## Created a module to support ipset, which can add a domain's IPs to a set easily.

### Purposes:
* In my case, I can't access Facebook, Twitter, YouTube and thousands of web sites for some reason. A VPN is a solution, but the internet is too slow if all traffic passes through the VPN.
So, I set up a transparent proxy to proxy only the traffic which has been blocked.
At the final step, I need to install a DNS service which works well with ipset to launch the system.
I did some research for this. Unfortunately, Unbound, my favorite DNS service, doesn't support ipset yet. So, I decided to implement it myself and contribute the patch. It's good for me and the community.
```
# unbound.conf
server:
    ...
    local-zone: "facebook.com" ipset
    local-zone: "twitter.com" ipset
    local-zone: "instagram.com" ipset
    # more social websites

ipset:
    name-v4: "gfwlist"
```
```
# iptables
iptables -A PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800
iptables -A OUTPUT -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800
```

* This patch can also work with iptables rules to block a batch of IPs.
```
# unbound.conf
server:
    ...
    local-zone: "facebook.com" ipset
    local-zone: "twitter.com" ipset
    local-zone: "instagram.com" ipset
    # more social websites

ipset:
    name-v4: "blacklist"
    name-v6: "blacklist6"
```
```
# iptables
iptables -A INPUT -m set --set blacklist src -j DROP
ip6tables -A INPUT -m set --set blacklist6 src -j DROP
```

### Notes:
* To enable this module, root privileges are required.
* Please create the set with the ipset command first, e.g. **ipset -N blacklist iphash**

### How to use:
```
./configure --enable-ipset
make && make install
```

### Configuration:
```
# unbound.conf
server:
    ...
    local-zone: "example.com" ipset

ipset:
    name-v4: "blacklist"
```
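The following is an added worked example, not code from unbound or its ipset module. It models in Python what the configuration above asks the module to do: parse the `local-zone: "..." ipset` entries and the `ipset:` `name-v4`/`name-v6` names from an `unbound.conf` fragment, decide for a query name whether it falls under an ipset zone (the zone itself or a subdomain of it), route each A answer to the v4 set and each AAAA answer to the v6 set, and render the `ipset` and `iptables` commands an operator would run beforehand to create the sets and attach the DROP rules. The config text and addresses are constructed (RFC 5737/3849 documentation ranges). The behaviour that an address family with no configured set is silently skipped is an assumption about the module, not something the README states.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample configuration, modelled on the README's examples.
SAMPLE_CONF = """
server:
    local-zone: "facebook.com" ipset
    local-zone: "twitter.com" ipset
    local-zone: "example.com" static   # not an ipset zone

ipset:
    name-v4: "blacklist"
    name-v6: "blacklist6"
"""

_LOCAL_ZONE = re.compile(r'^local-zone:\s*"([^"]+)"\s+(\S+)')
_SET_NAME = re.compile(r'^(name-v4|name-v6):\s*"([^"]+)"')


@dataclass
class IpsetConfig:
    zones: List[str] = field(default_factory=list)   # zones tagged "ipset"
    name_v4: Optional[str] = None                    # ipset: name-v4
    name_v6: Optional[str] = None                    # ipset: name-v6


def parse_unbound_conf(text: str) -> IpsetConfig:
    """Pull the ipset-relevant directives out of an unbound.conf fragment."""
    conf = IpsetConfig()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        m = _LOCAL_ZONE.match(line)
        if m:
            if m.group(2) == "ipset":
                conf.zones.append(m.group(1).rstrip(".").lower())
            continue
        m = _SET_NAME.match(line)
        if m:
            if m.group(1) == "name-v4":
                conf.name_v4 = m.group(2)
            else:
                conf.name_v6 = m.group(2)
    return conf


def zone_matches(qname: str, zones: List[str]) -> bool:
    """True if qname is one of the ipset zones or a name below one of them."""
    q = qname.rstrip(".").lower()
    return any(q == z or q.endswith("." + z) for z in zones)


def route_answers(conf: IpsetConfig, qname: str,
                  answers: List[str]) -> Dict[str, List[str]]:
    """Map A/AAAA answers for qname onto the configured sets: {set: [ips]}."""
    routed: Dict[str, List[str]] = {}
    if not zone_matches(qname, conf.zones):
        return routed
    for text in answers:
        ip = ipaddress.ip_address(text)
        target = conf.name_v4 if ip.version == 4 else conf.name_v6
        if target is None:
            continue   # assumption: no set for this family means nothing to add
        routed.setdefault(target, []).append(str(ip))
    return routed


def ipset_add_commands(routed: Dict[str, List[str]]) -> List[str]:
    """The equivalent shell commands for what the module adds to the kernel."""
    return [f"ipset add {name} {ip} -exist"
            for name, ips in routed.items() for ip in ips]


def setup_commands(conf: IpsetConfig) -> List[str]:
    """Pre-create the sets (see the README's Notes) and attach DROP rules."""
    cmds = []
    if conf.name_v4:
        cmds.append(f"ipset create {conf.name_v4} hash:ip family inet -exist")
        cmds.append(f"iptables -A INPUT -m set --match-set {conf.name_v4} src -j DROP")
    if conf.name_v6:
        cmds.append(f"ipset create {conf.name_v6} hash:ip family inet6 -exist")
        cmds.append(f"ip6tables -A INPUT -m set --match-set {conf.name_v6} src -j DROP")
    return cmds


if __name__ == "__main__":
    conf = parse_unbound_conf(SAMPLE_CONF)
    for cmd in setup_commands(conf):
        print(cmd)
    routed = route_answers(conf, "www.facebook.com.", ["203.0.113.10", "2001:db8::1"])
    for cmd in ipset_add_commands(routed):
        print(cmd)
```

The point worth checking against a real deployment is the family split: a zone tagged `ipset` with only `name-v4` configured gives you no IPv6 coverage, so clients that resolve AAAA records can still reach the host unless `name-v6` is set and an `ip6tables` rule references it.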