docs:guide-user:firewall:fw3_configurations:dns_ipset [2022/10/27 19:25] – [Introduction] fw3>fw4 update vgaeteradocs:guide-user:firewall:fw3_configurations:dns_ipset [2023/10/15 06:58] – update vgaetera
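--- a/docs:guide-user:firewall:fw3_configurations:dns_ipset
+++ b/docs:guide-user:firewall:fw3_configurations:dns_ipset
@@ -1,4 +1,4 @@
 ====== Filtering traffic with IP sets by DNS ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}
+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
 
 ===== Introduction =====
@@ -31,16 +31,15 @@
 for IPV in 4 6
 do
-uci -q delete firewall.filter${IPV/4}_fwd
-uci set firewall.filter${IPV/4}_fwd="rule"
-uci set firewall.filter${IPV/4}_fwd.name="Filter-IPset-DNS-Forward"
-uci set firewall.filter${IPV/4}_fwd.src="lan"
-uci set firewall.filter${IPV/4}_fwd.dest="wan"
-uci set firewall.filter${IPV/4}_fwd.proto="all"
-uci set firewall.filter${IPV/4}_fwd.family="ipv${IPV}"
-uci set firewall.filter${IPV/4}_fwd.ipset="filter${IPV/4} dest"
-uci set firewall.filter${IPV/4}_fwd.target="REJECT"
+uci -q delete firewall.fwd_filter${IPV%4}
+uci set firewall.fwd_filter${IPV%4}="rule"
+uci set firewall.fwd_filter${IPV%4}.name="Filter-IPset-DNS-Forward"
+uci set firewall.fwd_filter${IPV%4}.src="lan"
+uci set firewall.fwd_filter${IPV%4}.dest="wan"
+uci set firewall.fwd_filter${IPV%4}.proto="all"
+uci set firewall.fwd_filter${IPV%4}.family="ipv${IPV}"
+uci set firewall.fwd_filter${IPV%4}.ipset="filter${IPV%4} dest"
+uci set firewall.fwd_filter${IPV%4}.target="REJECT"
 done
 uci commit firewall
-/etc/init.d/firewall restart
 
 # Populate IP sets
@@ -57,16 +56,11 @@
 <code bash>
 # Restart services
-/etc/init.d/log restart; /etc/init.d/firewall restart
-/etc/init.d/dnsmasq restart
-
-# Log and status
-logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq
+service firewall restart
 
 # Runtime configuration
-pgrep -f -a dnsmasq
 nft list ruleset
 
 # Persistent configuration
-uci show firewall; uci show dhcp
+uci show firewall; crontab -l
 </code>
 
@@ -76,18 +70,20 @@
   * Navigate to **LuCI -> Network -> Firewall -> Traffic Rules -> Filter-IPset-DNS-Forward** to manage firewall rules.
   * Navigate to **LuCI -> Network -> DHCP and DNS -> IP sets** to manage domains.
+Reboot the router to apply the changes.
 
-==== Examples ====
+==== Manage domains ====
 Add/remove domains to/from the filtering list.
 
 <code bash>
 # Add domains
-uci add_list dhcp.filter.domain="example.org
-uci commit dhcp
+uci add_list dhcp.filter.domain="example.com
+uci add_list dhcp.filter.domain="example.net"
 
 # Remove domains
-uci del_list dhcp.filter.domain="example.org"
+uci del_list dhcp.filter.domain="example.com"
+uci del_list dhcp.filter.domain="example.net"
+
+# Save and apply
 uci commit dhcp
-
-# Populate IP sets
 ipset setup
 </code>
@@ -100,9 +96,9 @@
 for IPV in 4 6
 do
-uci add_list firewall.filter${IPV/4}_fwd.src_mac="11:22:33:44:55:66"
-uci add_list firewall.filter${IPV/4}_fwd.src_mac="aa:bb:cc:dd:ee:ff"
+uci add_list firewall.fwd_filter${IPV%4}.src_mac="11:22:33:44:55:66"
+uci add_list firewall.fwd_filter${IPV%4}.src_mac="aa:bb:cc:dd:ee:ff"
 done
 uci commit firewall
-/etc/init.d/firewall restart
+service firewall restart
 </code>
 
@@ -115,10 +111,10 @@
 for IPV in 4 6
 do
-uci set firewall.filter${IPV/4}_fwd.start_time="21:00:00"
-uci set firewall.filter${IPV/4}_fwd.stop_time="09:00:00"
-uci set firewall.filter${IPV/4}_fwd.weekdays="Mon Tue Wed Thu Fri"
+uci set firewall.fwd_filter${IPV%4}.start_time="21:00:00"
+uci set firewall.fwd_filter${IPV%4}.stop_time="09:00:00"
+uci set firewall.fwd_filter${IPV%4}.weekdays="Mon Tue Wed Thu Fri"
 done
 uci commit firewall
-/etc/init.d/firewall restart
+service firewall restart
 </code>
 
@@ -128,20 +124,16 @@
 <code bash>
 # Reorder firewall rules
-cat << "EOF" > /etc/firewall.estab
-nft list chain inet fw4 forward \
-| sed -e "/\sestablished,related\saccept\s/
-1i flush chain inet fw4 forward
-/^\s*jump\shandle_reject$/i \
-$(nft list chain inet fw4 forward \
-| sed -n -e "/\sestablished,related\saccept\s/p")" \
-nft -f -
-EOF
-cat << "EOF" >> /etc/sysupgrade.conf
-/etc/firewall.estab
+cat << "EOF" > /etc/nftables.d/estab.sh
+ER_RULE="$(nft -a list chain inet fw4 forward \
+| sed -n -e "/\sestablished,related\saccept\s/p")"
+RJ_RULE="$(nft -a list chain inet fw4 forward \
+| sed -n -e "/\shandle_reject\s/p")"
+nft delete rule inet fw4 forward handle ${ER_RULE##* }
+nft insert rule inet fw4 forward position ${RJ_RULE##* } ${ER_RULE}
 EOF
 uci -q delete firewall.estab
 uci set firewall.estab="include"
-uci set firewall.estab.path="/etc/firewall.estab"
+uci set firewall.estab.path="/etc/nftables.d/estab.sh"
 uci commit firewall
-/etc/init.d/firewall restart
+service firewall restart
 </code>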
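Review bot: In the new `estab.sh` include, the `nft delete rule … handle ${ER_RULE##* }` line runs before the `nft insert`, so if `RJ_RULE` comes back empty (no `handle_reject` jump matched) or the insert fails for any reason, the `established,related accept` rule has already been dropped from the `forward` chain and every firewall reload leaves it that way; with either variable empty the two commands are also plain syntax errors. Guard the lookups and insert before deleting, since the original rule's handle stays valid after the insert: `[ -n "${ER_RULE}" ] && [ -n "${RJ_RULE}" ] || exit 1`, then `nft insert rule inet fw4 forward position ${RJ_RULE##* } ${ER_RULE}`, then `nft delete rule inet fw4 forward handle ${ER_RULE##* }`. If the trailing spaces shown after the `\` continuations on the `ER_RULE=` and `RJ_RULE=` lines exist in the page source rather than being a rendering artifact, the continuation is lost and the following `| sed` lines fail to parse, so that is worth checking in the wiki source. The previous revision also listed the include file in /etc/sysupgrade.conf; unless /etc/nftables.d/ is already preserved across sysupgrade by the fw4 package, the new `estab.sh` will not survive an upgrade — worth confirming. Separately, the new `uci add_list dhcp.filter.domain="example.com` line in the Manage domains block is missing its closing double-quote (carried over from the old `example.org` line).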
  