| docs:guide-user:firewall:fw3_configurations:dns_ipset [2021/08/15 17:44] – unify headers vgaetera | docs:guide-user:firewall:fw3_configurations:dns_ipset [2023/10/15 06:58] – update vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== | + | ====== |
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| - | * This how-to | + | * This how-to |
| - | * It relies on [[docs:guide-user:base-system: | + | * It relies on [[packages:pkgdata:resolveip]] and [[docs:guide-user: |
| - | * Follow [[docs: | + | |
| ===== Goals ===== | ===== Goals ===== | ||
| - | * Filter LAN client traffic | + | * Filter LAN client traffic with IP sets by DNS. |
| ===== Command-line instructions ===== | ===== Command-line instructions ===== | ||
| - | Install the packages | + | Install the required |
| - | Set up firewall rules to filter | + | Filter |
| - | Configure the domains which addresses should be stored in the IP sets. | + | Set up [[docs: |
| <code bash> | <code bash> | ||
| # Install packages | # Install packages | ||
| opkg update | opkg update | ||
| - | opkg install | + | opkg install |
| # Configure IP sets | # Configure IP sets | ||
| - | uci -q delete | + | uci -q delete |
| - | uci set firewall.filter=" | + | uci set dhcp.filter=" |
| - | uci set firewall.filter.name=" | + | uci add_list dhcp.filter.name=" |
| - | uci set firewall.filter.family="ipv4" | + | uci add_list dhcp.filter.name="filter6" |
| - | uci set firewall.filter.storage="hash" | + | uci add_list dhcp.filter.domain="example.com" |
| - | uci set firewall.filter.match="ip" | + | uci add_list dhcp.filter.domain="example.net" |
| - | uci -q delete firewall.filter6 | + | uci commit dhcp |
| - | uci set firewall.filter6=" | + | |
| - | uci set firewall.filter6.name=" | + | |
| - | uci set firewall.filter6.family=" | + | |
| - | uci set firewall.filter6.storage=" | + | |
| - | uci set firewall.filter6.match=" | + | |
| # Filter LAN client traffic with IP sets | # Filter LAN client traffic with IP sets | ||
| - | uci -q delete firewall.filter_fwd | + | for IPV in 4 6 |
| - | uci set firewall.filter_fwd=" | + | do |
| - | uci set firewall.filter_fwd.name=" | + | uci -q delete firewall.fwd_filter${IPV%4} |
| - | uci set firewall.filter_fwd.src=" | + | uci set firewall.fwd_filter${IPV%4}=" |
| - | uci set firewall.filter_fwd.dest=" | + | uci set firewall.fwd_filter${IPV%4}.name=" |
| - | uci set firewall.filter_fwd.proto=" | + | uci set firewall.fwd_filter${IPV%4}.src=" |
| - | uci set firewall.filter_fwd.family=" | + | uci set firewall.fwd_filter${IPV%4}.dest=" |
| - | uci set firewall.filter_fwd.ipset=" | + | uci set firewall.fwd_filter${IPV%4}.proto=" |
| - | uci set firewall.filter_fwd.target=" | + | uci set firewall.fwd_filter${IPV%4}.family=" |
| - | uci -q delete firewall.filter6_fwd | + | uci set firewall.fwd_filter${IPV%4}.ipset=" |
| - | uci set firewall.filter6_fwd=" | + | uci set firewall.fwd_filter${IPV%4}.target=" |
| - | uci set firewall.filter6_fwd.name=" | + | done |
| - | uci set firewall.filter6_fwd.src=" | + | |
| - | uci set firewall.filter6_fwd.dest=" | + | |
| - | uci set firewall.filter6_fwd.proto=" | + | |
| - | uci set firewall.filter6_fwd.family=" | + | |
| - | uci set firewall.filter6_fwd.ipset=" | + | |
| - | uci set firewall.filter6_fwd.target=" | + | |
| uci commit firewall | uci commit firewall | ||
| - | / | ||
| - | # Configure ipset-dns | + | # Populate IP sets |
| - | uci set ipset-dns.@ipset-dns[0].ipset=" | + | ipset setup |
| - | uci set ipset-dns.@ipset-dns[0].ipset6=" | + | |
| - | uci commit ipset-dns | + | |
| - | / | + | |
| - | + | ||
| - | # Resolve race conditions | + | |
| - | cat << " | + | |
| - | / | + | |
| - | / | + | |
| - | EOF | + | |
| - | cat << " | + | |
| - | / | + | |
| - | EOF | + | |
| - | uci -q delete firewall.ipsetdns | + | |
| - | uci set firewall.ipsetdns=" | + | |
| - | uci set firewall.ipsetdns.path="/ | + | |
| - | uci set firewall.ipsetdns.reload=" | + | |
| - | uci commit firewall | + | |
| - | / | + | |
| - | + | ||
| - | # Configure domains to filter | + | |
| - | uci add_list dhcp.@dnsmasq[0].server="/ | + | |
| - | uci add_list dhcp.@dnsmasq[0].server="/ | + | |
| - | uci commit dhcp | + | |
| - | / | + | |
| </ | </ | ||
| Line 93: | Line 56: | ||
| <code bash> | <code bash> | ||
| # Restart services | # Restart services | ||
| - | / | + | service |
| - | / | + | |
| - | + | ||
| - | # Log and status | + | |
| - | logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq | + | |
| - | logread -e ipset-dns; netstat -l -n -p | grep -e ipset-dns | + | |
| # Runtime configuration | # Runtime configuration | ||
| - | pgrep -f -a dnsmasq; pgrep -f -a ipset-dns | + | nft list ruleset |
| - | iptables-save; | + | |
| # Persistent configuration | # Persistent configuration | ||
| - | uci show firewall; | + | uci show firewall; |
| </ | </ | ||
| Line 112: | Line 69: | ||
| If you want to manage the settings using web interface. | If you want to manage the settings using web interface. | ||
| * Navigate to **LuCI -> Network -> Firewall -> Traffic Rules -> Filter-IPset-DNS-Forward** to manage firewall rules. | * Navigate to **LuCI -> Network -> Firewall -> Traffic Rules -> Filter-IPset-DNS-Forward** to manage firewall rules. | ||
| - | * Navigate to **LuCI -> Network -> DHCP and DNS -> General Settings -> DNS forwardings** to manage domains. | + | * Navigate to **LuCI -> Network -> DHCP and DNS -> IP sets** to manage domains. |
| + | Reboot the router to apply the changes. | ||
| - | ==== Preresolve | + | ==== Manage |
| - | Set up [[docs: | + | Add/remove domains |
| - | Use persistent IP sets. | + | |
| <code bash> | <code bash> | ||
| - | # Install packages | + | # Add domains |
| - | opkg update | + | uci add_list dhcp.filter.domain=" |
| - | opkg install resolveip | + | uci add_list dhcp.filter.domain=" |
| - | # Populate IP sets | + | # Remove domains |
| - | mkdir -p / | + | uci del_list |
| - | cat << " | + | uci del_list |
| - | if [ ! -e / | + | |
| - | && lock -n / | + | # Save and apply |
| - | then | + | uci commit |
| - | uci -q delete firewall.filter.entry | + | ipset setup |
| - | uci -q delete firewall.filter6.entry | + | |
| - | uci get dhcp.@dnsmasq[0].server \ | + | |
| - | | sed -e " | + | |
| - | | sed -n -e " | + | |
| - | | while read -r IPSET_DOMAIN | + | |
| - | do | + | |
| - | resolveip -4 " | + | |
| - | | while read -r IPSET_ADDR | + | |
| - | do | + | |
| - | uci del_list firewall.filter.entry="${IPSET_ADDR}" | + | |
| - | uci add_list firewall.filter.entry=" | + | |
| - | done | + | |
| - | resolveip -6 " | + | |
| - | | while read -r IPSET_ADDR | + | |
| - | do | + | |
| - | uci del_list | + | |
| - | uci add_list firewall.filter6.entry=" | + | |
| - | done | + | |
| - | done | + | |
| - | uci commit | + | |
| - | / | + | |
| - | lock -u /var/lock/ipset-filter | + | |
| - | fi | + | |
| - | EOF | + | |
| - | cat << " | + | |
| - | / | + | |
| - | EOF | + | |
| - | . / | + | |
| </ | </ | ||
| Line 165: | Line 94: | ||
| <code bash> | <code bash> | ||
| # Apply source restriction | # Apply source restriction | ||
| - | for FW_RULE | + | for IPV in 4 6 |
| do | do | ||
| - | uci add_list firewall.${FW_RULE}.src_mac=" | + | uci add_list firewall.fwd_filter${IPV%4}.src_mac=" |
| - | uci add_list firewall.${FW_RULE}.src_mac=" | + | uci add_list firewall.fwd_filter${IPV%4}.src_mac=" |
| done | done | ||
| uci commit firewall | uci commit firewall | ||
| - | / | + | service |
| </ | </ | ||
| Line 180: | Line 109: | ||
| <code bash> | <code bash> | ||
| # Apply time restriction | # Apply time restriction | ||
| - | for FW_RULE | + | for IPV in 4 6 |
| do | do | ||
| - | uci set firewall.${FW_RULE}.start_time=" | + | uci set firewall.fwd_filter${IPV%4}.start_time=" |
| - | uci set firewall.${FW_RULE}.stop_time=" | + | uci set firewall.fwd_filter${IPV%4}.stop_time=" |
| - | uci set firewall.${FW_RULE}.weekdays=" | + | uci set firewall.fwd_filter${IPV%4}.weekdays=" |
| done | done | ||
| uci commit firewall | uci commit firewall | ||
| - | / | + | service |
| </ | </ | ||
| Line 195: | Line 124: | ||
| <code bash> | <code bash> | ||
| # Reorder firewall rules | # Reorder firewall rules | ||
| - | cat << " | + | cat << " |
| - | for IPT in iptables ip6tables | + | ER_RULE=" |
| - | do ${IPT}-save -c -t filter | + | | sed -n -e "/\sestablished, |
| - | | sed -e "/FORWARD.*ESTABLISHED.*ACCEPT/d; | + | RJ_RULE=" |
| - | / | + | | sed -n -e "/\shandle_reject\s/ |
| - | | sed -n -e "/FORWARD.*ESTABLISHED.*ACCEPT/ | + | nft delete rule inet fw4 forward handle |
| - | | ${IPT}-restore -c -T filter | + | nft insert rule inet fw4 forward position ${RJ_RULE## |
| - | done | + | |
| - | EOF | + | |
| - | cat << " | + | |
| - | / | + | |
| EOF | EOF | ||
| uci -q delete firewall.estab | uci -q delete firewall.estab | ||
| uci set firewall.estab=" | uci set firewall.estab=" | ||
| - | uci set firewall.estab.path="/ | + | uci set firewall.estab.path="/ |
| - | uci set firewall.estab.reload=" | + | |
| uci commit firewall | uci commit firewall | ||
| - | / | + | service |
| </ | </ | ||
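Review bot: In the "Reorder firewall rules" script on the new side, the `nft delete rule inet fw4 forward handle …` and `nft insert rule … position ${RJ_RULE##…}` calls run unconditionally on whatever the preceding `sed -n` extraction produced, so if the `established,` or `handle_reject` match fails (the expressions are cut off in this rendering, so the exact patterns cannot be checked here) the script would issue nft commands with an empty handle or position. Adding `[ -n "${ER_RULE}" ] && [ -n "${RJ_RULE}" ] || exit 1` before the `nft delete` line would make the hook fail early instead of passing malformed arguments to nft. Since the established/related accept rule is deleted before its replacement is inserted, a failed insert also leaves the forward chain without that rule until the next firewall reload; if the handle-based delete still works after the insert, inserting first and deleting the old handle afterwards would avoid that window. A one-line comment such as `# fw4 restores its default order on reload; this hook moves the established/related accept rule ahead of the reject rule` would also help readers who do not know why the hook exists.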