Provider traffic policies by DNS names #1597

Closed
6 tasks done
Waldz opened this issue Jan 30, 2020 · 2 comments · Fixed by #1754
Comments

@Waldz (Member)
Waldz commented Jan 30, 2020

As a provider I want to share my network
While blocking everything and whitelisting domains/services which I allow
While allowing everything and blacklisting domains/services which I block

Tasks:

Resources:

  1. Create custom chain, which can be turned on/off:
# Resolve the name to allow; the four addresses below are the A records it returned
nslookup ipinfo.io

# Show the chain's rules if it already exists (fails if it does not)
iptables -S PROVIDER_DNS_FIREWALL

# Create the chain: accept packets arriving on tun0 for the resolved addresses, drop the rest
iptables -N PROVIDER_DNS_FIREWALL
iptables -A PROVIDER_DNS_FIREWALL -i tun0 -d 216.239.32.21 -j ACCEPT
iptables -A PROVIDER_DNS_FIREWALL -i tun0 -d 216.239.34.21 -j ACCEPT
iptables -A PROVIDER_DNS_FIREWALL -i tun0 -d 216.239.36.21 -j ACCEPT
iptables -A PROVIDER_DNS_FIREWALL -i tun0 -d 216.239.38.21 -j ACCEPT
iptables -A PROVIDER_DNS_FIREWALL -i tun0 -j DROP

# Turn on: jump into the chain from INPUT (turn off with -D in place of -I).
# INPUT only sees packets addressed to the provider host itself; consumer traffic
# routed through the provider traverses FORWARD instead.
iptables -I INPUT -i tun0 -j PROVIDER_DNS_FIREWALL
  2. Create set of IPs which are allowed:
nslookup ipinfo.io

# hash:ip with --netmask 24 stores each added address as its /24 network,
# so every host in 216.239.32.0/24 (and the other three /24s) matches, not only the listed ones
ipset create dns-firewall hash:ip --netmask 24 --hashsize 64
ipset add dns-firewall 216.239.32.21
ipset add dns-firewall 216.239.34.21
ipset add dns-firewall 216.239.36.21
ipset add dns-firewall 216.239.38.21

ipset list dns-firewall
  3. Block by this dynamic set of IPs:
# Accept destinations in the set, drop everything else arriving on tun0
iptables -A PROVIDER_DNS_FIREWALL -m set --match-set dns-firewall dst -j ACCEPT
iptables -A PROVIDER_DNS_FIREWALL -i tun0 -j DROP

iptables -I INPUT -i tun0 -j PROVIDER_DNS_FIREWALL
  4. Allow all Mysterium services to custom chain
@Waldz (Member Author)

Waldz commented Jan 30, 2020

# On provider: watch the VPN interface, no name resolution of the peers
tcpdump -i tun0 -n

# On consumer
curl http://ipinfo.io/
# Provider sees the consumer's (10.8.0.3) SYN to port 80 and the SYN-ACK coming back on tun0
16:16:15.658389 IP 10.8.0.3.37818 > any-in-2415.1e100.net.80: Flags [S], seq 4127944465, win 29200, options [mss 1358,sackOK,TS val 1983318 ecr 0,nop,wscale 7], length 0
16:16:15.669859 IP any-in-2415.1e100.net.80 > 10.8.0.3.37818: Flags [S.], seq 452878380, ack 4127944466, win 65535, options [mss 1460,wscale 2,eol], length 0

@Waldz Waldz added this to Icebox in Engineering via automation Jan 30, 2020
@Waldz Waldz moved this from Icebox to In progress in Engineering Jan 30, 2020
@Waldz (Member Author)

Waldz commented Jan 30, 2020

Works! Researched commands:

# Resolve the name to allow; the four addresses below are its A records
nslookup ipinfo.io

# Allowed destinations as an ipset (--netmask 24 stores each entry as its whole /24)
ipset create dns-firewall hash:ip --netmask 24 --hashsize 64
ipset add dns-firewall 216.239.32.21
ipset add dns-firewall 216.239.34.21
ipset add dns-firewall 216.239.36.21
ipset add dns-firewall 216.239.38.21
ipset list dns-firewall

# Chain: accept destinations in the set, drop everything else
iptables -N PROVIDER_DNS_FIREWALL
iptables -A PROVIDER_DNS_FIREWALL -m set --match-set dns-firewall dst -j ACCEPT
iptables -A PROVIDER_DNS_FIREWALL -j DROP

# Apply to traffic forwarded from the VPN subnet (iptables normalises 10.8.0.1/24 to 10.8.0.0/24)
iptables -I FORWARD -s 10.8.0.1/24 -j PROVIDER_DNS_FIREWALL
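The commands in the issue body and in the comment above hand-copy the addresses that `nslookup` printed once; a whitelist keyed on DNS names only stays correct if it is re-resolved and the set is refreshed without a window in which the chain matches against an empty or half-filled set. The script below is an added example, not code from this issue or from the Mysterium node: it resolves a list of names, builds the `dns-firewall` set in a scratch set and swaps it in atomically, refuses to install an empty set when resolution fails, and installs the `PROVIDER_DNS_FIREWALL` chain into `FORWARD` for the `10.8.0.0/24` subnet as the last comment does. The set and chain names and the subnet come from the thread; `DNS_SERVER=10.8.0.1` (assumed to be the provider's tun0 address), the conntrack and DNS allow rules, and the `DRY_RUN` switch are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the Mysterium issue or the project's code): refreshable
# DNS-name whitelist built on ipset + iptables. Set/chain names and VPN subnet are
# taken from the thread; DNS_SERVER, the conntrack/DNS rules and DRY_RUN are assumed.
set -eu

SET_NAME="${SET_NAME:-dns-firewall}"
CHAIN="${CHAIN:-PROVIDER_DNS_FIREWALL}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
DNS_SERVER="${DNS_SERVER:-10.8.0.1}"   # assumed provider-side tun0 address
DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute, or only print the command when DRY_RUN=1, so the generated
# rules can be reviewed (or tested) without root and without touching the kernel.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# is_ipv4 ADDR: accept only dotted quads, so nothing else reaches ipset.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# resolve_ipv4 NAME...: current A records of the names, one per line, deduplicated.
# getent follows nsswitch.conf, so the result is what this host itself resolves.
resolve_ipv4() {
    for name in "$@"; do
        getent ahostsv4 "$name" | awk '{ print $1 }'
    done | sort -u
}

# build_set IP...: fill a scratch set and swap it in. `ipset swap` exchanges the two
# sets in one operation, so rules referencing $SET_NAME never match a half-filled
# set. Unlike the thread's `--netmask 24`, exact hosts are stored: the /24 variant
# would also admit every other host in each resolved /24.
build_set() {
    if [ $# -eq 0 ]; then
        # Resolution returned nothing (resolver down, typo): keep the previous set
        # rather than swapping in an empty one that would drop all consumer traffic.
        echo "refusing to install an empty whitelist; previous set kept" >&2
        return 1
    fi
    tmp="${SET_NAME}-tmp"
    run ipset create "$SET_NAME" hash:ip -exist
    run ipset create "$tmp" hash:ip -exist
    run ipset flush "$tmp"
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "skipping non-IPv4 entry: $ip" >&2; continue; }
        run ipset add "$tmp" "$ip" -exist
    done
    run ipset swap "$tmp" "$SET_NAME"
    run ipset destroy "$tmp"
}

# install_chain: (re)build the chain and hook it into FORWARD for the VPN subnet,
# as the last comment in the thread does. Replies to allowed connections pass via
# conntrack state, and DNS is allowed only to the provider's own resolver so that
# consumers can still look up the whitelisted names. build_set must run first,
# because the set must exist before a rule can reference it.
install_chain() {
    run iptables -N "$CHAIN" 2>/dev/null || true
    run iptables -F "$CHAIN"
    run iptables -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A "$CHAIN" -d "$DNS_SERVER" -p udp --dport 53 -j ACCEPT
    run iptables -A "$CHAIN" -d "$DNS_SERVER" -p tcp --dport 53 -j ACCEPT
    run iptables -A "$CHAIN" -m set --match-set "$SET_NAME" dst -j ACCEPT
    run iptables -A "$CHAIN" -j DROP
    # Add the FORWARD jump only once (-C checks for an identical existing rule).
    if [ "$DRY_RUN" = 1 ] || ! iptables -C FORWARD -s "$VPN_NET" -j "$CHAIN" 2>/dev/null; then
        run iptables -I FORWARD -s "$VPN_NET" -j "$CHAIN"
    fi
}

# Usage (as root):
#   ALLOW_NAMES="ipinfo.io" sh dns-firewall.sh setup     # once
#   ALLOW_NAMES="ipinfo.io" sh dns-firewall.sh refresh   # from cron, as records change
# $ALLOW_NAMES and $ips are deliberately unquoted: they are word lists.
case "${1:-}" in
    setup)   ips=$(resolve_ipv4 ${ALLOW_NAMES:-}); build_set $ips; install_chain ;;
    refresh) ips=$(resolve_ipv4 ${ALLOW_NAMES:-}); build_set $ips ;;
esac
```

Two caveats remain even with the refresh in place. The provider resolves the names, not the consumer, so a CDN or round-robin host that hands the consumer a different address than it handed the provider is dropped; widening the match as the thread's `--netmask 24` does papers over that at the cost of admitting neighbouring hosts. And this only covers IPv4: IPv6 traffic over the tunnel needs an `ip6tables` chain and a `family inet6` set of its own, or it bypasses the policy entirely.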
