The problem is that I need to forward the incoming DNS query packets (from other computers) to 127.0.0.53 (not 127.0.0.1). I tried to redirect the queries to 127.0.0.1, and that worked fine; however it's not able to redirect them to 127.0.0.53.
The IP address of the incoming interface is 10.66.66.1, which is a virtual interface (wg0) of the WireGuard VPN service.
The commands I used for forwarding to 127.0.0.1 were:
sudo iptables -t nat -A PREROUTING -i wg0 -p tcp -d 10.66.66.1 --dport 53 -j DNAT --to-destination 127.0.0.1:53
sudo iptables -t nat -A PREROUTING -i wg0 -p udp -d 10.66.66.1 --dport 53 -j DNAT --to-destination 127.0.0.1:53
sudo iptables -I INPUT -i wg0 -p tcp -m tcp -d 10.66.66.1 --dport 53 -j ACCEPT
sudo iptables -I INPUT -i wg0 -p udp -m udp -d 10.66.66.1 --dport 53 -j ACCEPT
sudo iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
sudo iptables -A FORWARD -p udp --dport 53 -j ACCEPT
in which wg0 was the interface of the WireGuard VPN. That worked fine.
The commands I used for forwarding to 127.0.0.53 were (the only difference was that I changed 127.0.0.1 to 127.0.0.53):
sudo iptables -t nat -A PREROUTING -i wg0 -p tcp -d 10.66.66.1 --dport 53 -j DNAT --to-destination 127.0.0.53:53
sudo iptables -t nat -A PREROUTING -i wg0 -p udp -d 10.66.66.1 --dport 53 -j DNAT --to-destination 127.0.0.53:53
sudo iptables -I INPUT -i wg0 -p tcp -m tcp -d 10.66.66.1 --dport 53 -j ACCEPT
sudo iptables -I INPUT -i wg0 -p udp -m udp -d 10.66.66.1 --dport 53 -j ACCEPT
sudo iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
sudo iptables -A FORWARD -p udp --dport 53 -j ACCEPT
Besides, I enabled the port forwarding:
sudo sysctl net.ipv4.ip_forward=1
sudo sysctl -w net.ipv4.conf.eth0.route_localnet=1 # physical interface
sudo sysctl -w net.ipv4.conf.lo.route_localnet=1 # loopback interface
sudo sysctl -w net.ipv4.conf.wg0.route_localnet=1 # wireguard interface
sudo sysctl -w net.ipv4.conf.all.route_localnet=1
and the default policy of the INPUT / OUTPUT / FORWARD chains was ACCEPT.
I have 2 questions:
127.0.0.53? (iptables -L -v and iptables -t nat -L -v), and why can't I see any packets filtered by the FORWARD chain, even when the packets were redirected to 127.0.0.1 correctly?
The real problem I was trying to solve was that the stubby service (encrypted DNS service) was listening at 127.0.0.1:53, and I can also set it to listen on 10.66.66.1:53 (the VPN interface); however, the stubby service ignored the static DNS bindings in /etc/hosts, which can be solved by sending DNS requests to 127.0.0.53 (the systemd-resolved service), and I needed to provide some static DNS bindings for all the VPN clients.
I also posted this question to serverfault, and got an answer, which suggested that I use dnsmasq instead of systemd-resolved. That solved my problem; however, it's still not clear how to forward packets to 127.0.0.53.
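An added example, not part of the question above: a small Python parser for `iptables -L -n -v -x` output that sums the per-rule packet counters of a DNAT-to-loopback DNS setup and reports what they mean. It encodes two points of iptables behaviour that matter for the second question: a packet whose destination is rewritten by DNAT to a 127/8 address is delivered locally and traverses INPUT, never FORWARD, so zero hits on the FORWARD rules is expected; and the filter table sees the post-DNAT destination, so INPUT rules written with `-d 10.66.66.1` never match those packets, which then fall through to the INPUT chain policy. The sample output embedded in the block is constructed, not captured from the asker's host; the parser assumes `-x` (exact counters, no K/M suffixes) and that every rule line carries a target column.

```python
import re
from typing import Dict, List

# Matches built-in chains ("policy ACCEPT N packets, M bytes") and
# user-defined chains ("N references").
CHAIN_RE = re.compile(
    r"^Chain (?P<chain>\S+) \((?:policy (?P<policy>\S+) (?P<pkts>\d+) packets, "
    r"(?P<bytes>\d+) bytes|(?P<refs>\d+) references)\)$"
)


def parse_iptables_v(output: str) -> Dict[str, dict]:
    """Parse `iptables [-t table] -L -n -v -x` output into {chain: {...}}.

    Assumes -x (exact counters) and that every rule line has a target column,
    which holds for the rules shown in the question.
    """
    chains: Dict[str, dict] = {}
    current = None
    for line in output.splitlines():
        if not line.strip():
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = {
                "policy": m.group("policy"),           # None for user chains
                "policy_pkts": int(m.group("pkts") or 0),
                "rules": [],
            }
            chains[m.group("chain")] = current
            continue
        if line.split()[0] == "pkts":                  # column header line
            continue
        if current is None:
            raise ValueError(f"rule line before any chain header: {line!r}")
        # pkts bytes target prot opt in out source destination [match info]
        f = line.split(None, 9)
        if len(f) < 9:
            raise ValueError(f"unexpected rule line: {line!r}")
        current["rules"].append({
            "pkts": int(f[0]), "bytes": int(f[1]), "target": f[2], "prot": f[3],
            "in": f[5], "out": f[6], "src": f[7], "dst": f[8],
            "extra": f[9].strip() if len(f) > 9 else "",
        })
    return chains


def dns_path_report(nat_output: str, filter_output: str, dport: int = 53) -> Dict[str, int]:
    """Sum the packet counters of the rules relevant to a DNS DNAT-to-loopback setup."""
    nat = parse_iptables_v(nat_output)
    flt = parse_iptables_v(filter_output)
    tag = f"dpt:{dport}"

    def hits(table: Dict[str, dict], chain: str, target: str) -> int:
        rules = table.get(chain, {"rules": []})["rules"]
        return sum(r["pkts"] for r in rules if r["target"] == target and tag in r["extra"])

    return {
        "dnat_pkts": hits(nat, "PREROUTING", "DNAT"),
        "input_accept_pkts": hits(flt, "INPUT", "ACCEPT"),
        "forward_accept_pkts": hits(flt, "FORWARD", "ACCEPT"),
        "input_policy_pkts": flt["INPUT"]["policy_pkts"],
    }


def explain(report: Dict[str, int]) -> List[str]:
    """Turn the counters into the observations a firewall reviewer would make."""
    notes: List[str] = []
    if report["dnat_pkts"] == 0:
        notes.append("no packets hit the PREROUTING DNAT rule: queries are not arriving "
                     "on the VPN interface for the advertised address and port")
        return notes
    if report["forward_accept_pkts"] == 0:
        notes.append("zero FORWARD hits is expected: after DNAT to a 127/8 address the "
                     "packet is delivered locally through INPUT, not FORWARD")
    if report["input_accept_pkts"] == 0:
        notes.append("INPUT rules matching the pre-DNAT destination never see the packets: "
                     "the filter table sees the rewritten destination, so they fell "
                     "through to the INPUT chain policy")
    return notes


# Constructed sample output (not from the asker's host) in the shape of
# `iptables -t nat -L -n -v -x` and `iptables -L -n -v -x`.
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 40 packets, 2800 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       7        455 DNAT       tcp  --  wg0    *       0.0.0.0/0            10.66.66.1           tcp dpt:53 to:127.0.0.53:53
      12        816 DNAT       udp  --  wg0    *       0.0.0.0/0            10.66.66.1           udp dpt:53 to:127.0.0.53:53

Chain INPUT (policy ACCEPT 19 packets, 1271 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 19 packets, 1271 bytes)
    pkts      bytes target     prot opt in     out     source               destination
"""

SAMPLE_FILTER = """\
Chain INPUT (policy ACCEPT 230 packets, 40213 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     udp  --  wg0    *       0.0.0.0/0            10.66.66.1           udp dpt:53
       0          0 ACCEPT     tcp  --  wg0    *       0.0.0.0/0            10.66.66.1           tcp dpt:53

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
       0          0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
"""

if __name__ == "__main__":
    for note in explain(dns_path_report(SAMPLE_NAT, SAMPLE_FILTER)):
        print("-", note)
```

Two caveats when reading real counters: the nat table only sees the first packet of each connection, so its DNAT counters count new flows, not every query; and `route_localnet=1` is only required on the interface the DNAT rule matches on (wg0 here), since it is that interface's martian check that the rewritten 127/8 destination must pass. Enabling it on every interface, including the physical one, widens the set of paths that may reach loopback-only services more than the setup needs.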