基于域名的动态路由
配置文件
文件位置:/etc/nftables.conf
nftables的主配置文件
#!/usr/sbin/nft -f
# Start from an empty ruleset so the live state is exactly what this file declares.
flush ruleset
# IPv4 NAT: LAN clients in 172.17.200.0/24 are masqueraded behind the address of
# the upstream interface eth0 when they leave through it.
table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority 100; policy accept;
        # Both matches must hold; listing the interface first changes nothing
        # about which packets are counted and masqueraded.
        oifname "eth0" ip saddr 172.17.200.0/24 counter masquerade
    }
}
# Filter table tied to dnsmasq: dnsmasq inserts the IPv4 addresses it resolves
# for allow-listed domains into @allowed_hosts (see
# /etc/dnsmasq.d/allowed_domains.conf), and FORWARD only lets LAN traffic out to
# those addresses.
table inet dnsmasq {
    # Filled at runtime by dnsmasq's nftset= directive (4#inet#dnsmasq#allowed_hosts).
    # Elements are removed 1h after insertion; this timeout is fixed here and is
    # presumably not tied to the DNS record TTL, so a client still using a
    # locally cached answer after expiry loses new connections until it
    # re-resolves the name — confirm against the dnsmasq version in use.
    set allowed_hosts {
        type ipv4_addr
        flags dynamic
        timeout 1h
    }

    chain INPUT {
        type filter hook input priority 0; policy accept;
        # The chain ends in an unconditional drop, so the accept policy only
        # takes effect if that last rule is removed.
        ct state established,related accept
        iifname "lo" accept
        meta l4proto { icmp, ipv6-icmp } accept
        # DNS is served to the LAN side (eth1) only.
        iifname "eth1" udp dport 53 accept
        iifname "eth1" tcp dport 53 accept
        # NOTE(review): no iifname match, so SSH is reachable from eth0 as well;
        # prefix with `iifname "eth1"` if management should be LAN-only.
        tcp dport 22 accept
        counter drop
    }

    chain FORWARD {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Only new LAN -> upstream flows whose destination dnsmasq has placed in
        # the set. The set holds ipv4_addr and the rule matches `ip daddr`, so
        # new IPv6 flows never match and fall to the drop policy.
        iifname "eth1" oifname "eth0" ip daddr @allowed_hosts counter accept
    }
}
文件位置:/etc/dnsmasq.d/router.conf
dnsmasq的主配置文件
# Listen on the LAN interface and loopback only, bound to those addresses
# rather than the wildcard.
bind-interfaces
interface=lo
interface=eth1

# Upstream resolvers are listed here; /etc/resolv.conf is ignored.
# NOTE(review): with the catch-all address= rule below, these global upstreams
# presumably only matter for queries that rule does not answer — verify they
# are still needed.
no-resolv
server=223.5.5.5
server=119.29.29.29
cache-size=1000

# Catch-all: any name without a more specific server=/domain/ entry (see
# allowed_domains.conf) is answered with 0.0.0.0, so clients never obtain a
# real address for a domain that is not allow-listed.
address=/#/0.0.0.0
文件位置:/etc/dnsmasq.d/allowed_domains.conf
dnsmasq的白名单
# Allow-listed domains (each entry also matches its subdomains). Queries for
# them are forwarded to 223.5.5.5, and every IPv4 answer is added to the
# nftables set inet/dnsmasq/allowed_hosts that FORWARD in /etc/nftables.conf
# checks. Same three domains as before, using dnsmasq's multi-domain form.
server=/baidu.com/a.shifen.com/ipinfo.io/223.5.5.5
nftset=/baidu.com/a.shifen.com/ipinfo.io/4#inet#dnsmasq#allowed_hosts
文件位置:/etc/systemd/system/dnsmasq.service.d/override.conf
dnsmasq的服务配置文件(systemd override),用于解决dnsmasq写入nftset的权限问题;若配置不当,还可能导致dnsmasq无法启动。
[Service]
# Upper bound on the capabilities the service may hold. CAP_NET_ADMIN is the
# one required to write into the nftables set; the others presumably cover
# binding port 53, raw sockets and switching to dnsmasq's own user/group —
# TODO confirm against the distribution's unit before trimming
# CAP_DAC_OVERRIDE/CAP_CHOWN.
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_DAC_OVERRIDE CAP_CHOWN CAP_SETGID CAP_SETUID
# Capabilities kept in the ambient set so the process retains them after it
# drops root; a narrower list than the bounding set above.
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
常用命令
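# Check the ruleset for errors without applying it
nft -c -f /etc/nftables.conf
# Load the nftables ruleset
nft -f /etc/nftables.conf
# Restart nftables
systemctl restart nftables
# Restart dnsmasq
systemctl restart dnsmasq
# Verify resolution through dnsmasq: an allow-listed domain returns real
# addresses, a domain not on the list should come back as 0.0.0.0
dig @127.0.0.1 baidu.com
dig @127.0.0.1 example.com
# Check that the addresses dnsmasq resolved were written into the nftset
nft list set inet dnsmasq allowed_hosts
# Show the most recent dnsmasq log lines
journalctl -u dnsmasq --no-pager | tail -n 20
# Manually add an address to the allow list with an expiry; the braces are
# quoted so the shell hands them to nft unchanged
nft add element inet dnsmasq allowed_hosts '{ 8.8.8.8 timeout 1h }'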