Differences

This shows you the differences between two versions of the page.

docs:guide-user:firewall:fw3_configurations:dns_ipset [2021/10/08 15:34] – [Command-line instructions] vgaetera
docs:guide-user:firewall:fw3_configurations:dns_ipset [2023/10/15 06:58] – update vgaetera
Line 1: Line 1:
-====== DNS-based firewall with IP sets ====== +====== Filtering traffic with IP sets by DNS ====== 
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
-  * This how-to describes the method for setting up DNS-based firewall with [[wp>Netfilter#ipset|IP sets]] on OpenWrt. +  * This how-to configures traffic filtering with [[https://wiki.nftables.org/wiki-nftables/index.php/Sets|IP sets]] by DNS on OpenWrt. 
-  * It relies on [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]] and [[docs:guide-user:firewall:overview|firewall]] with [[docs:guide-user:firewall:firewall_configuration#ip_sets|IP sets]] to resolve and filter domains+  * It relies on [[packages:pkgdata:resolveip]] and [[docs:guide-user:firewall:overview|firewall]] with [[docs:guide-user:firewall:firewall_configuration#ip_sets|IP sets]] to resolve and filter domains.
-  * Follow [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]] to intercept DNS queries from your LAN clients.+
  
 ===== Goals ===== ===== Goals =====
-  * Filter LAN client traffic based on DNS with IP sets.+  * Filter LAN client traffic with IP sets by DNS.
  
 ===== Command-line instructions ===== ===== Command-line instructions =====
 Install the required packages. Install the required packages.
 Filter LAN client traffic with firewall and IP sets. Filter LAN client traffic with firewall and IP sets.
-Set up [[docs:guide-user:firewall:fw3_configurations:ipset|Populating IP sets]] and [[docs:guide-user:advanced:hotplug_extras|Hotplug extras]] to automatically populate IP sets.+Set up [[docs:guide-user:advanced:ipset_extras|IP set extras]] and [[docs:guide-user:advanced:hotplug_extras|Hotplug extras]] to automatically populate IP sets.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg remove dnsmasq +opkg install resolveip
-opkg install dnsmasq-full ipset resolveip+
  
 # Configure IP sets # Configure IP sets
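Review bot: removing the `Follow [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]]` bullet from the Introduction drops the only mention of this filter's main limitation. Now that the sets are filled from the router's own resolveip lookups rather than from client queries, a LAN client that resolves the listed domains through another resolver (or gets different CDN addresses than the router did) reaches addresses that are not in the set at all. Suggest keeping a one-line pointer to the DNS hijacking page so readers know the rule only covers addresses the router itself resolved.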
Line 29: Line 27:
 uci add_list dhcp.filter.domain="example.net" uci add_list dhcp.filter.domain="example.net"
 uci commit dhcp uci commit dhcp
-/etc/init.d/dnsmasq restart 
  
 # Filter LAN client traffic with IP sets # Filter LAN client traffic with IP sets
-uci -q delete firewall.filter_fwd +for IPV in 4 6 
-uci set firewall.filter_fwd="rule" +do 
-uci set firewall.filter_fwd.name="Filter-IPset-DNS-Forward" +uci -q delete firewall.fwd_filter${IPV%4} 
-uci set firewall.filter_fwd.src="lan" +uci set firewall.fwd_filter${IPV%4}="rule" 
-uci set firewall.filter_fwd.dest="wan" +uci set firewall.fwd_filter${IPV%4}.name="Filter-IPset-DNS-Forward" 
-uci set firewall.filter_fwd.proto="all" +uci set firewall.fwd_filter${IPV%4}.src="lan" 
-uci set firewall.filter_fwd.family="ipv4" +uci set firewall.fwd_filter${IPV%4}.dest="wan" 
-uci set firewall.filter_fwd.ipset="filter dest" +uci set firewall.fwd_filter${IPV%4}.proto="all" 
-uci set firewall.filter_fwd.target="REJECT" +uci set firewall.fwd_filter${IPV%4}.family="ipv${IPV}
-uci -q delete firewall.filter6_fwd +uci set firewall.fwd_filter${IPV%4}.ipset="filter${IPV%4} dest" 
-uci set firewall.filter6_fwd="rule" +uci set firewall.fwd_filter${IPV%4}.target="REJECT" 
-uci set firewall.filter6_fwd.name="Filter-IPset-DNS-Forward" +done
-uci set firewall.filter6_fwd.src="lan" +
-uci set firewall.filter6_fwd.dest="wan" +
-uci set firewall.filter6_fwd.proto="all" +
-uci set firewall.filter6_fwd.family="ipv6+
-uci set firewall.filter6_fwd.ipset="filter6 dest" +
-uci set firewall.filter6_fwd.target="REJECT" +
-uci commit firewall +
-/etc/init.d/firewall restart +
- +
-# Resolve race conditions +
-cat << "EOF" > /etc/firewall.dnsmasq +
-/etc/init.d/dnsmasq restart +
-EOF +
-cat << "EOF" >> /etc/sysupgrade.conf +
-/etc/firewall.dnsmasq +
-EOF +
-uci -q delete firewall.dnsmasq +
-uci set firewall.dnsmasq="include" +
-uci set firewall.dnsmasq.path="/etc/firewall.dnsmasq" +
-uci set firewall.dnsmasq.reload="1"+
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart 
  
 # Populate IP sets # Populate IP sets
-mkdir -p /etc/hotplug.d/online 
-cat << "EOF" > /etc/hotplug.d/online/70-ipset-filter 
-if [ ! -e /var/lock/ipset-filter ] \ 
-&& lock -n /var/lock/ipset-filter 
-then . /etc/profile.d/ipset.sh 
 ipset setup ipset setup
-lock -u /var/lock/ipset-filter 
-fi 
-EOF 
-cat << "EOF" >> /etc/sysupgrade.conf 
-/etc/hotplug.d/online/70-ipset-filter 
-EOF 
-. /etc/hotplug.d/online/70-ipset-filter 
 </code> </code>
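Review bot: `uci set firewall.fwd_filter${IPV%4}.family="ipv${IPV}` is missing its closing double quote (the removed `family="ipv6` line had the same defect), so in a real shell the open string runs into the next line and neither `family` nor the `ipset` option ends up as intended; it should read `uci set firewall.fwd_filter${IPV%4}.family="ipv${IPV}"`. A short comment above the `for IPV in 4 6` loop would also help: `${IPV%4}` strips a trailing 4, so the suffix is empty for the IPv4 rule (`fwd_filter` using set `filter`) and `6` for the IPv6 rule (`fwd_filter6` using set `filter6`), which readers of a how-to will not infer from the expansion alone.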
  
Line 92: Line 56:
 <code bash> <code bash>
 # Restart services # Restart services
-/etc/init.d/log restart; /etc/init.d/firewall restart +service firewall restart
-/etc/init.d/dnsmasq restart +
- +
-# Log and status +
-logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq+
  
 # Runtime configuration # Runtime configuration
-pgrep -f -a dnsmasq +nft list ruleset
-iptables-save -c; ip6tables-save -c; ipset list; nft list ruleset+
  
 # Persistent configuration # Persistent configuration
-uci show firewall; uci show dhcp+uci show firewall; crontab -l
 </code> </code>
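Review bot: the `# Persistent configuration` check swaps `uci show dhcp` for `crontab -l`, but the filtered domain list still lives in `dhcp.filter.domain` (the `uci add_list dhcp.filter.domain=...` lines are kept in the earlier hunk), so `uci show dhcp` should remain next to `uci show firewall; crontab -l`; without it the check no longer shows which domains are actually being filtered.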
  
Line 111: Line 70:
   * Navigate to **LuCI -> Network -> Firewall -> Traffic Rules -> Filter-IPset-DNS-Forward** to manage firewall rules.   * Navigate to **LuCI -> Network -> Firewall -> Traffic Rules -> Filter-IPset-DNS-Forward** to manage firewall rules.
   * Navigate to **LuCI -> Network -> DHCP and DNS -> IP sets** to manage domains.   * Navigate to **LuCI -> Network -> DHCP and DNS -> IP sets** to manage domains.
 +Reboot the router to apply the changes.
 +
 +==== Manage domains ====
 +Add/remove domains to/from the filtering list.
 +
 +<code bash>
 +# Add domains
 +uci add_list dhcp.filter.domain="example.com"
 +uci add_list dhcp.filter.domain="example.net"
 +
 +# Remove domains
 +uci del_list dhcp.filter.domain="example.com"
 +uci del_list dhcp.filter.domain="example.net"
 +
 +# Save and apply
 +uci commit dhcp
 +ipset setup
 +</code>
  
 ==== Source restriction ==== ==== Source restriction ====
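Review bot: the `# Add domains` block relies on `uci add_list`, which appends a value even when it is already present, so re-running it leaves duplicate `dhcp.filter.domain` entries; the idempotent form is `uci -q del_list dhcp.filter.domain="example.com"` before each `add_list`, in line with the `uci -q delete` pattern used for the firewall rules. `Reboot the router to apply the changes.` is also heavier than the `service firewall restart` documented in the next hunk; state which step (the rules, or the set population) actually needs the reboot, so readers do not reboot after every domain change.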
Line 117: Line 94:
 <code bash> <code bash>
 # Apply source restriction # Apply source restriction
-for FW_RULE in filter_fwd filter6_fwd+for IPV in 4 6
 do do
-uci add_list firewall.${FW_RULE}.src_mac="11:22:33:44:55:66" +uci add_list firewall.fwd_filter${IPV%4}.src_mac="11:22:33:44:55:66" 
-uci add_list firewall.${FW_RULE}.src_mac="aa:bb:cc:dd:ee:ff"+uci add_list firewall.fwd_filter${IPV%4}.src_mac="aa:bb:cc:dd:ee:ff"
 done done
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
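Review bot: `src_mac` matching is a convenience control, not an identity check: the address is supplied by the client and current phones and laptops randomize it per network by default, so a restricted device can silently fall out of this rule without any change on the router. Worth saying so in a comment, together with noting that `11:22:33:44:55:66` and `aa:bb:cc:dd:ee:ff` are placeholders. As with the domain list, `uci add_list` here appends on every run, so a `uci -q delete firewall.fwd_filter${IPV%4}.src_mac` at the top of the loop body keeps the list from accumulating.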
  
Line 132: Line 109:
 <code bash> <code bash>
 # Apply time restriction # Apply time restriction
-for FW_RULE in filter_fwd filter6_fwd+for IPV in 4 6
 do do
-uci set firewall.${FW_RULE}.start_time="21:00:00" +uci set firewall.fwd_filter${IPV%4}.start_time="21:00:00" 
-uci set firewall.${FW_RULE}.stop_time="09:00:00" +uci set firewall.fwd_filter${IPV%4}.stop_time="09:00:00" 
-uci set firewall.${FW_RULE}.weekdays="Mon Tue Wed Thu Fri"+uci set firewall.fwd_filter${IPV%4}.weekdays="Mon Tue Wed Thu Fri"
 done done
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
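Review bot: the `start_time="21:00:00"` / `stop_time="09:00:00"` window spans midnight while `weekdays` is evaluated against the current day on its own, so the rule is active Monday to Friday from 00:00 to 09:00 and from 21:00 to 24:00: the early hours of Saturday (the second half of Friday night) are not covered, and the early hours of Monday are. Document that behaviour, or drop `weekdays` if a continuous weeknight schedule is intended. The schedule also assumes the router has correct local time (time zone set and NTP in sync), which the how-to does not mention anywhere.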
  
Line 147: Line 124:
 <code bash> <code bash>
 # Reorder firewall rules # Reorder firewall rules
-cat << "EOF" > /etc/firewall.estab +cat << "EOF" > /etc/nftables.d/estab.sh 
-for IPT in iptables ip6tables +ER_RULE="$(nft -a list chain inet fw4 forward 
-do ${IPT}-save -c -t filter +| sed -n -e "/\sestablished,related\saccept\s/p")" 
-| sed -e "/FORWARD.*ESTABLISHED.*ACCEPT/d; +RJ_RULE="$(nft -a list chain inet fw4 forward 
-/FORWARD.*reject/$(${IPT}-save -c -t filter +| sed -n -e "/\shandle_reject\s/p")" 
-| sed -n -e "/FORWARD.*ESTABLISHED.*ACCEPT/p")" \ +nft delete rule inet fw4 forward handle ${ER_RULE##
-${IPT}-restore -c -T filter +nft insert rule inet fw4 forward position ${RJ_RULE##* } ${ER_RULE}
-done +
-EOF +
-cat << "EOF" >> /etc/sysupgrade.conf +
-/etc/firewall.estab+
 EOF EOF
 uci -q delete firewall.estab uci -q delete firewall.estab
 uci set firewall.estab="include" uci set firewall.estab="include"
-uci set firewall.estab.path="/etc/firewall.estab+uci set firewall.estab.path="/etc/nftables.d/estab.sh"
-uci set firewall.estab.reload="1"+
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
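Review bot: `nft delete rule inet fw4 forward handle ${ER_RULE##` is cut off; by symmetry with the next line it should be `${ER_RULE##* }`, which keeps only the handle number that `nft -a` prints at the end of the rule. The script also assumes both `sed` patterns match exactly one rule: if `ER_RULE` or `RJ_RULE` comes back empty (for example because the `established,related accept` rule is phrased differently on the installed fw4), both `nft` commands fail with a confusing error, so guard with `[ -n "${ER_RULE}" ] && [ -n "${RJ_RULE}" ] || exit 0` before touching the chain.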
  
  • Last modified: 2023/11/17 09:13
  • by vgaetera