firewall rules via user scripts (services-start, nat-start) not working

[peiskos]

Hi all,

Apologies if this is straight-forward; I'm not very technically savvy in this area, but this forum seemed like the right place to post a question about it.

I use a DNS filter on my home network router (Asus RT-N66U, running Merlin 380.70). I'm want to prevent users from using 3rd party DNS servers (like Google's), so I'm trying to follow this article:

https://help.dnsfilter.com/hc/en-us/articles/1500008113261-Preventing-Circumvention

I've tried implementing this via the services-start user script and the nat-start user script, but neither seem to work (if I set my DNS to Google's I can still bypass the DNS filter).
Here's what I've got in each script, both of which are stored in /jffs/scripts.
services-start

#!/bin/sh
touch /tmp/000services-start
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 103.247.36.36
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 103.247.36.36

nat-start

#!/bin/sh
touch /tmp/000nat-start
iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to 103.247.36.36:53
    iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to 103.247.37.37:53
touch /tmp/000nat-stop

The touch commands run, but the iptables commands don't seem to do what I'd like them to (force all users to use DNS filter DNS servers).
I've enabled JFFS custom scripts and configs on my router's page, and I've given rights to my scripts via

chmod a+rx /jffs/scripts/*

Thanks in advance for any help or suggestions!

 

[ColinTaylor]

Why aren't you using just the router's built-in DNSFilter function? It creates exactly the same iptables rules that you are trying to do.

 

[peiskos]

I don't believe my router has that option. Here's a screenshot of the LAN page (notice there's no DNSFilter tab):

 

[ColinTaylor]

I believe it's under Parental Controls (it was moved in later firmware versions).

 

[L&LD]

No, your router doesn't have that option with that wildly out-of-date firmware.

You should consider using your RT-N66U with @john9527's firmware. I can't remember if it has DNSFilter in it, but it will be vastly more secure.

 

[ColinTaylor]

No, your router doesn't have that option with that wildly out-of-date firmware.

Yes it does. RMerlin added it in 2014.

 

[peiskos]

Apparently it does have the option, thanks for pointing out its location Colin.
@L&LD it's the latest compatible firmware for my router according to the asus merlin page.

So I've been twiddling with the DNSFilter options, but I can't get it to work or do anything. Am I missing something here? (attached screenshots of my configuration) Sorry again if I'm missing something obvious. My DNS Filter (the service, not the router setting) works fine if my router's users don't specify their own DNS, but as soon as I set my macbook to use Google's public DNS I can bypass the filter.

 

[ColinTaylor]

This DNSFilter technique only works with standard DNS requests (port 53). If your macbook is using DoH or DoT it will bypass this type of filtering.

Apple adds support for encrypted DNS (DoH and DoT)

Apple said this week that iOS 14 and macOS 11 will support the DNS-over-HTTPS and DNS-over-TLS protocols.

www.zdnet.com

P.S. On LAN - DHCP Server the DNS Server 1 & 2 fields should be blank.

 

[L&LD]

@john9527's fork of RMerlin's firmware is much more up-to-date, and with more features, fixes, and possibilities (scripts) too.

Release - [Fork] Asuswrt-Merlin 374 LTS release 52E3 | SmallNetBuilder Forums (snbforums.com)

 

[peiskos]

Thanks @ColinTaylor; you were right. Disabling "Use secure DNS" on Chrome made the router's DNSFilter settings work.

Now I'd like to block as many DoH providers as I can. I found this useful publicly-maintained list:

https://raw.githubusercontent.com/oneoffdallas/dohservers/master/iplist.txt

However, doing this using the "Route" option on my router is not feasible because it only accepts a limited number of IP addresses (attached an example screenshot).

Are there any other ways to get my firewall to block the IP addresses listed at the page above?

 

[ColinTaylor]

I think you might be able to use Diversion (ad-blocking) with a DoH block list. Check the Diversion thread.

To block large list of IP addresses you'd need to create an ipset script. https://github.com/RMerl/asuswrt-merlin.ng/wiki/Using-ipset

 

[peiskos]

Figured out how to block a large list of DOH providers using a firewall-start script (without diversion or an ipset script). The template of the script is:

#!/bin/sh
touch /tmp/000firewall-start
# Repeat for each DOH provider
iptables -I FORWARD -s x.x.x.x -j DROP
iptables -I FORWARD -d x.x.x.x -j DROP
touch /tmp/000firewall-stop

I downloaded this list of DOH providers:

https://raw.githubusercontent.com/oneoffdallas/dohservers/master/iplist.txt

And had a python script generate the firewall-start script, where 'iplist.txt' is the downloaded text list:

to_write = ['#!/bin/sh', '\n',
            'touch /tmp/000firewall-start', '\n']

with open('iplist.txt', 'r') as iplist:
    for line in iplist:
        if line[0] not in ['#', '\n', ' ']:
            str = line.replace('\n', '')
            command_1 = f'iptables -I FORWARD -s {str} -j DROP'
            command_2 = f'iptables -I FORWARD -d {str} -j DROP'
            to_write.extend([command_1, '\n', command_2, '\n'])
to_write.append('touch /tmp/000firewall-stop')

with open('firewall-start', 'w') as script:
    script.writelines(to_write)

Then copied the firewall-start script to my router via scp and rebooted.

scp /local/path/to/firewall/script/firewall-start router_name@192.168.1.1:/jffs/scripts/firewall-start

It's working with no issues now. Hope this helps anyone else trying to do the same.

 

[eibgrad]

@peiskos

FYI. That list of DOH providers doesn't make for a very efficient firewall. For example, it enumerates every IP from 45.90.28.1 thru 45.90.28.254, and 45.90.30.1 thru 45.90.30.254, for NextDNS, when it would be far more efficient to simply specify 45.90.28.0/24 and 45.90.30.0/24, respectively. IOW, convert them to class C networks.

Also, there's no need to be checking all those IPs for each and every packet. Once a NEW connection is established (which means it passed muster), there's no further need to check it. It would be far better to place the list of IPs in their own user-defined chain, then only check the chain on new TCP connections.

iptables -N block_doh
iptables -A block_doh -d 168.235.81.167 -j REJECT
iptables -A block_doh -d 176.56.236.175 -j REJECT
...
iptables -A block_doh -j RETURN
iptables -I FORWARD -p tcp -m state --state NEW -j block_doh