Filtering traffic with IP sets by DNS

  • This how-to configures traffic filtering with IP sets by DNS on OpenWrt.
  • It relies on Dnsmasq and firewall with IP sets to resolve and filter domains.
  • Follow DNS hijacking to intercept DNS queries from your LAN clients.
  • Filter LAN client traffic with IP sets by DNS.

Install the required packages. Filter LAN client traffic with firewall and IP sets. Set up IP set extras and Hotplug extras to automatically populate IP sets.

# Install packages
opkg update
opkg remove dnsmasq
opkg install dnsmasq-full ipset resolveip
# Configure IP sets
uci -q delete dhcp.filter
uci set dhcp.filter="ipset"
uci add_list"filter"
uci add_list"filter6"
uci commit dhcp
# Filter LAN client traffic with IP sets
for IPV in 4 6
uci -q delete firewall.filter${IPV%4}_fwd
uci set firewall.filter${IPV%4}_fwd="rule"
uci set firewall.filter${IPV%4}"Filter-IPset-DNS-Forward"
uci set firewall.filter${IPV%4}_fwd.src="lan"
uci set firewall.filter${IPV%4}_fwd.dest="wan"
uci set firewall.filter${IPV%4}_fwd.proto="all"
uci set firewall.filter${IPV%4}"ipv${IPV}"
uci set firewall.filter${IPV%4}_fwd.ipset="filter${IPV%4} dest"
uci set firewall.filter${IPV%4}"REJECT"
# Resolve race conditions
cat << "EOF" > /etc/firewall.dnsmasq
/etc/init.d/dnsmasq restart
cat << "EOF" >> /etc/sysupgrade.conf
uci -q delete firewall.dnsmasq
uci set firewall.dnsmasq="include"
uci set firewall.dnsmasq.path="/etc/firewall.dnsmasq"
uci set firewall.dnsmasq.reload="1"
uci commit firewall
/etc/init.d/firewall restart
uci add_list dhcp.filter.domain=""
uci commit dhcp.filter.domain
/etc/init.d/dnsmasq restart
# Populate IP sets with IPs belonging to the domain
ipset setup
uci del_list dhcp.filter.domain=""
uci commit dhcp.filter.domain
# Flush IP sets to stop blocking the IPs of the domain being removed
ipset flush filter
ipset flush filter6
/etc/init.d/dnsmasq restart
# Populate IP sets
ipset setup
# List domains added to filter
uci get dhcp.filter.domain | sed 's/ /\n/g'
# List IPs that will be blocked because they resolve to these domains
ipset list filter
ipset list filter6

Flush DNS cache on the clients and restart the client browser. Verify your client traffic is properly filtered on the router.

Collect and analyze the following information.

# Restart services
/etc/init.d/log restart; /etc/init.d/firewall restart
/etc/init.d/dnsmasq restart
# Log and status
logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq
# Runtime configuration
pgrep -f -a dnsmasq
iptables-save -c; ip6tables-save -c; ipset list; nft list ruleset
# Persistent configuration
uci show firewall; uci show dhcp

If you want to manage the settings using web interface.

  • Navigate to LuCI → Network → Firewall → Traffic Rules → Filter-IPset-DNS-Forward to manage firewall rules.
  • Navigate to LuCI → Network → DHCP and DNSIP sets to manage domains.

A temporary workaround is necessary for the current stable release.

uclient-fetch -O /www/luci-static/resources/view/network/dhcp.js \

Limit the restriction scope to a specific source MAC address.

# Apply source restriction
for IPV in 4 6
uci add_list firewall.filter${IPV%4}_fwd.src_mac="11:22:33:44:55:66"
uci add_list firewall.filter${IPV%4}_fwd.src_mac="aa:bb:cc:dd:ee:ff"
uci commit firewall
/etc/init.d/firewall restart

Reorder firewall rules and enable time restriction to keep the rules active. Reload kernel timezone to properly apply DST.

# Apply time restriction
for IPV in 4 6
uci set firewall.filter${IPV%4}_fwd.start_time="21:00:00"
uci set firewall.filter${IPV%4}_fwd.stop_time="09:00:00"
uci set firewall.filter${IPV%4}_fwd.weekdays="Mon Tue Wed Thu Fri"
uci commit firewall
/etc/init.d/firewall restart

Reorder firewall rules to properly apply time restrictions.

# Reorder firewall rules
cat << "EOF" > /etc/firewall.estab
for IPV in 4 6
do ip${IPV%4}tables-save -c -t filter \
/FORWARD.*reject/i $(ip${IPV%4}tables-save -c -t filter \
| sed -n -e "/FORWARD.*ESTABLISHED.*ACCEPT/p")" \
| ip${IPV%4}tables-restore -c -T filter
cat << "EOF" >> /etc/sysupgrade.conf
uci -q delete firewall.estab
uci set firewall.estab="include"
uci set firewall.estab.path="/etc/firewall.estab"
uci set firewall.estab.reload="1"
uci commit firewall
/etc/init.d/firewall restart
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2022/02/22 10:47
  • by denisab85