LinuxQuestions.org > Linux - Networking > Query related to introducing traffic redirection rules with iptables (https://www.linuxquestions.org/questions/linux-networking-3/query-related-to-introducing-traffic-redirection-rules-with-iptables-4175732462/)

ganeshrockz 01-05-2024 01:25 AM

Query related to introducing traffic redirection rules with iptables
 
I am trying to forward localhost DNS requests, in an Alpine container deployed in an ECS task, that are originally intended for port 53 to port 8700, where I have a custom DNS resolver running on my box.

I have made sure to add 127.0.0.1 as the first nameserver in /etc/resolv.conf

To support traffic redirection I added the following commands to modify the iptables NAT rules:

Code:

/# iptables -t nat -N DNS_REDIRECT
/# iptables -t nat -A DNS_REDIRECT -p udp -d 127.0.0.1 --dport 53 -j DNAT --to-destination 127.0.0.1:8700
/# iptables -t nat -A OUTPUT -p udp -d 127.0.0.1 --dport 53 -j DNS_REDIRECT


This is the output of the rules present in the NAT table:

Code:

/ # iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       

Chain OUTPUT (policy ACCEPT 110 packets, 7653 bytes)
 pkts bytes target    prot opt in    out    source              destination       
  39  3693 DNS_REDIRECT  udp  --  any    any    anywhere            localhost            udp dpt:domain

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       

Chain DNS_REDIRECT (1 references)
 pkts bytes target    prot opt in    out    source              destination       
  39  3693 DNAT      udp  --  any    any    anywhere            localhost            udp dpt:domain to:127.0.0.1:8700


The DNS server on 8700 is running fine and serving responses properly. I was able to verify this with dig -p 8700 foo.com.

On executing dig foo.com, I get the following error:

;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: timed out


From the application logs, I can see that the DNS server has responded with the correct response, but the iptables rules are somehow mangling the UDP packets. Can someone help me debug this further?
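A diagnostic script for the setup described above, added here as an example and not part of the original post: it applies the same three rules idempotently, then checks whether a single query actually increments the DNAT rule counter and whether conntrack holds the translated flow, since that conntrack entry is what maps the resolver's replies from port 8700 back to port 53. It assumes root inside the container with iptables, dig and conntrack-tools installed; the query name example.com and the helper names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: verify a loopback DNS redirect
# (udp/53 -> 127.0.0.1:8700) end to end. Needs root plus iptables, dig and
# conntrack-tools; target_pkts only parses text and needs nothing.
set -e

DNS_PORT=53
RESOLVER_PORT=8700      # the custom resolver port from the post
CHAIN=DNS_REDIRECT

# Create the chain and the two rules from the post, skipping any already present
# (-C checks for a rule without adding it, so re-running does not duplicate rules).
dns_redirect_setup() {
    iptables -t nat -N "$CHAIN" 2>/dev/null || true
    iptables -t nat -C "$CHAIN" -p udp -d 127.0.0.1 --dport "$DNS_PORT" \
        -j DNAT --to-destination "127.0.0.1:$RESOLVER_PORT" 2>/dev/null ||
    iptables -t nat -A "$CHAIN" -p udp -d 127.0.0.1 --dport "$DNS_PORT" \
        -j DNAT --to-destination "127.0.0.1:$RESOLVER_PORT"
    iptables -t nat -C OUTPUT -p udp -d 127.0.0.1 --dport "$DNS_PORT" \
        -j "$CHAIN" 2>/dev/null ||
    iptables -t nat -A OUTPUT -p udp -d 127.0.0.1 --dport "$DNS_PORT" -j "$CHAIN"
}

# Read an `iptables -t nat -L <chain> -v` listing on stdin and print the packet
# counter of the first rule whose target is $1 (e.g. DNAT); print 0 if none.
target_pkts() {
    awk -v tgt="$1" '$3 == tgt { print $1; found = 1; exit }
                     END { if (!found) print 0 }'
}

# Send one query to 127.0.0.1:53 and report (a) whether the DNAT rule counted
# it and (b) whether conntrack holds the translated flow. The reply from :8700
# is only rewritten back to :53 through that conntrack entry, so a query that
# hits the rule but has no entry explains a timeout like the one in the post.
dns_redirect_check() {
    before=$(iptables -t nat -L "$CHAIN" -v -n | target_pkts DNAT)
    dig +time=1 +tries=1 @127.0.0.1 example.com >/dev/null 2>&1 || true  # constructed name
    after=$(iptables -t nat -L "$CHAIN" -v -n | target_pkts DNAT)
    echo "DNAT rule hits for this query: $((after - before))"
    conntrack -L -p udp 2>/dev/null | grep -F "sport=$RESOLVER_PORT" \
        || echo "no conntrack entry with a reply from port $RESOLVER_PORT"
    # If the rule counts the query but nothing comes back, watch both ports on lo:
    echo "next: tcpdump -ni lo udp and (port $DNS_PORT or port $RESOLVER_PORT)"
}

# Usage (as root): dns_redirect_setup && dns_redirect_check
```

Running the setup and check together shows, for one query, whether the problem is the rule not matching (counter unchanged) or the reply not being un-NATed (no conntrack entry).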

