Filtering traffic with IP sets by DNS

  • This how-to configures traffic filtering with IP sets by DNS on OpenWrt.
  • It relies on Dnsmasq and firewall with IP sets to resolve and filter domains.
  • Follow DNS hijacking to intercept DNS queries from your LAN clients.
  • Filter LAN client traffic with IP sets by DNS.

Install the required packages. Filter LAN client traffic with firewall and IP sets. Set up Populating IP sets and Hotplug extras to automatically populate IP sets.

# Install packages
opkg update
opkg remove dnsmasq
opkg install dnsmasq-full ipset resolveip
# Configure IP sets
uci -q delete dhcp.filter
uci set dhcp.filter="ipset"
uci add_list"filter"
uci add_list"filter6"
uci add_list dhcp.filter.domain=""
uci add_list dhcp.filter.domain=""
uci commit dhcp
/etc/init.d/dnsmasq restart
# Filter LAN client traffic with IP sets
uci -q delete firewall.filter_fwd
uci set firewall.filter_fwd="rule"
uci set"Filter-IPset-DNS-Forward"
uci set firewall.filter_fwd.src="lan"
uci set firewall.filter_fwd.dest="wan"
uci set firewall.filter_fwd.proto="all"
uci set"ipv4"
uci set firewall.filter_fwd.ipset="filter dest"
uci set"REJECT"
uci -q delete firewall.filter6_fwd
uci set firewall.filter6_fwd="rule"
uci set"Filter-IPset-DNS-Forward"
uci set firewall.filter6_fwd.src="lan"
uci set firewall.filter6_fwd.dest="wan"
uci set firewall.filter6_fwd.proto="all"
uci set"ipv6"
uci set firewall.filter6_fwd.ipset="filter6 dest"
uci set"REJECT"
uci commit firewall
/etc/init.d/firewall restart
# Resolve race conditions
cat << "EOF" > /etc/firewall.dnsmasq
/etc/init.d/dnsmasq restart
cat << "EOF" >> /etc/sysupgrade.conf
uci -q delete firewall.dnsmasq
uci set firewall.dnsmasq="include"
uci set firewall.dnsmasq.path="/etc/firewall.dnsmasq"
uci set firewall.dnsmasq.reload="1"
uci commit firewall
/etc/init.d/firewall restart
# Populate IP sets
mkdir -p /etc/hotplug.d/online
cat << "EOF" > /etc/hotplug.d/online/70-ipset-filter
if [ ! -e /var/lock/ipset-filter ] \
&& lock -n /var/lock/ipset-filter
then . /etc/profile.d/
ipset setup
lock -u /var/lock/ipset-filter
cat << "EOF" >> /etc/sysupgrade.conf
. /etc/hotplug.d/online/70-ipset-filter

Flush DNS cache on the clients and restart the client browser. Verify your client traffic is properly filtered on the router.

Collect and analyze the following information.

# Restart services
/etc/init.d/log restart; /etc/init.d/firewall restart
/etc/init.d/dnsmasq restart
# Log and status
logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq
# Runtime configuration
pgrep -f -a dnsmasq
iptables-save -c; ip6tables-save -c; ipset list; nft list ruleset
# Persistent configuration
uci show firewall; uci show dhcp

If you want to manage the settings using web interface.

  • Navigate to LuCI → Network → Firewall → Traffic Rules → Filter-IPset-DNS-Forward to manage firewall rules.
  • Navigate to LuCI → Network → DHCP and DNSIP sets to manage domains.

Limit the restriction scope to a specific source MAC address.

# Apply source restriction
for FW_RULE in filter_fwd filter6_fwd
uci add_list firewall.${FW_RULE}.src_mac="11:22:33:44:55:66"
uci add_list firewall.${FW_RULE}.src_mac="aa:bb:cc:dd:ee:ff"
uci commit firewall
/etc/init.d/firewall restart

Reorder firewall rules and enable time restriction to keep the rules active. Reload kernel timezone to properly apply DST.

# Apply time restriction
for FW_RULE in filter_fwd filter6_fwd
uci set firewall.${FW_RULE}.start_time="21:00:00"
uci set firewall.${FW_RULE}.stop_time="09:00:00"
uci set firewall.${FW_RULE}.weekdays="Mon Tue Wed Thu Fri"
uci commit firewall
/etc/init.d/firewall restart

Reorder firewall rules to properly apply time restrictions.

# Reorder firewall rules
cat << "EOF" > /etc/firewall.estab
for IPT in iptables ip6tables
do ${IPT}-save -c -t filter \
/FORWARD.*reject/i $(${IPT}-save -c -t filter \
| sed -n -e "/FORWARD.*ESTABLISHED.*ACCEPT/p")" \
| ${IPT}-restore -c -T filter
cat << "EOF" >> /etc/sysupgrade.conf
uci -q delete firewall.estab
uci set firewall.estab="include"
uci set firewall.estab.path="/etc/firewall.estab"
uci set firewall.estab.reload="1"
uci commit firewall
/etc/init.d/firewall restart
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2021/10/09 08:56
  • by vgaetera