Created
February 22, 2015 00:19
-
-
Save terryburton/251ce9822fa0bc555683 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/perl -Tw | |
# build_iptables.pl domain_list [ domain_list... ] | |
# | |
# Create a firewall ruleset in iptables-restore format to create a layer 4 DNS | |
# proxy using NAT that filters domains from given lists. | |
# In this example: | |
# - 123.123.123.158 is the proxy address. | |
# - 123.123.123.{152,154,156} are the real DNS resolvers. | |
# Copyright (c) 2009 Terry Burton | |
# | |
# http://www.terryburton.co.uk | |
# | |
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY | |
# KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO | |
# THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A | |
# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL | |
# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, | |
# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF | |
# CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN | |
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS | |
# IN THE SOFTWARE. | |
use strict; | |
die "Usage: $0 domain_list [ domain_list... ]" unless $#ARGV>=0; | |
my @doms=(); | |
foreach my $filename (@ARGV) { | |
open(FILE,"<$filename") or die("Unable to open file"); | |
@_=<FILE>; | |
close(FILE); | |
map {chomp} @_; | |
push @doms,@_; | |
} | |
print <<'EOF'; | |
*mangle | |
:PREROUTING ACCEPT [0:0] | |
-A PREROUTING -d 123.123.123.158 -p udp -m udp --dport 53 -m statistic --mode nth --every 3 --packet 0 -m state --state new -j CONNMARK --set-mark 1 | |
-A PREROUTING -d 123.123.123.158 -p udp -m udp --dport 53 -m statistic --mode nth --every 3 --packet 1 -m state --state new -j CONNMARK --set-mark 2 | |
-A PREROUTING -d 123.123.123.158 -p udp -m udp --dport 53 -m statistic --mode nth --every 3 --packet 2 -m state --state new -j CONNMARK --set-mark 3 | |
-A PREROUTING -d 123.123.123.158 -p tcp -m tcp --dport 53 -m statistic --mode random --probability 0.333333 -m state --state new -j CONNMARK --set-mark 1 | |
-A PREROUTING -d 123.123.123.158 -p tcp -m tcp --dport 53 -m statistic --mode random --probability 0.5 -m state --state new -j CONNMARK --set-mark 2 | |
-A PREROUTING -d 123.123.123.158 -p tcp -m tcp --dport 53 -m state --state new -j CONNMARK --set-mark 3 | |
COMMIT | |
*nat | |
:PREROUTING ACCEPT [0:0] | |
:POSTROUTING ACCEPT [0:0] | |
-A PREROUTING -m connmark --mark 1 -j DNAT --to-destination 123.123.123.152 | |
-A PREROUTING -m connmark --mark 2 -j DNAT --to-destination 123.123.123.154 | |
-A PREROUTING -m connmark --mark 3 -j DNAT --to-destination 123.123.123.156 | |
-A POSTROUTING -m connmark --mark 1 -j SNAT --to-destination 123.123.123.158 | |
-A POSTROUTING -m connmark --mark 2 -j SNAT --to-destination 123.123.123.158 | |
-A POSTROUTING -m connmark --mark 3 -j SNAT --to-destination 123.123.123.158 | |
COMMIT | |
*filter | |
:LOGDROP - [0:0] | |
-A LOGDROP -m limit --limit 1/second --limit-burst 100 -j LOG | |
-A LOGDROP -j DROP | |
:DNSCHECK - [0:0] | |
:FORWARD ACCEPT [0:0] | |
-A FORWARD -s 123.123.0.0/16 -p udp --dport 53 -m u32 --u32 "0>>22&0x3C@8>>15&0x01=0" -j DNSCHECK | |
-A FORWARD -s 123.123.0.0/16 -p udp --dport 53 -j ACCEPT | |
-A FORWARD -s 123.123.0.0/16 -p tcp --dport 53 -j ACCEPT | |
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT | |
-A FORWARD -j LOGDROP | |
EOF | |
my $last_prefix=''; | |
foreach my $dom (sort @doms) { | |
(my $prefix,my $suffix)=$dom=~/^(..)(.*)$/; | |
if ($prefix ne $last_prefix) { | |
$last_prefix=$prefix; | |
print ":DNSCHECK$prefix - [0:0]\n"; | |
if ($prefix=~/^.\./) { | |
my $hex=sprintf("01%02lx", ord substr($prefix,0,1)); | |
print "-A DNSCHECK -m u32 --u32 \"0>>22&0x3C\@18&0xffff=0x$hex\" -j DNSCHECK$prefix\n"; | |
} else { | |
(my $hex=$prefix)=~s/(.)/sprintf("%02lx", ord $1)/eg; | |
print "-A DNSCHECK -m u32 --u32 \"0>>22&0x3C\@19&0xffff=0x$hex\" -j DNSCHECK$prefix\n"; | |
} | |
} | |
my $enc=''; my $offset=40; | |
foreach (split /\./, $dom) { | |
$enc.='|'.(sprintf '%02x', length)."|$_"; | |
$offset+=(length $_)+1; | |
} | |
print "-A DNSCHECK$prefix -m string --from 40 --to $offset --hex-string \"$enc|00|\" --algo bm -j LOGDROP\n"; | |
} | |
print <<'EOF' | |
COMMIT | |
EOF |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment