Query related to introducing traffic redirection rules with iptables
by ganeshrockz from LinuxQuestions.org on (#6HKZA)
I am trying to forward localhost DNS requests in an Alpine container deployed in an ECS task that are originally intended for port 53 to port 8700, where I have a custom DNS resolver running on my box.
I have made sure to add 127.0.0.1 as the first nameserver in /etc/resolv.conf
To support traffic redirection I added the following commands to modify the iptables NAT rules
Code:
/ # iptables -t nat -N DNS_REDIRECT
/ # iptables -t nat -A DNS_REDIRECT -p udp -d 127.0.0.1 --dport 53 -j DNAT --to-destination 127.0.0.1:8700
/ # iptables -t nat -A OUTPUT -p udp -d 127.0.0.1 --dport 53 -j DNS_REDIRECT
This is the output of the rules present in the NAT table
Code:
/ # iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 110 packets, 7653 bytes)
pkts bytes target prot opt in out source destination
39 3693 DNS_REDIRECT udp -- any any anywhere localhost udp dpt:domain
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DNS_REDIRECT (1 references)
pkts bytes target prot opt in out source destination
39 3693 DNAT udp -- any any anywhere localhost udp dpt:domain to:127.0.0.1:8700
The DNS server on 8700 is running fine and serving responses properly. I was able to verify this with dig -p 8700 foo.com.
On executing dig foo.com, I get the following error
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: timed out
From application logs, I can see that the DNS server has responded back with the correct response, but the iptables rules are somehow mangling the UDP packets. Can someone help me debug this further?
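The `dig -p 8700 foo.com` check from the post, as an added example that is not part of the original post or the asker's setup: a minimal DNS wire-format client plus a stub UDP resolver that stands in for the custom server on 8700 (the zone data `foo.com -> 192.0.2.10` is constructed, and the server binds an ephemeral port so it runs anywhere). The client deliberately uses an unconnected socket and reports the address and port the reply came from. With a DNAT rule, conntrack has to rewrite the reply's source back to 127.0.0.1:53; a connect()ed client such as a resolver library silently drops a reply from the wrong port, whereas this client flags it as `source_mismatch`, which separates "no reply at all" from "reply not un-NATed". The iptables rules themselves are not reproduced here.

```python
"""Minimal DNS wire-format client and stub server (added example, not from the post)."""
import random
import socket
import struct
import threading

# Constructed sample zone for the stub server (hypothetical data, not the post's).
SAMPLE_ZONE = {"foo.com": "192.0.2.10"}


def encode_name(name):
    """Encode 'foo.com' as DNS labels: \\x03foo\\x03com\\x00."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_query(name, qid):
    """Standard recursive A query: one question, QTYPE=A, QCLASS=IN, no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_answer(query, zone):
    """Answer an A query from `zone`; NXDOMAIN (rcode 3) for unknown names."""
    qid, = struct.unpack("!H", query[:2])
    name, off = decode_name(query, 12)
    qtype, _qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    ip = zone.get(name) if qtype == 1 else None
    flags = 0x8180 if ip else 0x8183  # QR=1, RD=1, RA=1, plus rcode 3 when missing
    header = struct.pack("!HHHHHH", qid, flags, 1, 1 if ip else 0, 0, 0)
    answer = b""
    if ip:
        # name = pointer to offset 12, TYPE A, CLASS IN, TTL 60, RDLENGTH 4, RDATA
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answer


def parse_response(msg):
    """Return (qid, rcode, [A-record IPs]) from a DNS response."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4
    ips = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return qid, flags & 0xF, ips


def start_stub_server(zone, bind=("127.0.0.1", 0)):
    """Serve `zone` over UDP on a daemon thread; return the bound (host, port)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)

    def loop():
        while True:
            data, peer = sock.recvfrom(512)
            sock.sendto(build_answer(data, zone), peer)

    threading.Thread(target=loop, daemon=True).start()
    return sock.getsockname()


def resolve(name, target, timeout=2.0):
    """Send one A query to `target`; report the answer and which peer replied.

    recvfrom() on an unconnected socket accepts a reply from any peer, so a
    reply whose source was not translated back to `target` is reported as
    `source_mismatch` instead of being dropped and surfacing as a timeout.
    """
    qid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), target)
        while True:
            data, peer = sock.recvfrom(512)
            rid, rcode, ips = parse_response(data)
            if rid == qid:  # ignore stray datagrams carrying another ID
                break
    except socket.timeout:
        return {"timed_out": True, "ips": [], "rcode": None,
                "reply_from": None, "source_mismatch": False}
    finally:
        sock.close()
    return {"timed_out": False, "ips": ips, "rcode": rcode,
            "reply_from": peer, "source_mismatch": tuple(peer) != tuple(target)}


if __name__ == "__main__":
    addr = start_stub_server(SAMPLE_ZONE)         # stands in for the resolver on :8700
    print(resolve("foo.com", addr))               # direct, like `dig -p 8700 foo.com`
    print(resolve("foo.com", ("127.0.0.1", 53)))  # through the redirect, like `dig foo.com`
```

Run it inside the container after loading the NAT rules: the first call must succeed regardless of iptables, and the second tells you whether nothing comes back (the packet never reached 8700, or the reply was dropped) or a reply does arrive but from 127.0.0.1:8700 (the reverse translation is missing), which is the distinction `dig`'s timeout message hides.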