## Created a module to support ipset so that a domain's IP addresses can be added to a set easily.

### Purposes:
* In my case, I can't access Facebook, Twitter, YouTube and thousands of other web sites for some reason. A VPN is a solution, but the internet is too slow if all traffic passes through the VPN.
So, I set up a transparent proxy to proxy only the traffic that has been blocked.
At the final step, I need to install a DNS service which works well with ipset to complete the system.
I did some research for this. Unfortunately, Unbound, my favorite DNS service, doesn't support ipset yet. So, I decided to implement it myself and contribute the patch. It's good for me and the community.
```
# unbound.conf
server:
    ...
    local-zone: "facebook.com" ipset
    local-zone: "twitter.com" ipset
    local-zone: "instagram.com" ipset
    # more social websites

ipset:
    name-v4: "gfwlist"
```
```
# iptables
# REDIRECT is only valid in the nat table, so the rules must be added with -t nat
iptables -t nat -A PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800
iptables -t nat -A OUTPUT -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800
```

* This patch can also work with iptables rules to block the resolved IPs in bulk.
```
# unbound.conf
server:
    ...
    local-zone: "facebook.com" ipset
    local-zone: "twitter.com" ipset
    local-zone: "instagram.com" ipset
    # more social websites

ipset:
    name-v4: "blacklist"
    name-v6: "blacklist6"
```
```
# iptables (--match-set is the current spelling; the older --set option is deprecated)
iptables -A INPUT -m set --match-set blacklist src -j DROP
ip6tables -A INPUT -m set --match-set blacklist6 src -j DROP
```

### Notes:
* Root privileges are required to use this module, because Unbound has to add entries to kernel ipsets.
* Create the set with the ipset command before starting Unbound, e.g. **ipset -N blacklist iphash** (in current ipset syntax: `ipset create blacklist hash:ip`). An IPv6 set must be created with the inet6 family, e.g. `ipset create blacklist6 hash:ip family inet6`, otherwise AAAA answers cannot be added to it.

### How to use:
```
./configure --enable-ipset
make && make install
```

### Configuration:
```
# unbound.conf
server:
    ...
    local-zone: "example.com" ipset

ipset:
    name-v4: "blacklist"
```
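The configuration above has an ordering dependency that is easy to get wrong: the sets named under `ipset:` must already exist in the kernel, with the right address family, before Unbound starts, and only queries that fall under a `local-zone: ... ipset` entry (including its subdomains) feed them. The following script is an added example, not part of the Unbound ipset module or its README. It parses just the subset of unbound.conf syntax shown on this page (a `server:` clause with `local-zone` lines and an `ipset:` clause with `name-v4`/`name-v6`), derives the `ipset create` and iptables commands that have to run first, and shows which set a given resolved address would land in. The sample configuration embedded in it is constructed; the `hash:ip`, `family inet6` and `-exist` spellings are standard ipset options.

```python
"""Derive the ipset/iptables setup that an Unbound ipset configuration relies on.

Added example; it handles only the unbound.conf subset shown in the README:
  server:  local-zone: "<name>" ipset
  ipset:   name-v4: "<set>"   name-v6: "<set>"
"""
import ipaddress
import re

# Constructed sample configuration, mirroring the "blacklist" example above.
SAMPLE_CONF = """\
server:
    verbosity: 1
    local-zone: "facebook.com" ipset
    local-zone: "twitter.com" ipset
    local-zone: "example.org" static   # not an ipset zone, must be ignored
ipset:
    name-v4: "blacklist"
    name-v6: "blacklist6"
"""

CLAUSE_RE = re.compile(r"^([a-z-]+):\s*$")                  # e.g. "server:" / "ipset:"
LOCAL_ZONE_RE = re.compile(r'^local-zone:\s*"([^"]+)"\s+(\S+)')
NAME_RE = re.compile(r'^(name-v4|name-v6):\s*"?([^"\s]+)"?')


def strip_comment(line):
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_conf(text):
    """Return (zones, sets): ipset-typed local zones and the named sets."""
    zones, sets, clause = [], {}, None
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        m = CLAUSE_RE.match(line)
        if m:
            clause = m.group(1)
            continue
        if clause == "server":
            m = LOCAL_ZONE_RE.match(line)
            if m and m.group(2) == "ipset":
                zones.append(m.group(1).rstrip(".").lower())
        elif clause == "ipset":
            m = NAME_RE.match(line)
            if m:
                sets[m.group(1)] = m.group(2)
    return zones, sets


def zone_for_qname(qname, zones):
    """Most specific configured zone covering qname, or None (Unbound matches subdomains)."""
    q = qname.rstrip(".").lower()
    best = None
    for z in zones:
        if (q == z or q.endswith("." + z)) and (best is None or len(z) > len(best)):
            best = z
    return best


def set_for_address(addr, sets):
    """Name of the set an A (v4) or AAAA (v6) answer is added to, or None if unconfigured."""
    key = "name-v6" if ipaddress.ip_address(addr).version == 6 else "name-v4"
    return sets.get(key)


def setup_commands(zones, sets, action="DROP"):
    """Commands that must run before Unbound starts: create the sets, then the filter rules."""
    if not zones:
        raise ValueError("no 'local-zone ... ipset' entries: the module would do nothing")
    if not sets:
        raise ValueError("ipset zones configured but no set is named under 'ipset:'")
    cmds = []
    if "name-v4" in sets:   # -exist makes re-running the setup idempotent
        cmds.append(f"ipset -exist create {sets['name-v4']} hash:ip family inet")
        cmds.append(f"iptables -A INPUT -m set --match-set {sets['name-v4']} src -j {action}")
    if "name-v6" in sets:   # AAAA answers need an inet6 set, not the v4 one
        cmds.append(f"ipset -exist create {sets['name-v6']} hash:ip family inet6")
        cmds.append(f"ip6tables -A INPUT -m set --match-set {sets['name-v6']} src -j {action}")
    return cmds


if __name__ == "__main__":
    zones, sets = parse_conf(SAMPLE_CONF)
    print("\n".join(setup_commands(zones, sets)))
```

Run it against a real unbound.conf by replacing `SAMPLE_CONF` with the file contents; the printed commands are what the README's "create a set first" note requires, and `zone_for_qname` makes explicit that `www.facebook.com` is covered by `local-zone: "facebook.com" ipset` while `notfacebook.com` is not.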