| docs:guide-user:firewall:fw3_configurations:dns_ipset [2022/02/22 02:48] – Section title fixed denisab85 | docs:guide-user:firewall:fw3_configurations:dns_ipset [2023/10/15 06:58] – update vgaetera | ||
| Line 1: | Line 1: | ||
| ====== Filtering traffic with IP sets by DNS ====== | ====== Filtering traffic with IP sets by DNS ====== | ||
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| - | * This how-to configures traffic filtering with [[https://ipset.netfilter.org/|IP sets]] by DNS on OpenWrt. | + | * This how-to configures traffic filtering with [[https://wiki.nftables.org/wiki-nftables/ |
| - | * It relies on [[docs:guide-user:base-system: | + | * It relies on [[packages:pkgdata:resolveip]] and [[docs: |
| - | * Follow [[docs: | + | |
| ===== Goals ===== | ===== Goals ===== | ||
| Line 18: | Line 17: | ||
| # Install packages | # Install packages | ||
| opkg update | opkg update | ||
| - | opkg remove dnsmasq | + | opkg install resolveip |
| - | opkg install | + | |
| # Configure IP sets | # Configure IP sets | ||
| Line 26: | Line 24: | ||
| uci add_list dhcp.filter.name=" | uci add_list dhcp.filter.name=" | ||
| uci add_list dhcp.filter.name=" | uci add_list dhcp.filter.name=" | ||
| + | uci add_list dhcp.filter.domain=" | ||
| + | uci add_list dhcp.filter.domain=" | ||
| uci commit dhcp | uci commit dhcp | ||
| Line 31: | Line 31: | ||
| for IPV in 4 6 | for IPV in 4 6 | ||
| do | do | ||
| - | uci -q delete firewall.filter${IPV%4}_fwd | + | uci -q delete firewall.fwd_filter${IPV%4} |
| - | uci set firewall.filter${IPV%4}_fwd=" | + | uci set firewall.fwd_filter${IPV%4}=" |
| - | uci set firewall.filter${IPV%4}_fwd.name=" | + | uci set firewall.fwd_filter${IPV%4}.name=" |
| - | uci set firewall.filter${IPV%4}_fwd.src=" | + | uci set firewall.fwd_filter${IPV%4}.src=" |
| - | uci set firewall.filter${IPV%4}_fwd.dest=" | + | uci set firewall.fwd_filter${IPV%4}.dest=" |
| - | uci set firewall.filter${IPV%4}_fwd.proto=" | + | uci set firewall.fwd_filter${IPV%4}.proto=" |
| - | uci set firewall.filter${IPV%4}_fwd.family=" | + | uci set firewall.fwd_filter${IPV%4}.family=" |
| - | uci set firewall.filter${IPV%4}_fwd.ipset=" | + | uci set firewall.fwd_filter${IPV%4}.ipset=" |
| - | uci set firewall.filter${IPV%4}_fwd.target=" | + | uci set firewall.fwd_filter${IPV%4}.target=" |
| done | done | ||
| - | |||
| - | # Resolve race conditions | ||
| - | cat << " | ||
| - | / | ||
| - | EOF | ||
| - | cat << " | ||
| - | / | ||
| - | EOF | ||
| - | uci -q delete firewall.dnsmasq | ||
| - | uci set firewall.dnsmasq=" | ||
| - | uci set firewall.dnsmasq.path="/ | ||
| - | uci set firewall.dnsmasq.reload=" | ||
| uci commit firewall | uci commit firewall | ||
| - | / | ||
| - | |||
| - | </ | ||
| - | |||
| - | ===== Add Domain Filter ===== | ||
| - | <code bash> | ||
| - | uci add_list dhcp.filter.domain=" | ||
| - | uci commit dhcp.filter.domain | ||
| - | |||
| - | / | ||
| - | |||
| - | # Populate IP sets with IPs belonging to the domain | ||
| - | ipset setup | ||
| - | </ | ||
| - | |||
| - | ===== Remove Domain Filter ===== | ||
| - | <code bash> | ||
| - | uci del_list dhcp.filter.domain=" | ||
| - | uci commit dhcp.filter.domain | ||
| - | |||
| - | # Flush IP sets to stop blocking the IPs of the domain being removed | ||
| - | ipset flush filter | ||
| - | ipset flush filter6 | ||
| - | |||
| - | / | ||
| # Populate IP sets | # Populate IP sets | ||
| Line 93: | Line 56: | ||
| <code bash> | <code bash> | ||
| # Restart services | # Restart services | ||
| - | / | + | service |
| - | / | + | |
| - | + | ||
| - | # Log and status | + | |
| - | logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq | + | |
| # Runtime configuration | # Runtime configuration | ||
| - | pgrep -f -a dnsmasq | + | nft list ruleset |
| - | iptables-save -c; ip6tables-save -c; ipset list; nft list ruleset | + | |
| # Persistent configuration | # Persistent configuration | ||
| - | uci show firewall; | + | uci show firewall; |
| </ | </ | ||
| Line 112: | Line 70: | ||
| * Navigate to **LuCI -> Network -> Firewall -> Traffic Rules -> Filter-IPset-DNS-Forward** to manage firewall rules. | * Navigate to **LuCI -> Network -> Firewall -> Traffic Rules -> Filter-IPset-DNS-Forward** to manage firewall rules. | ||
| * Navigate to **LuCI -> Network -> DHCP and DNS -> IP sets** to manage domains. | * Navigate to **LuCI -> Network -> DHCP and DNS -> IP sets** to manage domains. | ||
| + | Reboot the router to apply the changes. | ||
| - | A temporary workaround is necessary for the current stable release. | + | ==== Manage domains ==== |
| + | Add/remove domains to/ | ||
| <code bash> | <code bash> | ||
| - | uclient-fetch -O / | + | # Add domains |
| - | "https://raw.githubusercontent.com/ | + | uci add_list |
| - | luci-mod-network/ | + | uci add_list dhcp.filter.domain="example.net" |
| + | |||
| + | # Remove domains | ||
| + | uci del_list dhcp.filter.domain=" | ||
| + | uci del_list | ||
| + | |||
| + | # Save and apply | ||
| + | uci commit dhcp | ||
| + | ipset setup | ||
| </ | </ | ||
| Line 128: | Line 96: | ||
| for IPV in 4 6 | for IPV in 4 6 | ||
| do | do | ||
| - | uci add_list firewall.filter${IPV%4}_fwd.src_mac=" | + | uci add_list firewall.fwd_filter${IPV%4}.src_mac=" |
| - | uci add_list firewall.filter${IPV%4}_fwd.src_mac=" | + | uci add_list firewall.fwd_filter${IPV%4}.src_mac=" |
| done | done | ||
| uci commit firewall | uci commit firewall | ||
| - | / | + | service |
| </ | </ | ||
| Line 143: | Line 111: | ||
| for IPV in 4 6 | for IPV in 4 6 | ||
| do | do | ||
| - | uci set firewall.filter${IPV%4}_fwd.start_time=" | + | uci set firewall.fwd_filter${IPV%4}.start_time=" |
| - | uci set firewall.filter${IPV%4}_fwd.stop_time=" | + | uci set firewall.fwd_filter${IPV%4}.stop_time=" |
| - | uci set firewall.filter${IPV%4}_fwd.weekdays=" | + | uci set firewall.fwd_filter${IPV%4}.weekdays=" |
| done | done | ||
| uci commit firewall | uci commit firewall | ||
| - | / | + | service |
| </ | </ | ||
| Line 156: | Line 124: | ||
| <code bash> | <code bash> | ||
| # Reorder firewall rules | # Reorder firewall rules | ||
| - | cat << " | + | cat << " |
| - | for IPV in 4 6 | + | ER_RULE=" |
| - | do ip${IPV%4}tables-save -c -t filter | + | | sed -n -e "/\sestablished, |
| - | | sed -e "/FORWARD.*ESTABLISHED.*ACCEPT/d; | + | RJ_RULE=" |
| - | / | + | | sed -n -e "/\shandle_reject\s/ |
| - | | sed -n -e "/FORWARD.*ESTABLISHED.*ACCEPT/ | + | nft delete rule inet fw4 forward handle |
| - | | ip${IPV%4}tables-restore -c -T filter | + | nft insert rule inet fw4 forward position ${RJ_RULE## |
| - | done | + | |
| - | EOF | + | |
| - | cat << " | + | |
| - | / | + | |
| EOF | EOF | ||
| uci -q delete firewall.estab | uci -q delete firewall.estab | ||
| uci set firewall.estab=" | uci set firewall.estab=" | ||
| - | uci set firewall.estab.path="/ | + | uci set firewall.estab.path="/ |
| - | uci set firewall.estab.reload=" | + | |
| uci commit firewall | uci commit firewall | ||
| - | / | + | service |
| </ | </ | ||
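Review bot: The rewritten reorder script inside the `cat << "…"` heredoc (new side, from `ER_RULE=` down to the `nft insert` line) extracts rule handles with `sed -n` and hands them straight to `nft delete rule inet fw4 forward handle …` and `nft insert rule inet fw4 forward position ${RJ_RULE##…}` without checking that either pattern matched. If the fw4 rule text ever differs from what the `\sestablished,` and `\shandle_reject\s` patterns expect, the variables come out empty, both nft commands fail, and because this runs as a firewall include the failure is silent: the established/related accept rule stays ahead of the filter rule, which is exactly the condition the script exists to correct. A guard after the two assignments, `[ -n "$ER_RULE" ] && [ -n "$RJ_RULE" ] || { logger -t firewall "estab include: nft rule handles not found"; exit 1; }`, makes that failure visible in the log instead of leaving the ruleset in its original order. The hunk's lines are truncated in this rendering, so the full sed expressions and the end of the heredoc and its `<code bash>` block are not fully visible here.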