DNATing DNS requests that aren't going to a particular server. iptables : No chain/target/match by that name

I have some chains that I create in iptables

iptables -N dns-requests
iptables -N wg0-filter

I then create a filter to pass DNS traffic that is on port 53.

iptables -A wg0-filter -p tcp --dport 53 -j dns-requests
iptables -A wg0-filter -p udp --dport 53 -j dns-requests

Then, I have some rules in the dns-requests chain:

iptables -A dns-requests -d 208.67.220.220 -p tcp -j ACCEPT
iptables -A dns-requests -d 208.67.220.220 -p udp -j ACCEPT
iptables -A dns-requests -d 208.67.222.222 -p udp -j ACCEPT
iptables -A dns-requests -d 208.67.222.222 -p tcp -j ACCEPT
iptables -t nat -A dns-requests -p udp -j DNAT --to-destination 208.67.220.220:53
iptables -t nat -A dns-requests -p tcp -j DNAT --to-destination 208.67.222.222:53

With the above, I want to do the following:

  • DNS requests that are sent to 208.67.220.220 or 208.67.222.222 should pass through
  • DNS requests that are not sent to 208.67.220.220 or 208.67.222.222 should have DNAT applied, so that the DNS request goes to 208.67.220.220

I've tried quite a few different commands, but can't get it to work. The current error I have is:

iptables: No chain/target/match by that name.

When I run:

iptables -t nat -A dns-requests -p udp -j DNAT --to-destination 208.67.220.220:53
iptables -t nat -A dns-requests -p tcp -j DNAT --to-destination 208.67.222.222:53

Any ideas how to achieve what I'm after?

FYI, your 'missing chain' for dns-requests is because that's a chain in the filter table, not in nat. You need to make a new nat chain called `dns-requests` and then add that into the proper PREROUTING chain in your `iptables`. See Doug's answer.

All the filtering needs to be done in the nat table, with extra defined chains created there.

More information about the bigger context would be required, but here is an attempt, which loads without errors but I am unable to test it further:

doug@s19:~/iptables/misc$ cat ask1433946
#!/bin/sh
FWVER=0.01
#
# ask1433946 Smythies 2022.10.05 Ver:0.01
#       See here:
#       https://askubuntu.com/questions/1433946
#
#       run as sudo on s19.
#
#       Note: These rules definitely need to be merged with
#       some higher level rules that the OP did not post.

echo "Loading ask1433946 rule set version $FWVER..\n"

# The location of the iptables program
#
IPTABLES=/sbin/iptables

#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
# Smythies (for testing)

EXTIF="br0"
EXTIP="192.168.111.136"
DESTU="208.67.220.220"
DESTT="208.67.222.222"
UNIVERSE="0.0.0.0/0"

#
# For the actual servers of the question
#
#EXTIF="UNKNOWN"
#EXTIP="UNKNOWN"
#DESTU="208.67.220.220"
#DESTT="208.67.222.222"
#UNIVERSE="0.0.0.0/0"

#CRITICAL: Enable IP forwarding since it is disabled by default
#
echo Enabling forwarding...
echo "1" > /proc/sys/net/ipv4/ip_forward

# Clearing any previous configuration
# Be careful here. I can do this on s19, but do not know
# about OP's computer.
#
echo "  Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# Delete user defined chains
$IPTABLES -X
# Delete user defined chains
$IPTABLES -t nat -X
# Reset all IPTABLES counters
$IPTABLES -Z
# Smythies: While my references do not have it, I think this is needed.
$IPTABLES -t nat -Z

# Define tables in nat.
$IPTABLES -t nat -N wg0-filter
$IPTABLES -t nat -N dns-requests-u
$IPTABLES -t nat -N dns-requests-t

# wg0-filter rules
$IPTABLES -t nat -A wg0-filter -p tcp --dport 53 -j dns-requests-t
$IPTABLES -t nat -A wg0-filter -p udp --dport 53 -j dns-requests-u

# dns-requests rules
$IPTABLES -t nat -A dns-requests-t -d $DESTU -j ACCEPT
$IPTABLES -t nat -A dns-requests-t -d $DESTT -j ACCEPT
$IPTABLES -t nat -A dns-requests-t -j DNAT --to-destination $DESTT

$IPTABLES -t nat -A dns-requests-u -d $DESTU -j ACCEPT
$IPTABLES -t nat -A dns-requests-u -d $DESTT -j ACCEPT
$IPTABLES -t nat -A dns-requests-u -j DNAT --to-destination $DESTU

echo ask1433946 rule set version $FWVER done.

Which loads fine:

doug@s19:~/iptables/misc$ sudo ./ask1433946
Loading ask1433946 rule set version 0.01..

Enabling forwarding...
  Clearing any existing rules and setting default policies..
ask1433946 rule set version 0.01 done.

Giving:

doug@s19:~/iptables/misc$ sudo iptables -xvnL
Chain INPUT (policy ACCEPT 120 packets, 8220 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 36 packets, 5876 bytes)
    pkts      bytes target     prot opt in     out     source               destination
doug@s19:~/iptables/misc$ sudo iptables -t nat -xvnL
Chain PREROUTING (policy ACCEPT 236 packets, 46387 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 47 packets, 2995 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain wg0-filter (0 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 dns-requests-t  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
       0        0 dns-requests-u  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53

Chain dns-requests-u (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            208.67.220.220
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            208.67.222.222
       0        0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:208.67.220.220

Chain dns-requests-t (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            208.67.220.220
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            208.67.222.222
       0        0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:208.67.222.222
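The listing above shows `wg0-filter` with 0 references, so nothing on the box would ever reach those chains. The script below is an added example, not the asker's or Doug's code: it builds the same nat-table chains and adds the one rule the question was missing, a PREROUTING jump for packets arriving on the tunnel interface (assumed to be `wg0`), so that DNS bound for the two listed resolvers passes untouched and anything else is redirected. Running it with `IPTABLES=echo` prints the rules instead of applying them, which needs no root.

```shell
#!/bin/sh
# Added example (not from the question or the answer). Redirects DNS from the
# WireGuard interface to known resolvers; unmatched requests are DNATed.
# Assumptions: tunnel interface wg0, resolver addresses from the question.
IPTABLES="${IPTABLES:-/sbin/iptables}"   # set IPTABLES=echo for a dry run
WGIF="${WGIF:-wg0}"
DESTU="208.67.220.220"   # DNAT target for UDP DNS
DESTT="208.67.222.222"   # DNAT target for TCP DNS

# DNAT is only valid in the nat table, so every chain is created there.
create_chains() {
    $IPTABLES -t nat -N wg0-filter
    $IPTABLES -t nat -N dns-requests-u
    $IPTABLES -t nat -N dns-requests-t
}

# Fill one dns-requests chain: $1 = chain, $2 = protocol, $3 = DNAT target.
# ACCEPT in the nat table ends NAT processing, so the allowed resolvers are
# left alone; the final rule rewrites everything else.
dns_chain() {
    $IPTABLES -t nat -A "$1" -p "$2" -d "$DESTU" -j ACCEPT
    $IPTABLES -t nat -A "$1" -p "$2" -d "$DESTT" -j ACCEPT
    $IPTABLES -t nat -A "$1" -p "$2" -j DNAT --to-destination "$3:53"
}

apply_dns_nat() {
    create_chains
    $IPTABLES -t nat -A wg0-filter -p udp --dport 53 -j dns-requests-u
    $IPTABLES -t nat -A wg0-filter -p tcp --dport 53 -j dns-requests-t
    dns_chain dns-requests-u udp "$DESTU"
    dns_chain dns-requests-t tcp "$DESTT"
    # The missing hook: without this jump the chains have zero references
    # and never see a packet.
    $IPTABLES -t nat -A PREROUTING -i "$WGIF" -j wg0-filter
}

# "apply" installs the rules (needs root); anything else only prints them.
case "${1:-dry-run}" in
    apply) apply_dns_nat ;;
    *)     IPTABLES=echo apply_dns_nat ;;
esac
```

Replies to the rewritten requests are un-NATed by conntrack automatically, but the filter table's FORWARD chain must still permit the DNS traffic, and the existing filter-table `dns-requests` chain from the question becomes redundant once this is in place.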