I'm just in the process of upgrading my 15.05 system to 19.07 and copying across all my customisations.
I figured I'd post this script, since some of you may find it useful. It's a firewall user script that redirects any DNS queries from internal hosts to the OpenWrt host. You'll find many Android devices, for example, simply ignore the DNS settings in the DHCP lease and just use Google's servers.
This can pose a problem if you're using dnsmasq to do clever things like put an IP address into an ipset based on a canonical name DNS query match, which ipset then gets used to do policy based routing through a VPN. If your Android devices are not using dnsmasq to resolve DNS queries, then your policy routing won't work.
I also find it undesirable for internal hosts to decide on their own DNS server.
So, to use this script, you'll need to add a line to your firewall config /etc/config/firewall thus:
config include
    option path '/etc/firewall.dns'
Then create the file /etc/firewall.dns and make it executable. Add the following to it
This script will allow you to have an internal DNS server distinct from the OpenWrt dnsmasq. I have mine set up to serve private DNS records and my domain IPs and also to be a fast caching server.
My OpenWrt dnsmasq uses my internal server as its primary forwarder. So the rules above exclude redirection of any DNS queries from this host's IPs.
If you don't have an internal DNS server then leave the SERVERIPVx variables blank.
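As an added example (my own, not the script from the original post, which did not survive above): one way to write the /etc/firewall.dns include the post describes. It assumes the fw3 nat chain prerouting_lan_rule, a LAN device named br-lan, and constructed server addresses; ip6tables NAT support (kmod-ipt-nat6 on OpenWrt) is assumed for the IPv6 part.

```sh
#!/bin/sh
# fw3 include script (path assumed: /etc/firewall.dns): redirect client DNS
# queries (udp/tcp 53) arriving on the LAN interface to dnsmasq on this router.
# Queries from the internal DNS server(s) that dnsmasq forwards to are exempted,
# otherwise the forwarder would loop back. Leave SERVERIPV4/SERVERIPV6 empty if
# you have no internal server. The values below are constructed examples.

SERVERIPV4="192.168.1.2"   # internal DNS server(s), space separated
SERVERIPV6=""              # same for IPv6 (needs ip6tables NAT support)
LANIF="br-lan"             # on OpenWrt: $(uci -q get network.lan.ifname)

# Print the rule commands for one table tool; kept as a pure function so the
# rule set can be reviewed (or tested) without root. ACTION is -A (add) or -D (delete).
emit_rules() {
    tool="$1" servers="$2" action="$3"
    for proto in udp tcp; do
        # exemptions first: RETURN leaves the chain before the REDIRECT is reached
        for srv in $servers; do
            echo "$tool -t nat $action prerouting_lan_rule -i $LANIF -p $proto --dport 53 -s $srv -j RETURN"
        done
        echo "$tool -t nat $action prerouting_lan_rule -i $LANIF -p $proto --dport 53 -j REDIRECT --to-ports 53"
    done
}

dns_redirect_cmds() {
    emit_rules iptables "$SERVERIPV4" "$1"
    [ -n "$SERVERIPV6" ] && emit_rules ip6tables "$SERVERIPV6" "$1"
    return 0
}

# Delete any rules left from a previous run, then add them fresh, so a
# firewall reload does not accumulate duplicates.
apply_dns_redirect() {
    dns_redirect_cmds -D | while read -r cmd; do $cmd 2>/dev/null; done
    dns_redirect_cmds -A | while read -r cmd; do $cmd || echo "failed: $cmd" >&2; done
}

# Only touch the firewall when actually running on an OpenWrt router as root.
if [ "$(id -u)" -eq 0 ] && command -v fw3 >/dev/null 2>&1 && command -v iptables >/dev/null 2>&1; then
    apply_dns_redirect
fi
```

Running the script elsewhere only prints nothing; `dns_redirect_cmds -A` shows the exact rules it would install.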
Here's another script for you. This one is my /etc/firewall.badip. It blocks a list of hosts with an ipset. These are typically lists I download of known SSH port probers. I also export them from my Elasticsearch logs and update the badip file regularly.
# /etc/firewall.badip: fw3 include script; drops WAN traffic from hosts listed in /etc/badip
WANIF=$(uci -q get network.wan.ifname)
RULE=input_wan_rule
[ -f /etc/badip ] && {
    # remove the old rule and set (if any) so a firewall reload does not duplicate them
    iptables -D ${RULE} -i ${WANIF} -m set --match-set badip src,dst -j DROP 2> /dev/null
    ipset flush badip 2> /dev/null
    ipset destroy badip 2> /dev/null
    ipset create badip hash:net
    # one IP or CIDR per line; skip blank lines and comments
    while read -r ip; do
        case "$ip" in ''|'#'*) continue ;; esac
        ipset add badip "$ip"
    done < /etc/badip
    # hash:net is one-dimensional, so only the first flag (src) is consulted
    iptables -I ${RULE} 1 -i ${WANIF} -m set --match-set badip src,dst -j DROP
}
Yeah, redirect works too. It's really a special case of DNAT where you don't have to enter the interface address of the OpenWrt br-lan interface. It's maybe a little more flexible in that it will accommodate an interface IP change unless you put in the uci call as per my second post.
This not getting loaded at boot happens to me as well. It's a bug where fw3 doesn't seem to call the user scripts on a fw3 start. I modified /etc/init.d/firewall to call fw3 restart directly after the call to fw3 start.
//edit
Hmm...
But when a firewall restart is triggered via hotplug the rules are also not applied.
I wonder why this is the case?
Manual restart always loads the rules fine.
I tried to add the option reload '1' into /etc/config/firewall but it makes no difference.
//edit
Never mind option reload '1', it seems to work fine.
The adblock package has an option to force all DNS queries to the local resolver using iptables rules. It looks quite similar to this, but I wonder if there are any things which could be added to the adblock script. @hnyman, wdyt?