pihole

pihole/clear_logs.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+systemctl stop pihole-FTL
+rm -f /etc/pihole/pihole-FTL.db
+systemctl start pihole-FTL

pihole/edit-hosts.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+nvim /etc/pihole/pihole.toml
+
+rc-service pihole-FTL restart

pihole/gravity.sh

@@ -0,0 +1,9 @@
+#!/bin/sh -x
+
+
+sh ~/nuke-iptables.sh
+pihole -g
+sh ~/iptables-pihole.sh
+
+echo
+echo "DONE."

pihole/iptables-pihole.sh

@@ -0,0 +1,90 @@
+#!/bin/sh
+#
+# mitchs iptables pihole config
+# -------------------------------------------
+
+# -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
+# variables
+# -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
+SUBNET=192.168.100
+PIHOLE=$SUBNET.200
+# =/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=
+
+# flush
+iptables -F
+
+# deny all default
+iptables -P OUTPUT DROP
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+
+# dns to/from pihole (self)
+iptables -A INPUT -s $SUBNET.0/24 -j ACCEPT -p tcp --dport 53 -m state --state NEW
+iptables -A INPUT -s $SUBNET.0/24 -j ACCEPT -p tcp --sport 53 -m state --state NEW
+iptables -A INPUT -s $SUBNET.0/24 -j ACCEPT -p udp --dport 53 -m state --state NEW
+iptables -A INPUT -s $SUBNET.0/24 -j ACCEPT -p udp --sport 53 -m state --state NEW
+
+iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p tcp --dport 53 -m state --state ESTABLISHED,RELATED
+iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p tcp --sport 53 -m state --state ESTABLISHED,RELATED
+iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p udp --dport 53 -m state --state ESTABLISHED,RELATED
+iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p udp --sport 53 -m state --state ESTABLISHED,RELATED
+
+# -----------------------------------------------------------
+# dns to/from 9.9.9.9
+iptables -A OUTPUT -j ACCEPT -d 9.9.9.9/24 -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A OUTPUT -j ACCEPT -d 9.9.9.9/24 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A INPUT -j ACCEPT -s 9.9.9.9/24 -p tcp --sport 53 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A INPUT -j ACCEPT -s 9.9.9.9/24 -p udp --sport 53 -m state --state NEW,ESTABLISHED,RELATED
+# and quad9s alt
+iptables -A OUTPUT -j ACCEPT -d 149.112.112.112/24 -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A OUTPUT -j ACCEPT -d 149.112.112.112/24 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A INPUT -j ACCEPT -s 149.112.112.112/24 -p tcp --sport 53 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A INPUT -j ACCEPT -s 149.112.112.112/24 -p udp --sport 53 -m state --state NEW,ESTABLISHED,RELATED
+# dns.watch
+iptables -A OUTPUT -j ACCEPT -d 84.200.68.80/24 -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A OUTPUT -j ACCEPT -d 84.200.68.80/24 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A INPUT -j ACCEPT -s 84.200.68.80/24 -p tcp --sport 53 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A INPUT -j ACCEPT -s 84.200.68.80/24 -p udp --sport 53 -m state --state NEW,ESTABLISHED,RELATED
+# dns.watch alt
+iptables -A OUTPUT -j ACCEPT -d 84.200.70.40/24 -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A OUTPUT -j ACCEPT -d 84.200.70.40/24 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A INPUT -j ACCEPT -s 84.200.70.40/24 -p tcp --sport 53 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A INPUT -j ACCEPT -s 84.200.70.40/24 -p udp --sport 53 -m state --state NEW,ESTABLISHED,RELATED
+# -----------------------------------------------------------
+
+# permit local ssh
+iptables -A INPUT -s $SUBNET.0/24 -j ACCEPT -p tcp --dport ssh -m state --state NEW
+iptables -A INPUT -s $SUBNET.0/24 -j ACCEPT -p tcp --sport ssh -m state --state NEW
+iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p tcp --sport ssh -m state --state ESTABLISHED
+iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p tcp --dport ssh -m state --state ESTABLISHED
+
+# permit outgoing http,https,ftp as well for updates and things
+iptables -A OUTPUT -j ACCEPT -p tcp --dport 80 -m state --state NEW,ESTABLISHED
+iptables -A OUTPUT -j ACCEPT -p tcp --dport 443 -m state --state NEW,ESTABLISHED
+iptables -A OUTPUT -j ACCEPT -p tcp --dport 21 -m state --state NEW,ESTABLISHED
+
+# allow pihole ftl
+iptables -A INPUT -s $SUBNET.0/24 -j ACCEPT -p tcp --dport 80 -m state --state NEW
+iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p tcp --sport 80 -m state --state ESTABLISHED
+
+# allow telnet ftl api (port 4711)
+# ----- important: but only originating from our localhost outbound; not in
+iptables -A INPUT -s 127.0.0.1/24 -j ACCEPT -p tcp --dport 4711 -m state --state NEW
+iptables -A OUTPUT -d $SUBNET.0/24 -j ACCEPT -p tcp --sport 4711 -m state --state ESTABLISHED
+
+# permit loopback
+iptables -A OUTPUT -j ACCEPT -o lo
+
+# permit established
+iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
+
+# save
+if command -v systemctl >/dev/null 2>&1 ; then
+	if [ -f /etc/sysconfig/iptables ] ; then
+		iptables-save -f /etc/sysconfig/iptables
+	elif [ -f /etc/iptables/iptables.rules ] ; then
+		iptables-save -f /etc/iptables/iptables.rules
+	fi
+elif command -v rc-service >/dev/null 2>&1 ; then
+	/etc/init.d/iptables save
+fi

pihole/nuke-iptables.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# https://github.com/mitchweaver
+#
+# ever bork your iptable config and need
+# to rule out it being the problem?
+#
+
+ip6tables --policy INPUT   ACCEPT;
+ip6tables --policy OUTPUT  ACCEPT;
+ip6tables --policy FORWARD ACCEPT;
+
+ip6tables -Z; # zero counters
+ip6tables -F; # flush rules
+ip6tables -X; # delete all chains
+
+iptables --policy INPUT   ACCEPT;
+iptables --policy OUTPUT  ACCEPT;
+iptables --policy FORWARD ACCEPT;
+
+iptables -Z; # zero counters
+iptables -F; # flush rules
+iptables -X; # delete all chains

pihole/update-pihole.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+apk update
+apk upgrade --force-missing-repositories
+
+pihole -up
+