Table of Contents

Bridge firewall

Introduction

Goals

Command-line instructions

The following assumes a setup in which the LAN and WAN interfaces are members of the same bridge. Install the required package, then enable a bridge firewall that intercepts DNS queries from bridge clients (their destination MAC is rewritten to that of the WAN device so the frames are delivered to the router instead of being bridged) and drops transit traffic bridged from eth0 to eth1.

# Install packages
opkg update
opkg install kmod-nft-bridge
 
# Configure firewall
cat << "EOF" > /etc/nftables.d/bridge.sh
. /lib/functions/network.sh
# Look up the WAN device and its MAC address; intercepted DNS frames are
# readdressed to this MAC so the bridge hands them to the router itself
network_flush_cache
network_find_wan NET_IF
network_get_device NET_DEV "${NET_IF}"
NET_MAC="$(ubus -S call network.device status \
"{'name':'${NET_DEV}'}" | jsonfilter -e "$['macaddr']")"
# Recreate the bridge table from scratch so the script is safe to re-run
nft add table bridge filter
nft flush table bridge filter
# Intercept DNS: rewrite the destination MAC of TCP/UDP port 53 traffic and
# mark the frame as host-bound so it is delivered locally instead of bridged
nft add chain bridge filter prerouting \
{ type filter hook prerouting priority dstnat\; }
nft add rule bridge filter prerouting meta \
l4proto { tcp, udp } th dport 53 pkttype set host \
ether daddr set "${NET_MAC}" comment "Intercept-DNS"
# Drop transit traffic bridged from eth0 to eth1
nft add chain bridge filter forward \
{ type filter hook forward priority filter\; }
nft add rule bridge filter forward iifname "eth0" \
oifname "eth1" drop comment "Deny-eth0-eth1"
EOF
# Register the script as an fw4 include so it runs on every firewall reload
uci -q delete firewall.bridge
uci set firewall.bridge="include"
uci set firewall.bridge.path="/etc/nftables.d/bridge.sh"
uci commit firewall
service firewall restart

The intercept rule only delivers the DNS frames to the router; it does not answer them. Set up DNS hijacking (redirecting port 53 to the local resolver) and DNS filtering so the router actually handles the intercepted queries.

Example: DSCP Classification on Dumb AP

If the firewall is disabled on the AP and kmod-nft-bridge is installed, this is easy to do. The ruleset below classifies HTTP(S) traffic as AF23. Not practical as it stands, but a start: it only matches packets whose destination port is 80 or 443, i.e. client requests, so the replies coming back from web servers (source port 80 or 443) are left unmarked.

Save the following to /etc/nftables.conf. Note that the leading flush ruleset removes every existing table, including the one fw4 manages, which is why this only suits a device with the firewall disabled.

flush ruleset
 
table bridge dscp {
    chain dscp_set_af23 {
        ip dscp set af23
        ip6 dscp set af23
    }
 
    chain prerouting {
        type filter hook prerouting priority 0; policy accept;
 
        meta l4proto tcp th dport {80, 443} jump dscp_set_af23
    }
}

Load it with the following command. To make it persist across reboots, add the same command to /etc/rc.local above the final exit 0.

nft -f /etc/nftables.conf
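The following is an added example, not code from the OpenWrt wiki page: a more practical version of the DSCP classification above for a dumb AP with the firewall disabled and kmod-nft-bridge installed. It marks web traffic in both directions (requests to ports 80/443 and the replies coming back from them) and keeps the ports in a named set that can be extended at runtime without reloading the file. The script name, the set name web_ports and the port 8080 mentioned in the comments are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the OpenWrt wiki page. Generates an nftables
# ruleset that marks web traffic as AF23 in both directions and loads it.
# Assumed usage on the AP:
#   sh dscp-bridge.sh                 # write /etc/nftables.conf and load it
#   sh dscp-bridge.sh /tmp/test.nft   # write elsewhere, e.g. to review first
# Off the AP (no nft), the generated ruleset is printed instead.

CONF=${1:-/etc/nftables.conf}

# Emit the ruleset on stdout. Ports are passed as a comma separated list so
# the same generator can be reused for other port classes.
dscp_ruleset() {
    web_ports=${1:-80, 443}
    cat <<EOF
flush ruleset

table bridge dscp {
    # Ports treated as web traffic; extend at runtime with
    #   nft add element bridge dscp web_ports { 8080 }
    set web_ports {
        type inet_service
        elements = { $web_ports }
    }

    chain set_af23 {
        ip dscp set af23
        ip6 dscp set af23
    }

    chain prerouting {
        type filter hook prerouting priority 0; policy accept;

        # Requests from clients (dport) and replies from servers (sport)
        meta l4proto tcp th dport @web_ports jump set_af23
        meta l4proto tcp th sport @web_ports jump set_af23
    }
}
EOF
}

# Sanity check on the generated text before loading it: both directions
# must be covered. Returns 0 when the ruleset looks right.
dscp_ruleset_ok() {
    printf '%s\n' "$1" | grep -q 'th dport @web_ports' &&
    printf '%s\n' "$1" | grep -q 'th sport @web_ports'
}

RULESET=$(dscp_ruleset)
if ! dscp_ruleset_ok "$RULESET"; then
    echo "generated ruleset is incomplete" >&2
    exit 1
fi

if command -v nft >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    printf '%s\n' "$RULESET" > "$CONF" && nft -f "$CONF"
else
    # Not on the AP: just show what would be written
    printf '%s\n' "$RULESET"
fi
```

The reply direction is the one that matters most on an AP, since the DSCP of frames transmitted to wireless clients is what selects their WMM access category; the named set lets you add ports with a single nft command instead of editing and reloading the whole file.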

Testing

Use nslookup, ping and ping6 on LAN clients to verify the firewall configuration: once DNS hijacking is in place, a query sent to an arbitrary external resolver should be answered by the router, and hosts reached via eth1 should be unreachable from clients on eth0.

Troubleshooting

Collect and analyze the following information.

# Log and status
service firewall restart
 
# Runtime configuration
lsmod | grep -e bridge
nft list ruleset
 
# Persistent configuration
uci show firewall
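As an added example for the Testing and Troubleshooting sections (it is not part of the OpenWrt wiki page), the script below checks nft list ruleset output for the two bridge chains and rules created by /etc/nftables.d/bridge.sh and, when given the expected MAC, that the Intercept-DNS rule rewrites to it. The functions take the ruleset text as an argument so they can be run against saved output off the router; on the router the live ruleset is fed in at the bottom. The script name and the MAC address in the constructed sample are made up.

```shell
#!/bin/sh
# Added example, not code from the OpenWrt wiki page. Verifies the bridge
# firewall ruleset described above. Assumed usage: sh check-bridge.sh

# Print the body of one chain of table "bridge filter".
# $1 = ruleset text, $2 = chain name
bridge_chain_body() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        /^table bridge filter [{]/ { in_table = 1; next }
        /^[}]/                     { in_table = 0 }
        in_table && $1 == "chain" && $2 == chain { in_chain = 1; next }
        in_chain && $1 == "}"      { in_chain = 0 }
        in_chain                   { print }
    '
}

# Return 0 when the chain is bound to the expected hook.
# $1 = ruleset text, $2 = chain, $3 = hook
bridge_chain_hooked() {
    bridge_chain_body "$1" "$2" | grep -q "type filter hook $3 priority"
}

# Return 0 when a rule carrying the given comment exists in the chain.
# $1 = ruleset text, $2 = chain, $3 = comment
bridge_rule_present() {
    bridge_chain_body "$1" "$2" | grep -q "comment \"$3\""
}

# Print the MAC that the Intercept-DNS rule rewrites to (nothing if absent).
intercept_dns_mac() {
    bridge_chain_body "$1" prerouting |
        sed -n 's/.*ether daddr set \([0-9a-f:]\{17\}\).*/\1/p'
}

# Run every check, print one line each and return the number of failures.
# $1 = ruleset text, $2 = expected MAC (optional)
check_bridge_firewall() {
    failed=0
    for spec in prerouting:Intercept-DNS forward:Deny-eth0-eth1; do
        chain=${spec%%:*}; tag=${spec#*:}
        if bridge_chain_hooked "$1" "$chain" "$chain"; then
            echo "ok   chain $chain hooked at $chain"
        else
            echo "FAIL chain $chain missing or not hooked at $chain"
            failed=$((failed + 1))
        fi
        if bridge_rule_present "$1" "$chain" "$tag"; then
            echo "ok   rule $tag present in $chain"
        else
            echo "FAIL rule $tag missing from $chain"
            failed=$((failed + 1))
        fi
    done
    mac=$(intercept_dns_mac "$1")
    if [ -z "$mac" ]; then
        echo "FAIL Intercept-DNS does not rewrite the destination MAC"
        failed=$((failed + 1))
    elif [ -n "$2" ] && [ "$mac" != "$2" ]; then
        echo "FAIL Intercept-DNS rewrites to $mac, expected $2"
        failed=$((failed + 1))
    else
        echo "ok   Intercept-DNS rewrites to $mac"
    fi
    return "$failed"
}

# Constructed sample of `nft list ruleset` output (MAC made up), used when
# the script is not running on the router.
SAMPLE_RULESET='table bridge filter {
    chain prerouting {
        type filter hook prerouting priority dstnat; policy accept;
        meta l4proto { tcp, udp } th dport 53 meta pkttype set host ether daddr set 00:11:22:33:44:55 comment "Intercept-DNS"
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname "eth0" oifname "eth1" drop comment "Deny-eth0-eth1"
    }
}'

if [ -r /lib/functions/network.sh ] && command -v nft >/dev/null 2>&1; then
    # On the router: derive the expected MAC the same way bridge.sh does
    . /lib/functions/network.sh
    network_find_wan NET_IF
    network_get_device NET_DEV "${NET_IF}"
    WANT_MAC="$(ubus -S call network.device status \
    "{'name':'${NET_DEV}'}" | jsonfilter -e '@.macaddr')"
    check_bridge_firewall "$(nft list ruleset)" "$WANT_MAC" ||
        echo "$? check(s) failed; inspect 'nft list ruleset' and 'lsmod | grep bridge'"
else
    check_bridge_firewall "$SAMPLE_RULESET" 00:11:22:33:44:55
fi
```

A FAIL on a chain usually means the include did not run (check uci show firewall and the output of service firewall restart); a FAIL on the MAC means network_find_wan resolved a different device than expected, which the ubus call in bridge.sh will confirm.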

Extras

References