Home / server / Questions / 973027
Accepted
Jonathan S. Fisher
Asked: 2019-06-27 12:04:30 +0800 CST

How to use iptables to rewrite DNS queries flowing through a wireguard vpn?

  • 772

I have a wireguard VPN server I had to rebuild. The old server had an internal DNS server running on a virtual interface, 172.16.0.1. I don't really need/want to run DNS on this, is there a way I can use iptables to intercept DNS queries to 172.16.0.1 and send them to 1.1.1.1 instead?

ifconfig:

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.19.49.1  netmask 255.255.255.0  destination 10.19.49.1

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet xxx.xxx.xxx.xxx  netmask 255.255.240.0  broadcast xxx.xxx.xxx.xxx

Here's my postup/down rules in wireguard:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
linux

1 Answers

  1. Best Answer

    Yes, it's pretty simple: 

    iptables -t nat -A PREROUTING -p tcp --dst 172.16.0.1 --dport 53 -j DNAT --to-destination 1.1.1.1:53
iptables -t nat -A PREROUTING -p udp --dst 172.16.0.1 --dport 53 -j DNAT --to-destination 1.1.1.1:53

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED,DNAT -j ACCEPT

    Better use the iptables-save/iptables-restore/iptables-apply instead script that runs iptables directly multiple times. Use iptables-persistent package to make the rules permanent.

    To better understand of the iptables you can read the iptables tutorial.

    • 2