LinuxQuestions.org
Old 09-29-2007, 06:49 AM   #1
sdolin
Transparent Router/Firewall help needed!


Hi, I am currently trying to make a router firewall that will be transparent and redirect all DNS requests to OpenDNS.

I have decided to use a Linksys WRT54GL running OpenWrt's WhiteRussian firmware because it's already a router and is running Linux.

Firstly I'll describe the ideal situation I'm trying to achieve.

LAN --------> WRT------>Modem Router ------->Internet

Now obviously what I could do is have my modem router's DNS set to OpenDNS and have my LAN PCs' DNS set to the router or OpenDNS, but this leaves the problem of someone putting their own DNS settings on a PC and going out through a different DNS server.

Ideally what I would like the WRT to do is act as a transparent router that would redirect all DNS requests to OpenDNS. As for transparency, if anything did happen to the WRT it would be great for it to be able to be unplugged from the network so the LAN would go straight to the modem router and there would be no need for reconfiguring anything to bring the internet back up; also, installation would be a lot simpler.

Also, the next step from there would be to do the same with wireless, i.e.

WLAN ------->WRT------->Wireless Modem Router-------->Internet

But one step at a time.

Now I would presume that redirecting DNS requests could be done using the firewall, and I have tried this so far:

iptables -t nat -A PREROUTING -d LAN_IP -p UDP --dport 53 -j DNAT --to-destination OPENDNS_SERVER

iptables -t nat -A PREROUTING -d LAN_IP -p TCP --dport 53 -j DNAT --to-destination OPENDNS_SERVER

but it doesn't seem to be working.

So if anyone thinks this is a worthwhile project and would like to give me some advice, or even point me in the right direction, or save me a lot of wasted time and tell me if it's never going to fly, a reply would be greatly appreciated.
 
Old 09-29-2007, 06:00 PM   #2
win32sux
You don't need to do any DNAT for this. This gets handled automatically by your SNAT rules. Basically you just need to go into your router's DHCP server configuration, and specify that you want it to hand out the OpenDNS IPs as DNS addresses. If you want to make sure that only the OpenDNS servers are allowed, use a couple of FORWARD rules like:
Code:
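# Two separate "-d ! addr" REJECT rules would each reject the other resolver, blocking all DNS.
# -I prepends, so insert the catch-all REJECTs first; the ACCEPTs inserted after them end up on top.
iptables -I FORWARD -p udp -i $LAN_IFACE -o $WAN_IFACE --dport 53 -j REJECT
iptables -I FORWARD -p tcp -i $LAN_IFACE -o $WAN_IFACE --dport 53 -j REJECT
iptables -I FORWARD -p udp -i $LAN_IFACE -o $WAN_IFACE --dport 53 -d 208.67.222.222 -j ACCEPT
iptables -I FORWARD -p udp -i $LAN_IFACE -o $WAN_IFACE --dport 53 -d 208.67.220.220 -j ACCEPT
iptables -I FORWARD -p tcp -i $LAN_IFACE -o $WAN_IFACE --dport 53 -d 208.67.222.222 -j ACCEPT
iptables -I FORWARD -p tcp -i $LAN_IFACE -o $WAN_IFACE --dport 53 -d 208.67.220.220 -j ACCEPT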
That said, I'm moving this to Networking, as it's not a security question.

EDIT: Okay, just re-read your post and it seems you want to have DNS queries sent to OpenDNS regardless of whether the clients specified some other server. In that case, disregard what I said above.

Last edited by win32sux; 09-29-2007 at 06:04 PM.
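The redirect asked for in the first post, sketched as an added example that is not part of either post: the rules match on the inbound LAN interface rather than on a destination address, so queries sent to any DNS server are rewritten. The interface name `br0`, the helper names and the dry-run switch `APPLY` are assumptions; the resolver addresses are the ones quoted in the reply above.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: LAN bridge is br0,
# resolvers are the two OpenDNS addresses quoted in the reply.
RESOLVERS="208.67.222.222 208.67.220.220"

# Print nat-table rules that force every DNS query from the LAN to OpenDNS.
# A rule with "-d LAN_IP" only matches queries addressed to the router itself;
# matching on "-i <lan iface>" also catches clients that set their own server.
dns_redirect_rules() {
    lan_iface=$1
    primary=${RESOLVERS%% *}          # first address in the list
    for proto in udp tcp; do
        # Queries already addressed to an OpenDNS resolver pass unmodified
        # (ACCEPT in the nat table ends traversal without translating).
        for r in $RESOLVERS; do
            echo "iptables -t nat -A PREROUTING -i $lan_iface -p $proto --dport 53 -d $r -j ACCEPT"
        done
        # Everything else on port 53 is rewritten to the primary resolver.
        # Connection tracking reverses the rewrite on the reply, so the client
        # sees the answer coming from the server it originally queried.
        echo "iptables -t nat -A PREROUTING -i $lan_iface -p $proto --dport 53 -j DNAT --to-destination $primary"
    done
}

# Dry run by default; set APPLY=1 (as root) to install the rules.
apply_rules() {
    dns_redirect_rules "$1" | while read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then
            $rule
        else
            echo "would run: $rule"
        fi
    done
}

apply_rules "${LAN_IFACE:-br0}"
```

The rewritten packets still pass through the FORWARD chain, so any filter rules there must permit DNS to the OpenDNS addresses.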
 
  

