Hello


An update on this issue: 

Going through (long) Asus support channel, they first agreed that this was intentional to make router.asus.com work but did take my request to make that optional. They have issued me a test firmware which so far seems to be working perfectly with no-rewriting rules. Hoping that it doesn't bring any side effects and they eventually put it in their public release after testing. 



Thanks.

On Mon, Nov 2, 2020 at 10:09 PM Anurag Bhatia <me@anuragbhatia.com> wrote:
Hi Alarig 


I tried that but somehow DNS traffic still does not work. I tried adding rules in prerouting as well and still no impact. 


anurag@RT-AC58U:/tmp/home/root# iptables -t nat  -L PREROUTING -v -n
Chain PREROUTING (policy ACCEPT 25 packets, 3147 bytes)
 pkts bytes target     prot opt in     out     source               destination
  672 46143 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53

anurag@RT-AC58U:/tmp/home/root# iptables -t nat  -L -v -n
Chain PREROUTING (policy ACCEPT 63 packets, 10481 bytes)
 pkts bytes target     prot opt in     out     source               destination
  993 68310 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53

Chain INPUT (policy ACCEPT 46 packets, 8909 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
anurag@RT-AC58U:/tmp/home/root#






From my client behind Asus Wifi AP: 

 dig @1.1.1.1 whoami.akamai.net

; <<>> DiG 9.10.6 <<>> @1.1.1.1 whoami.akamai.net
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached



Whether or not I have these rules, I see no traffic on port 53 when doing tcpdump on the core router (in the North of Asus wifi AP). So clearly firewall rules are not working. 
Please suggest if you see something wrong here. 


Also, in meantime, I heard from Asus and their support mentioned that this re-writing is intentional and is done so that end users can access device on router.asus.com hostname. I requested them to make this feature optional so that at least folks like us can disable it. Let's see how that goes. 



Thanks. 


On Thu, Oct 29, 2020 at 3:13 PM Alarig Le Lay <alarig@swordarmor.fr> wrote:
On Thu 29 Oct 2020 02:10:25 GMT, Anurag Bhatia wrote:
> I tried deleting the rule and it drops the traffic completely. So DNS
> resolution stops working and I am unsure why. It's not like default drop or
> anything. I can edit the rule and whatever active port 53 related rule is
> there works. But I want case of no such rule at all. :-)

Did you try to add
        -t nat -A POSTROUTING -p tcp -m tcp --dport 53 -j ACCEPT
        -t nat -A POSTROUTING -p udp -m udp --dport 53 -j ACCEPT

after the deletion?

--
Alarig


--
Anurag Bhatia


--
Anurag Bhatia