From 0fee49d36e63e1bcf14b12b3a391f51135691413 Mon Sep 17 00:00:00 2001
From: wvr
Date: Tue, 10 Feb 2026 14:38:00 -0600
Subject: [PATCH] pihole
---
 pihole/clear_logs.sh | 5 +++
 pihole/edit-hosts.sh | 5 +++
 pihole/gravity.sh | 9 ++++
 pihole/iptables-pihole.sh | 90 +++++++++++++++++++++++++++++++++++++
 pihole/{ => lists}/lists.md | 0
 pihole/nuke-iptables.sh | 23 ++++++++++
 pihole/update-pihole.sh | 7 +++
 7 files changed, 139 insertions(+)
 create mode 100755 pihole/clear_logs.sh
 create mode 100755 pihole/edit-hosts.sh
 create mode 100755 pihole/gravity.sh
 create mode 100755 pihole/iptables-pihole.sh
 rename pihole/{ => lists}/lists.md (100%)
 create mode 100755 pihole/nuke-iptables.sh
 create mode 100755 pihole/update-pihole.sh
diff --git a/pihole/clear_logs.sh b/pihole/clear_logs.sh
new file mode 100755
index 0000000..bc962b7
--- /dev/null
+++ b/pihole/clear_logs.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+systemctl stop pihole-FTL
+rm -f /etc/pihole/pihole-FTL.db
+systemctl start pihole-FTL
diff --git a/pihole/edit-hosts.sh b/pihole/edit-hosts.sh
new file mode 100755
index 0000000..5396733
--- /dev/null
+++ b/pihole/edit-hosts.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+nvim /etc/pihole/pihole.toml
+
+rc-service pihole-FTL restart
diff --git a/pihole/gravity.sh b/pihole/gravity.sh
new file mode 100755
index 0000000..797861c
--- /dev/null
+++ b/pihole/gravity.sh
@@ -0,0 +1,9 @@
+#!/bin/sh -x
+
+
+sh ~/nuke-iptables.sh
+pihole -g
+sh ~/iptables-pihole.sh
+
+echo
+echo "DONE."
diff --git a/pihole/iptables-pihole.sh b/pihole/iptables-pihole.sh
new file mode 100755
index 0000000..1b35ebc
--- /dev/null
+++ b/pihole/iptables-pihole.sh
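Review bot: `rm -f /etc/pihole/pihole-FTL.db` runs regardless of whether `systemctl stop pihole-FTL` succeeded, so if the stop fails — or `systemctl` is simply absent, which is plausible given that the sibling scripts in this patch use `rc-service` and `apk` — the database is unlinked underneath a still-running FTL. Guard the removal on the stop: `systemctl stop pihole-FTL || exit 1` (or `set -e` right after the shebang). Since this irreversibly discards the whole query history, a header comment should say so, e.g. `# Wipes all Pi-hole query history (pihole-FTL.db). Not recoverable.`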
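Review bot: `rc-service pihole-FTL restart` runs unconditionally after the editor exits, so an aborted edit (`:cq`) or a TOML typo restarts FTL into a failed state with no indication, and since this host is presumably the LAN's resolver that means DNS down for every client. Run the restart only when nvim exits 0 and surface a failed restart, e.g. `rc-service pihole-FTL restart || echo 'pihole-FTL failed to restart; check /etc/pihole/pihole.toml' >&2`. The file is named edit-hosts.sh but edits `pihole.toml`, not a hosts file; a header comment such as `# Edit the Pi-hole FTL config (pihole.toml) and restart FTL to apply it` would prevent that confusion.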
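Review bot: Between `sh ~/nuke-iptables.sh` and `sh ~/iptables-pihole.sh` the host runs with every chain policy set to ACCEPT and no rules for as long as `pihole -g` takes to fetch its lists, and if `pihole -g` hangs or the script is interrupted the restore never runs and the box stays unfiltered. `iptables-pihole.sh` already begins with `iptables -F` and re-sets the policies, so the nuke is only needed if the ruleset blocks something gravity relies on — presumably local DNS to 127.0.0.1, which that ruleset drops for lack of an `INPUT -i lo` accept; fixing the rule would remove any need to open the firewall here. If the teardown must stay, restore on every exit path by putting `here=$(dirname "$0")` and `trap 'sh "$here/iptables-pihole.sh"' EXIT INT TERM` before the nuke. `~` also resolves to the invoking user's HOME (different under `sudo`) while the scripts are committed under `pihole/`, so `"$here/..."` is the more reliable path.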
@@ -0,0 +1,90 @@
+#!/bin/sh
+#
+# mitchs iptables pihole config
+# -------------------------------------------
+
+# -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
+# variables
+# -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
+SUBNET=192.168.100
+PIHOLE=$SUBNET.200
+# =/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=
+
+# flush
+iptables -F
+
+# deny all default
+iptables -P OUTPUT DROP
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+
+# dns to/from pihole (self)
+iptables -A INPUT -s $SUBNET.0/24 -j ACCEPT -p tcp --dport 53 -m state --state NEW
+iptables -A INPUT -s $SUBNET.0/24 -j ACCEPT -p tcp --sport 53 -m state --state NEW
+iptables -A INPUT -s $SUBNET.0/24 -j ACCEPT -p udp --dport 53 -m state --state NEW
+iptables -A INPUT -s $SUBNET.0/24 -j ACCEPT -p udp --sport 53 -m state --state NEW
+
+iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p tcp --dport 53 -m state --state ESTABLISHED,RELATED
+iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p tcp --sport 53 -m state --state ESTABLISHED,RELATED
+iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p udp --dport 53 -m state --state ESTABLISHED,RELATED
+iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p udp --sport 53 -m state --state ESTABLISHED,RELATED
+
+# -----------------------------------------------------------
+# dns to/from 9.9.9.9
+iptables -A OUTPUT -j ACCEPT -d 9.9.9.9/24 -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A OUTPUT -j ACCEPT -d 9.9.9.9/24 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A INPUT -j ACCEPT -s 9.9.9.9/24 -p tcp --sport 53 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A INPUT -j ACCEPT -s 9.9.9.9/24 -p udp --sport 53 -m state --state NEW,ESTABLISHED,RELATED
+# and quad9s alt
+iptables -A OUTPUT -j ACCEPT -d 149.112.112.112/24 -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A OUTPUT -j ACCEPT -d 149.112.112.112/24 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A INPUT -j ACCEPT -s 149.112.112.112/24 -p tcp --sport 53 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A INPUT -j ACCEPT -s 149.112.112.112/24 -p udp --sport 53 -m state --state NEW,ESTABLISHED,RELATED
+# dns.watch
+iptables -A OUTPUT -j ACCEPT -d 84.200.68.80/24 -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A OUTPUT -j ACCEPT -d 84.200.68.80/24 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A INPUT -j ACCEPT -s 84.200.68.80/24 -p tcp --sport 53 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A INPUT -j ACCEPT -s 84.200.68.80/24 -p udp --sport 53 -m state --state NEW,ESTABLISHED,RELATED
+# dns.watch alt
+iptables -A OUTPUT -j ACCEPT -d 84.200.70.40/24 -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A OUTPUT -j ACCEPT -d 84.200.70.40/24 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A INPUT -j ACCEPT -s 84.200.70.40/24 -p tcp --sport 53 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A INPUT -j ACCEPT -s 84.200.70.40/24 -p udp --sport 53 -m state --state NEW,ESTABLISHED,RELATED
+# -----------------------------------------------------------
+
+# permit local ssh
+iptables -A INPUT -s $SUBNET.0/24 -j ACCEPT -p tcp --dport ssh -m state --state NEW
+iptables -A INPUT -s $SUBNET.0/24 -j ACCEPT -p tcp --sport ssh -m state --state NEW
+iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p tcp --sport ssh -m state --state ESTABLISHED
+iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p tcp --dport ssh -m state --state ESTABLISHED
+
+# permit outgoing http,https,ftp as well for updates and things
+iptables -A OUTPUT -j ACCEPT -p tcp --dport 80 -m state --state NEW,ESTABLISHED
+iptables -A OUTPUT -j ACCEPT -p tcp --dport 443 -m state --state NEW,ESTABLISHED
+iptables -A OUTPUT -j ACCEPT -p tcp --dport 21 -m state --state NEW,ESTABLISHED
+
+# allow pihole ftl
+iptables -A INPUT -s $SUBNET.0/24 -j ACCEPT -p tcp --dport 80 -m state --state NEW
+iptables -A OUTPUT -d 
$SUBNET.0/24 -j ACCEPT -p tcp --sport 80 -m state --state ESTABLISHED
+
+# allow telnet ftl api (port 4711)
+# ----- important: but only originating from our localhost outbound; not in
+iptables -A INPUT -s 127.0.0.1/24 -j ACCEPT -p tcp --dport 4711 -m state --state NEW
+iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p tcp --sport 4711 -m state --state ESTABLISHED
+
+# permit loopback
+iptables -A OUTPUT -j ACCEPT -o lo
+
+# permit established
+iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
+
+# save
+if command -v systemctl >/dev/null 2>&1 ; then
+ if [ -f /etc/sysconfig/iptables ] ; then
+ iptables-save -f /etc/sysconfig/iptables
+ elif [ -f /etc/iptables/iptables.rules ] ; then
+ iptables-save -f /etc/iptables/iptables.rules
+ fi
+elif command -v rc-service >/dev/null 2>&1 ; then
+ /etc/init.d/iptables save
+fi
diff --git a/pihole/lists.md b/pihole/lists/lists.md
similarity index 100%
rename from pihole/lists.md
rename to pihole/lists/lists.md
diff --git a/pihole/nuke-iptables.sh b/pihole/nuke-iptables.sh
new file mode 100755
index 0000000..89e0a14
--- /dev/null
+++ b/pihole/nuke-iptables.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# https://github.com/mitchweaver
+#
+# ever bork your iptable config and need
+# to rule out it being the problem?
+#
+
+ip6tables --policy INPUT ACCEPT;
+ip6tables --policy OUTPUT ACCEPT;
+ip6tables --policy FORWARD ACCEPT;
+
+ip6tables -Z; # zero counters
+ip6tables -F; # flush rules
+ip6tables -X; # delete all chains
+
+iptables --policy INPUT ACCEPT;
+iptables --policy OUTPUT ACCEPT;
+iptables --policy FORWARD ACCEPT;
+
+iptables -Z; # zero counters
+iptables -F; # flush rules
+iptables -X; # delete all chains
diff --git a/pihole/update-pihole.sh b/pihole/update-pihole.sh
new file mode 100755
index 0000000..574a386
--- /dev/null
+++ b/pihole/update-pihole.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+apk update
+apk upgrade --force-missing-repositories
+
+pihole -up
+
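Review bot: The INPUT rules that accept `-m state --state NEW` keyed on source port — `--sport 53` for `$SUBNET.0/24` and for the four upstream ranges, and `--sport ssh` for the LAN — let any host in those ranges open a connection to any local port simply by binding its source port to 53 or 22, which undoes the INPUT DROP policy; replies are already admitted by the final `iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED`, so those `--sport ... NEW` INPUT lines should be deleted outright. The prefix lengths are also wrong: `9.9.9.9/24`, `149.112.112.112/24`, `84.200.68.80/24` and `84.200.70.40/24` each admit a whole /24 rather than one resolver, and `127.0.0.1/24` is 127.0.0.0/24 — use `/32`, or match loopback by interface. There is an `OUTPUT -o lo` accept but no `INPUT -i lo` rule, so the first packet of a local connection to 127.0.0.1:53 is NEW in INPUT, matches nothing, and hits the DROP policy; `iptables -A INPUT -i lo -j ACCEPT` belongs next to the loopback OUTPUT rule. Nothing here touches ip6tables, so IPv6 stays completely unfiltered (and nuke-iptables.sh explicitly sets the v6 policies to ACCEPT); at minimum mirror the three `-P ... DROP` lines with `ip6tables`, adding ICMPv6/neighbour-discovery accepts if the host actually uses v6. `PIHOLE` is assigned and never used.
```sh
# deny all default (v4 and v6 -- ip6tables is otherwise left wide open)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

# loopback both ways and replies to anything we initiated; put these before any NEW rule
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# dns from LAN clients: accept NEW on dport 53 only; never open INPUT by source port
iptables -A INPUT -s $SUBNET.0/24 -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -s $SUBNET.0/24 -p udp --dport 53 -m state --state NEW -j ACCEPT

# dns to quad9 -- single hosts, not /24s; same shape for 149.112.112.112, 84.200.68.80, 84.200.70.40
iptables -A OUTPUT -d 9.9.9.9/32 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d 9.9.9.9/32 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# … unchanged: ssh (drop the --sport ssh NEW INPUT line), http/https/ftp, web UI, 4711, save …
```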
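Review bot: `iptables -F` and `-X` without `-t` act only on the filter table, so nat, mangle and raw rules survive this "nuke" and a bad rule in one of those tables is not ruled out, contrary to the header comment. Loop over the tables instead: `for t in filter nat mangle raw; do iptables -t "$t" -F; iptables -t "$t" -X; done` and the same for `ip6tables`. Since gravity.sh in this patch runs the script as a routine step rather than a debugging aid, it should also announce its effect — `echo 'WARNING: all iptables/ip6tables policies are now ACCEPT; host is unfiltered' >&2` — so a forgotten restore is visible in the output.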
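Review bot: The three steps run unconditionally — if `apk update` or `apk upgrade` fails, `pihole -up` still runs and the script's exit status is that of the last command only, so a broken package upgrade goes unnoticed when this is driven from cron. Add `set -eu` after the shebang (or chain the commands with `&&`). As I read the flag, `--force-missing-repositories` makes `apk upgrade` proceed when a repository index cannot be fetched, which means security updates from that repo are silently skipped; if it is needed for a known-dead repo, a comment naming it and why (`# --force-missing-repositories: <repo> is offline; remove once fixed`) would stop the next reader from assuming it is safe to keep.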