# Filtering traffic with IP sets by DNS

Last modified: 2022/02/22 10:47 by denisab85

This article relies on the following:

- Accessing OpenWrt CLI
- Managing configurations
- Managing packages
- Managing services

## Introduction

This how-to configures traffic filtering with IP sets by DNS on OpenWrt. It relies on Dnsmasq and the firewall with IP sets: Dnsmasq adds the addresses it resolves for the listed domains to the IP sets, and the firewall rejects forwarded LAN traffic to those addresses. Follow DNS hijacking to intercept DNS queries from your LAN clients; a client that uses another resolver never populates the IP sets and bypasses the filter.

## Goals

- Filter LAN client traffic with IP sets by DNS.

## Command-line instructions

- Install the required packages.
- Filter LAN client traffic with firewall and IP sets.
- Set up IP set extras and Hotplug extras to automatically populate IP sets.

```sh
# Install packages
opkg update
opkg remove dnsmasq
opkg install dnsmasq-full ipset resolveip

# Configure IP sets (the IPv4 set is "filter", the IPv6 set is "filter6")
uci -q delete dhcp.filter
uci set dhcp.filter="ipset"
uci add_list dhcp.filter.name="filter"
uci add_list dhcp.filter.name="filter6"
uci commit dhcp

# Filter LAN client traffic with IP sets
# ${IPV%4} expands to "" for IPv4 and "6" for IPv6, matching the set names above
for IPV in 4 6
do
uci -q delete firewall.filter${IPV%4}_fwd
uci set firewall.filter${IPV%4}_fwd="rule"
uci set firewall.filter${IPV%4}_fwd.name="Filter-IPset-DNS-Forward"
uci set firewall.filter${IPV%4}_fwd.src="lan"
uci set firewall.filter${IPV%4}_fwd.dest="wan"
uci set firewall.filter${IPV%4}_fwd.proto="all"
uci set firewall.filter${IPV%4}_fwd.family="ipv${IPV}"
uci set firewall.filter${IPV%4}_fwd.ipset="filter${IPV%4} dest"
uci set firewall.filter${IPV%4}_fwd.target="REJECT"
done

# Resolve race conditions: restart Dnsmasq after every firewall reload
cat << "EOF" > /etc/firewall.dnsmasq
/etc/init.d/dnsmasq restart
EOF
cat << "EOF" >> /etc/sysupgrade.conf
/etc/firewall.dnsmasq
EOF
uci -q delete firewall.dnsmasq
uci set firewall.dnsmasq="include"
uci set firewall.dnsmasq.path="/etc/firewall.dnsmasq"
uci set firewall.dnsmasq.reload="1"
uci commit firewall
/etc/init.d/firewall restart
```

### Add Domain Filter

```sh
uci add_list dhcp.filter.domain="example.com"
uci commit dhcp.filter.domain
/etc/init.d/dnsmasq restart

# Populate IP sets with IPs belonging to the domain
ipset setup
```

### Remove Domain Filter

```sh
uci del_list dhcp.filter.domain="example.com"
uci commit dhcp.filter.domain

# Flush IP sets to stop blocking the IPs of the domain being removed
ipset flush filter
ipset flush filter6
/etc/init.d/dnsmasq restart

# Populate IP sets
ipset setup
```

### List Filters

```sh
# List domains added to filter
uci get dhcp.filter.domain | sed 's/ /\n/g'

# List IPs that will be blocked because they resolve to these domains
ipset list filter
ipset list filter6
```

## Testing

Flush the DNS cache on the clients and restart the client browser. Verify that your client traffic is properly filtered on the router: a connection from a LAN client to a filtered domain should be rejected, and the counters of the Filter-IPset-DNS-Forward rules in `iptables-save -c` and `ip6tables-save -c` should increase.

## Troubleshooting

Collect and analyze the following information.

```sh
# Restart services
/etc/init.d/log restart; /etc/init.d/firewall restart
/etc/init.d/dnsmasq restart

# Log and status
logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq

# Runtime configuration
pgrep -f -a dnsmasq
iptables-save -c; ip6tables-save -c; ipset list; nft list ruleset

# Persistent configuration
uci show firewall; uci show dhcp
```

## Extras

### Web interface

If you want to manage the settings using the web interface:

- Navigate to LuCI → Network → Firewall → Traffic Rules → Filter-IPset-DNS-Forward to manage firewall rules.
- Navigate to LuCI → Network → DHCP and DNS → IP sets to manage domains.

A temporary workaround is necessary for the current stable release; it fetches the IP set view from the LuCI master branch.

```sh
uclient-fetch -O /www/luci-static/resources/view/network/dhcp.js \
"https://raw.githubusercontent.com/openwrt/luci/master/modules/\
luci-mod-network/htdocs/luci-static/resources/view/network/dhcp.js"
```

### Source restriction

Limit the filter to specific source MAC addresses. The two addresses below are placeholders; replace them with the addresses of the clients to restrict.

```sh
# Apply source restriction
for IPV in 4 6
do
uci add_list firewall.filter${IPV%4}_fwd.src_mac="11:22:33:44:55:66"
uci add_list firewall.filter${IPV%4}_fwd.src_mac="aa:bb:cc:dd:ee:ff"
done
uci commit firewall
/etc/init.d/firewall restart
```

### Time restriction

Reorder firewall rules (see Established connections below) and enable time restriction so the rules are active only during the configured hours. Reload kernel timezone to properly apply DST.

```sh
# Apply time restriction
for IPV in 4 6
do
uci set firewall.filter${IPV%4}_fwd.start_time="21:00:00"
uci set firewall.filter${IPV%4}_fwd.stop_time="09:00:00"
uci set firewall.filter${IPV%4}_fwd.weekdays="Mon Tue Wed Thu Fri"
done
uci commit firewall
/etc/init.d/firewall restart
```

### Established connections

Reorder firewall rules to properly apply time restrictions. The firewall accepts established connections at the top of the FORWARD chain, so by default the REJECT rule only affects new connections; the include below moves the ESTABLISHED accept rule to just before the final reject in FORWARD, after the zone forwarding chains, so connections opened before the restriction started are cut off as well.

```sh
# Reorder firewall rules
cat << "EOF" > /etc/firewall.estab
for IPV in 4 6
do
ip${IPV%4}tables-save -c -t filter \
| sed -e "/FORWARD.*ESTABLISHED.*ACCEPT/d;
/FORWARD.*reject/i $(ip${IPV%4}tables-save -c -t filter \
| sed -n -e "/FORWARD.*ESTABLISHED.*ACCEPT/p")" \
| ip${IPV%4}tables-restore -c -T filter
done
EOF
cat << "EOF" >> /etc/sysupgrade.conf
/etc/firewall.estab
EOF
uci -q delete firewall.estab
uci set firewall.estab="include"
uci set firewall.estab.path="/etc/firewall.estab"
uci set firewall.estab.reload="1"
uci commit firewall
/etc/init.d/firewall restart
```
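As an added example that is not part of the wiki page or of OpenWrt, here is an awk rendering of the reorder that /etc/firewall.estab performs with sed, run against a constructed `iptables-save -c -t filter` dump so the resulting rule placement can be checked on any machine before touching a router. The sample rules, chain names and counters are constructed to resemble an fw3 filter table; `reorder_estab`, `line_of` and `SAMPLE` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the wiki page): awk version of the reorder done by
# /etc/firewall.estab. Reads an iptables-save dump on stdin and writes it to
# stdout with every "-A FORWARD ... ESTABLISHED ... ACCEPT" rule moved to just
# before the final "-A FORWARD ... -j reject" rule, so the zone forwarding
# chains (and the time-restricted REJECT rule in them) are evaluated before
# established connections are accepted.
reorder_estab() {
    awk '
        /-A FORWARD .*ESTABLISHED.*ACCEPT/ { held = held $0 "\n"; next }
        /-A FORWARD .*-j reject/          { printf "%s", held; held = "" }
        { print }
        END { printf "%s", held }   # never drop the rule if no reject line exists
    '
}

# 1-based number of the first stdin line containing a fixed string.
line_of() {
    grep -n -F -- "$1" | head -n 1 | cut -d: -f1
}

# Number of lines on stdin (awk avoids wc's platform-dependent padding).
count_lines() {
    awk 'END { print NR }'
}

# Constructed sample resembling "iptables-save -c -t filter" on an fw3 router
# with this page's rule installed (counters and chains abbreviated).
SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[12:960] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3:180] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[1:60] -A forwarding_lan_rule -m set --match-set filter dst -m comment --comment "!fw3: Filter-IPset-DNS-Forward" -j zone_wan_dest_REJECT
COMMIT'

# Reorder the sample and report where the moved rule landed.
REORDERED=$(printf '%s\n' "$SAMPLE" | reorder_estab)
ESTAB_LINE=$(printf '%s\n' "$REORDERED" | line_of 'ESTABLISHED')
REJECT_LINE=$(printf '%s\n' "$REORDERED" | line_of '-A FORWARD -m comment --comment "!fw3" -j reject')
ZONE_LINE=$(printf '%s\n' "$REORDERED" | line_of 'zone_lan_forward')
printf '%s\n' "$REORDERED"
echo "ESTABLISHED accept now on line $ESTAB_LINE (zone_lan_forward jump $ZONE_LINE, reject $REJECT_LINE)"
```

Feed a real dump to `reorder_estab` to preview what the include would hand to iptables-restore; the ESTABLISHED line must end up after the zone_lan_forward jump and directly before the reject.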