build_iptables.pl

## build_iptables.pl
#!/usr/bin/perl -Tw

# build_iptables.pl domain_list [ domain_list... ]
#
# Create a firewall ruleset in iptables-restore format to create a layer 4 DNS
# proxy using NAT that filters domains from given lists.

# In this example:
# - 123.123.123.158 is the proxy address.
# - 123.123.123.{152,154,156} are the real DNS resolvers.

# Copyright (c) 2009 Terry Burton
#
# http://www.terryburton.co.uk
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
# KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
# THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
# CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
# IN THE SOFTWARE.

use strict;

die "Usage: $0 domain_list [ domain_list... ]" unless $#ARGV>=0;

my @doms=();
foreach my $filename (@ARGV) {
  open(FILE,"<$filename") or die("Unable to open file");
  @_=<FILE>;
  close(FILE);
  map {chomp} @_;
  push @doms,@_;
}

print <<'EOF';
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 123.123.123.158 -p udp -m udp --dport 53 -m statistic --mode nth --every 3 --packet 0      -m state --state new -j CONNMARK --set-mark 1
-A PREROUTING -d 123.123.123.158 -p udp -m udp --dport 53 -m statistic --mode nth --every 3 --packet 1      -m state --state new -j CONNMARK --set-mark 2
-A PREROUTING -d 123.123.123.158 -p udp -m udp --dport 53 -m statistic --mode nth --every 3 --packet 2      -m state --state new -j CONNMARK --set-mark 3
-A PREROUTING -d 123.123.123.158 -p tcp -m tcp --dport 53 -m statistic --mode random --probability 0.333333 -m state --state new -j CONNMARK --set-mark 1
-A PREROUTING -d 123.123.123.158 -p tcp -m tcp --dport 53 -m statistic --mode random --probability 0.5      -m state --state new -j CONNMARK --set-mark 2
-A PREROUTING -d 123.123.123.158 -p tcp -m tcp --dport 53                                                   -m state --state new -j CONNMARK --set-mark 3
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING  -m connmark --mark 1 -j DNAT --to-destination 123.123.123.152
-A PREROUTING  -m connmark --mark 2 -j DNAT --to-destination 123.123.123.154
-A PREROUTING  -m connmark --mark 3 -j DNAT --to-destination 123.123.123.156
-A POSTROUTING -m connmark --mark 1 -j SNAT --to-destination 123.123.123.158
-A POSTROUTING -m connmark --mark 2 -j SNAT --to-destination 123.123.123.158
-A POSTROUTING -m connmark --mark 3 -j SNAT --to-destination 123.123.123.158
COMMIT

*filter
:LOGDROP - [0:0]
-A LOGDROP -m limit --limit 1/second --limit-burst 100 -j LOG
-A LOGDROP -j DROP

:DNSCHECK - [0:0]

:FORWARD ACCEPT [0:0]
-A FORWARD -s 123.123.0.0/16 -p udp --dport 53 -m u32 --u32 "0>>22&0x3C@8>>15&0x01=0" -j DNSCHECK
-A FORWARD -s 123.123.0.0/16 -p udp --dport 53 -j ACCEPT
-A FORWARD -s 123.123.0.0/16 -p tcp --dport 53 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j LOGDROP

EOF

my $last_prefix='';
foreach my $dom (sort @doms) {
    (my $prefix,my $suffix)=$dom=~/^(..)(.*)$/;
    if ($prefix ne $last_prefix) {
      $last_prefix=$prefix;
      print ":DNSCHECK$prefix - [0:0]\n";
      if ($prefix=~/^.\./) {
        my $hex=sprintf("01%02lx", ord substr($prefix,0,1));
        print "-A DNSCHECK -m u32 --u32 \"0>>22&0x3C\@18&0xffff=0x$hex\" -j DNSCHECK$prefix\n";
      } else {
        (my $hex=$prefix)=~s/(.)/sprintf("%02lx", ord $1)/eg;
        print "-A DNSCHECK -m u32 --u32 \"0>>22&0x3C\@19&0xffff=0x$hex\" -j DNSCHECK$prefix\n";
      }
    }
    my $enc=''; my $offset=40;
    foreach (split /\./, $dom) {
      $enc.='|'.(sprintf '%02x', length)."|$_";
      $offset+=(length $_)+1;
    }
    print "-A DNSCHECK$prefix -m string --from 40 --to $offset --hex-string \"$enc|00|\" --algo bm -j LOGDROP\n";
}

print <<'EOF'
COMMIT
EOF
	#!/usr/bin/perl -Tw

	# build_iptables.pl domain_list [ domain_list... ]
	#
	# Create a firewall ruleset in iptables-restore format to create a layer 4 DNS
	# proxy using NAT that filters domains from given lists.

	# In this example:
	# - 123.123.123.158 is the proxy address.
	# - 123.123.123.{152,154,156} are the real DNS resolvers.

	# Copyright (c) 2009 Terry Burton
	#
	# http://www.terryburton.co.uk
	#
	# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
	# KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
	# THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
	# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
	# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
	# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
	# CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
	# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
	# IN THE SOFTWARE.

	use strict;

	die "Usage: $0 domain_list [ domain_list... ]" unless $#ARGV>=0;

	my @doms=();
	foreach my $filename (@ARGV) {
	open(FILE,"<$filename") or die("Unable to open file");
	@_=<FILE>;
	close(FILE);
	map {chomp} @_;
	push @doms,@_;
	}

	print <<'EOF';
	*mangle
	:PREROUTING ACCEPT [0:0]
	-A PREROUTING -d 123.123.123.158 -p udp -m udp --dport 53 -m statistic --mode nth --every 3 --packet 0 -m state --state new -j CONNMARK --set-mark 1
	-A PREROUTING -d 123.123.123.158 -p udp -m udp --dport 53 -m statistic --mode nth --every 3 --packet 1 -m state --state new -j CONNMARK --set-mark 2
	-A PREROUTING -d 123.123.123.158 -p udp -m udp --dport 53 -m statistic --mode nth --every 3 --packet 2 -m state --state new -j CONNMARK --set-mark 3
	-A PREROUTING -d 123.123.123.158 -p tcp -m tcp --dport 53 -m statistic --mode random --probability 0.333333 -m state --state new -j CONNMARK --set-mark 1
	-A PREROUTING -d 123.123.123.158 -p tcp -m tcp --dport 53 -m statistic --mode random --probability 0.5 -m state --state new -j CONNMARK --set-mark 2
	-A PREROUTING -d 123.123.123.158 -p tcp -m tcp --dport 53 -m state --state new -j CONNMARK --set-mark 3
	COMMIT

	*nat
	:PREROUTING ACCEPT [0:0]
	:POSTROUTING ACCEPT [0:0]
	-A PREROUTING -m connmark --mark 1 -j DNAT --to-destination 123.123.123.152
	-A PREROUTING -m connmark --mark 2 -j DNAT --to-destination 123.123.123.154
	-A PREROUTING -m connmark --mark 3 -j DNAT --to-destination 123.123.123.156
	-A POSTROUTING -m connmark --mark 1 -j SNAT --to-destination 123.123.123.158
	-A POSTROUTING -m connmark --mark 2 -j SNAT --to-destination 123.123.123.158
	-A POSTROUTING -m connmark --mark 3 -j SNAT --to-destination 123.123.123.158
	COMMIT

	*filter
	:LOGDROP - [0:0]
	-A LOGDROP -m limit --limit 1/second --limit-burst 100 -j LOG
	-A LOGDROP -j DROP

	:DNSCHECK - [0:0]

	:FORWARD ACCEPT [0:0]
	-A FORWARD -s 123.123.0.0/16 -p udp --dport 53 -m u32 --u32 "0>>22&0x3C@8>>15&0x01=0" -j DNSCHECK
	-A FORWARD -s 123.123.0.0/16 -p udp --dport 53 -j ACCEPT
	-A FORWARD -s 123.123.0.0/16 -p tcp --dport 53 -j ACCEPT
	-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
	-A FORWARD -j LOGDROP

	EOF

	my $last_prefix='';
	foreach my $dom (sort @doms) {
	(my $prefix,my $suffix)=$dom=~/^(..)(.*)$/;
	if ($prefix ne $last_prefix) {
	$last_prefix=$prefix;
	print ":DNSCHECK$prefix - [0:0]\n";
	if ($prefix=~/^.\./) {
	my $hex=sprintf("01%02lx", ord substr($prefix,0,1));
	print "-A DNSCHECK -m u32 --u32 \"0>>22&0x3C\@18&0xffff=0x$hex\" -j DNSCHECK$prefix\n";
	} else {
	(my $hex=$prefix)=~s/(.)/sprintf("%02lx", ord $1)/eg;
	print "-A DNSCHECK -m u32 --u32 \"0>>22&0x3C\@19&0xffff=0x$hex\" -j DNSCHECK$prefix\n";
	}
	}
	my $enc=''; my $offset=40;
	foreach (split /\./, $dom) {
	$enc.='\|'.(sprintf '%02x', length)."\|$_";
	$offset+=(length $_)+1;
	}
	print "-A DNSCHECK$prefix -m string --from 40 --to $offset --hex-string \"$enc\|00\|\" --algo bm -j LOGDROP\n";
	}

	print <<'EOF'
	COMMIT
	EOF