Pi-Hole and iptables

Hello!

I am having trouble setting up iptables (without VPN) correctly so that Pi-hole on my Raspberry Pi still works.
My current setup consists of a FritzBox (modem + DHCP server) on which the Raspberry Pi (fixed IP address) is set up as DNS.
If I disable iptables and allow everything, Pi-hole works as expected. However, if I define the rules below, the FritzBox can no longer use the Raspberry Pi as DNS server and uses the fallback DNS server.

Hopefully someone can help me. I have not found anything that has helped me so far.

Expected Behaviour:

Restrict access to the Pi-hole computer (in this case a Raspberry Pi), but Pi-hole should still work as an ad blocker. The HTTP web GUI is not needed currently.

Actual Behaviour:

Restricted access to Pi-hole, allowed SSH, DNS and loopback traffic, but Pi-hole no longer works as an ad blocker.

Debug Token:

Here is my current iptables setup (I added everything for DNS and more than needed), but Pi-hole does not work. Is anything missing?

:INPUT DROP [6:873]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [6:849]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -p UDP -m udp --dport 53 -j ACCEPT
COMMIT

Usually one restricts traffic on the external interface, not on lo; per the purpose of a loopback, only the local machine can talk to it.

Do you have any iptables rules for your actual ethernet interface? That is where I would put my rules, not on the lo adapter.

Cheers

The rules are not restricted to the "lo" interface, as you can see in the "Debug Token" section. They should apply to every interface, as I have not given the "-i" or "-o" parameter to them (except once, for the loopback interface).
Only the "lo" interface is allowed everything for INPUT and OUTPUT.

Sorry about that, reading when I should be asleep. You are correct.

You shouldn't need the rules with --sport 53; queries should not be sourced from port 53 these days, and for better compatibility with other devices I would change the INPUT rule for NTP to --dport 123 instead of --sport 123, unless you want to force asymmetric only. Other than that, my system only listens on 53, 80, and 123, and you have covered all of those.

Cheers
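Replaying the poster's ruleset against the packets a Pi-hole host actually exchanges makes the failure visible without touching a live firewall. The following is an added example, not code from this thread or from the Pi-hole project: a small evaluator that understands only the iptables options used in the rules above, run over the posted ruleset and over a constructed replacement that admits return traffic by connection state (-m state --state ESTABLISHED,RELATED) rather than by source port, as the reply above recommends. The interface name eth0, the ephemeral port numbers and the packet flows are assumptions made for illustration.

```python
# Added example (not code from the thread or from Pi-hole): a minimal evaluator
# for the iptables options used above, so the posted ruleset can be replayed
# against the packets a Pi-hole host actually sends and receives. Conntrack
# state is modelled as a label on each packet ("NEW" or "ESTABLISHED").
import shlex
from collections import namedtuple

# chain: INPUT/OUTPUT; iface: interface seen; proto: tcp/udp; state: conntrack
Packet = namedtuple("Packet", "chain iface proto sport dport state")

# The poster's ruleset, verbatim apart from the *filter header iptables-restore expects.
POSTED = """
*filter
:INPUT DROP [6:873]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [6:849]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -p UDP -m udp --dport 53 -j ACCEPT
COMMIT
"""

# Constructed replacement: admit replies by connection state, not by source port,
# and open only the services the poster listed (SSH, DNS, outbound NTP).
FIXED = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
COMMIT
"""

# Every option used here takes one argument, so a rule reads as (flag, value)
# pairs; "-m <module>" only loads a match extension and carries no condition.
_FIELDS = {"-A": "chain", "-i": "iface", "-o": "iface", "-p": "proto", "-j": "target",
           "--sport": "sport", "--dport": "dport", "--state": "state", "--ctstate": "state"}

def _parse_rule(toks):
    rule = {}
    for flag, arg in zip(toks[::2], toks[1::2]):
        if flag == "-m":
            continue
        key = _FIELDS[flag]              # KeyError for unsupported options
        if key in ("sport", "dport"):
            arg = int(arg)
        elif key == "proto":
            arg = arg.lower()            # iptables accepts "-p UDP" too
        elif key == "state":
            arg = set(arg.split(","))
        rule[key] = arg
    return rule

def parse_ruleset(text):
    """Return (chain policies, rules) from an iptables-save style dump."""
    policies, rules = {}, []
    for line in text.strip().splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):
            rules.append(_parse_rule(shlex.split(line)))
    return policies, rules

def verdict(policies, rules, pkt):
    """First matching rule in the packet's chain wins, else the chain policy."""
    for r in rules:
        if r["chain"] != pkt.chain:
            continue
        if any(k in r and r[k] != getattr(pkt, k) for k in ("iface", "proto", "sport", "dport")):
            continue
        if "state" in r and pkt.state not in r["state"]:
            continue
        return r["target"]
    return policies[pkt.chain]

def trace(text, packets):
    """Map each named packet to its verdict under the given ruleset text."""
    policies, rules = parse_ruleset(text)
    return {name: verdict(policies, rules, p) for name, p in packets.items()}

# Constructed flows as seen from the Pi-hole; eth0 and the ephemeral ports are assumed.
FLOWS = {
    "client_query_udp":    Packet("INPUT", "eth0", "udp", 51234, 53, "NEW"),
    "reply_to_client_udp": Packet("OUTPUT", "eth0", "udp", 53, 51234, "ESTABLISHED"),
    "upstream_query":      Packet("OUTPUT", "eth0", "udp", 40001, 53, "NEW"),
    "upstream_reply":      Packet("INPUT", "eth0", "udp", 53, 40001, "ESTABLISHED"),
    "unsolicited_sport53": Packet("INPUT", "eth0", "udp", 53, 22222, "NEW"),
    "web_gui_probe":       Packet("INPUT", "eth0", "tcp", 44444, 80, "NEW"),
}

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("fixed", FIXED)):
        print(label, trace(text, FLOWS))
```

Run as a script to print every flow's verdict under both rulesets. The replay shows that the posted OUTPUT chain has no rule for UDP packets leaving with source port 53, so Pi-hole's UDP answers to LAN clients hit the DROP policy (the TCP --sport 53 rule exists, but the second UDP line repeats --dport 53 instead), which is consistent with the router giving up on the Pi as resolver. It also shows why the --sport 53 and --sport 123 INPUT rules are weak: they admit any unsolicited packet that merely claims that source port, whereas the state-based rules in FIXED only admit replies to connections the host itself opened. FIXED leaves TCP 80 closed, matching the poster's statement that the web GUI is not needed; if gravity list updates over HTTP/HTTPS are wanted, an outbound rule for those ports would have to be added.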

There is no effective concept of a "fallback DNS server", and if you have a second DNS server listed in the router (that is not a Pi-Hole), then some of your network traffic will route to that DNS and bypass Pi-Hole.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.