From f142d4ab04c0048090f75491f2d647102f89a984 Mon Sep 17 00:00:00 2001 From: fusiondog Date: Thu, 28 Apr 2016 23:27:28 -0700 Subject: [PATCH] DNS forwarding with iptables Adding notes on using iptables to forward ports --- .../source/docs/guides/forwarding.html.markdown | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/website/source/docs/guides/forwarding.html.markdown b/website/source/docs/guides/forwarding.html.markdown index 691cc961a1..c4cdd7bf95 100644 --- a/website/source/docs/guides/forwarding.html.markdown +++ b/website/source/docs/guides/forwarding.html.markdown @@ -14,9 +14,9 @@ or root account, it is possible to instead forward appropriate queries to Consul running on an unprivileged port, from another DNS server. In this guide, we will demonstrate forwarding from [BIND](https://www.isc.org/downloads/bind/) -as well as [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html). +as well as [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) and [iptables](http://www.netfilter.org/). For the sake of simplicity, BIND and Consul are running on the same machine in this example, -but this is not required. +but this is only required for iptables. It is worth mentioning that, by default, Consul does not resolve DNS records outside the `.consul.` zone unless the 
@@ -126,6 +126,18 @@ for additional details): #cache-size=65536 ``` +### iptables Setup + +On Linux systems that support it, incoming requests and requests to localhost can use iptables +to forward ports on the same machine without a secondary service. + +``` +iptables -t nat -A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600 +iptables -t nat -A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600 +iptables -t nat -A OUTPUT -d localhost -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600 +iptables -t nat -A OUTPUT -d localhost -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600 +``` + ### Testing First, perform a DNS query against Consul directly to be sure that the record exists:
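Review bot: the sentence "but this is only required for iptables" in the first hunk now reads as though co-location of BIND and Consul is required by the iptables method, which is not what is meant; the point is that the REDIRECT target is a local port, so only the iptables approach needs Consul itself on the same host. Suggest something like "but this is not required for BIND or dnsmasq; the iptables approach below does require Consul to be running on the same machine, since it redirects to a local port." Also, the link text "iptables" pointing at the netfilter project home is fine, but a reader may expect the link to land on iptables documentation rather than the project front page.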
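Review bot: the two PREROUTING rules match only on `--dport 53` with no `-i` or `-d` qualifier, so every DNS query that reaches any interface of the host is redirected to Consul's port 8600, which silently widens who can query Consul DNS; the guide should say so and show how to scope the rules (for example adding `-i <interface>` or `-d <address>` to each PREROUTING line) so operators do not expose Consul to the network unintentionally. Two smaller documentation gaps in the same block: `-d localhost` depends on how the host resolves that name when the rule is inserted, so the explicit `-d 127.0.0.1` is more predictable and matches the IPv4-only scope of `iptables`; and these rules are not persistent, so a note that they must be saved or re-applied at boot (and a matching `-D` line or `iptables -t nat -L -n` check for verifying them) would save readers a surprise after a reboot.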