From 119be55165dc87e82eaeec53faba10e9b45d3a01 Mon Sep 17 00:00:00 2001
From: exodious
Date: Sun, 21 Jun 2020 22:08:12 -0400
Subject: [PATCH] Add modularized nextdns config w/IPv6 support
---
 nextdns/udm-files/on_boot.d/20-nextdns.sh | 79 +++++++++++++++++++++++
 nextdns/udm-files/on_boot.sh | 25 -------
 2 files changed, 79 insertions(+), 25 deletions(-)
 create mode 100644 nextdns/udm-files/on_boot.d/20-nextdns.sh
 delete mode 100644 nextdns/udm-files/on_boot.sh
diff --git a/nextdns/udm-files/on_boot.d/20-nextdns.sh b/nextdns/udm-files/on_boot.d/20-nextdns.sh
new file mode 100644
index 0000000..be1be72
--- /dev/null
+++ b/nextdns/udm-files/on_boot.d/20-nextdns.sh
@@ -0,0 +1,79 @@
+#!/bin/sh
+
+## configuration variables:
+VLAN=5
+IPV4_IP="10.0.5.3"
+IPV4_GW="10.0.5.1/24"
+
+# if you want IPv6 support, generate a ULA, select an IP for nextdns and an
+# appropriate gateway address on the same /64 network. Make sure that the
+# 20-dns.conflist is updated appropriately. It will need the IP and GW added
+# along with a ::/0 route. Also make sure that additional --dns options are
+# passed to podman with your nextdns IPv6 DNS IPs when deploying the nextdns
+# container for the first time.
+IPV6_IP=""
+IPV6_GW=""
+
+# set this to the interface(s) on which you want DNS TCP/UDP port 53 traffic
+# re-routed through nextdns. separate interfaces with spaces.
+#e.g. "br0" or "br0 br1"
+FORCED_INTFC=""
+
+# uncomment after after the container has been deployed
+#PODMAN_START=1
+
+## nextdns network configuration and startup:
+
+mkdir -p /opt/cni
+ln -s /mnt/data/podman/cni/ /opt/cni/bin
+ln -s /mnt/data/podman/cni/20-dns.conflist /etc/cni/net.d/20-dns.conflist
+
+# set VLAN bridge promiscuous
+ip link set br${VLAN} promisc on
+
+# create macvlan bridge and add IPv4 IP
+ip link add br${VLAN}.mac link br${VLAN} type macvlan mode bridge
+ip addr add ${IPV4_GW} dev br${VLAN}.mac noprefixroute
+
+# (optional) add IPv6 IP to VLAN bridge macvlan bridge
+if [ -n "${IPV6_GW}" ]; then
+ ip -6 addr add ${IPV6_GW} dev br${VLAN}
+ ip -6 addr add ${IPV6_GW} dev br${VLAN}.mac noprefixroute
+fi
+
+# set macvlan bridge promiscuous and bring it up
+ip link set br${VLAN}.mac promisc on
+ip link set br${VLAN}.mac up
+
+# add IPv4 route to nextdns
+ip route add ${IPV4_IP}/32 dev br${VLAN}.mac
+
+# (optional) add IPv6 route to nextdns
+if [ -n "${IPV6_IP}" ]; then
+ ip -6 route add ${IPV6_IP}/128 dev br${VLAN}.mac
+fi
+
+# Start the container
+if [ "${PODMAN_START}" == "1" ]; then
+ podman start nextdns
+fi
+
+# (optional) IPv4 force DNS (TCP/UDP 53) through nextdns
+for intfc in ${FORCED_INTFC}; do
+ for proto in udp tcp; do
+ prerouting_rule="PREROUTING -i ${intfc} -p ${proto} ! -s ${IPV4_IP} ! -d ${IPV4_IP} --dport 53 -j DNAT --to ${IPV4_IP}"
+ iptables -t nat -C ${prerouting_rule} || iptables -t nat -A ${prerouting_rule}
+
+ postrouting_rule="POSTROUTING -o ${intfc} -d ${IPV4_IP} -p ${proto} --dport 53 -j MASQUERADE"
+ iptables -t nat -C ${postrouting_rule} || iptables -t nat -A ${postrouting_rule}
+
+ # (optional) IPv6 force DNS (TCP/UDP 53) through nextdns
+ if [ -n "${IPV6_IP}" ]; then
+ prerouting_rule="PREROUTING -i ${intfc} -p ${proto} ! -s ${IPV6_IP} ! -d ${IPV6_IP} --dport 53 -j DNAT --to ${IPV6_IP}"
+ ip6tables -t nat -C ${prerouting_rule} || ip6tables -t nat -A ${prerouting_rule}
+
+ postrouting_rule="POSTROUTING -o ${intfc} -d ${IPV6_IP} -p ${proto} --dport 53 -j MASQUERADE"
+ ip6tables -t nat -C ${postrouting_rule} || ip6tables -t nat -A ${postrouting_rule}
+ fi
+ done
+done
diff --git a/nextdns/udm-files/on_boot.sh b/nextdns/udm-files/on_boot.sh
deleted file mode 100644
index 64d1201..0000000
--- a/nextdns/udm-files/on_boot.sh
+++ /dev/null
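Review bot: The container start test `if [ "${PODMAN_START}" == "1" ]; then` uses `==`, which POSIX `test` does not define, while the file is declared `#!/bin/sh`; on a dash-style sh that line fails with "unexpected operator" and `podman start nextdns` never runs even after PODMAN_START is uncommented (busybox ash accepts `==`, so whether this bites depends on which sh the UDM ships). The portable form is `if [ "${PODMAN_START}" = "1" ]; then`. The `-C || -A` idiom keeps the iptables/ip6tables rules idempotent, but the `ln -s` and `ip link add` lines earlier in the hunk are not, so a second run of the script (if on_boot.d scripts are ever re-executed) prints errors from those commands and, with no `set -e`, carries on regardless; guarding them with an existence test such as `[ -e /opt/cni/bin ] || ln -s /mnt/data/podman/cni/ /opt/cni/bin` would make the boot script safe to re-run. It is also worth a comment next to FORCED_INTFC stating that only plain DNS on port 53 is redirected, so clients that use DNS-over-TLS or DNS-over-HTTPS are not covered by this forced-DNS control.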
@@ -1,25 +0,0 @@
-#!/bin/sh
-
-mkdir -p /opt/cni
-ln -s /mnt/data/podman/cni/ /opt/cni/bin
-ln -s /mnt/data/podman/cni/20-dns.conflist /etc/cni/net.d/20-dns.conflist
-
-# Assumes your Podman network made in the controller is on VLAN 5
-# Adjust the IP to match the address in your cni configuration
-ip link set br5 promisc on
-
-ip link add br5.mac link br5 type macvlan mode bridge
-ip addr add 10.0.5.1/24 dev br5.mac noprefixroute
-ip link set br5.mac promisc on
-ip link set br5.mac up
-
-ip route add 10.0.5.3/32 dev br5.mac
-
-# Remove the # on the line below when Docker container is deployed.
-#podman start nextdns
-
-# optional if you dont want to force everything through nextdns. also add anymore bridges for other networks (br5, 10 etc), un comment if you want to use them
-# iptables -t nat -C PREROUTING -i br0 -p udp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3 || iptables -t nat -A PREROUTING -i br0 -p udp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3
-# iptables -t nat -C PREROUTING -i br0 -p tcp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3 || iptables -t nat -A PREROUTING -i br0 -p tcp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3
-# iptables -t nat -C POSTROUTING -o br0 -d 10.0.5.3 -p tcp --dport 53 -j MASQUERADE || iptables -t nat -A POSTROUTING -o br0 -d 10.0.5.3 -p tcp --dport 53 -j MASQUERADE
-# iptables -t nat -C POSTROUTING -o br0 -d 10.0.5.3 -p udp --dport 53 -j MASQUERADE || iptables -t nat -A POSTROUTING -o br0 -d 10.0.5.3 -p udp --dport 53 -j MASQUERADE