docs:guide-user:firewall:fw3_configurations:dns_ipset [2021/08/30 04:19] – [Troubleshooting] vgaeteradocs:guide-user:firewall:fw3_configurations:dns_ipset [2023/10/15 06:58] – update vgaetera
Line 1: Line 1:
-====== DNS-based firewall with IP sets ====== +====== Filtering traffic with IP sets by DNS ====== 
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
-  * This how-to describes the method for setting up DNS-based firewall with [[wp>Netfilter#ipset|IP sets]] on OpenWrt. +  * This how-to configures traffic filtering with [[https://wiki.nftables.org/wiki-nftables/index.php/Sets|IP sets]] by DNS on OpenWrt. 
-  * It relies on [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]][[packages:pkgdata:ipset-dns|ipset-dns]] and firewall with [[docs:guide-user:firewall:firewall_configuration#ip_sets|IP sets]] to resolve and filter domains+  * It relies on [[packages:pkgdata:resolveip]] and [[docs:guide-user:firewall:overview|firewall]] with [[docs:guide-user:firewall:firewall_configuration#ip_sets|IP sets]] to resolve and filter domains.
-  * Follow [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]] to intercept DNS queries from your LAN clients.+
  
 ===== Goals ===== ===== Goals =====
-  * Filter LAN client traffic based on DNS with IP sets.+  * Filter LAN client traffic with IP sets by DNS.
  
 ===== Command-line instructions ===== ===== Command-line instructions =====
-Install the packages and configure IP sets for domains to filter+Install the required packages. 
-Set up firewall rules to filter LAN client traffic which destination matches the IP sets. +Filter LAN client traffic with firewall and IP sets. 
-Configure the domains which addresses should be stored in the IP sets.+Set up [[docs:guide-user:advanced:ipset_extras|IP set extras]] and [[docs:guide-user:advanced:hotplug_extras|Hotplug extras]] to automatically populate IP sets.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install ipset ipset-dns+opkg install resolveip
  
 # Configure IP sets # Configure IP sets
-uci -q delete firewall.filter +uci -q delete dhcp.filter 
-uci set firewall.filter="ipset" +uci set dhcp.filter="ipset" 
-uci set firewall.filter.name="filter" +uci add_list dhcp.filter.name="filter" 
-uci set firewall.filter.family="ipv4+uci add_list dhcp.filter.name="filter6
-uci set firewall.filter.storage="hash+uci add_list dhcp.filter.domain="example.com
-uci set firewall.filter.match="ip" +uci add_list dhcp.filter.domain="example.net
-uci -q delete firewall.filter6 +uci commit dhcp
-uci set firewall.filter6="ipset+
-uci set firewall.filter6.name="filter6" +
-uci set firewall.filter6.family="ipv6" +
-uci set firewall.filter6.storage="hash" +
-uci set firewall.filter6.match="ip"+
  
 # Filter LAN client traffic with IP sets # Filter LAN client traffic with IP sets
-uci -q delete firewall.filter_fwd +for IPV in 4 6 
-uci set firewall.filter_fwd="rule" +do 
-uci set firewall.filter_fwd.name="Filter-IPset-DNS-Forward" +uci -q delete firewall.fwd_filter${IPV%4} 
-uci set firewall.filter_fwd.src="lan" +uci set firewall.fwd_filter${IPV%4}="rule" 
-uci set firewall.filter_fwd.dest="wan" +uci set firewall.fwd_filter${IPV%4}.name="Filter-IPset-DNS-Forward" 
-uci set firewall.filter_fwd.proto="all" +uci set firewall.fwd_filter${IPV%4}.src="lan" 
-uci set firewall.filter_fwd.family="ipv4+uci set firewall.fwd_filter${IPV%4}.dest="wan" 
-uci set firewall.filter_fwd.ipset="filter dest" +uci set firewall.fwd_filter${IPV%4}.proto="all" 
-uci set firewall.filter_fwd.target="REJECT" +uci set firewall.fwd_filter${IPV%4}.family="ipv${IPV}
-uci -q delete firewall.filter6_fwd +uci set firewall.fwd_filter${IPV%4}.ipset="filter${IPV%4} dest" 
-uci set firewall.filter6_fwd="rule" +uci set firewall.fwd_filter${IPV%4}.target="REJECT" 
-uci set firewall.filter6_fwd.name="Filter-IPset-DNS-Forward" +done
-uci set firewall.filter6_fwd.src="lan" +
-uci set firewall.filter6_fwd.dest="wan" +
-uci set firewall.filter6_fwd.proto="all" +
-uci set firewall.filter6_fwd.family="ipv6" +
-uci set firewall.filter6_fwd.ipset="filter6 dest" +
-uci set firewall.filter6_fwd.target="REJECT"+
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart 
  
-Configure ipset-dns +Populate IP sets 
-uci set ipset-dns.@ipset-dns[0].ipset="filter" +ipset setup
-uci set ipset-dns.@ipset-dns[0].ipset6="filter6" +
-uci commit ipset-dns +
-/etc/init.d/ipset-dns restart +
- +
-# Resolve race conditions +
-cat << "EOF" > /etc/firewall.ipsetdns +
-/etc/init.d/ipset-dns restart +
-/etc/init.d/dnsmasq restart +
-EOF +
-cat << "EOF" >> /etc/sysupgrade.conf +
-/etc/firewall.ipsetdns +
-EOF +
-uci -q delete firewall.ipsetdns +
-uci set firewall.ipsetdns="include" +
-uci set firewall.ipsetdns.path="/etc/firewall.ipsetdns" +
-uci set firewall.ipsetdns.reload="1" +
-uci commit firewall +
-/etc/init.d/firewall restart +
- +
-# Configure domains to filter +
-uci add_list dhcp.@dnsmasq[0].server="/example.com/127.0.0.1#53001" +
-uci add_list dhcp.@dnsmasq[0].server="/example.net/127.0.0.1#53001" +
-uci commit dhcp +
-/etc/init.d/dnsmasq restart+
 </code> </code>
  
Line 93: Line 56:
 <code bash> <code bash>
 # Restart services # Restart services
-/etc/init.d/log restart; /etc/init.d/firewall restart +service firewall restart
-/etc/init.d/ipset-dns restart; /etc/init.d/dnsmasq restart +
- +
-# Log and status +
-logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq +
-logread -e ipset-dns; netstat -l -n -p | grep -e ipset-dns+
  
 # Runtime configuration # Runtime configuration
-pgrep -f -a dnsmasq; pgrep -f -a ipset-dns +nft list ruleset
-iptables-save -c; ip6tables-save -c; ipset list+
  
 # Persistent configuration # Persistent configuration
-uci show firewall; uci show dhcp; uci show ipset-dns+uci show firewall; crontab -l
 </code> </code>
  
Line 112: Line 69:
 If you want to manage the settings using web interface. If you want to manage the settings using web interface.
   * Navigate to **LuCI -> Network -> Firewall -> Traffic Rules -> Filter-IPset-DNS-Forward** to manage firewall rules.   * Navigate to **LuCI -> Network -> Firewall -> Traffic Rules -> Filter-IPset-DNS-Forward** to manage firewall rules.
-  * Navigate to **LuCI -> Network -> DHCP and DNS -> General Settings -> DNS forwardings** to manage domains.+  * Navigate to **LuCI -> Network -> DHCP and DNS -> IP sets** to manage domains
 +Reboot the router to apply the changes.
  
-==== Preresolve domains ==== +==== Manage domains ==== 
-Set up [[docs:guide-user:advanced:hotplug_extras|Hotplug extras]] to preresolve domains and populate IP sets at startup. +Add/remove domains to/from the filtering list.
-Use persistent IP sets.+
  
 <code bash> <code bash>
-Install packages +Add domains 
-opkg update +uci add_list dhcp.filter.domain="example.com" 
-opkg install resolveip+uci add_list dhcp.filter.domain="example.net"
  
-Populate IP sets +Remove domains 
-mkdir -p /etc/hotplug.d/online +uci del_list dhcp.filter.domain="example.com
-cat << "EOF" > /etc/hotplug.d/online/70-ipset-filter +uci del_list dhcp.filter.domain="example.net
-if [ ! -e /var/lock/ipset-filter ] \ + 
-&& lock -n /var/lock/ipset-filter +# Save and apply 
-then +uci commit dhcp 
-uci -q delete firewall.filter.entry +ipset setup
-uci -q delete firewall.filter6.entry +
-uci get dhcp.@dnsmasq[0].server \ +
-| sed -e "s/\s/\n/g"+
-| sed -n -e "s/^\///;s/\/.*$//p"+
-| while read -r IPSET_DOMAIN +
-do +
-resolveip -4 "${IPSET_DOMAIN}"+
-| while read -r IPSET_ADDR +
-do +
-uci del_list firewall.filter.entry="${IPSET_ADDR}" +
-uci add_list firewall.filter.entry="${IPSET_ADDR}" +
-done +
-resolveip -6 "${IPSET_DOMAIN}"+
-| while read -r IPSET_ADDR +
-do +
-uci del_list firewall.filter6.entry="${IPSET_ADDR}" +
-uci add_list firewall.filter6.entry="${IPSET_ADDR}+
-done +
-done +
-uci commit firewall +
-/etc/init.d/firewall restart +
-lock -u /var/lock/ipset-filter +
-fi +
-EOF +
-cat << "EOF" >> /etc/sysupgrade.conf +
-/etc/hotplug.d/online/70-ipset-filter +
-EOF +
-. /etc/hotplug.d/online/70-ipset-filter+
 </code> </code>
  
Line 165: Line 94:
 <code bash> <code bash>
 # Apply source restriction # Apply source restriction
-for FW_RULE in filter_fwd filter6_fwd+for IPV in 4 6
 do do
-uci add_list firewall.${FW_RULE}.src_mac="11:22:33:44:55:66" +uci add_list firewall.fwd_filter${IPV%4}.src_mac="11:22:33:44:55:66" 
-uci add_list firewall.${FW_RULE}.src_mac="aa:bb:cc:dd:ee:ff"+uci add_list firewall.fwd_filter${IPV%4}.src_mac="aa:bb:cc:dd:ee:ff"
 done done
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
  
Line 180: Line 109:
 <code bash> <code bash>
 # Apply time restriction # Apply time restriction
-for FW_RULE in filter_fwd filter6_fwd+for IPV in 4 6
 do do
-uci set firewall.${FW_RULE}.start_time="21:00:00" +uci set firewall.fwd_filter${IPV%4}.start_time="21:00:00" 
-uci set firewall.${FW_RULE}.stop_time="09:00:00" +uci set firewall.fwd_filter${IPV%4}.stop_time="09:00:00" 
-uci set firewall.${FW_RULE}.weekdays="Mon Tue Wed Thu Fri"+uci set firewall.fwd_filter${IPV%4}.weekdays="Mon Tue Wed Thu Fri"
 done done
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
  
Line 195: Line 124:
 <code bash> <code bash>
 # Reorder firewall rules # Reorder firewall rules
-cat << "EOF" > /etc/firewall.estab +cat << "EOF" > /etc/nftables.d/estab.sh 
-for IPT in iptables ip6tables +ER_RULE="$(nft -a list chain inet fw4 forward 
-do ${IPT}-save -c -t filter +| sed -n -e "/\sestablished,related\saccept\s/p")" 
-| sed -e "/FORWARD.*ESTABLISHED.*ACCEPT/d; +RJ_RULE="$(nft -a list chain inet fw4 forward 
-/FORWARD.*reject/$(${IPT}-save -c -t filter +| sed -n -e "/\shandle_reject\s/p")" 
-| sed -n -e "/FORWARD.*ESTABLISHED.*ACCEPT/p")" \ +nft delete rule inet fw4 forward handle ${ER_RULE##
-${IPT}-restore -c -T filter +nft insert rule inet fw4 forward position ${RJ_RULE##* } ${ER_RULE}
-done +
-EOF +
-cat << "EOF" >> /etc/sysupgrade.conf +
-/etc/firewall.estab+
 EOF EOF
 uci -q delete firewall.estab uci -q delete firewall.estab
 uci set firewall.estab="include" uci set firewall.estab="include"
-uci set firewall.estab.path="/etc/firewall.estab+uci set firewall.estab.path="/etc/nftables.d/estab.sh"
-uci set firewall.estab.reload="1"+
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
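Review bot: The new /etc/nftables.d/estab.sh in the last hunk deletes the established,related accept rule before checking that both sed lookups actually matched, so if `RJ_RULE` is empty (the handle_reject jump not found) the delete has already succeeded and the following insert fails, leaving the forward chain without its established,related accept rule until the next firewall restart. A guard placed after the two assignments avoids that, e.g. `[ -n "${ER_RULE}" ] && [ -n "${RJ_RULE}" ] || exit 0`. The delete line also appears truncated in this rendering (`${ER_RULE##` with no closing `* }`), presumably `${ER_RULE##* }` as on the insert line; worth confirming the saved file matches. In the rule loop of the first hunk, the `${IPV%4}` trick is terse enough that a comment such as `# ${IPV%4} is empty for 4 and "6" for 6, giving fwd_filter / fwd_filter6` would help readers.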
  