Differences

This shows you the differences between two versions of the page.

docs:guide-user:firewall:fw3_configurations:dns_ipset [2022/10/28 07:07] – [Command-line instructions] avoid errors on fw4 restart when missing an ipset referenced by a rule vgaetera
docs:guide-user:firewall:fw3_configurations:dns_ipset [2023/10/15 06:58] – update vgaetera
Line 1: Line 1:
 ====== Filtering traffic with IP sets by DNS ====== ====== Filtering traffic with IP sets by DNS ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
Line 31: Line 31:
 for IPV in 4 6 for IPV in 4 6
 do do
-uci -q delete firewall.filter${IPV/4}_fwd +uci -q delete firewall.fwd_filter${IPV%4} 
-uci set firewall.filter${IPV/4}_fwd="rule" +uci set firewall.fwd_filter${IPV%4}="rule" 
-uci set firewall.filter${IPV/4}_fwd.name="Filter-IPset-DNS-Forward" +uci set firewall.fwd_filter${IPV%4}.name="Filter-IPset-DNS-Forward" 
-uci set firewall.filter${IPV/4}_fwd.src="lan" +uci set firewall.fwd_filter${IPV%4}.src="lan" 
-uci set firewall.filter${IPV/4}_fwd.dest="wan" +uci set firewall.fwd_filter${IPV%4}.dest="wan" 
-uci set firewall.filter${IPV/4}_fwd.proto="all" +uci set firewall.fwd_filter${IPV%4}.proto="all" 
-uci set firewall.filter${IPV/4}_fwd.family="ipv${IPV}" +uci set firewall.fwd_filter${IPV%4}.family="ipv${IPV}" 
-uci set firewall.filter${IPV/4}_fwd.ipset="filter${IPV/4} dest" +uci set firewall.fwd_filter${IPV%4}.ipset="filter${IPV%4} dest" 
-uci set firewall.filter${IPV/4}_fwd.target="REJECT"+uci set firewall.fwd_filter${IPV%4}.target="REJECT"
 done done
 uci commit firewall uci commit firewall
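Review bot: the rename from `filter${IPV/4}_fwd` to `fwd_filter${IPV%4}` leaves any `filter_fwd`/`filter6_fwd` sections created by the previous revision in place, because the `uci -q delete` at the top of the loop only removes the new names; a reader who re-runs the updated block on a router set up from the old page ends up with two Filter-IPset-DNS-Forward rules per family. Either also run `uci -q delete firewall.filter${IPV%4}_fwd` in the loop or add a migration note. The switch from `${IPV/4}` to `${IPV%4}` is the right call: the `/` form is a bash-only pattern substitution, while `%` suffix removal is POSIX and works in BusyBox ash.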
Line 56: Line 56:
 <code bash> <code bash>
 # Restart services # Restart services
-/etc/init.d/firewall restart+service firewall restart
  
 # Runtime configuration # Runtime configuration
Line 62: Line 62:
  
 # Persistent configuration # Persistent configuration
-uci show firewall+uci show firewall; crontab -l
 </code> </code>
  
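Review bot: `uci show firewall; crontab -l` now presents the root crontab as part of the persistent configuration, but nothing in this diff creates a cron entry; make sure the part of the page that installs it is referenced here, and note that `crontab -l` reports an error rather than empty output when root has no crontab, which may confuse readers on a fresh setup. The `/etc/init.d/firewall restart` to `service firewall restart` change is purely cosmetic on OpenWrt.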
Line 70: Line 70:
   * Navigate to **LuCI -> Network -> Firewall -> Traffic Rules -> Filter-IPset-DNS-Forward** to manage firewall rules.   * Navigate to **LuCI -> Network -> Firewall -> Traffic Rules -> Filter-IPset-DNS-Forward** to manage firewall rules.
   * Navigate to **LuCI -> Network -> DHCP and DNS -> IP sets** to manage domains.   * Navigate to **LuCI -> Network -> DHCP and DNS -> IP sets** to manage domains.
 +Reboot the router to apply the changes.
  
-==== Examples ====+==== Manage domains ====
 Add/remove domains to/from the filtering list. Add/remove domains to/from the filtering list.
  
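Review bot: the added "Reboot the router to apply the changes." sits as a bare sentence right after the LuCI bullet list and asks for a full reboot, while the command-line section in this same diff only runs `service firewall restart` and `ipset setup`. Either state which services need restarting after a LuCI change (the firewall and the DNS service that owns the IP sets) or explain why a reboot is required, so the two sections do not contradict each other; also make it a bullet like the two lines above it.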
Line 85: Line 86:
 # Save and apply # Save and apply
 uci commit dhcp uci commit dhcp
-ipset unset 
 ipset setup ipset setup
 </code> </code>
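Review bot: dropping `ipset unset` from the save-and-apply block means sets built from the previous domain list are no longer cleared before `ipset setup` runs; if `setup` only adds entries, addresses for domains removed from the list linger until the next reboot. Confirm that `ipset setup` (the function is not in this diff) flushes or recreates the sets itself, otherwise keep the unset step.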
Line 96: Line 96:
 for IPV in 4 6 for IPV in 4 6
 do do
-uci add_list firewall.filter${IPV/4}_fwd.src_mac="11:22:33:44:55:66" +uci add_list firewall.fwd_filter${IPV%4}.src_mac="11:22:33:44:55:66" 
-uci add_list firewall.filter${IPV/4}_fwd.src_mac="aa:bb:cc:dd:ee:ff"+uci add_list firewall.fwd_filter${IPV%4}.src_mac="aa:bb:cc:dd:ee:ff"
 done done
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
  
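Review bot: `uci add_list ... src_mac` is not idempotent: running this block a second time appends the same two MAC addresses again. Add `uci -q delete firewall.fwd_filter${IPV%4}.src_mac` as the first line of the loop body so the list always ends up exactly as written.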
Line 111: Line 111:
 for IPV in 4 6 for IPV in 4 6
 do do
-uci set firewall.filter${IPV/4}_fwd.start_time="21:00:00" +uci set firewall.fwd_filter${IPV%4}.start_time="21:00:00" 
-uci set firewall.filter${IPV/4}_fwd.stop_time="09:00:00" +uci set firewall.fwd_filter${IPV%4}.stop_time="09:00:00" 
-uci set firewall.filter${IPV/4}_fwd.weekdays="Mon Tue Wed Thu Fri"+uci set firewall.fwd_filter${IPV%4}.weekdays="Mon Tue Wed Thu Fri"
 done done
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
  
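Review bot: the window 21:00:00 to 09:00:00 crosses midnight, and combined with `weekdays="Mon Tue Wed Thu Fri"` it is not obvious to a reader whether the early hours of Saturday (the tail of Friday evening) are still filtered, nor whether the times are local or UTC (the rule section has a `utc_time` option for that). A one-line remark on both would save readers from having to test it.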
Line 124: Line 124:
 <code bash> <code bash>
 # Reorder firewall rules # Reorder firewall rules
-cat << "EOF" > /etc/firewall.estab +cat << "EOF" > /etc/nftables.d/estab.sh 
-nft list chain inet fw4 forward \ +ER_RULE="$(nft -a list chain inet fw4 forward \ 
-| sed -e "/\sestablished,related\saccept\s/+| sed -n -e "/\sestablished,related\saccept\s/p")" 
-1i flush chain inet fw4 forward +RJ_RULE="$(nft -a list chain inet fw4 forward \ 
-/^\s*jump\shandle_reject$/i \ +| sed -n -e "/\shandle_reject\s/p")" 
-$(nft list chain inet fw4 forward \ +nft delete rule inet fw4 forward handle ${ER_RULE##* } 
-| sed -n -e "/\sestablished,related\saccept\s/p")" \ +nft insert rule inet fw4 forward position ${RJ_RULE##* } ${ER_RULE}
-nft -f - +
-EOF +
-cat << "EOF" >> /etc/sysupgrade.conf +
-/etc/firewall.estab+
 EOF EOF
 uci -q delete firewall.estab uci -q delete firewall.estab
 uci set firewall.estab="include" uci set firewall.estab="include"
-uci set firewall.estab.path="/etc/firewall.estab"+uci set firewall.estab.path="/etc/nftables.d/estab.sh"
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
  
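Review bot: the new estab.sh has no guard for an empty match: if the sed pattern does not match (different fw4 comment text, or the rule already moved), `ER_RULE` is empty, `nft delete rule inet fw4 forward handle` fails and the following `nft insert` runs with an empty rule body. Add `[ -n "${ER_RULE}" ] && [ -n "${RJ_RULE}" ] || exit 0` before the delete. Two smaller points: `${RJ_RULE##* }` only yields a single handle if each pattern matches exactly one line, so the patterns should be tightened or the variables checked for a newline; and the `config include` section still only sets `path`, so check that fw4 really executes a `.sh` include with this minimal section (it distinguishes script from nftables includes, which may need `type` set) and whether `/etc/nftables.d/` is preserved across sysupgrade now that the `/etc/sysupgrade.conf` entry has been removed.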
  • Last modified: 2023/11/17 09:13
  • by vgaetera