NAT port 53 to podman port loses client IP address

techxyn · October 16, 2020, 9:00am

Hello,

I'm running pi-hole using podman as a non-root user so I've mapped port 53001 on the Pi to the
pi-hole container's port 53.

I've then added the following iptables rule:

iptables -t nat -A PREROUTING -p udp --dport 53 \
        --source 192.168.2.0/24 -j DNAT --to-destination 192.168.5.93:53001

This works great except all of the clients are logged as 'localhost' and if I look in the pihole log all DNS requests show 127.0.0.1 as the client.

Oct 16 09:43:20 dnsmasq[718]: query[AAAA] discourse.pi-hole.net from 127.0.0.1

After some research I've tried adding:

iptables -t nat -A POSTROUTING -p udp --destination 192.168.5.93 --dport 53001 -j SNAT --to-source 192.168.5.93

iptables -t nat -A POSTROUTING -j MASQUERADE

But nothing seems to be able to show the original 192.168.2.XXX ip address on the pihole.

Is this possible? Could it because the client is on a different subnet ?

TIA.

John.

DanSchaper · October 16, 2020, 11:25am

You can try the POSTROUTING chain instead but I don't think you'll find a real solution. NAT is designed to change the IP address, that's just how it works.

techxyn · October 17, 2020, 8:50am

Thanks Dan. Good to know that it can't be solved with NAT.

Its more important to me that ad domains are being blocked rather than knowing which client made the request anyway.

Bucking_Horn · October 17, 2020, 2:14pm

Dan is right, your later attempts using MASQUERADE would for sure replace the source IP with your device's outbound IP.

But your first statement using DNAT should have worked, since that is solely using a destination NAT, i.e. it would only replace a packet's destination address.

If you are seeing the source address being replaced as well, this would strongly suggest there are other SNAT or MASQUERADE rules present in the rule chain, replacing the source IP as well.

If I had to guess, I'd suspect that Podman (just like Docker) would apply its own set of iptables rules (maybe even inside a container instance?). I don't know Podman, but Docker would e.g. masquerade packets for it's default bridge network.

You could try to experiment with Podman's network modes, assuming Podman is similar to Docker in that regard.

However, your best approach may be consulting Podman's documentation or reaching out to their support to find out whether there would be a way around this.

DanSchaper · October 17, 2020, 4:56pm

Even using DNAT mangles the packet. Something keeps record of where the packet originally intended to go, rewrites to where you want to go and then does the opposite with the response (takes the response with the source of the rewritten destination and puts back the original destination). That process changes some of the IP header data and dnsmasq can see that. (Going from memory, @DL6ER would have a definitive answer about how pihole-FTL treats header information.) The packets are getting from client to Pi-hole and back to client with the right payload so there is some packet manipulation going on that would/could affect.

As for podman, since it running in non-root mode it does not have the capability to affect things on the network level, it just doesn't have the privileges to do that. I think you may be on the right track though, this is something I neglected to consider, non-root mode.

Would be good to get a full dump of the iptables regular and nat tables, all chains to see.

Edit: Added clarification to last sentence in the first paragraph.

system · November 9, 2020, 1:10am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.