    PiHole for Friends and Family

    IT Discussion
    67 Posts 14 Posters 11.1k Views
    • RomoR
      Romo @NashBrydges
      last edited by

      @nashbrydges Haven't set the script to run via cron yet. It is still printing some strings to stdout while I fully complete it; I plan to add a log file and redirect the output to it.

      I'll focus on finishing it properly for Ubuntu so you can properly test it.

      1 Reply Last reply Reply Quote 1
      • RomoR
        Romo
        last edited by Romo

        But if you want to test it manually, I think it is working properly.

        # Starting from empty firewall
        ~/scripts/python$ sudo ufw status
        Status: active
        
        #Running script for the first time
        ~/scripts/python$ sudo python dns-to-ip-firewall-rules.py 
        
        Adding to firewall
        mangolassi.it - 104.25.46.32
        
        Adding to firewall
        google.com - 172.217.12.78
        
        Adding to firewall
        theverge.com - 151.101.65.52
        
        # Checking to see if rules were created.
        ~/scripts/python$ sudo ufw status
        Status: active
        
        To                         Action      From
        --                         ------      ----
        53                         ALLOW       104.25.46.32              
        53                         ALLOW       172.217.12.78             
        53                         ALLOW       151.101.65.52  
        
        # Running script again to check for ip changes.
        ~/scripts/python$ sudo python dns-to-ip-firewall-rules.py 
        
        Same ip address nothing to do
        mangolassi.it - 104.25.46.32
        
        Same ip address nothing to do
        google.com - 172.217.12.78
        
        Adding theverge.com ip 151.101.129.52 - removing 151.101.65.52
        theverge.com - 151.101.129.52
        
        # Verifying ip changes are added to the firewall, and old ip are removed.
        ~/scripts/python$ sudo ufw status
        Status: active
        
        To                         Action      From
        --                         ------      ----
        53                         ALLOW       104.25.46.32              
        53                         ALLOW       172.217.12.78             
        53                         ALLOW       151.101.129.52 
        
        

        At least for DNS and Ubuntu I think it does what @aaronstuder asked for originally. The idea of custom ports could be done as well, probably just by adding a list of ports you wish to open for each domain.

        1 Reply Last reply Reply Quote 0
        • RomoR
          Romo @Alex Sage
          last edited by

          @aaronstuder said in PiHole for Friends and Family:

          @romo I love your script! Thank you so much! Sorry I didn't reply before, somehow I missed your post 😕

          Can you make this so I can set whatever ports I want? In the example I gave before I just wanted to do DNS but now my mind is spinning with other ideas 🙂

          @aaronstuder Different ports per domain or just add a list of custom ports for all domains?

          A 1 Reply Last reply Reply Quote 0
          • A
            Alex Sage @Romo
            last edited by Alex Sage

            @romo said in PiHole for Friends and Family:

            @aaronstuder said in PiHole for Friends and Family:

            @romo I love your script! Thank you so much! Sorry I didn't reply before, somehow I missed your post 😕

            Can you make this so I can set whatever ports I want? In the example I gave before I just wanted to do DNS but now my mind is spinning with other ideas 🙂

            @aaronstuder Different ports per domain or just add a list of custom ports for all domains?

            @Romo Same ports for all domains, but then maybe allowing all ports, since we are restricting by IP address already.

            Seems like:

            sudo ufw allow from 123.45.67.89
            

            Would work?

            RomoR 1 Reply Last reply Reply Quote 0
            • RomoR
              Romo @Alex Sage
              last edited by

              @aaronstuder said in PiHole for Friends and Family:

              @romo said in PiHole for Friends and Family:

              @aaronstuder said in PiHole for Friends and Family:

              @romo I love your script! Thank you so much! Sorry I didn't reply before, somehow I missed your post 😕

              Can you make this so I can set whatever ports I want? In the example I gave before I just wanted to do DNS but now my mind is spinning with other ideas 🙂

              @aaronstuder Different ports per domain or just add a list of custom ports for all domains?

              @Romo Same ports for all domains, but then maybe allowing all ports, since we are restricting by IP address already.

              Seems like:

              sudo ufw allow from 123.45.67.89
              

              Would work?

              Well that's gonna be much easier.

              Just finished a custom-ports branch that gives you the ability to specify ports and protocol (tcp/udp).

              # Starting from empty firewall
              ~/scripts/python$ sudo ufw status
              Status: active
              
              # Running script for the first time
              ~/scripts/python$ sudo python dns-to-ip-firewall-rules.py 
              
              Adding to firewall
              mangolassi.it - 104.25.47.32
              
              Adding to firewall
              google.com - 172.217.1.238
              
              Adding to firewall
              example.com - 93.184.216.34 
              
              # Verifying ips with ports and protocols are added
              ~/scripts/python$ sudo ufw status
              Status: active
              
              To                         Action      From
              --                         ------      ----
              53/udp                     ALLOW       93.184.216.34             
              22                         ALLOW       93.184.216.34             
              80/tcp                     ALLOW       93.184.216.34             
              53/udp                     ALLOW       172.217.1.238             
              22                         ALLOW       172.217.1.238             
              80/tcp                     ALLOW       172.217.1.238             
              53                         ALLOW       104.25.47.32              
              443/tcp                    ALLOW       104.25.47.32
              
              
              1 Reply Last reply Reply Quote 0
              • RomoR
                Romo
                last edited by

                Added the allow-all-ports option for a domain; it is also in the custom-ports branch if you wanna test it and let me know if it works properly for you. I'll merge it to master if it works ok and start removing everything that prints to stdout.

                # DOMAINS TO ADD
                # ---
                # arstechnica - all ports
                # theverge - all ports
                # mangolassi.it -  53/(udp-tcp), 443/tcp
                # example.com - 53/udp, 22/(udp-tcp), 80/tcp
                # google.com - 53/udp, 22/(udp-tcp), 80/tcp
                # ---
                
                ~/scripts/python/dns_to_ip_firewall_rules$ sudo python dns-to-ip-firewall-rules.py 
                
                Adding to firewall
                theverge.com - 151.101.65.52
                
                Adding to firewall
                arstechnica.com - 50.31.169.131
                
                Adding to firewall
                google.com - 216.58.194.142
                
                Adding to firewall
                example.com - 93.184.216.34
                
                Adding to firewall
                mangolassi.it - 104.25.47.32
                
                # Checking firewall rules
                ~/scripts/python/dns_to_ip_firewall_rules$ sudo ufw status
                Status: active
                
                To                         Action      From
                --                         ------      ----
                Anywhere                   ALLOW       151.101.65.52             
                Anywhere                   ALLOW       50.31.169.131             
                53/udp                     ALLOW       216.58.194.142            
                22                         ALLOW       216.58.194.142            
                80/tcp                     ALLOW       216.58.194.142            
                53/udp                     ALLOW       93.184.216.34             
                22                         ALLOW       93.184.216.34             
                80/tcp                     ALLOW       93.184.216.34             
                53                         ALLOW       104.25.47.32              
                443/tcp                    ALLOW       104.25.47.32 
                
                # Re running script
                ~/scripts/python/dns_to_ip_firewall_rules$ sudo python dns-to-ip-firewall-rules.py 
                
                Adding theverge.com ip 151.101.129.52 - removing 151.101.65.52
                theverge.com - 151.101.129.52
                
                Same ip address nothing to do
                arstechnica.com - 50.31.169.131
                
                Adding google.com ip 172.217.2.238 - removing 216.58.194.142
                google.com - 172.217.2.238
                
                Same ip address nothing to do
                example.com - 93.184.216.34
                
                Adding mangolassi.it ip 104.25.46.32 - removing 104.25.47.32
                mangolassi.it - 104.25.46.32
                
                # Final Results
                ~/scripts/python/dns_to_ip_firewall_rules$ sudo ufw status
                Status: active
                
                To                         Action      From
                --                         ------      ----
                Anywhere                   ALLOW       151.101.65.52             
                Anywhere                   ALLOW       50.31.169.131             
                53/udp                     ALLOW       93.184.216.34             
                22                         ALLOW       93.184.216.34             
                80/tcp                     ALLOW       93.184.216.34             
                Anywhere                   ALLOW       151.101.129.52            
                53/udp                     ALLOW       172.217.2.238             
                22                         ALLOW       172.217.2.238             
                80/tcp                     ALLOW       172.217.2.238             
                53                         ALLOW       104.25.46.32              
                443/tcp                    ALLOW       104.25.46.32
                A 1 Reply Last reply Reply Quote 0
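The add/remove cycle shown in the runs above (resolve each domain, compare with the last known address, delete the rule for the old address and add one for the new, with per-domain port/protocol lists or "all ports") can be written as a small planner. This is an added example, not Romo's script: the resolver is injected so the demo runs offline against a constructed address table, the port notation follows the config comments in the post (`53/udp-tcp`, `443/tcp`, `all`), and the function returns the ufw commands instead of executing them, which also makes it easy to review what would change before running it under sudo.

```python
"""Plan ufw rule changes for hosts tracked by DDNS name.

Added example, not the thread's script. Each domain is resolved through an
injected resolver, the result is diffed against the previously recorded
address, and the ufw commands that would be run are returned (nothing is
executed here).
"""
import json
import socket
from pathlib import Path

# Per-domain port specs in the notation of the thread's config comments:
# "all" opens every port, "53/udp-tcp" means both protocols, "443/tcp" one.
DOMAINS = {
    "theverge.com": "all",
    "mangolassi.it": "53/udp-tcp, 443/tcp",
    "example.com": "53/udp, 22/udp-tcp, 80/tcp",
}


def parse_ports(spec):
    """'53/udp-tcp, 443/tcp' -> [(53,'udp'), (53,'tcp'), (443,'tcp')]; 'all' -> []."""
    if spec.strip() == "all":
        return []
    out = []
    for item in spec.split(","):
        port, _, protos = item.strip().partition("/")
        for proto in (protos or "tcp-udp").split("-"):   # bare port = both protocols
            out.append((int(port), proto))
    return out


def ufw_rules(ip, spec):
    """Render the ufw rule bodies (without 'allow'/'delete') for one address."""
    ports = parse_ports(spec)
    if not ports:
        return [f"from {ip}"]                # all ports from this source
    return [f"from {ip} to any port {port} proto {proto}" for port, proto in ports]


def system_resolver(domain):
    """Real resolver; the demo injects a dict lookup instead so it runs offline."""
    return socket.gethostbyname(domain)


def plan(domains, resolve, state):
    """Return (commands, new_state); state maps domain -> last known IP."""
    commands, new_state = [], {}
    for domain, spec in domains.items():
        ip = resolve(domain)
        new_state[domain] = ip
        old = state.get(domain)
        if old == ip:
            continue                          # same address, nothing to do
        if old is not None:
            # Drop the stale address first so a host never keeps two entries.
            commands += [f"ufw delete allow {r}" for r in ufw_rules(old, spec)]
        commands += [f"ufw allow {r}" for r in ufw_rules(ip, spec)]
    return commands, new_state


def run(domains, resolve, state_file):
    """Load the recorded addresses, plan the changes, persist the new state."""
    path = Path(state_file)
    state = json.loads(path.read_text()) if path.exists() else {}
    commands, new_state = plan(domains, resolve, state)
    path.write_text(json.dumps(new_state))
    return commands


if __name__ == "__main__":
    # Constructed resolver tables standing in for DNS; the addresses are the
    # ones printed in the thread's sample runs (theverge.com changes between runs).
    first = {"theverge.com": "151.101.65.52", "mangolassi.it": "104.25.47.32",
             "example.com": "93.184.216.34"}
    cmds, state = plan(DOMAINS, first.get, {})
    print("\n".join(cmds))
    second = dict(first, theverge_com="151.101.129.52")
    second["theverge.com"] = second.pop("theverge_com")
    cmds, state = plan(DOMAINS, second.get, state)
    print("\n".join(cmds))
```

Only the domain whose address changed produces commands on the second run: one `ufw delete allow from <old>` followed by `ufw allow from <new>`, matching the "Adding ... - removing ..." lines in the post.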
                • A
                  Alex Sage @Romo
                  last edited by

                  @romo Thanks so much! Seems to be working to me 🙂

                  1 Reply Last reply Reply Quote 0
                  • RomoR
                    Romo
                    last edited by

                    Merged branch to master, removed stdout outputs and added ip changes to a .log file.

                    A 1 Reply Last reply Reply Quote 1
                    • A
                      Alex Sage @Romo
                      last edited by

                      @romo Can you add CentOS 7 support? I would help but I don't know anything about python...

                      RomoR 1 Reply Last reply Reply Quote 0
                      • RomoR
                        Romo @Alex Sage
                        last edited by

                        @aaronstuder I am working on it already, haven't had time to finish it yet due to other work. Will post as soon as it is ready.

                        1 Reply Last reply Reply Quote 0
                        • JaredBuschJ
                          JaredBusch
                          last edited by

                          I don't get the point of this. I mean it is a cool concept, but it is too much work.

                          A NashBrydgesN 2 Replies Last reply Reply Quote 0
                          • A
                            Alex Sage @JaredBusch
                            last edited by

                            @jaredbusch said in PiHole for Friends and Family:

                            I don't get the point of this. I mean it is a cool concept, but it is too much work.

                            What do you mean?

                            1 Reply Last reply Reply Quote 0
                            • NashBrydgesN
                              NashBrydges @JaredBusch
                              last edited by

                              @jaredbusch said in PiHole for Friends and Family:

                              I don't get the point of this. I mean it is a cool concept, but it is too much work.

                              What's not to get? This is being used to limit who can access the cloud hosted Pi-hole server to only those whose DDNS domain (and ergo IP address) is listed. It makes the server's DNS access non-public for those with dynamic IPs who are set up with a DDNS domain.

                              Do you have another recommendation for limiting server access for DNS services to a limited IP that is dynamically assigned by the ISP?

                              I agree it's been a lot of work for Romo who's kindly provided us with the script but in the absence of a better solution, this is extremely useful.

                              A 1 Reply Last reply Reply Quote 0
                              • A
                                Alex Sage @NashBrydges
                                last edited by

                                @nashbrydges said in PiHole for Friends and Family:

                                What's not to get? This is being used to limit who can access the cloud hosted Pi-hole server to only those whose DDNS domain (and ergo IP address) is listed. It makes the server's DNS access non-public for those with dynamic IPs who are set up with a DDNS domain.

                                Do you have another recommendation for limiting server access for DNS services to a limited IP that is dynamically assigned by the ISP?

                                I agree it's been a lot of work for Romo who's kindly provided us with the script but in the absence of a better solution, this is extremely useful.

                                I am going to be using it to give my friends and family access to a bunch of services I run, DNS, Nextcloud, etc. That's why I had @Romo have it allow all connections from one IP 😉

                                1 Reply Last reply Reply Quote 0
                                • JaredBuschJ
                                  JaredBusch
                                  last edited by

                                  The point is there is no point to the entire DNS for friends and family thing.

                                  DashrenderD 1 Reply Last reply Reply Quote 0
                                  • DashrenderD
                                    Dashrender @JaredBusch
                                    last edited by

                                    @jaredbusch said in PiHole for Friends and Family:

                                    The point is there is no point to the entire DNS for friends and family thing.

                                    This is not entirely true. If you're not an ass like JB, and you take care of your family's and friends' computers, this could save you a lot of headaches by preventing those family and friends from getting some infections/ads, etc. Of course, I am like JB, I don't want to support more than I have to.. so I wouldn't bother outside my own home 😉

                                    1 Reply Last reply Reply Quote 1
                                    • RomoR
                                      Romo
                                      last edited by

                                      Finally had some time to finish working on the Fedora based rules. I used firewall-cmd's rich rules in order to work with the default zone; I think it is the best way to handle it but I am open to suggestions.

                                      Tested the script in Fedora Server 26, but I believe it should work properly on CentOS 7 and its default python version.

                                      # Starting default fw config
                                      [root@localhost dns_to_ip_firewall_rules]$ firewall-cmd --list-all
                                      FedoraServer (active)
                                        target: default
                                        icmp-block-inversion: no
                                        interfaces: ens3
                                        sources: 
                                        services: ssh dhcpv6-client cockpit
                                        ports: 
                                        protocols: 
                                        masquerade: no
                                        forward-ports: 
                                        source-ports: 
                                        icmp-blocks: 
                                        rich rules: 
                                      
                                      #Fedora 26 uses by default Python 3 so using it to run the script
                                      [root@localhost dns_to_ip_firewall_rules]$ python3 dns-to-ip-firewall-rules.py 
                                      
                                      # Script is set to reload the firewall to make the rules permanent, checking the new rules
                                      [root@localhost dns_to_ip_firewall_rules]# firewall-cmd --list-all
                                      FedoraServer (active)
                                        target: default
                                        icmp-block-inversion: no
                                        interfaces: ens3
                                        sources: 
                                        services: ssh dhcpv6-client cockpit
                                        ports: 
                                        protocols: 
                                        masquerade: no
                                        forward-ports: 
                                        source-ports: 
                                        icmp-blocks: 
                                        rich rules: 
                                      	rule family="ipv4" source address="151.101.1.52/32" accept
                                      	rule family="ipv4" source address="50.31.169.131/32" accept
                                      	rule family="ipv4" source address="216.58.193.206/32" port port="22" protocol="tcp" accept
                                      	rule family="ipv4" source address="216.58.193.206/32" port port="53" protocol="udp" accept
                                      	rule family="ipv4" source address="104.25.47.32/32" port port="443" protocol="tcp" accept
                                      	rule family="ipv4" source address="93.184.216.34/32" port port="53" protocol="udp" accept
                                      	rule family="ipv4" source address="93.184.216.34/32" port port="80" protocol="tcp" accept
                                      	rule family="ipv4" source address="93.184.216.34/32" port port="22" protocol="udp" accept
                                      	rule family="ipv4" source address="216.58.193.206/32" port port="22" protocol="udp" accept
                                      	rule family="ipv4" source address="104.25.47.32/32" port port="53" protocol="tcp" accept
                                      	rule family="ipv4" source address="216.58.193.206/32" port port="80" protocol="tcp" accept
                                      	rule family="ipv4" source address="93.184.216.34/32" port port="22" protocol="tcp" accept
                                      	rule family="ipv4" source address="104.25.47.32/32" port port="53" protocol="udp" accept
                                      
                                      # Rerunning script to check for new ips
                                      [root@localhost dns_to_ip_firewall_rules]$ python3 dns-to-ip-firewall-rules.py 
                                      
                                      # Checking to see the new ip correctly set in the firewall 
                                      [root@localhost dns_to_ip_firewall_rules]$ firewall-cmd --list-all
                                      FedoraServer (active)
                                        target: default
                                        icmp-block-inversion: no
                                        interfaces: ens3
                                        sources: 
                                        services: ssh dhcpv6-client cockpit
                                        ports: 
                                        protocols: 
                                        masquerade: no
                                        forward-ports: 
                                        source-ports: 
                                        icmp-blocks: 
                                        rich rules: 
                                      	rule family="ipv4" source address="151.101.1.52/32" accept
                                      	rule family="ipv4" source address="50.31.169.131/32" accept
                                      	rule family="ipv4" source address="216.58.193.206/32" port port="22" protocol="tcp" accept
                                      	rule family="ipv4" source address="216.58.193.206/32" port port="53" protocol="udp" accept
                                      	rule family="ipv4" source address="104.25.47.32/32" port port="443" protocol="tcp" accept
                                      	rule family="ipv4" source address="93.184.216.34/32" port port="53" protocol="udp" accept
                                      	rule family="ipv4" source address="93.184.216.34/32" port port="80" protocol="tcp" accept
                                      	rule family="ipv4" source address="93.184.216.34/32" port port="22" protocol="udp" accept
                                      	rule family="ipv4" source address="216.58.193.206/32" port port="22" protocol="udp" accept
                                      	rule family="ipv4" source address="104.25.47.32/32" port port="53" protocol="tcp" accept
                                      	rule family="ipv4" source address="216.58.193.206/32" port port="80" protocol="tcp" accept
                                      	rule family="ipv4" source address="93.184.216.34/32" port port="22" protocol="tcp" accept
                                      	rule family="ipv4" source address="104.25.47.32/32" port port="53" protocol="udp" accept
                                      	rule family="ipv4" source address="151.101.65.52/32" accept
                                      

                                      It appears to be working; I haven't tested it too much but the configs seem to show what they must.

                                      The current version tested is on branch firewalld-rules if anyone else wants to test it.

                                      1 Reply Last reply Reply Quote 0
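Reading "the configs seem to show what they must" off a `firewall-cmd --list-all` listing by eye gets tedious once there are a dozen rich rules, and an allow rule left behind for an address the domain no longer resolves to keeps that address whitelisted. This added example (not code from the thread) parses the `rich rules:` section of the listing and compares it with the set of rules expected from the currently resolved addresses, reporting rules that are stale and rules that are missing. Both the listing and the domain-to-address mapping below are constructed from the second listing in the post above; with that mapping the check reports the `151.101.1.52/32 accept` rule as stale, because the listing contains both it and the later-added `151.101.65.52/32 accept` entry.

```python
"""Audit firewalld rich rules against the addresses the DDNS domains resolve to.

Added example, not the thread's script. parse_rich_rules() reads the
'rich rules:' lines of `firewall-cmd --list-all` output; audit() returns
the rules present but not expected (stale) and expected but absent (missing).
"""
import re

# Matches the ipv4 accept rules the script writes: an all-ports rule has no
# port/protocol part, a per-port rule carries both.
RICH_RULE = re.compile(
    r'rule family="ipv4" source address="(?P<ip>[\d.]+)/32"'
    r'(?: port port="(?P<port>\d+)" protocol="(?P<proto>tcp|udp)")? accept'
)

# Constructed: the second `firewall-cmd --list-all` listing from the post above.
LISTING = """\
FedoraServer (active)
  target: default
  interfaces: ens3
  services: ssh dhcpv6-client cockpit
  rich rules:
\trule family="ipv4" source address="151.101.1.52/32" accept
\trule family="ipv4" source address="50.31.169.131/32" accept
\trule family="ipv4" source address="216.58.193.206/32" port port="22" protocol="tcp" accept
\trule family="ipv4" source address="216.58.193.206/32" port port="53" protocol="udp" accept
\trule family="ipv4" source address="104.25.47.32/32" port port="443" protocol="tcp" accept
\trule family="ipv4" source address="93.184.216.34/32" port port="53" protocol="udp" accept
\trule family="ipv4" source address="93.184.216.34/32" port port="80" protocol="tcp" accept
\trule family="ipv4" source address="93.184.216.34/32" port port="22" protocol="udp" accept
\trule family="ipv4" source address="216.58.193.206/32" port port="22" protocol="udp" accept
\trule family="ipv4" source address="104.25.47.32/32" port port="53" protocol="tcp" accept
\trule family="ipv4" source address="216.58.193.206/32" port port="80" protocol="tcp" accept
\trule family="ipv4" source address="93.184.216.34/32" port port="22" protocol="tcp" accept
\trule family="ipv4" source address="104.25.47.32/32" port port="53" protocol="udp" accept
\trule family="ipv4" source address="151.101.65.52/32" accept
"""

# Constructed: domain -> (currently resolved IP, [(port, proto), ...]);
# an empty port list means "all ports". Follows the DOMAINS TO ADD comment
# block from the earlier post; the address assignment is an assumption.
RESOLVED = {
    "theverge.com": ("151.101.65.52", []),
    "arstechnica.com": ("50.31.169.131", []),
    "google.com": ("216.58.193.206", [(53, "udp"), (22, "udp"), (22, "tcp"), (80, "tcp")]),
    "example.com": ("93.184.216.34", [(53, "udp"), (22, "udp"), (22, "tcp"), (80, "tcp")]),
    "mangolassi.it": ("104.25.47.32", [(53, "udp"), (53, "tcp"), (443, "tcp")]),
}


def parse_rich_rules(listing):
    """Return {(ip, port, proto)}; port and proto are None for all-ports rules."""
    rules = set()
    for line in listing.splitlines():
        m = RICH_RULE.search(line)
        if m:
            port = int(m["port"]) if m["port"] else None
            rules.add((m["ip"], port, m["proto"]))
    return rules


def expected_rules(resolved):
    """Build the rule set the firewall should contain for the resolved addresses."""
    rules = set()
    for ip, ports in resolved.values():
        if not ports:
            rules.add((ip, None, None))
        for port, proto in ports:
            rules.add((ip, port, proto))
    return rules


def audit(listing, resolved):
    """Return (stale, missing) as sorted lists of (ip, port, proto) tuples."""
    listed = parse_rich_rules(listing)
    wanted = expected_rules(resolved)
    return sorted(listed - wanted, key=str), sorted(wanted - listed, key=str)


if __name__ == "__main__":
    stale, missing = audit(LISTING, RESOLVED)
    for rule in stale:
        print("stale rule, not matched by any current address:", rule)
    for rule in missing:
        print("missing rule:", rule)
```

Running it after each scheduled resolution pass (or feeding it `firewall-cmd --list-all` output from cron) turns the manual "look at the listing" step into a check that fails loudly when an old address survives a change.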
                                      • RomoR
                                        Romo
                                        last edited by

                                        By the way, is there a way in firewall-cmd to clear the rules in one pass, basically the equivalent of Ubuntu's ufw reset?

                                        A black3dynamiteB 2 Replies Last reply Reply Quote 0
                                        • A
                                          Alex Sage @Romo
                                          last edited by

                                          @romo not sure. Maybe @scottalanmiller knows?

                                          1 Reply Last reply Reply Quote 0
                                          • black3dynamiteB
                                            black3dynamite @Romo
                                            last edited by

                                            @romo

                                            I haven't tried it myself but this command will "Load zone default settings or report NO_DEFAULTS error."
                                            I got it from the firewall-cmd man page:

                                            firewall-cmd --permanent --load-zone-defaults=zone
                                            
                                            RomoR 1 Reply Last reply Reply Quote 0