So this question is as much of a learning exercise for me as it is for real-world use (although it has been inspired by some 'real world' problems). Firstly, I've been using computers since Win98 / Pentium 2 days, Gentoo for the last 15 or so, and I've got an M.Eng (Electronic), so I'm hardly new at some things. In some respects I know a fair bit about computers, but in others (especially networking) I have absolutely no idea and need some hand-holding. I've researched a few answers to these questions already, but some of what I've read either makes no sense or assumes too much prior knowledge on the part of the reader.
I've had an OpenWrt (well, LEDE, actually) image on an RPi3 for a year or so, and I want to use another spare RPi3 to create this system. Let's just assume for this question that I've got a PC, connected to an RPi3 running OpenWrt, connected to the internets. (It doesn't matter what the PC is running, win/lin etc.; let's just assume that it has some software that is totally not under my control with regards to how / when it connects to the internet, but I'd like it to be reined in using the external Pi router.)
In short, I'm interested in the different ways of creating an automatically-blacklist-everything, specific-whitelist OpenWrt router, which logs every request coming from the PC and allows me to read the logs to see what is being requested, so I can then whitelist those I wish to allow. I know there are a few ways this can be done, so I'll split everything into sections:
DNS Requests:
It's easy enough setting my PC (at least, on a system level, e.g. resolv.conf) to use my PiRouter as a DNS server; I've been doing that for years.
What I want to do for this system is to log (on my Pi) every request that comes from my PC and automatically blacklist everything (resolve to 127.0.0.1 or something like that?).
If a request comes from my PC for a whitelisted site (say openwrt.org), the Pi itself will do the DNS lookup (say from OpenDNS' 208.67.222.222) and serve the resolved IP back to the PC (I'm pretty sure that this is already what happens under normal circumstances anyway).
But what I don't want to happen is a rogue application on my PC bypassing the system-wide DNS setting and trying to connect to a DNS server directly instead. Is there any way to intercept these if the PC tries to use a different DNS server other than the Pi? (Besides blocking the IP address of whatever DNS server it's trying to use instead, as in the next section.)
Preliminary reading suggests dnsmasq has something to do with this answer, but I'm not quite sure how to set it up yet.
IP Addresses:
Say some PC application has a hard-coded IP address for something: it won't need to do a DNS lookup and will just try to connect straight to that site. I want to, again, automatically block and log all outgoing connections, and explicitly only allow ones on a whitelist.
Obviously, connected with the above section, once I've allowed the DNS lookup of a site, I'll have to whitelist the IP address that it resolves to as well.
Also, if I block my PC from directly accessing, say, the Google DNS server (8.8.8.8) (to stop the PC doing its own DNS lookups), will that also block my Pi from doing its own DNS lookups at that same 8.8.8.8 server?
Transports and Ports:
(This is where my knowledge of networking gets really fuzzy.)
Say I want to only allow TCP traffic and deny all UDP traffic?
Say I only want to allow the browser on the PC to access the internets using port 443 (https) and block all port 80 (http) traffic?
Or specifically allow something (like a Steam game, for example) access through the router to the internets but block something else? (From a quick search for Steam ports, let's say enable UDP port 27015 for games but block UDP port 3478 for voice chat.)
How about allowing ssh access (TCP 22) from my PC into the Pi3 (for admin etc.), but denying ssh from the PC through the Pi to a remote computer somewhere else on the internets?
Or how about blocking all IPv6 traffic and only allowing IPv4 (or vice versa)?
Anyway, this is a bit of an open-ended question, so I expect an open-ended answer. Like I said, this is as much a learning exercise as anything else; I know it would be very clunky to implement on a daily basis, but that's really not the point (so don't bother trying to talk me out of it).
Thanks in advance for help and suggestions.
(PS: I have investigated certain 'addons' and/or 'plugins' to OpenWrt, like adblock etc. But I'd prefer to stay away from too much automated stuff as much as possible and keep this as simple and manual as possible, unless there really are no other ways to accomplish what I'm trying to achieve.)
(PPS: obviously I want to block everything coming in unsolicited from the internets back to the PC, proper firewall style, only allowing in pages that I've explicitly requested. I do hope that the default settings of OpenWrt work like this, or I've been under the wrong impression for the year or two I've already been using it.)
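The three sections of the question (DNS requests, IP addresses, transports and ports) all come down to two files on the Pi, so here is one worked example covering all of them. This is an added example, not part of the original post and not OpenWrt's own code: a POSIX shell script that generates `/etc/dnsmasq.conf` (extra dnsmasq options; it is assumed that OpenWrt's stock dnsmasq init script pulls that file in) and `/etc/config/firewall` (fw3 UCI syntax, replacing the stock file). It assumes the Pi's interfaces are named `lan` and `wan`; the whitelist domain, the whitelisted IPv4 address (`192.0.2.10`, a documentation address standing in for whatever the log shows openwrt.org resolving to) and the script's own function names are constructed for the example. It writes under `$ROOT` so it can be dry-run on a PC first.

```shell
#!/bin/sh
# Added example, not the poster's or OpenWrt's own code. Generates the two files
# behind a whitelist-only router: /etc/dnsmasq.conf (extra dnsmasq options,
# assumed to be pulled in by OpenWrt's stock dnsmasq init script) and
# /etc/config/firewall (fw3 UCI syntax, replacing the stock file).
# Writes under $ROOT so it can be dry-run on a PC; on the Pi run it with ROOT=/ then
#   /etc/init.d/dnsmasq restart && /etc/init.d/firewall restart
ROOT="${ROOT:-/tmp/pirouter-example}"
UPSTREAM="208.67.222.222"          # OpenDNS, as in the question
WHITELIST_DOMAINS="openwrt.org"    # names the PC may resolve (constructed list)
WHITELIST_IPV4="192.0.2.10"        # placeholder: the address openwrt.org resolved to in your log

# --- DNS: log every query, answer 0.0.0.0 unless the name is whitelisted -------
dnsmasq_conf() {
    cat <<EOF
# every query is logged (name + client address); read it with: logread -e dnsmasq
log-queries
# only the server= lines below are used as upstreams (ignore resolv.conf)
no-resolv
# catch-all: any name not matched by a more specific server= line gets 0.0.0.0
# (this also applies to the Pi's own lookups, e.g. opkg, unless whitelisted)
address=/#/0.0.0.0
EOF
    for d in $WHITELIST_DOMAINS; do
        # $d and its subdomains are forwarded to the upstream resolver
        echo "server=/$d/$UPSTREAM"
    done
}

# --- Firewall: forward nothing by default, log refusals, allow only by rule ----
firewall_conf() {
    cat <<EOF
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# lan: the Pi accepts ssh etc. from the PC (input), but forwards nothing to the
# internet unless a rule below says so; refused packets are logged (logread)
config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option log '1'
	option log_limit '10/minute'

# wan: unsolicited inbound is refused (the stock default); output ACCEPT keeps
# the Pi's own upstream DNS lookups working, forward rules never apply to them
config zone
	option name 'wan'
	option network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# deliberately no 'config forwarding' lan->wan section: the stock one is what
# lets everything through

# any DNS packet the PC sends to some other server is redirected to the Pi's
# own dnsmasq (no dest_ip on a DNAT redirect means the router itself)
config redirect
	option name 'Catch-stray-DNS'
	option src 'lan'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'

# port 80, UDP 3478, outbound ssh and all IPv6 need no rule of their own: the
# zone's forward REJECT already refuses (and logs) them
config rule
	option name 'Allow-HTTPS-to-whitelisted-IP'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp'
	option dest_ip '$WHITELIST_IPV4'
	option dest_port '443'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-Steam-game-UDP'
	option src 'lan'
	option dest 'wan'
	option proto 'udp'
	option dest_port '27015'
	option family 'ipv4'
	option target 'ACCEPT'
EOF
}

write_configs() {
    mkdir -p "$ROOT/etc/config"
    dnsmasq_conf  > "$ROOT/etc/dnsmasq.conf"
    firewall_conf > "$ROOT/etc/config/firewall"
    echo "wrote $ROOT/etc/dnsmasq.conf and $ROOT/etc/config/firewall"
}

write_configs
```

The workflow this supports is the manual one described above: watch `logread` for the dnsmasq query lines and the firewall's refused-packet lines, add a name to `WHITELIST_DOMAINS` or an address to a `config rule`, regenerate, restart the two services. Because the lan zone's `forward` is `REJECT` and there is no `config forwarding` section, every transport, port and IP family is blocked unless an `ACCEPT` rule names it, which is why the "deny UDP", "deny port 80", "deny outbound ssh" and "deny IPv6" cases need no extra rules; only the allows are listed. The wan zone's `output 'ACCEPT'` is what answers the 8.8.8.8 question: rules on the forward path govern the PC's traffic passing through the Pi, not the Pi's own outgoing lookups.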