## An Unbound module that adds the resolved IP addresses of selected domains to an ipset

### Purposes:
* In my case, I can't access Facebook, Twitter, YouTube and thousands of other web sites for some reason. A VPN is a solution, but the internet is too slow when all traffic passes through the VPN.
So, I set up a transparent proxy that proxies only the traffic that has been blocked.
At the final step, I need to install a DNS service that works well with ipset to complete the system.
I did some research on this. Unfortunately, Unbound, my favorite DNS service, doesn't support ipset yet. So, I decided to implement it myself and contribute the patch. It's good for me and the community.

  The module works on the response path: for every A/AAAA answer to a name covered by a `local-zone` of type `ipset`, it inserts the addresses into the kernel sets named in the `ipset:` section, and netfilter rules can then match on those sets.
```
# unbound.conf
server:
    ...
    local-zone: "facebook.com" ipset
    local-zone: "twitter.com" ipset
    local-zone: "instagram.com" ipset
    # ... more social web sites

ipset:
    name-v4: "gfwlist"
```
```
# iptables
# REDIRECT is only valid in the nat table, so -t nat is required
iptables -t nat -A PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800
iptables -t nat -A OUTPUT -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800
```

* The module also works with iptables rules to block the resolved addresses in bulk:
```
# unbound.conf
server:
    ...
    local-zone: "facebook.com" ipset
    local-zone: "twitter.com" ipset
    local-zone: "instagram.com" ipset
    # ... more social web sites

ipset:
    name-v4: "blacklist"
    name-v6: "blacklist6"
```
```
# iptables
iptables -A INPUT -m set --match-set blacklist src -j DROP
ip6tables -A INPUT -m set --match-set blacklist6 src -j DROP
```

### Notes:
* Root privileges are required to enable this module: inserting into a set goes through the ipset netlink interface, which needs CAP_NET_ADMIN.
* Create the sets with the ipset command before starting Unbound, using a set type that accepts single addresses, e.g. **ipset -N blacklist iphash** (legacy syntax; the current equivalent is **ipset create blacklist hash:ip**). The set named in `name-v6` must be created as an IPv6 set, e.g. **ipset create blacklist6 hash:ip family inet6**.

### How to use:
```
./configure --enable-ipset
make && make install
```

### Configuration:
The module must also be listed in `module-config`, like every other Unbound module.
```
# unbound.conf
server:
    ...
    module-config: "ipset validator iterator"
    local-zone: "example.com" ipset

ipset:
    name-v4: "blacklist"
```
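The following script is an added example and is not part of Unbound or this README. It renders the three pieces of such a setup (the `ipset create` commands, the `unbound.conf` fragment and the netfilter rules) from one list of domains, so that set names and address families cannot drift apart between the DNS side and the firewall side, and it rejects domain tokens that are not plain hostnames so a stray entry cannot turn into an extra config directive. The set names `blacklist`/`blacklist6`, the proxy port `10800` and the domains are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not part of Unbound or this README. Renders the three pieces of
# an ipset-based setup (set creation, unbound.conf fragment, netfilter rules)
# from one list of domains so names and address families stay consistent.
# Set names and the proxy port are assumptions chosen for illustration.

SET_V4="blacklist"
SET_V6="blacklist6"

# "ipset create" commands. The sets must exist before Unbound starts, and the
# set named in name-v6 must be an inet6 set or AAAA inserts fail.
# "-exist" makes re-running the script harmless.
ipset_create_cmds() {
    printf 'ipset create %s hash:ip family inet -exist\n' "$SET_V4"
    printf 'ipset create %s hash:ip family inet6 -exist\n' "$SET_V6"
}

# Reject anything that is not a plain sequence of hostname labels, so a stray
# token in the domain list cannot end up as an unbound.conf directive.
valid_domain() {
    case "$1" in
        "" | *[!A-Za-z0-9.-]* | .* | *. | *..*) return 1 ;;
    esac
    return 0
}

# unbound.conf fragment: module-config must list ipset, then one local-zone of
# type ipset per domain, then the ipset: section naming the kernel sets.
gen_unbound_conf() {
    printf 'server:\n'
    printf '    module-config: "ipset validator iterator"\n'
    for d in "$@"; do
        valid_domain "$d" || { echo "invalid domain: $d" >&2; return 1; }
        printf '    local-zone: "%s" ipset\n' "$d"
    done
    printf '\nipset:\n'
    printf '    name-v4: "%s"\n' "$SET_V4"
    printf '    name-v6: "%s"\n' "$SET_V6"
}

# Blocklist variant: drop inbound packets from any address Unbound collected.
gen_block_rules() {
    printf 'iptables -A INPUT -m set --match-set %s src -j DROP\n' "$SET_V4"
    printf 'ip6tables -A INPUT -m set --match-set %s src -j DROP\n' "$SET_V6"
}

# Transparent-proxy variant: REDIRECT only exists in the nat table, so the
# rules must be added with -t nat or iptables rejects them.
gen_redirect_rules() {
    port="$1"
    for chain in PREROUTING OUTPUT; do
        printf 'iptables -t nat -A %s -p tcp -m set --match-set %s dst -j REDIRECT --to-ports %s\n' \
            "$chain" "$SET_V4" "$port"
    done
}

# Number of ipset local-zones in the rendered config (used as a self-check).
count_ipset_zones() {
    gen_unbound_conf "$@" | grep -c 'local-zone: .* ipset$'
}

# Usage: sh ipset-render.sh render facebook.com twitter.com > setup.txt
if [ "${1:-}" = "render" ]; then
    shift
    ipset_create_cmds; echo
    gen_unbound_conf "$@"; echo
    gen_block_rules; echo
    gen_redirect_rules 10800
fi
```

Run the script with `render` and a domain list to get all three fragments in one place; the `ipset create` lines must be applied (as root) before Unbound starts, since the module only inserts into sets that already exist.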