#1 2022-04-21 13:27:16

04tm34l
Member
Registered: 2021-04-22
Posts: 32

[SOLVED] Why do nftables block dnsmasq?

I have previously asked a question about dnsmasq.
[SOLVED] Generating resolv.conf using NetworkManager with dnsmasq

However, I really wanted to do a manual DNS setup because the DNS servers on my LTE network are slow.
I also found that dnsmasq is required for NAT to work in libvirt, but it doesn't work at all. Additionally, I don't want to use bridges or macvtap.
So after disabling nftables and rebooting, both manually configured DNS and libvirt NAT work of course. However, I wonder if it would be a good idea to leave it open.
I would like to show you my nftables.conf and would like to know how to make nftables and dnsmasq coexist.
This setup is mostly based on this.

	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept
	}

Last edited by 04tm34l (2022-04-22 14:41:25)

#2 2022-04-21 15:10:24

-thc
Member
Registered: 2017-03-15
Posts: 500

Re: [SOLVED] Why do nftables block dnsmasq?

If you configured NetworkManager to use dnsmasq as outlined in the Wiki, it's listening on 127.0.0.1:53 only and is only useful for the host itself.

What exactly are you trying to achieve? Who needs access to dnsmasq? What does "manual DNS setup" mean?

If this is true:

04tm34l wrote:

I also found that dnsmasq is required for NAT to work in libvirt

why does this work:

04tm34l wrote:

both manually configured DNS and libvirt NAT work of course

Last edited by -thc (2022-04-21 15:18:55)

#3 2022-04-21 23:23:09

04tm34l
Member
Registered: 2021-04-22
Posts: 32

Re: [SOLVED] Why do nftables block dnsmasq?

I already have dnsmasq perform DNS resolution in NetworkManager.
Note that "manual DNS setup" can be done if you have changed the method in the IPv4 or IPv6 settings in NetworkManager.
If you are using a wired connection or a Wi-Fi client, you can set the method to "Automatic (DHCP) Address Only" or "Manual" to use any DNS.
Finally, the goal of this issue is to have dnsmasq work even if nftables is enabled.

P.S. I am not fluent in English and am writing this using machine translation. Please understand.

#4 2022-04-22 10:12:31

-thc
Member
Registered: 2017-03-15
Posts: 500

Re: [SOLVED] Why do nftables block dnsmasq?

04tm34l wrote:

P.S. I am not fluent in English and am writing this using machine translation. Please understand.

No problem.

04tm34l wrote:

Note that "manual DNS setup" can be done if you have changed the method in the IPv4 or IPv6 settings in NetworkManager.
If you are using a wired connection or a Wi-Fi client, you can set the method to "Automatic (DHCP) Address Only" or "Manual" to use any DNS.

O.K. - you enter the DNS server (that dnsmasq will use) manually.

04tm34l wrote:

I already have dnsmasq perform DNS resolution in NetworkManager.

O.K. - your /etc/resolv.conf should contain only one IP address: 127.0.0.1.

04tm34l wrote:

Finally, the goal of this issue is to have dnsmasq work even if nftables is enabled.

So here is the puzzle: Your NetworkManager/dnsmasq setup works via 127.0.0.1/"lo" and your nftables rule set contains the line

iif "lo" accept

That means DNS resolution on the host should work even if nftables is active.

BUT:

Why do you mention libvirt? Do you have virtual machines?
Why do you do NAT via "wwp*" interfaces? What is this?

#5 2022-04-22 14:34:04

04tm34l
Member
Registered: 2021-04-22
Posts: 32

Re: [SOLVED] Why do nftables block dnsmasq?

I made one big mistake.
Even with nftables disabled, the DNS of the LTE network could not be changed by dnsmasq.
In addition, I found that I had to change the FORWARD chain to "ct state established,related,new accept" for libvirt's NAT. It was a rather elementary mistake.
I've solved it myself, so I'll leave it at that.

#6 2022-04-22 14:39:04

04tm34l
Member
Registered: 2021-04-22
Posts: 32

Re: [SOLVED] Why do nftables block dnsmasq?

So I started using systemd-resolved for DNS resolution.
I will also include changes to nftables.conf for libvirt NAT.

Before

	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept
	}

After

	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		ct state established,related,new accept
	}

I also deleted the nftables.conf that I put in the opening question.

#7 2022-04-22 18:23:42

Fixxer
Member
From: Poland
Registered: 2011-08-29
Posts: 217

Re: [SOLVED] Why do nftables block dnsmasq?

In the case of "new" connections, consider instead allowing only something like this:

iif $something ct state new udp sport 68 udp dport 67 counter accept

I can't recall the details or find the links, but a DHCP server doesn't need any firewall rules because it can initiate the connection in another way than dnsmasq, etc.

Last edited by Fixxer (2022-04-22 19:53:28)
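The fix in #6 (`ct state established,related,new accept`) makes the FORWARD chain accept every new forwarded connection, which is the same as having no forward filter at all; #7 suggests narrowing it. Below is an added example ruleset (not from the thread or from libvirt) that keeps the chain's drop policy and only opens what a libvirt NAT network needs. It assumes libvirt's default bridge name virbr0 and default guest subnet 192.168.122.0/24, and matches the LTE uplink with the "wwp*" prefix mentioned in #4.

```nft
#!/usr/sbin/nft -f
# Added example, not the thread's own nftables.conf.
# Assumptions: virbr0 / 192.168.122.0/24 are libvirt's defaults, the LTE
# modem interface matches "wwp*" (the prefix the thread mentions).
define lan_if = "virbr0"
define wan_if = "wwp*"
define guest_net = 192.168.122.0/24

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Guests reach the dnsmasq instance libvirt runs on the bridge.
        iifname $lan_if udp dport 53 accept
        iifname $lan_if tcp dport 53 accept
        # DHCP as suggested in #7 (dnsmasq usually gets these packets via a
        # raw socket anyway, so this rule is mostly for clarity and counters).
        iifname $lan_if ct state new udp sport 68 udp dport 67 counter accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # Replies to connections the firewall already saw.
        ct state established,related accept
        ct state invalid drop
        # Narrow replacement for the thread's "...,new accept": only guests
        # may open new connections, and only toward the LTE uplink.
        iifname $lan_if oifname $wan_if ip saddr $guest_net ct state new accept
        # Anything else (uplink -> guests, guests -> other host networks) hits
        # the drop policy; log a sample so misconfigurations are visible.
        limit rate 5/minute log prefix "fwd-drop: "
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr $guest_net oifname $wan_if masquerade
    }
}
```

libvirt installs its own rules when it starts a virtual network, so after `virsh net-start default` check `nft list ruleset` for duplicated or conflicting NAT and forward entries before relying on this file alone.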
