Reformat.

This commit is contained in:
Nolan Darilek 2025-07-21 21:51:29 -04:00
parent c838f1e6e5
commit 075ee4c05f


@ -212,7 +212,7 @@
##############################################################################
# DNS INTERCEPTION - Force all DNS through AdGuard Home
##############################################################################
# Redirect standard DNS queries (port 53) to AdGuard
# Skip packets from the router itself to prevent loops
iptables -t nat -A PREROUTING -i lan -p udp --dport 53 ! -s 192.168.0.1 \
@ -221,7 +221,7 @@
iptables -t nat -A PREROUTING -i lan -p tcp --dport 53 ! -s 192.168.0.1 \
-j DNAT --to-destination 192.168.0.1:53 \
-m comment --comment "Redirect TCP DNS to AdGuard"
# Block any DNS queries that try to bypass AdGuard
iptables -A FORWARD -i lan -p udp --dport 53 ! -d 192.168.0.1 \
-j REJECT --reject-with icmp-port-unreachable \
@ -229,17 +229,17 @@
iptables -A FORWARD -i lan -p tcp --dport 53 ! -d 192.168.0.1 \
-j REJECT --reject-with tcp-reset \
-m comment --comment "Block external TCP DNS"
# Block DNS over TLS (DoT) on port 853
iptables -A FORWARD -i lan -p tcp --dport 853 \
-j REJECT --reject-with tcp-reset \
-m comment --comment "Block DNS over TLS"
# Block DNS over QUIC (DoQ) on UDP port 853
iptables -A FORWARD -i lan -p udp --dport 853 \
-j REJECT --reject-with icmp-port-unreachable \
-m comment --comment "Block DNS over QUIC"
# Block known DNS over HTTPS (DoH) providers
# Google DNS
iptables -A FORWARD -i lan -d 8.8.8.8 -p tcp --dport 443 -j REJECT \
@ -256,7 +256,7 @@
-m comment --comment "Block Quad9 DoH"
iptables -A FORWARD -i lan -d 149.112.112.112 -p tcp --dport 443 -j REJECT \
-m comment --comment "Block Quad9 DoH"
# Optional: Log DNS bypass attempts for monitoring
# iptables -A FORWARD -i lan -p udp --dport 53 -j LOG --log-prefix "DNS-BYPASS: " --log-level warning
# iptables -A FORWARD -i lan -p tcp --dport 853 -j LOG --log-prefix "DoT-ATTEMPT: " --log-level warning
@ -270,7 +270,7 @@
# Clear mangle table rules
iptables -t mangle -F FORWARD 2>/dev/null || true
# Clear NAT rules for DNS interception
iptables -t nat -D PREROUTING -i lan -p udp --dport 53 ! -s 192.168.0.1 -j DNAT --to-destination 192.168.0.1:53 2>/dev/null || true
iptables -t nat -D PREROUTING -i lan -p tcp --dport 53 ! -s 192.168.0.1 -j DNAT --to-destination 192.168.0.1:53 2>/dev/null || true