Using ipset to allow traffic to specific domains only on an interface that is not allowed WAN access

OK. I made that change and restarted dnsmasq:

# tail /etc/config/dhcp
...
config ipset
	list name 'allowtraffic'
	list domain 'ipinfo.io'
	list domain 'pushx.reolink.com'
	option table_family 'inet'

After restarting dnsmasq:

# grep nftset /var/etc/dnsmasq.conf*
nftset=/ipinfo.io/pushx.reolink.com/4#inet#fw4#allowtraffic

Still unable to connect out though.

Do the nslookup and nft list set again?

Yes.

On the client:

% nslookup ipinfo.io
Server:		10.9.5.1
Address:	10.9.5.1#53

Non-authoritative answer:
Name:	ipinfo.io
Address: 34.117.186.192

On the router:

# nft list set inet fw4 allowtraffic
table inet fw4 {
	set allowtraffic {
		type ipv4_addr
	}
}

This is the IP/an IP of the device running dnsmasq, correct? There should be an entry if it’s working. Can you enable dnsmasq logging temporarily while you run the nslookup?

Yes, that is the router on the iot interface. I am not sure how to enable logging on dnsmasq. I added this line to /etc/dnsmasq.conf and restarted it, but it doesn't create the file I defined.

log-facility=/tmp/dnsmasq.log

There should be a Log tab in LuCI DHCP and DNS to enable query logging.


Yes, I found it. Here is what I see from logread -f upon running the nslookup command on the client:

Mon Apr  8 10:12:52 2024 daemon.info dnsmasq[1]: 1 10.9.5.245/42679 query[A] ipinfo.io from 10.9.5.245
Mon Apr  8 10:12:52 2024 daemon.info dnsmasq[1]: 1 10.9.5.245/42679 forwarded ipinfo.io to 1.1.1.1
Mon Apr  8 10:12:52 2024 daemon.info dnsmasq[1]: 1 10.9.5.245/42679 forwarded ipinfo.io to 1.0.0.1
Mon Apr  8 10:12:52 2024 daemon.info dnsmasq[1]: 1 10.9.5.245/42679 ipset add allowtraffic 34.117.186.192 ipinfo.io
Mon Apr  8 10:12:52 2024 daemon.info dnsmasq[1]: 1 10.9.5.245/42679 nftset add 4 inet fw4 allowtraffic 34.117.186.192 ipinfo.io
Mon Apr  8 10:12:52 2024 daemon.info dnsmasq[1]: 1 10.9.5.245/42679 reply ipinfo.io is 34.117.186.192
Mon Apr  8 10:12:52 2024 daemon.info dnsmasq[1]: 2 10.9.5.245/41936 query[AAAA] ipinfo.io from 10.9.5.245
Mon Apr  8 10:12:52 2024 daemon.info dnsmasq[1]: 2 10.9.5.245/41936 forwarded ipinfo.io to 1.1.1.1
Mon Apr  8 10:12:52 2024 daemon.info dnsmasq[1]: 2 10.9.5.245/41936 reply ipinfo.io is NODATA-IPv6

And magically, curl is now working to connect to just the two domains specified. I will take a break, then recap the changes to my config files in case someone else happens upon this thread.

I cannot thank you enough for guiding me through the setup @dave14305

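The debugging loop in this thread (run the lookup, read the `nftset add` lines in `logread`, then confirm with `nft list set` that the address actually landed in the set) can be scripted. The following is an added example, not code from the posters or from OpenWrt. It parses dnsmasq query-log lines of the form shown above and the output of `nft list set inet fw4 allowtraffic`, and reports any address dnsmasq claims to have added that is missing from the live set. The sample log lines and set dump are constructed for the example: the second `nftset add` line and the address 203.0.113.10 for pushx.reolink.com are made up, and the `elements = { ... }` line is the form nft prints once a set holds members (the empty set in the thread prints no such line). On a router you would replace the samples with `logread -e nftset` and `nft list set inet fw4 allowtraffic`.

```shell
#!/bin/sh
# Added example: cross-check what dnsmasq logged as added to an nftset
# against the elements nft actually reports for that set.

# Constructed sample of `logread` output, modelled on the lines in the thread.
# The pushx.reolink.com line and its address 203.0.113.10 are invented.
SAMPLE_LOG='Mon Apr  8 10:12:52 2024 daemon.info dnsmasq[1]: 1 10.9.5.245/42679 query[A] ipinfo.io from 10.9.5.245
Mon Apr  8 10:12:52 2024 daemon.info dnsmasq[1]: 1 10.9.5.245/42679 nftset add 4 inet fw4 allowtraffic 34.117.186.192 ipinfo.io
Mon Apr  8 10:12:52 2024 daemon.info dnsmasq[1]: 1 10.9.5.245/42679 reply ipinfo.io is 34.117.186.192
Mon Apr  8 10:12:53 2024 daemon.info dnsmasq[1]: 3 10.9.5.245/50001 nftset add 4 inet fw4 allowtraffic 203.0.113.10 pushx.reolink.com'

# Constructed `nft list set inet fw4 allowtraffic` output with one element
# present; a populated set prints an "elements = { ... }" line like this.
SAMPLE_SET='table inet fw4 {
	set allowtraffic {
		type ipv4_addr
		elements = { 34.117.186.192 }
	}
}'

# Read log lines on stdin; print "ip domain" for every IPv4 nftset add into
# the named set (the "4" is the address family, so "add 6" lines are skipped).
nftset_adds() {
  set_name="$1"
  awk -v set="$set_name" '
    /nftset add 4 inet fw4 / {
      for (i = 1; i <= NF; i++)
        if ($i == "nftset" && $(i + 1) == "add" && $(i + 5) == set)
          print $(i + 6), $(i + 7)
    }'
}

# Read `nft list set` output on stdin; print one element per line. Handles
# element lists wrapped over several lines and drops per-element annotations
# such as "timeout 1h" by keeping only the first token of each entry.
set_elements() {
  sed -n '/elements = {/,/}/p' | sed 's/elements =//; s/[{}]//g' \
    | tr ',' '\n' | awk 'NF { print $1 }'
}

# Print "ip (domain)" for each logged add whose address is not in the set.
# An empty set, as in the thread before the fix, reports every add as missing.
missing_from_set() {
  log="$1"
  setdump="$2"
  elems=$(printf '%s\n' "$setdump" | set_elements)
  printf '%s\n' "$log" | nftset_adds allowtraffic | while read -r ip domain; do
    printf '%s\n' "$elems" | grep -qx "$ip" || echo "$ip ($domain)"
  done
}

# Stand-alone run: list what dnsmasq added, then what the live set lacks.
printf '%s\n' "$SAMPLE_LOG" | nftset_adds allowtraffic
missing_from_set "$SAMPLE_LOG" "$SAMPLE_SET"
```

With the constructed samples the script reports 203.0.113.10 (pushx.reolink.com) as missing, which is exactly the mismatch the thread was chasing: dnsmasq logged the add, but the set did not hold the address. If `nftset_adds` prints nothing at all, dnsmasq never tried to populate the set, and the `nftset=` line in /var/etc/dnsmasq.conf is the first thing to re-check.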