Hi Alarig
I tried that but somehow DNS traffic still does not work. I tried adding rules in prerouting as well and still no impact.
anurag@RT-AC58U:/tmp/home/root# iptables -t nat -L PREROUTING -v -n
Chain PREROUTING (policy ACCEPT 25 packets, 3147 bytes)
pkts bytes target prot opt in out source destination
672 46143 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
anurag@RT-AC58U:/tmp/home/root# iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 63 packets, 10481 bytes)
pkts bytes target prot opt in out source destination
993 68310 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
Chain INPUT (policy ACCEPT 46 packets, 8909 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
anurag@RT-AC58U:/tmp/home/root#
From my client behind Asus Wifi AP:
Whether or not I have these rules, I see no traffic on port 53 when doing tcpdump on the core router (north of the Asus Wi-Fi AP). So clearly the firewall rules are not working.
Please suggest if you see something wrong here.
Also, in the meantime, I heard from Asus, and their support mentioned that this rewriting is intentional and is done so that end users can access the device via the router.asus.com hostname. I requested that they make this feature optional so that at least folks like us can disable it. Let's see how that goes.
Thanks.