From 06edb7c818d5d6d6103963ad15e52125beefd451 Mon Sep 17 00:00:00 2001
From: chapeau
Date: Tue, 30 Jul 2024 14:55:06 +0200
Subject: [PATCH] fix and clean dns

---
 dns.py               | 22 ++++++++++++++++------
 docker/entrypoint.sh |  2 --
 load.py              |  5 +++--
 templates/rules.nft  |  6 +++---
 4 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/dns.py b/dns.py
index f9ae787..ce7f51f 100644
--- a/dns.py
+++ b/dns.py
@@ -1,4 +1,5 @@
 import time
+import socket
 from ipaddress import IPv4Address, IPv4Network
 from dnslib import DNSRecord,RCODE,QTYPE
 from dnslib.server import DNSServer,DNSHandler,BaseResolver,DNSLogger
@@ -16,11 +17,20 @@ class ProxyResolver(BaseResolver):
         address = self.default_address
         port = self.default_port
-        subnets = [ (net["local_range"], net["local_translated_range"]) for net in self.config.data["network"].values() ]
+        subnets = [
+            (name, net["local_range"], net["local_translated_range"], net["dns"])
+            for name, net
+            in self.config.data["network"].items()
+        ]
+
         qname = DNSLabel(request.q.qname)
-        for dns in self.config.dns_servers:
-            if dns["domain"] == str(qname)[-len(dns["domain"])-1:-1]:
-                address = dns["ip"]
+        for (net, sub, trans, dns) in subnets:
+            for serv in dns:
+                if serv["domain"] == str(qname)[-len(serv["domain"])-1:-1]:
+                    if net == self.config.local_network:
+                        address = dns["ip"]
+                    else:
+                        address = translate(serc["ip"], sub, trans)
         try:
             proxy_r = request.send(address, port, timeout=self.timeout)
             reply = DNSRecord.parse(proxy_r)
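Review bot: The new resolver loop cannot complete for a non-local network: `address = translate(serc["ip"], sub, trans)` references `serc`, which is defined nowhere in the hunk (a typo for `serv`), so the first domain match outside `self.config.local_network` raises NameError and the query fails. The local branch has the mirror problem: `address = dns["ip"]` indexes the whole `net["dns"]` collection instead of the matching entry and should read `address = serv["ip"]`. It is also worth settling what `dns` is, because `for serv in dns` / `serv["domain"]` treats it as a sequence of server records while `dns["ip"]` here and `dns.values()` in the next hunk treat it as a mapping. Separately, the retained suffix test `serv["domain"] == str(qname)[-len(serv["domain"])-1:-1]` is a plain string slice and not label-anchored, so a name such as `notexample.com.` matches the `example.com` entry and is forwarded to that network's resolver; `qname.matchSuffix(serv["domain"])` (dnslib's DNSLabel compares whole labels) keeps the apex and its subdomains and rejects look-alikes. The enclosing method starts before the hunk.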
@@ -29,8 +39,8 @@ class ProxyResolver(BaseResolver):
             reply.header.rcode = getattr(RCODE, 'NXDOMAIN')
         if address != self.default_address and address not in self.config.data["network"][self.config.local_network]["dns"].values():
             for rr in reply.rr:
-                for (sub, trans) in subnets:
-                    if IPv4Address(rr.rdata) in IPv4Network(sub):
+                for (net, sub, trans, dns) in subnets:
+                    if address in dns.values() and netIPv4Address(rr.rdata) in IPv4Network(sub):
                         rr.rdata.data = IPv4Address(translate(str(rr.rdata), sub, trans)).packed
         reply.set_header_qa()
         return reply
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index a373d72..45421c5 100755
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -1,5 +1,3 @@
 #!/bin/sh
 poetry run python load.py
-wg-quick up ./wg-pn.conf
-sleep infinity
\ No newline at end of file
diff --git a/load.py b/load.py
index 5a9354c..09051c1 100644
--- a/load.py
+++ b/load.py
@@ -80,7 +80,7 @@ def load_wireguard(config):
         peer["endpoint"] = endpoint
-        peer["allowed_ips"] = config.data["network"][net]["local_translated_range"]
+        peer["allowed_ips"] = config.data["network"][net]["local_translated_range"] + ", " + config.data["network"][net]["wireguard_address"]
         untranslated_networks = config.data["network"][net].get("untranslated_networks", "")
         if untranslated_networks != "":
             peer["allowed_ips"] += ", " + untranslated_networks
@@ -97,9 +97,10 @@ def load_wireguard(config):
         peers=peers
     ))
-config = Config("./config/config.toml")
+config = Config("/config/config.toml")
 load_firewall(config)
 load_wireguard(config)
+run("wg-quick up ./wg-pn.conf")
 import dns
 dns.run(config, port=5353)
diff --git a/templates/rules.nft b/templates/rules.nft
index 9ff3f25..8c91d9b 100644
--- a/templates/rules.nft
+++ b/templates/rules.nft
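Review bot: `netIPv4Address(rr.rdata)` in the new condition is not a defined name — it reads as `net` fused onto `IPv4Address` — so any forwarded reply that reaches this rewrite loop raises NameError instead of translating the answer. The intended line is presumably `if address in dns.values() and IPv4Address(rr.rdata) in IPv4Network(sub):`. The `address in dns.values()` test only works if `net["dns"]` is a mapping, which conflicts with the `for serv in dns` / `serv["domain"]` iteration in the previous hunk; whichever shape the config uses, the two hunks need to agree. Because `IPv4Address(...)` raises on anything that is not a dotted quad, gating the rewrite on `rr.rtype == QTYPE.A` (QTYPE is already imported) would avoid a crash if the upstream ever returns mixed record types — hedged, since what the forwarders answer is not visible here. The enclosing method starts before the hunk.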
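Review bot: `run("wg-quick up ./wg-pn.conf")` passes one shell-style string and never inspects the result, so `dns.run(config, port=5353)` on the next lines starts serving even when the tunnel failed to come up. If `run` is `subprocess.run` (its definition is outside the hunk), a single string is only accepted with `shell=True`; an argument list plus a hard failure is the safer form: `run(["wg-quick", "up", "./wg-pn.conf"], check=True)`. The relative `./wg-pn.conf` also depends on the working directory the process is started from, while `Config("/config/config.toml")` has just been made absolute; resolving the generated tunnel file the same way would keep the two consistent (where it is written is outside the hunk).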
@@ -26,12 +26,12 @@ table ip filter {
     chain postrouting {
         type nat hook postrouting priority 100; policy accept;
-        ip saddr @local_range ip daddr @remote_range snat to ip saddr map @ip_map_snat
+        ip daddr @remote_range snat to ip saddr map @ip_map_snat
     }
     chain prerouting {
         type nat hook prerouting priority 100; policy accept;
-        ip saddr @remote_range ip daddr @local_translated_range dnat to ip daddr map @ip_map_dnat
+        ip daddr @local_translated_range dnat to ip daddr map @ip_map_dnat
     }
-}
\ No newline at end of file
+}
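Review bot: Dropping `ip saddr @local_range` from the postrouting SNAT rule and `ip saddr @remote_range` from the prerouting DNAT rule removes the source-side restriction, so both rules now match on destination alone; whether that widening is intended deserves a comment in the template, because a reader of the rendered ruleset will otherwise assume the narrower match. If the motivation is that peer traffic can now originate from the wireguard address added to `allowed_ips` in load.py, which is not part of `@local_range`, say so next to the rule: `# saddr match dropped: peer traffic may come from the wireguard address, outside @local_range`. As far as I can tell the remaining restriction is the key set of `@ip_map_snat` / `@ip_map_dnat` — a map lookup with no matching key should make the rule fall through — so the maps, not the sets, now decide which sources are translated, and that is worth stating in the same comment. The enclosing `table ip filter` block starts before the hunk.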