Nftables-unbound openwrt 19.07.7

anon40147531 · February 28, 2021, 10:17pm

This is to compile through the image-builder channel with nftables, unbound, ssl for luci, log for nftables.

We download our tar.xz, in my case:
https://downloads.openwrt.org/releases/19.07.7/targets/mvebu/cortexa9/openwrt-imagebuilder-19.07.7-mvebu-cortexa9.Linux-x86_64.tar.xz

Unzip, and edit /include/target.mk
We delete the configuration of:
DEFAULT_PACKAGES: =
DEFAULT_PACKAGES.router: =

and instead we add:

DEFAULT_PACKAGES:=uhttpd luci-mod-admin-full luci-theme-bootstrap luci-app-opkg luci-proto-ppp libiwinfo-lua luci-proto-ipv6 rpcd-mod-rrdns base-files libc libgcc busybox dropbear mtd opkg netifd fstools uclient-fetch logd urandom-seed urngd uci libustream-mbedtls20150806 px5g-mbedtls luci-app-unbound

DEFAULT_PACKAGES.router:=ppp ppp-mod-pppoe odhcpd nftables kmod-nft-core kmod-nft-nat kmod-nfnetlink kmod-nft-nat6 kmod-nft-netdev kmod-nft-offload kmod-nft-bridge kmod-nft- arp kmod-nft-fib libxtables-nft12 unbound-daemon-heavy unbound-control ca-bundle libnetfilter-log1 ulogd ulogd-mod-nflog ulogd-mod-extra ca-certificates

Note that I install unbound-daemon-heavy, you can choose whatever version of unbound you want.

Now compile.
make image PROFILE="router model"

Update the firmware on your router.

IMPORTANT NOTE:
You cannot access the router after the flash if you do not configure a fixed ip in your dhcp client, example:
192.168.1.40
255.255.255.255
gateway 192.168.1.1
Now if you have access to the router.
I didn't have access because odhcpd is not configured yet.

When you access the router for the first time, you will have to configure minimum odhcpd, unbound and nft. Following this link, search for "Unbound and odhcpd", to configure.

github.com

openwrt/packages/blob/openwrt-19.07/net/unbound/files/README.md

# Unbound Recursive DNS Server with UCI

## Unbound Description
[Unbound](https://www.unbound.net/) is a validating, recursive, and caching DNS resolver. The C implementation of Unbound is developed and maintained by [NLnet Labs](https://www.nlnetlabs.nl/). It is based on ideas and algorithms taken from a java prototype developed by Verisign labs, Nominet, Kirei and ep.net. Unbound is designed as a set of modular components, so that also DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible.

## Package Overview
OpenWrt default build uses [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html) for DNS forwarding and DHCP. With a forward only resolver, dependence on the upstream recursors may be cause for concern. They are often provided by the ISP, and some users have switched to public DNS providers. Either way may result in problems due to performance, "snoop-vertising", hijacking (MiM), and other causes. Running a recursive resolver or resolver capable of TLS may be a solution.

Unbound may be useful on consumer grade embedded hardware. It is fully DNSSEC and TLS capable. It is _intended_ to be a recursive resolver only. NLnet Labs [NSD](https://www.nlnetlabs.nl/projects/nsd/) is _intended_ for the authoritative task. This is different than [ISC Bind](https://www.isc.org/downloads/bind/) and its inclusive functions. Unbound configuration effort and memory consumption may be easier to control. A consumer could have their own recursive resolver with 8/64 MB router, and remove potential issues from forwarding resolvers outside of their control.

This package builds on Unbounds capabilities with OpenWrt UCI. Not every Unbound option is in UCI, but rather, UCI simplifies the combination of related options. Unbounds native options are bundled and balanced within a smaller set of choices. Options include resources, DNSSEC, access control, and some TTL tweaking. The UCI also provides an escape option and works at the raw `unbound.conf` level.

## HOW TO: Ad Blocking
The UCI scripts will work with [net/adblock](https://github.com/openwrt/packages/blob/master/net/adblock/files/README.md), if it is installed and enabled. Its all detected and integrated automatically. In brief, the adblock scripts create distinct local-zone files that are simply included in the unbound conf file during UCI generation. If you don't want this, then disable adblock or reconfigure adblock to not send these files to Unbound.

A few tweaks may be needed to enhance the realiability and effectiveness. Ad Block option for delay time may need to be set for upto one minute (adb_triggerdelay), because of boot up race conditions with interfaces calling Unbound restarts. Also many smart devices (TV, microwave, or refigerator) will also use public DNS servers either as a bypass or for certain connections in general. If you wish to force exclusive DNS to your router, then you will need a firewall rule for example:

**/etc/config/firewall**:
```
config rule

This file has been truncated. show original

You can configure the wifi and configure the dropbear server to connect via ssh and upload your nftables.conf, add in rc.local
/usr/sbin/nft -f /etc/nftables.conf

You can also upload by ssh to /etc/init.d/nft

#!/bin/sh /etc/rc.common

START=90
USE_PROCD=1
CONF=/etc/nftables.conf
DESC="firewall service"
NAME=nftables
BIN=/usr/sbin/nft

start_service() {
	# Return
	#  0 if start OK
	#  2 if start NOK

	if [ ! -r "$CONF" ] ; then
		return 2
		logger -st $NAME $DESC "Error: No such config file $CONF"
	fi

	procd_open_instance
	procd_set_param command $BIN -f $CONF
	procd_append_param command || return 0
	procd_set_param file $CONF
	procd_close_instance
}

stop_service() {
	$BIN flush ruleset
	logger -st $NAME $DESC "stopped and ruleset flushed"
}

boot() {
	start
}

You need execution permissions
chmod +x /etc/init.d/nft
service nft enable

Remove from rc.local: /usr/sbin/nft -f /etc/nftables.conf
You could have service nft restart / stop / start after modifying any parameter of your nftables.conf file.

nft list ruleset

To start the firewall at the start of the router power-up.
Without this well configured file you will not have internet access.

Restart the router and enjoy
Excuse my english