Differences
| docs:guide-user:firewall:filtering_traffic_at_ip_addresses_by_dns [2022/12/29 15:31] – plinioseniore | docs:guide-user:firewall:filtering_traffic_at_ip_addresses_by_dns [2024/01/13 12:53] – [Improvements] plinioseniore | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== fw4 Filtering traffic with IP sets by DNS ====== | ====== fw4 Filtering traffic with IP sets by DNS ====== | ||
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| Line 19: | Line 19: | ||
| ===== [CASE 1] Command-line instructions ===== | ===== [CASE 1] Command-line instructions ===== | ||
| - | Install // | + | Install // |
| <code bash> | <code bash> | ||
| - | opkg update | + | opkg update; cd /tmp/ && opkg download dnsmasq-full; opkg install ipset libnettle8 libnetfilter-conntrack3; |
| - | cd /tmp/ && opkg download dnsmasq-full | + | opkg remove dnsmasq; opkg install dnsmasq-full --cache /tmp/; rm -f / |
| - | opkg remove dnsmasq | + | |
| - | opkg install dnsmasq-full --cache /tmp/ | + | |
| - | rm -f / | + | |
| </ | </ | ||
| Line 37: | Line 34: | ||
| A valid result should looks like // | A valid result should looks like // | ||
| - | In ///etc/rc.local// add the below code to create the **nft set** in which we will save the IP addresses, the proposed code is **ipv4** only but can be extended to cover **ipv6** | + | In ///etc/hotplug.d/ |
| <code bash> | <code bash> | ||
| Line 45: | Line 42: | ||
| nft insert rule inet fw4 forward_wildlan ip daddr @blackhole accept | nft insert rule inet fw4 forward_wildlan ip daddr @blackhole accept | ||
| </ | </ | ||
| - | |||
| - | In some cases a //sleep 10// between the two commands can be required. | ||
| The //wildlan// zone has no access to internet unless the target IP address is listed in // | The //wildlan// zone has no access to internet unless the target IP address is listed in // | ||
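Review bot: dropping the sentence about a `sleep 10` between the two commands removes the only hint that the rc.local version raced fw4 start-up; moving the snippet to `/etc/hotplug.d/` changes when it runs but does not by itself guarantee that the `inet fw4` table and the `forward_wildlan` chain exist at that moment, so `nft insert rule inet fw4 forward_wildlan ip daddr @blackhole accept` can still fail silently on an early interface event. A guard before the insert (for example requiring `nft list chain inet fw4 forward_wildlan` to succeed) or a note on which hotplug subsystem and event the script keys on would make the replacement robust. Minor: the unchanged line "A valid result should looks like" should read "should look like".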
| Line 57: | Line 52: | ||
| nftset=/ | nftset=/ | ||
| ... | ... | ||
| + | </ | ||
| + | |||
| + | Looking to the case in which you want to ensure that only IP addresses resolved via your DNS are allowed, then use # wildcard. This make sense if you want avoid access via direct IP without a filter for specific URLs. | ||
| + | |||
| + | <code bash> | ||
| + | nftset=/#/ | ||
| </ | </ | ||
| Line 69: | Line 70: | ||
| This applies only for //OpenWrt 22.03//, //OpenWrt 22.03.1// and //OpenWrt 22.03.2// that have an older release of // | This applies only for //OpenWrt 22.03//, //OpenWrt 22.03.1// and //OpenWrt 22.03.2// that have an older release of // | ||
| - | In ///etc/rc.local// add the below code to create the **nft set** in which we will save the IP addresses, the proposed code is **ipv4** only but can be extended to cover **ipv6** | + | In ///etc/hotplug.d/ |
| <code bash> | <code bash> | ||
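Review bot: the same `rc.local` to `/etc/hotplug.d/` move is applied to the older-fw4 case here, so the same start-up ordering caveat applies, plus one specific to hotplug: the script now runs on every interface status change rather than once at boot, and an unguarded `nft insert rule ... accept` (as shown at Line 45 in the previous hunk) adds a duplicate rule on each event. The script should test for the rule before inserting or flush its own rules first, or the text should state that duplicates are expected and harmless. Stating which hotplug subsystem directory the file belongs in would also help readers of this section.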
| Line 97: | Line 98: | ||
| Based on this forward chain only the traffic with destination to the IP addresses included in @blackhole will be allowed. | Based on this forward chain only the traffic with destination to the IP addresses included in @blackhole will be allowed. | ||
| - | The //rc.local// is executed at boot time, so that @blackhole will be filled with IP addresses only at that stage. That **set** shall be periodically updated for two reasons: | + | The /// |
| 1. The IP addresses may change | 1. The IP addresses may change | ||
| 2. In case of DNS Load Balancing, the same DNS query will result in different IP addresses (all valid) based on time of request. | 2. In case of DNS Load Balancing, the same DNS query will result in different IP addresses (all valid) based on time of request. | ||
| Line 106: | Line 107: | ||
| </ | </ | ||
| - | In the /// | + | In the /// |
| <code bash> | <code bash> | ||
| Line 132: | Line 133: | ||
| In //CASE 2// the script will periodically query the DNS with all domains included in /// | In //CASE 2// the script will periodically query the DNS with all domains included in /// | ||
| + | |||
| + | ===== Next Improvements ===== | ||
| + | |||
| + | The command line instructions are included in /// | ||
| + | |||
| + | The rules will be reapplied at next change in status of any interface, that could also be trigged on purpose to rebuild the rules. | ||
| + | |||
| + | If in next released will be included a custom file for NFT commands that is trigged at any firewall rebuild, this problem will be solved. | ||
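Review bot: the new "Next Improvements" section names a real gap that the rest of the page does not flag, and it should state the consequence plainly: because the set and rule are created from a hotplug script, a firewall reload or restart that is not accompanied by an interface status change leaves the `wildlan` zone without the accept rule for `@blackhole` until the next interface event (closed rather than open, given the zone has no other internet access). Also say how the reader can trigger the rebuild on purpose, since the second paragraph only hints at it. Grammar: "trigged" should be "triggered" in both paragraphs, and "If in next released will be included a custom file for NFT commands that is trigged at any firewall rebuild" should read "If a future release includes a custom file for nft commands that is triggered at every firewall rebuild".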