Firewall rule(s) for single DoT server
I'm trying to implement firewall rules that essentially do: "disallow all TCP traffic to remote port 853 except to family{DOT}cloudflare-dns{DOT}com". I can't figure it out and my googling hasn't turned up anything promising either, surprisingly. Please help.
Re: Firewall rule(s) for single DoT server
First question, what version are you using? This will determine whether the advice should be based on iptables or nftables.
In essence, neither of them natively supports what you’re looking for, but we can use ipsets (or nftsets) and dnsmasq to look up the FQDN and create a set.
You would then create a rule that references the set to allow it first before blocking everything else on that port.
Hope that gives you some extra help in searching for the solution, otherwise happy to keep exploring it here in the forum together.
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
https://lantisproject.com/blog
Re: Firewall rule(s) for single DoT server
Appreciate any guidance you can give me; my networking chops are amateur at best. I'm running 1.15.x_20250331 for WRT1900ACSv2.
Re: Firewall rule(s) for single DoT server
So I was thinking more on this and blocking the domain name may not be necessary (at least for cloudflare). We can probably achieve this with simple IP based rules.
Try this out.
Code:
nft insert rule inet fw4 forward_lan tcp dport 853 reject;
nft insert rule inet fw4 forward_lan ip daddr { 1.1.1.3,1.0.0.3 } tcp dport 853 accept;
nft insert rule inet fw4 forward_lan ip6 daddr { 2606:4700:4700::1113,2606:4700:4700::1003 } tcp dport 853 accept;
This establishes 3 rules (note that they are INSERT rules so the order is reversed in the table to the order we run the commands).
First rule allows TCP 853 traffic to the IPv6 addresses for cloudflare family DNS.
Second rule allows TCP 853 traffic to the IPv4 addresses for cloudflare family DNS.
Third rule blocks all other traffic to TCP 853.
If this achieves what you want, then we need to make it persistent.
Code:
mkdir /usr/share/nftables.d/chain-pre/
mkdir /usr/share/nftables.d/chain-pre/forward_lan/
touch /usr/share/nftables.d/chain-pre/forward_lan/10-dotblock.nft
Then go and modify /usr/share/nftables.d/chain-pre/forward_lan/10-dotblock.nft to include the following:
Code:
ip daddr { 1.1.1.3,1.0.0.3 } tcp dport 853 accept;
ip6 daddr { 2606:4700:4700::1113,2606:4700:4700::1003 } tcp dport 853 accept;
tcp dport 853 reject;
These rules will then auto insert into the firewall every time it restarts.
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
https://lantisproject.com/blog
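An added check, not part of the reply above or of Gargoyle itself, for confirming on the router that the three rules landed in the order the post relies on (accepts above the reject, since "nft insert" prepends). It reads the text output of "nft list chain inet fw4 forward_lan"; the two listings embedded below are constructed samples, not captures from a real device.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the DoT rules in the fw4
# forward_lan chain are ordered so the two accepts sit above the reject.
# Input is the text printed by:  nft list chain inet fw4 forward_lan

# check_dot_order: reads a chain listing on stdin. Exit status:
#   0  every "tcp dport 853 ... accept" rule precedes the "tcp dport 853 reject" rule
#   1  an accept rule sits below the reject, so it can never match
#      (the insert commands were run in the wrong order)
#   2  no reject rule for port 853 found
#   3  no accept rule for port 853 found
check_dot_order() {
    awk '
        /tcp dport 853([^0-9]|$)/ && /accept( *#.*)?$/ { accepts++; if (rejected) shadowed = 1 }
        /tcp dport 853([^0-9]|$)/ && /reject( *#.*)?$/ { rejected = 1 }
        END {
            if (!rejected) exit 2
            if (!accepts)  exit 3
            if (shadowed)  exit 1
            exit 0
        }'
}

# Constructed listing (not captured from a real router) showing how the chain
# looks after the three "nft insert" commands from the thread, newest on top.
GOOD_LISTING='table inet fw4 {
    chain forward_lan {
        ip6 daddr { 2606:4700:4700::1003, 2606:4700:4700::1113 } tcp dport 853 accept
        ip daddr { 1.0.0.3, 1.1.1.3 } tcp dport 853 accept
        tcp dport 853 reject
        jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
    }
}'

# Constructed listing of the same commands run in the opposite order: the reject
# now shadows both accepts and Cloudflare family DNS is blocked as well.
BAD_LISTING='table inet fw4 {
    chain forward_lan {
        tcp dport 853 reject
        ip daddr { 1.0.0.3, 1.1.1.3 } tcp dport 853 accept
        ip6 daddr { 2606:4700:4700::1003, 2606:4700:4700::1113 } tcp dport 853 accept
    }
}'

printf '%s\n' "$GOOD_LISTING" | check_dot_order && echo "good listing: accepts precede reject"
printf '%s\n' "$BAD_LISTING" | check_dot_order || echo "bad listing: check failed with status $?"
```

On the router itself, pipe the live chain into the function: nft list chain inet fw4 forward_lan | check_dot_order.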