iptables examples: redirect (hijack) LAN clients' outbound DNS to a local resolver, and rewrite TTL on the WAN side

Version used: 

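#!/usr/bin/env bash
# Version 1: send every LAN client's plain-DNS (port 53) query to one LAN
# resolver, and rewrite the TTL of packets arriving from the WAN.
#
# Why this differs from the original listing:
#  * The original inserted (-I) two competing resolver sets, first
#    192.168.100.2 and then 192.168.79.20. Because -I prepends, the
#    192.168.79.20 rules landed above the 192.168.100.2 ones: the
#    192.168.100.2 set was unreachable, and 192.168.100.2's own upstream
#    lookups were themselves DNAT'd to 192.168.79.20. One resolver is kept
#    here (override with RESOLVER=...).
#  * The "-s RESOLVER ... -j ACCEPT" exemption is issued AFTER the DNAT rule
#    on purpose: with -I the later command sits higher in the chain, so the
#    exemption is evaluated first and the resolver's own queries are not
#    looped back onto it.
#  * The resolver is on the same segment as the clients ("-i br-lan -s
#    RESOLVER"), so its replies to a DNAT'd query would go straight to the
#    client from an address the client never queried and be discarded. The
#    POSTROUTING MASQUERADE below forces the reply back through this box to
#    be un-NATted. Cost: the resolver sees the router, not the client, as the
#    query source.
#  * Only port 53 is covered. DNS over TLS (853) and DNS over HTTPS (443)
#    bypass this redirect entirely.
#  * These are runtime rules only; if this is OpenWrt (br-lan suggests it),
#    a firewall reload drops them unless they are placed in its user-rules
#    hook.
set -euo pipefail

LAN_IF=${LAN_IF:-br-lan}              # interface the clients are on
WAN_IF=${WAN_IF:-eth0}                # upstream interface
RESOLVER=${RESOLVER:-192.168.79.20}   # LAN resolver that answers the redirected queries
WAN_TTL=${WAN_TTL:-64}                # TTL written onto packets arriving from the WAN
IPT=${IPT:-iptables}

# Rewrite the TTL of every packet entering on the WAN interface (kept from the
# original listing; independent of the DNS rules).
"$IPT" -t mangle -A PREROUTING -i "$WAN_IF" -j TTL --ttl-set "$WAN_TTL"

for proto in tcp udp; do
  # Redirect all LAN port-53 traffic to the resolver ...
  "$IPT" -t nat -I PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 \
    -j DNAT --to-destination "${RESOLVER}:53"
  # ... except the resolver's own upstream queries (issued after, so it sits above).
  "$IPT" -t nat -I PREROUTING -i "$LAN_IF" -p "$proto" -s "$RESOLVER" --dport 53 -j ACCEPT
  # Hairpin: only flows that were DNAT'd above are masqueraded, so the
  # resolver's replies return here to be un-NATted.
  "$IPT" -t nat -A POSTROUTING -o "$LAN_IF" -p "$proto" --dport 53 \
    -m conntrack --ctstate DNAT -j MASQUERADE
done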

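# Version 2: same redirect as version 1, but to 192.168.100.1 and with the
# WAN TTL rewritten to 66. The original listing issued the same two ACCEPT
# exemptions twice; the duplicates are dropped here.
#
# Ordering: -I prepends, so the DNAT is issued first and the "-s RESOLVER"
# exemption second, leaving the exemption above the DNAT in the chain and
# keeping the resolver's own upstream lookups from being looped back.
#
# NOTE(review): 192.168.100.1 looks like it may be this router's own LAN
# address - the page does not say. If it is, the DNAT behaves like a
# REDIRECT to the local resolver, the "-s RESOLVER" exemption never matches
# (locally generated packets do not enter via br-lan) and the MASQUERADE
# below never fires (locally delivered packets do not traverse POSTROUTING);
# the rules are still correct, just redundant. If instead it is another host
# on br-lan, the MASQUERADE is required: otherwise the resolver answers the
# client directly from an address the client never queried and the reply is
# discarded.
LAN_IF=${LAN_IF:-br-lan}              # interface the clients are on
WAN_IF=${WAN_IF:-eth0}                # upstream interface
RESOLVER=${RESOLVER:-192.168.100.1}   # resolver that answers the redirected queries
WAN_TTL=${WAN_TTL:-66}                # TTL written onto packets arriving from the WAN
IPT=${IPT:-iptables}

"$IPT" -t mangle -A PREROUTING -i "$WAN_IF" -j TTL --ttl-set "$WAN_TTL"

for proto in tcp udp; do
  "$IPT" -t nat -I PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 \
    -j DNAT --to-destination "${RESOLVER}:53"
  "$IPT" -t nat -I PREROUTING -i "$LAN_IF" -p "$proto" -s "$RESOLVER" --dport 53 -j ACCEPT
  # Hairpin reply path for a resolver on the same segment (no-op if RESOLVER is this box).
  "$IPT" -t nat -A POSTROUTING -o "$LAN_IF" -p "$proto" --dport 53 \
    -m conntrack --ctstate DNAT -j MASQUERADE
done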


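# Version with DNS over TLS (DoT, port 853) handled as well as plain DNS.
#
# Changes against the original listing:
#  * The original DNAT'd port 853 to 192.168.79.20:53. Port 53 there speaks
#    plain DNS (that is how the other rules use it), so the client's TLS
#    handshake can never complete: strict DoT clients are left without DNS,
#    opportunistic ones fall back to port 53 only after the failed handshake.
#    That outcome is produced here explicitly with a REJECT on forwarded
#    LAN->WAN 853 traffic, so clients get an immediate reset/unreachable
#    instead of a broken TLS session. If the resolver really does offer DoT,
#    replace the REJECT with a DNAT of 853 to "${RESOLVER}:853".
#  * The original had no port-53 redirect in this variant, so its
#    "-s 192.168.79.20/.23 --dport 53 -j ACCEPT" exemptions exempted nothing.
#    The plain-DNS redirect is restored and both hosts are exempted from it
#    so their own upstream lookups are not looped back.
#  * Duplicate rule lines are dropped.
#  * Redirected queries are MASQUERADEd on the way to the resolver: it sits
#    on the same segment as the clients ("-i br-lan -s 192.168.79.20"), so
#    without this its replies would reach the client from an address the
#    client never queried and be discarded. Cost: the resolver sees the
#    router, not the client, as the query source.
#  * DNS over HTTPS (443) cannot be told apart from other HTTPS at this
#    layer and is not addressed.
LAN_IF=${LAN_IF:-br-lan}                  # interface the clients are on
WAN_IF=${WAN_IF:-eth0}                    # upstream interface
RESOLVER=${RESOLVER:-192.168.79.20}       # target of the port-53 redirect
DNS_HOSTS=(192.168.79.20 192.168.79.23)   # LAN hosts whose own DNS must not be redirected
WAN_TTL=${WAN_TTL:-66}                    # TTL written onto packets arriving from the WAN
IPT=${IPT:-iptables}

"$IPT" -t mangle -A PREROUTING -i "$WAN_IF" -j TTL --ttl-set "$WAN_TTL"

for proto in tcp udp; do
  # DNAT first, exemptions second: -I prepends, so the exemptions end up above it.
  "$IPT" -t nat -I PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 \
    -j DNAT --to-destination "${RESOLVER}:53"
  for host in "${DNS_HOSTS[@]}"; do
    "$IPT" -t nat -I PREROUTING -i "$LAN_IF" -p "$proto" -s "$host" --dport 53 -j ACCEPT
  done
  # Hairpin reply path for flows that were DNAT'd above.
  "$IPT" -t nat -A POSTROUTING -o "$LAN_IF" -p "$proto" --dport 53 \
    -m conntrack --ctstate DNAT -j MASQUERADE
done

# DoT (and DoQ on UDP 853): refuse it outright - see header. tcp-reset for
# TCP, port-unreachable for UDP, so clients fail fast and fall back to 53.
"$IPT" -I FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 853 -j REJECT --reject-with tcp-reset
"$IPT" -I FORWARD -i "$LAN_IF" -o "$WAN_IF" -p udp --dport 853 -j REJECT --reject-with icmp-port-unreachable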
