Hi, I want to block all traffic from LAN to WAN except a few hosts for a specific device, a laptop (192.168.1.143). It works with static IP addresses, but not with an ipset loaded from a DNS query like github.com.
The idea is that the whole WAN is blocked and I have to whitelist domains. I tried to figure it out from some randomly distributed stuff on the web, but the examples are mostly for a »vanilla OpenWrt«. I think the problem is that the default Turris OS does not use dnsmasq as the DNS provider; it uses a resolver configuration. I also found this thread, How to use ipset with knot or remove it, but it does not help me.
config ipset
	option name 'MyExample'
	option match 'dest_net'
	option storage 'hash'
	option family 'ipv4'
	option enabled '1'

config rule
	option name 'laptop allow ipset MyExample'
	option src 'lan'
	option dest 'wan'
	list src_ip '192.168.1.143'
	option ipset 'MyExample'
	option target 'ACCEPT'
	list proto 'any'
	option enabled '1'

config rule
	list proto 'all'
	option name 'laptop allow specific address'
	list src_ip '192.168.1.143'
	option dest 'wan'
	list dest_ip 'some_ip_to_whitelist'
	option target 'ACCEPT'
	option src 'lan'
	option enabled '1'

config rule
	option src 'lan'
	option name 'laptop no wan'
	option dest 'wan'
	option target 'REJECT'
	list proto 'all'
	list src_ip '192.168.1.143'
	option enabled '1'
I see unbalanced parentheses in your kresd config. Generally it’s good to read the logs when something is wrong (you’d probably need to flip those log_* options for that, too).
# ipset list
Name: MyExample
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 368
References: 1
Number of entries: 1
Members:
140.82.121.3
But I am not yet fully satisfied:
The hard-coded ipset-dns53001 port will maybe change after the next reboot. Is there a way to automate or define the port constantly for this service? I think it's not best practice to template a command like logread -e ipset-dns; netstat -l -n -p | grep -e ipset-dns into the kresdcustom.conf.
And there is also another issue. I need to make a DNS lookup request to fill the IP address list with the related addresses for the domain in the ipset list:
# nslookup -p53001 archlinux.org 127.0.0.1
Has anyone an elegant solution for it? Maybe there is already a feature? I found in the OpenWRT a small script; is there no other way?
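As an added example (not from this thread or from Turris OS), here is a small script for the two points above: it reads the ipset-dns port from the same `netstat -l -n -p` output instead of hard-coding 53001, resolves each allowlisted domain through that port so ipset-dns fills the set, and checks the result in `ipset list`. It assumes the set name MyExample from the config above, a busybox nslookup that accepts -p as in the post, and an allowlist file path that is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the thread: refresh an ipset-backed domain
# allowlist on a Turris/OpenWrt box where ipset-dns (not dnsmasq) fills the set.
# Assumptions: ipset-dns listens on UDP 127.0.0.1:<port> (as in the thread's
# netstat output), the set is called MyExample, nslookup accepts -p<port>.

SET_NAME="${SET_NAME:-MyExample}"

# Print the UDP port ipset-dns listens on, parsed from `netstat -l -n -p`
# output on stdin, so the port never has to be hard-coded.
ipset_dns_port() {
    awk '/ipset-dns/ && $1 == "udp" { n = split($4, a, ":"); print a[n]; exit }'
}

# Print the member addresses of an `ipset list` dump on stdin
# (the lines after "Members:", first field only, in case of timeouts).
ipset_members() {
    awk 'seen { print $1 } /^Members:/ { seen = 1 }'
}

# Return 0 if address $1 is a member of the `ipset list` dump on stdin.
ipset_has_member() {
    ipset_members | grep -qxF "$1"
}

# Resolve every domain in allowlist file $1 through ipset-dns (which adds the
# answers to the set), then print what is now in the set.
refresh_allowlist() {
    port=$(netstat -l -n -p | ipset_dns_port)
    [ -n "$port" ] || { echo "ipset-dns is not listening" >&2; return 1; }
    while read -r domain; do
        case "$domain" in ''|'#'*) continue ;; esac   # skip blanks/comments
        nslookup -p"$port" "$domain" 127.0.0.1 >/dev/null
    done < "$1"
    ipset list "$SET_NAME" | ipset_members
}

# Only touch the live router when explicitly asked, e.g. from cron:
#   ALLOWLIST=/etc/allowlist.txt RUN_REFRESH=1 ./refresh.sh
if [ "${RUN_REFRESH:-0}" = 1 ]; then
    refresh_allowlist "${ALLOWLIST:-/etc/allowlist.txt}"   # placeholder path
fi
```

Run it from cron (or a hotplug script) so the set is repopulated after a reboot, when ipset-dns may come up on a different port and the set starts empty.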