OpenWrt Project

User Tools

Site Tools

You are here: Welcome to the OpenWrt Project » Documentation » User guide » Firewall Documentation » fw3 Configurations » DNS-based firewall with IP sets
en
 ?

Sidebar

docs:guide-user:firewall:fw3_configurations:dns_ipset

Table of Contents

DNS-based firewall with IP sets

This article relies on the following:

Introduction

  • This how-to describes the method for setting up DNS-based firewall with IP sets on OpenWrt.
  • Follow DNS hijacking to intercept DNS queries from your LAN clients.

Goals

  • Filter LAN client traffic based on DNS with IP sets.

Instructions

Install the packages and configure IP sets for domains to block. Set up firewall rules to filter LAN client traffic which destination matches the IP sets. Configure the domains which addresses should be stored in the IP sets. 

# Install packages
opkg update
opkg remove dnsmasq
opkg install dnsmasq-full ipset
 
# Configure IP sets
uci -q delete firewall.block
uci set firewall.block="ipset"
uci set firewall.block.name="block"
uci set firewall.block.family="ipv4"
uci set firewall.block.storage="hash"
uci set firewall.block.match="ip"
uci -q delete firewall.block6
uci set firewall.block6="ipset"
uci set firewall.block6.name="block6"
uci set firewall.block6.family="ipv6"
uci set firewall.block6.storage="hash"
uci set firewall.block6.match="ip"
 
# Block LAN client traffic with IP sets
uci -q delete firewall.block_fwd
uci set firewall.block_fwd="rule"
uci set firewall.block_fwd.name="Block-IPset-DNS"
uci set firewall.block_fwd.src="lan"
uci set firewall.block_fwd.dest="wan"
uci set firewall.block_fwd.family="ipv4"
uci set firewall.block_fwd.proto="all"
uci set firewall.block_fwd.ipset="block dest"
uci set firewall.block_fwd.target="REJECT"
uci -q delete firewall.block6_fwd
uci set firewall.block6_fwd="rule"
uci set firewall.block6_fwd.name="Block-IPset-DNS"
uci set firewall.block6_fwd.src="lan"
uci set firewall.block6_fwd.dest="wan"
uci set firewall.block6_fwd.family="ipv6"
uci set firewall.block6_fwd.proto="all"
uci set firewall.block6_fwd.ipset="block6 dest"
uci set firewall.block6_fwd.target="REJECT"
uci commit firewall
/etc/init.d/firewall restart
 
# Configure domains to block
uci -q delete dhcp.@dnsmasq[0].ipset
uci add_list dhcp.@dnsmasq[0].ipset="/example.com/block,block6"
uci add_list dhcp.@dnsmasq[0].ipset="/example.net/block,block6"
uci commit dhcp
/etc/init.d/dnsmasq restart

Testing

Flush DNS cache on the clients and restart the client browser. Verify your client traffic is properly filtered on the router.

Troubleshooting

Collect and analyze the following information. 

# Restart the services
/etc/init.d/log restart; /etc/init.d/firewall restart; /etc/init.d/dnsmasq restart
 
# Log and status
logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq
 
# Runtime configuration
pgrep -f -a dnsmasq
iptables-save
ip6tables-save
ipset list
 
# Persistent configuration
uci show dhcp; uci show firewall
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
docs/guide-user/firewall/fw3_configurations/dns_ipset.txt · Last modified: 2020/08/06 18:58 by vgaetera

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki