Differences

This shows you the differences between two versions of the page.

docs:guide-user:firewall:fw3_configurations:dns_ipset [2022/10/26 03:20] – [Established connections] optimize code vgaeteradocs:guide-user:firewall:fw3_configurations:dns_ipset [2023/10/15 06:58] – update vgaetera
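--- a/docs:guide-user:firewall:fw3_configurations:dns_ipset
+++ b/docs:guide-user:firewall:fw3_configurations:dns_ipset
@@ -1,9 +1,8 @@
 ====== Filtering traffic with IP sets by DNS ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}
+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
 
 ===== Introduction =====
-  * This how-to configures traffic filtering with [[https://ipset.netfilter.org/|IP sets]] by DNS on OpenWrt.
-  * It relies on [[docs:guide-user:base-system:dhcp.dnsmasq|Dnsmasq]] and [[docs:guide-user:firewall:overview|firewall]] with [[docs:guide-user:firewall:firewall_configuration#ip_sets|IP sets]] to resolve and filter domains
-  * Follow [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]] to intercept DNS queries from your LAN clients.
+  * This how-to configures traffic filtering with [[https://wiki.nftables.org/wiki-nftables/index.php/Sets|IP sets]] by DNS on OpenWrt.
+  * It relies on [[packages:pkgdata:resolveip]] and [[docs:guide-user:firewall:overview|firewall]] with [[docs:guide-user:firewall:firewall_configuration#ip_sets|IP sets]] to resolve and filter domains.
 
 ===== Goals =====
@@ -18,6 +17,5 @@
 # Install packages
 opkg update
-opkg remove dnsmasq
-opkg install dnsmasq-full ipset resolveip
+opkg install resolveip
 
 # Configure IP sets
@@ -26,4 +24,6 @@
 uci add_list dhcp.filter.name="filter"
 uci add_list dhcp.filter.name="filter6"
+uci add_list dhcp.filter.domain="example.com"
+uci add_list dhcp.filter.domain="example.net"
 uci commit dhcp
 
@@ -31,64 +31,18 @@
 for IPV in 4 6
 do
-uci -q delete firewall.filter${IPV%4}_fwd
-uci set firewall.filter${IPV%4}_fwd="rule"
-uci set firewall.filter${IPV%4}_fwd.name="Filter-IPset-DNS-Forward"
-uci set firewall.filter${IPV%4}_fwd.src="lan"
-uci set firewall.filter${IPV%4}_fwd.dest="wan"
-uci set firewall.filter${IPV%4}_fwd.proto="all"
-uci set firewall.filter${IPV%4}_fwd.family="ipv${IPV}"
-uci set firewall.filter${IPV%4}_fwd.ipset="filter${IPV%4} dest"
-uci set firewall.filter${IPV%4}_fwd.target="REJECT"
+uci -q delete firewall.fwd_filter${IPV%4}
+uci set firewall.fwd_filter${IPV%4}="rule"
+uci set firewall.fwd_filter${IPV%4}.name="Filter-IPset-DNS-Forward"
+uci set firewall.fwd_filter${IPV%4}.src="lan"
+uci set firewall.fwd_filter${IPV%4}.dest="wan"
+uci set firewall.fwd_filter${IPV%4}.proto="all"
+uci set firewall.fwd_filter${IPV%4}.family="ipv${IPV}"
+uci set firewall.fwd_filter${IPV%4}.ipset="filter${IPV%4} dest"
+uci set firewall.fwd_filter${IPV%4}.target="REJECT"
 done
-
-# Resolve race conditions
-cat << "EOF" > /etc/firewall.dnsmasq
-/etc/init.d/dnsmasq restart
-EOF
-cat << "EOF" >> /etc/sysupgrade.conf
-/etc/firewall.dnsmasq
-EOF
-uci -q delete firewall.dnsmasq
-uci set firewall.dnsmasq="include"
-uci set firewall.dnsmasq.path="/etc/firewall.dnsmasq"
 uci commit firewall
-/etc/init.d/firewall restart
-
-</code>
-
-==== Add Domain Filter ====
-<code bash>
-uci add_list dhcp.filter.domain="example.com"
-uci commit dhcp.filter.domain
-
-/etc/init.d/dnsmasq restart
-
-# Populate IP sets with IPs belonging to the domain
-ipset setup
-</code>
-
-==== Remove Domain Filter ====
-<code bash>
-uci del_list dhcp.filter.domain="example.com"
-uci commit dhcp.filter.domain
-
-# Flush IP sets to stop blocking the IPs of the domain being removed
-ipset flush filter
-ipset flush filter6
-
-/etc/init.d/dnsmasq restart
 
 # Populate IP sets
 ipset setup
-</code>
-
-==== List Filters ====
-<code bash>
-# List domains added to filter
-uci get dhcp.filter.domain | sed 's/ /\n/g'
-
-# List IPs that will be blocked because they resolve to these domains
-ipset list filter
-ipset list filter6
 </code>
 
@@ -102,16 +56,11 @@
 <code bash>
 # Restart services
-/etc/init.d/log restart; /etc/init.d/firewall restart
-/etc/init.d/dnsmasq restart
-
-# Log and status
-logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq
+service firewall restart
 
 # Runtime configuration
-pgrep -f -a dnsmasq
-iptables-save -c; ip6tables-save -c; ipset list; nft list ruleset
+nft list ruleset
 
 # Persistent configuration
-uci show firewall; uci show dhcp
+uci show firewall; crontab -l
 </code>
 
@@ -121,4 +70,22 @@
   * Navigate to **LuCI -> Network -> Firewall -> Traffic Rules -> Filter-IPset-DNS-Forward** to manage firewall rules.
   * Navigate to **LuCI -> Network -> DHCP and DNS -> IP sets** to manage domains.
+Reboot the router to apply the changes.
+
+==== Manage domains ====
+Add/remove domains to/from the filtering list.
+
+<code bash>
+# Add domains
+uci add_list dhcp.filter.domain="example.com"
+uci add_list dhcp.filter.domain="example.net"
+
+# Remove domains
+uci del_list dhcp.filter.domain="example.com"
+uci del_list dhcp.filter.domain="example.net"
+
+# Save and apply
+uci commit dhcp
+ipset setup
+</code>
 
 ==== Source restriction ====
@@ -129,9 +96,9 @@
 for IPV in 4 6
 do
-uci add_list firewall.filter${IPV%4}_fwd.src_mac="11:22:33:44:55:66"
-uci add_list firewall.filter${IPV%4}_fwd.src_mac="aa:bb:cc:dd:ee:ff"
+uci add_list firewall.fwd_filter${IPV%4}.src_mac="11:22:33:44:55:66"
+uci add_list firewall.fwd_filter${IPV%4}.src_mac="aa:bb:cc:dd:ee:ff"
 done
 uci commit firewall
-/etc/init.d/firewall restart
+service firewall restart
 </code>
 
@@ -144,10 +111,10 @@
 for IPV in 4 6
 do
-uci set firewall.filter${IPV%4}_fwd.start_time="21:00:00"
-uci set firewall.filter${IPV%4}_fwd.stop_time="09:00:00"
-uci set firewall.filter${IPV%4}_fwd.weekdays="Mon Tue Wed Thu Fri"
+uci set firewall.fwd_filter${IPV%4}.start_time="21:00:00"
+uci set firewall.fwd_filter${IPV%4}.stop_time="09:00:00"
+uci set firewall.fwd_filter${IPV%4}.weekdays="Mon Tue Wed Thu Fri"
 done
 uci commit firewall
-/etc/init.d/firewall restart
+service firewall restart
 </code>
 
@@ -157,20 +124,16 @@
 <code bash>
 # Reorder firewall rules
-cat << "EOF" > /etc/firewall.estab
-nft list chain inet fw4 forward \
-| sed -e "/\sestablished,related\saccept\s/
-1i flush chain inet fw4 forward
-/^\s*jump\shandle_reject$/i \
-$(nft list chain inet fw4 forward \
-| sed -n -e "/\sestablished,related\saccept\s/p")" \
-nft -f -
-EOF
-cat << "EOF" >> /etc/sysupgrade.conf
-/etc/firewall.estab
+cat << "EOF" > /etc/nftables.d/estab.sh
+ER_RULE="$(nft -a list chain inet fw4 forward \
+| sed -n -e "/\sestablished,related\saccept\s/p")"
+RJ_RULE="$(nft -a list chain inet fw4 forward \
+| sed -n -e "/\shandle_reject\s/p")"
+nft delete rule inet fw4 forward handle ${ER_RULE##* }
+nft insert rule inet fw4 forward position ${RJ_RULE##* } ${ER_RULE}
 EOF
 uci -q delete firewall.estab
 uci set firewall.estab="include"
-uci set firewall.estab.path="/etc/firewall.estab"
+uci set firewall.estab.path="/etc/nftables.d/estab.sh"
 uci commit firewall
-/etc/init.d/firewall restart
+service firewall restart
 </code>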
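Review bot: In the new /etc/nftables.d/estab.sh the established,related accept rule is deleted before its copy is inserted, so if the insert fails — RJ_RULE empty because the sed pattern matched nothing, or several matching lines so `${RJ_RULE##* }` is not a single handle — the forward chain is left without that accept rule until the next firewall reload. Swap the two nft calls so the copy exists before the original goes, `nft insert rule inet fw4 forward position ${RJ_RULE##* } ${ER_RULE}` followed by `nft delete rule inet fw4 forward handle ${ER_RULE##* }`, and skip both calls when either ER_RULE or RJ_RULE is empty; the original handle stays valid after the insert, so the delete still targets the right rule. Separately, the Manage domains section (Line 121/Line 70 hunk) drops the `ipset flush filter` / `ipset flush filter6` step that the old Remove Domain Filter section ran, so addresses of a removed domain presumably stay blocked until the sets are rebuilt — worth confirming that `ipset setup` flushes before repopulating, or restoring the flush commands in that section.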
  