DNS forwarding with iptables

Adding notes on using iptables to forward ports
fusiondog 2016-04-28 23:27:28 -07:00
parent 6185888f1f
commit f142d4ab04
1 changed files with 14 additions and 2 deletions

@ -14,9 +14,9 @@ or root account, it is possible to instead forward appropriate queries to Consul
running on an unprivileged port, from another DNS server. running on an unprivileged port, from another DNS server.
In this guide, we will demonstrate forwarding from [BIND](https://www.isc.org/downloads/bind/) In this guide, we will demonstrate forwarding from [BIND](https://www.isc.org/downloads/bind/)
as well as [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html). as well as [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) and [iptables](http://www.netfilter.org/).
For the sake of simplicity, BIND and Consul are running on the same machine in this example, For the sake of simplicity, BIND and Consul are running on the same machine in this example,
but this is not required. but this is only required for iptables.
It is worth mentioning that, by default, Consul does not resolve DNS It is worth mentioning that, by default, Consul does not resolve DNS
records outside the `.consul.` zone unless the records outside the `.consul.` zone unless the
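Review bot: the new clause "but this is only required for iptables" leaves "this" ambiguous, since the sentence before it talks about BIND and Consul sharing a machine while the iptables section has no BIND at all. Suggest stating the constraint directly, e.g. "This is not required for BIND or dnsmasq, but the iptables approach below only works when Consul runs on the same machine as the rules, because REDIRECT can only send traffic to a local port." The caveat about the `.consul.` zone that follows also applies with extra force to the iptables method, so a short cross-reference from the new section back to it would help.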
@ -126,6 +126,18 @@ for additional details):
#cache-size=65536 #cache-size=65536
``` ```
### iptables Setup
On Linux systems that support it, incoming requests and requests to localhost can use iptables
to forward ports on the same machine without a secondary service.
```
iptables -t nat -A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600
iptables -t nat -A OUTPUT -d localhost -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600
iptables -t nat -A OUTPUT -d localhost -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600
```
### Testing ### Testing
First, perform a DNS query against Consul directly to be sure that the record exists: First, perform a DNS query against Consul directly to be sure that the record exists:
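Review bot: the PREROUTING rules redirect every inbound port-53 packet on every interface to Consul, and the section should say so and cover three consequences. First, REDIRECT in PREROUTING rewrites the destination to the primary address of the interface the packet arrived on, so Consul's DNS listener must be bound to that address and not only to loopback, otherwise redirected queries are silently dropped; the text should tell the reader to check the address Consul's DNS port is listening on. Second, as the paragraph in the first hunk notes, Consul by default answers only the `.consul.` zone, so this configuration turns the host into a DNS server that fails every other query unless recursors are configured; suggest either scoping the rules with `-i <interface>` or a `-d` match on the intended address, or stating the limitation plainly. Third, `-d localhost` is resolved to an address when the rule is inserted, so `-d 127.0.0.1` is the clearer form, and since these are IPv4-only rules a reader resolving via `::1` would need equivalent `ip6tables` rules. The rules are also not persistent across reboots, so a sentence pointing at `iptables-save` or the distribution's persistence mechanism belongs here.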