Assuming a setup with bridged LAN and WAN interfaces. Install the required packages. Enable bridge firewall intercepting DNS queries and filtering transit traffic from eth0 to eth1.
# Install packages
opkg update
opkg install kmod-nft-bridge
# Configure firewall
cat << "EOF" > /etc/nftables.d/bridge.sh
. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_get_device NET_DEV "${NET_IF}"
NET_MAC="$(ubus -S call network.device status \
"{'name':'${NET_DEV}'}" | jsonfilter -e "$['macaddr']")"
nft add table bridge filter
nft flush table bridge filter
nft add chain bridge filter prerouting \
{ type filter hook prerouting priority dstnat\; }
nft add rule bridge filter prerouting meta \
l4proto { tcp, udp } th dport 53 pkttype set host \
ether daddr set "${NET_MAC}" comment "Intercept-DNS"
nft add chain bridge filter forward \
{ type filter hook forward priority filter\; }
nft add rule bridge filter forward iifname "eth0" \
oifname "eth1" drop comment "Deny-eth0-eth1"
EOF
uci -q delete firewall.bridge
uci set firewall.bridge="include"
uci set firewall.bridge.path="/etc/nftables.d/bridge.sh"
uci commit firewall
service firewall restart
Set up DNS hijacking and DNS filtering.
If you have your firewall disabled and have kmod-nft-bridge installed, then you can do this easily. This will classify HTTP(S) traffic as AF23. Not practical, but a start.
Save the following to /etc/nftables.conf
flush ruleset
table bridge dscp {
chain dscp_set_af23 {
ip dscp set af23
ip6 dscp set af23
}
chain prerouting {
type filter hook prerouting priority 0; policy accept;
meta l4proto tcp th dport {80, 443} jump dscp_set_af23
}
}
Run the following code. Add it to /etc/rc.local to make it persist.
nft -f /etc/nftables.conf
Use nslookup, ping, ping6 on LAN clients to verify the firewall configuration.
Collect and analyze the following information.
# Log and status
service firewall restart
# Runtime configuration
lsmod | grep -e bridge
nft list ruleset
# Persistent configuration
uci show firewall