3,250
edits
Changes
Jump to navigation
Jump to search
Created page with "this is a work in progress in order to allow more control on what DNS enters in your LAN. DO NOT use in production. {{WIP box|}} to protect from malware and adds, one priori..."
this is a work in progress in order to allow more control on what DNS enters in your LAN. DO NOT use in production.
{{WIP box|}}
to protect from malware and adds, one priority now is to manage your own DNS.
some will go using pihole to block adds, and limit spying on you.
next step would be to make sure that pihole does not forward to another service that could spy on you, but rather uses you own server,
finally you really want any app on your phone or your clients on your own network are only able to access your SME dns server.
== Closing port 53 from LAN to outside ==
of course you need your Server to be able to access.
<code>iptables -A INPUT -i $lan -p udp -m multiport --dports 53,853 -j DROP</code>
<code>iptables -A FORWARD -i $lan -p udp -m multiport --dports 53,853 -j DROP</code>
this will leave access to IP <code>$INTERNALDNS</code> to external world to request DNS.
<code>iptables -A FORWARD -p udp -s $INTERNALDNS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT</code>
<code>iptables -A FORWARD -p tcp -s $INTERNALDNS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT</code>
then closing for others
<code>iptables -A FORWARD -o $WAN -p tcp --dport 53 -j REJECT</code>
<code>iptables -A FORWARD -o $WAN -p udp --dport 53 -j REJECT</code>
== Redirect port 53 from LAN ==
<syntaxhighlight lang="bash">
iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT
iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT
</syntaxhighlight>what if you want to redirect to your PiHole ?
<code>iptables -t nat -A PREROUTING -p tcp --dport 53 -j DNAT --to $INTERNALDNS:53</code>
<code>iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to $INTERNALDNS:53</code>
<code>iptables -A FORWARD -p udp -s $INTERNALDNS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT</code>
<code>iptables -A FORWARD -p tcp -s $INTERNALDNS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT</code>
== block DOH 443 ==
DNS over Https is what some present to you as the real way to guarantee your privacy over some companies (read here a shady hotspot, or a shady ISP) who are spying on your DNS request OR changing the results. HOwever this introduce also a way for shady apps a way to get the content they want without being filtered... time to filter them back...
TODO
way to do seems to block destination IP from a list of
ipset might be of use https://ipset.netfilter.org/
<code># Block DNS over HTTPS</code>
<code>iptables -I OUTPUT -m set --match-set Block_DoH src -j DROP</code>
<code>iptables -I INPUT -m set --match-set Block_DoH dst -j DROP</code>
or https://jpgpi250.github.io/piholemanual/doc/Block%20DOH%20with%20pfsense.pdf with bash https://www.cyberciti.biz/faq/iptables-read-and-block-ips-subnets-from-text-file/<syntaxhighlight lang="bash">
_input=/root/firewall/badips.db
_pub_if="eth1"
_priv_if="eth0"
IPT=/sbin/iptables
### Setup our black list ###
# Create a new chain
$IPT -N droplist
# Filter out comments and blank lines
# store each ip or subnet in $ip
egrep -v "^#|^$" x | while IFS= read -r ip
do
# Append everything to droplist
$IPT -A droplist -i ${_priv_if} -d $ip --dport 443 -j LOG --log-prefix " Drop DOH ip "
$IPT -A droplist -i ${_priv_if} -d $ip --dport 443 -j DROP
done <"${_input}"
# Finally, insert or append our black list
$IPT -I INPUT -j droplist
$IPT -I OUTPUT -j droplist
$IPT -I FORWARD -j droplist
</syntaxhighlight>as pointed out in some places you might need to whitelist
== block DOT 853 ==
this is an alternative of Https, using DNS over TLS on port 853
<code># Block DNS over TLS</code>
<code>iptables -I INPUT -i $lan -p tcp --sport 853 -j DROP</code>
<code>iptables -I INPUT -i $lan -p udp --sport 853 -j DROP</code>
<code>iptables -I OUTPUT -p tcp --dport 853 -j DROP</code>
<code>iptables -I OUTPUT -p udp --dport 853 -j DROP</code>
or
<code>iptables -A INPUT -i $lan -p udp -m multiport --dports 53,853 -j DROP</code>
<code>iptables -A FORWARD -i $lan -p udp -m multiport --dports 53,853 -j DROP</code>
<code>iptables -A INPUT -i $lan -p tcp -m multiport --dports 53,853 -j DROP</code>
<code>iptables -A FORWARD -i $lan -p tcp -m multiport --dports 53,853 -j DROP</code>
testing needed in order to keep the sever free of limits.
== TODO ==
* check the pros and cons to use FORWARD vs PREROUTING in nat
* organize using proper chains
* create templates
* create contrib
== sources ==
* https://serverfault.com/questions/499435/gateway-iptables-dns-redirect
* https://www.linuxtopia.org/Linux_Firewall_iptables/x4508.html
* https://www.cyberciti.biz/faq/iptables-read-and-block-ips-subnets-from-text-file/
* https://jpgpi250.github.io/piholemanual/doc/Block%20DOH%20with%20pfsense.pdf
* https://github.com/curl/curl/wiki/DNS-over-HTTPS
* https://serverfault.com/questions/996469/how-to-block-dns-over-https-using-iptables
[[Category:Howto]]
{{WIP box|}}
to protect from malware and adds, one priority now is to manage your own DNS.
some will go using pihole to block adds, and limit spying on you.
next step would be to make sure that pihole does not forward to another service that could spy on you, but rather uses you own server,
finally you really want any app on your phone or your clients on your own network are only able to access your SME dns server.
== Closing port 53 from LAN to outside ==
of course you need your Server to be able to access.
<code>iptables -A INPUT -i $lan -p udp -m multiport --dports 53,853 -j DROP</code>
<code>iptables -A FORWARD -i $lan -p udp -m multiport --dports 53,853 -j DROP</code>
this will leave access to IP <code>$INTERNALDNS</code> to external world to request DNS.
<code>iptables -A FORWARD -p udp -s $INTERNALDNS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT</code>
<code>iptables -A FORWARD -p tcp -s $INTERNALDNS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT</code>
then closing for others
<code>iptables -A FORWARD -o $WAN -p tcp --dport 53 -j REJECT</code>
<code>iptables -A FORWARD -o $WAN -p udp --dport 53 -j REJECT</code>
== Redirect port 53 from LAN ==
<syntaxhighlight lang="bash">
iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT
iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT
</syntaxhighlight>what if you want to redirect to your PiHole ?
<code>iptables -t nat -A PREROUTING -p tcp --dport 53 -j DNAT --to $INTERNALDNS:53</code>
<code>iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to $INTERNALDNS:53</code>
<code>iptables -A FORWARD -p udp -s $INTERNALDNS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT</code>
<code>iptables -A FORWARD -p tcp -s $INTERNALDNS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT</code>
== block DOH 443 ==
DNS over Https is what some present to you as the real way to guarantee your privacy over some companies (read here a shady hotspot, or a shady ISP) who are spying on your DNS request OR changing the results. HOwever this introduce also a way for shady apps a way to get the content they want without being filtered... time to filter them back...
TODO
way to do seems to block destination IP from a list of
ipset might be of use https://ipset.netfilter.org/
<code># Block DNS over HTTPS</code>
<code>iptables -I OUTPUT -m set --match-set Block_DoH src -j DROP</code>
<code>iptables -I INPUT -m set --match-set Block_DoH dst -j DROP</code>
or https://jpgpi250.github.io/piholemanual/doc/Block%20DOH%20with%20pfsense.pdf with bash https://www.cyberciti.biz/faq/iptables-read-and-block-ips-subnets-from-text-file/<syntaxhighlight lang="bash">
_input=/root/firewall/badips.db
_pub_if="eth1"
_priv_if="eth0"
IPT=/sbin/iptables
### Setup our black list ###
# Create a new chain
$IPT -N droplist
# Filter out comments and blank lines
# store each ip or subnet in $ip
egrep -v "^#|^$" x | while IFS= read -r ip
do
# Append everything to droplist
$IPT -A droplist -i ${_priv_if} -d $ip --dport 443 -j LOG --log-prefix " Drop DOH ip "
$IPT -A droplist -i ${_priv_if} -d $ip --dport 443 -j DROP
done <"${_input}"
# Finally, insert or append our black list
$IPT -I INPUT -j droplist
$IPT -I OUTPUT -j droplist
$IPT -I FORWARD -j droplist
</syntaxhighlight>as pointed out in some places you might need to whitelist
== block DOT 853 ==
this is an alternative of Https, using DNS over TLS on port 853
<code># Block DNS over TLS</code>
<code>iptables -I INPUT -i $lan -p tcp --sport 853 -j DROP</code>
<code>iptables -I INPUT -i $lan -p udp --sport 853 -j DROP</code>
<code>iptables -I OUTPUT -p tcp --dport 853 -j DROP</code>
<code>iptables -I OUTPUT -p udp --dport 853 -j DROP</code>
or
<code>iptables -A INPUT -i $lan -p udp -m multiport --dports 53,853 -j DROP</code>
<code>iptables -A FORWARD -i $lan -p udp -m multiport --dports 53,853 -j DROP</code>
<code>iptables -A INPUT -i $lan -p tcp -m multiport --dports 53,853 -j DROP</code>
<code>iptables -A FORWARD -i $lan -p tcp -m multiport --dports 53,853 -j DROP</code>
testing needed in order to keep the sever free of limits.
== TODO ==
* check the pros and cons to use FORWARD vs PREROUTING in nat
* organize using proper chains
* create templates
* create contrib
== sources ==
* https://serverfault.com/questions/499435/gateway-iptables-dns-redirect
* https://www.linuxtopia.org/Linux_Firewall_iptables/x4508.html
* https://www.cyberciti.biz/faq/iptables-read-and-block-ips-subnets-from-text-file/
* https://jpgpi250.github.io/piholemanual/doc/Block%20DOH%20with%20pfsense.pdf
* https://github.com/curl/curl/wiki/DNS-over-HTTPS
* https://serverfault.com/questions/996469/how-to-block-dns-over-https-using-iptables
[[Category:Howto]]