guilsson .
Any clue how to get all these rules to work like I need?
dns is port 53

on top of that you miss tcp since dns is both udp and tcp

and for the enforce use my dns server, check shorewall config for how to
enforce squid proxy on lan

same rules apply for dns (DNAT squid/dns)

or make it more simple with a local dhcp server that tells the ip of
your local dns server
Guilsson .
2017-02-21 11:16:21 UTC
Post by Benny Pedersen
Post by Guilsson .
Any clue how to get all these rules to work like I need?
dns is port 53
I know.
In my named.conf:
listen-on port 53 { any; };
listen-on port 54 { any; };
Post by Benny Pedersen
on top of that you miss tcp since dns is both udp and tcp
For the sake of simplicity in this question I just post 2 lines of my rules:
#
REJECT:info loc net:8.8.8.8,8.8.4.4 tcp domain
REJECT:info loc net:8.8.8.8,8.8.4.4 udp domain
#
REDIRECT:info loc 54 udp domain
REDIRECT:info loc 54 tcp domain
#
Post by Benny Pedersen
and for the enforce use my dns server, check shorewall config for how to
enforce squid proxy on lan
same rules apply for dns (DNAT squid/dns)
Sure. The redirect above is exactly the same as for Squid.
Post by Benny Pedersen
or make it more simple with a local dhcp server that tells the ip of
your local dns server
All devices on my LAN use my Bind DNS as resolver.
My goal is to intercept devices that do not obey my dhcpd settings, like my
Chromecast and Nexus Player from Google. They insist on using 8.8.8.8 and
8.8.4.4 as their primary DNS server.

Anyway, my question is not about dhcp and/or dns stuff.
It's about making the REJECT rules take precedence over REDIRECT rules.

Any clue?
Tom Eastep
2017-02-22 18:24:30 UTC
Post by Benny Pedersen
Post by Guilsson .
Any clue how to get all these rules to work like I need?
dns is port 53
I know. In my named.conf:
listen-on port 53 { any; };
listen-on port 54 { any; };
on top of that you miss tcp since dns is both udp and tcp
For the sake of simplicity in this question I just post 2 lines of
my rules:
#
REJECT:info loc net:8.8.8.8,8.8.4.4 tcp domain
REJECT:info loc net:8.8.8.8,8.8.4.4 udp domain
#
REDIRECT:info loc 54 udp domain
REDIRECT:info loc 54 tcp domain
#
and for the enforce use my dns server, check shorewall config for
how to enforce squid proxy on lan
same rules apply for dns (DNAT squid/dns)
Sure. The redirect above is exactly the same as for Squid.
or make it more simple with a local dhcp server that tells the ip
of your local dns server
All devices on my LAN use my Bind DNS as resolver. My goal is to
intercept devices that do not obey my dhcpd settings, like my
Chromecast and Nexus Player from Google. They insist on using 8.8.8.8
and 8.8.4.4 as their primary DNS server.
Anyway, my question is not about dhcp and/or dns stuff. It's about
making the REJECT rules take precedence over REDIRECT rules.
You can't. But what you can do is add these rules before all the rest:

NONAT loc net:8.8.8.8,8.8.4.4 udp domain
NONAT loc net:8.8.8.8,8.8.4.4 tcp domain

That will prevent the REDIRECT rule from rewriting the destination
address in the packets that you want to reject.

Note that the above rules both generate a warning which you can ignore.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep
2017-02-22 18:40:35 UTC
Post by Benny Pedersen
Anyway, my question is not about dhcp and/or dns stuff. It's
about making the REJECT rules take precedence over REDIRECT
rules.
NONAT loc net:8.8.8.8,8.8.4.4 udp domain
NONAT loc net:8.8.8.8,8.8.4.4 tcp domain
That will prevent the REDIRECT rule from rewriting the destination
address in the packets that you want to reject.
Note that the above rules both generate a warning which you can ignore.
You can eliminate the warnings by omitting 'net:' from the rules.

NONAT loc 8.8.8.8,8.8.4.4 udp domain
NONAT loc 8.8.8.8,8.8.4.4 tcp domain

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Guilsson .
2017-02-23 01:24:02 UTC
Tom, it worked perfectly.

I was able to block Google DNS requests and ALSO redirect some DNS
resolutions for other external servers to my local Bind DNS server (so that,
via logs, ALL DNS resolutions get logged). Perfect!

Thanks a lot.

# ---
NONAT loc $DNS_TO_BLOCK udp domain
NONAT loc $DNS_TO_BLOCK tcp domain
#
REJECT:info loc net:$DNS_TO_BLOCK tcp domain
REJECT:info loc net:$DNS_TO_BLOCK udp domain
#
REDIRECT:info loc $BIND_ALT_PORT udp domain
REDIRECT:info loc $BIND_ALT_PORT tcp domain
# ---

Some info: part of the above solution (REDIRECT) is to improve CDN
geolocation (DNS based), since using Google DNS (and other public DNS
servers) breaks this, especially in countries that don't have an 8.8.8.8 server
deployed locally using anycast.

--Guilsson
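To show why the original two rules behave as Guilsson observed and why Tom's NONAT rules fix it, here is an added Python model (not code from the thread or from Shorewall) of the netfilter traversal order: Shorewall compiles REDIRECT into the nat table's PREROUTING chain and REJECT loc net into the loc-to-net filter chain, and PREROUTING runs first, so REDIRECT rewrites the destination before the filter rule ever sees it, while NONAT compiles to an ACCEPT in the nat chain that ends nat processing for matching packets. The firewall and LAN client addresses are assumed placeholders; the resolver addresses and ports are the ones from the thread.

```python
from dataclasses import dataclass, replace
from typing import Tuple

FW_ADDR = "192.0.2.1"                  # assumed firewall LAN address (placeholder)
DNS_TO_BLOCK = {"8.8.8.8", "8.8.4.4"}  # $DNS_TO_BLOCK from the thread
BIND_ALT_PORT = 54                     # $BIND_ALT_PORT from the thread

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def nat_prerouting(pkt: Packet, nonat_first: bool) -> Packet:
    """nat PREROUTING for zone loc: optional NONAT rules, then the REDIRECT rule."""
    if pkt.proto not in ("udp", "tcp") or pkt.dport != 53:
        return pkt                      # no nat rule matches non-DNS traffic
    if nonat_first and pkt.dst in DNS_TO_BLOCK:
        return pkt                      # NONAT = ACCEPT in nat: destination left alone
    return replace(pkt, dst=FW_ADDR, dport=BIND_ALT_PORT)  # REDIRECT loc 54

def filter_verdict(pkt: Packet) -> str:
    """What the filter table does with the (possibly rewritten) packet."""
    if pkt.dst == FW_ADDR:
        return "REDIRECT"               # now loc->fw traffic (INPUT), answered by Bind on 54
    if pkt.dst in DNS_TO_BLOCK and pkt.dport == 53:
        return "REJECT"                 # the REJECT rule in loc->net (FORWARD) matches
    return "ACCEPT"                     # loc->net policy

def traverse(pkt: Packet, nonat_first: bool) -> Tuple[str, Packet]:
    """Netfilter order: nat PREROUTING first, then the filter table."""
    after_nat = nat_prerouting(pkt, nonat_first)
    return filter_verdict(after_nat), after_nat

def run_scenarios() -> dict:
    """Constructed sample packets: Google DNS vs. another resolver, with/without NONAT."""
    to_google = Packet("192.0.2.50", "8.8.8.8", "udp", 53)   # constructed LAN client
    to_other = Packet("192.0.2.50", "4.4.2.2", "udp", 53)
    return {
        "google_without_nonat": traverse(to_google, nonat_first=False)[0],
        "google_with_nonat": traverse(to_google, nonat_first=True)[0],
        "other_without_nonat": traverse(to_other, nonat_first=False)[0],
        "other_with_nonat": traverse(to_other, nonat_first=True)[0],
    }

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22} -> {verdict}")
```

Without NONAT the packet to 8.8.8.8 reaches the filter table already rewritten to the firewall's port 54, so the REJECT rule has nothing left to match; with NONAT first it arrives unchanged and is rejected, while traffic to other resolvers is still redirected.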
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users