Why do some sites take forever to load when using Pi-hole? (for versions < v4.0)

Thanks! I had this issue too. Weirdly, your sudo bash -c "iptables-save > /etc/pihole/rules.v4" command works, but when I try the V6 version I get the following:

-bash: /etc/pihole/rules.v6”: Permission denied

I should note that I don't have the ULA option on my router, and I'm using PiHole as my DHCP server with IPv6 support disabled... Guess that might have something to do with it?

Thanks TurtleRecall,

Trying that syntax worked for me:

root@raspberrypi:/opt# sudo bash -c iptables-save > /etc/pihole/rules.v4
root@raspberrypi:/opt# sudo bash -c iptables-save > /etc/pihole/rules.v6

I also do not have IPv6 enabled and my router does not have the ULA option (in fact, in my router I have IPv6 disabled completely), but I am activating the rules in order to see if it assists with the slow loading of some websites, without enabling ULA since I do not see an option for it in my router.


Great! Weirdly, I'd been trying to reply to aws1971. I realised the reason the commands I was trying weren't working was because the v6 version was getting pasted into Putty with italic quotes?! No idea how I managed that, but both now saved using aws1971's version:

sudo bash -c "iptables-save > /etc/pihole/rules.v4"
sudo bash -c "iptables-save > /etc/pihole/rules.v6"

Running 3.2.1 but still seeing the IPv6 mismatch in setupVars.conf.

Here's an updated version of a script that runs hourly to compare the IPv6 values and update the config if necessary:

Can you make a RHEL version that is easy to read and apply?

Thank you

I made a fresh installation on raspbian stretch and had some issues with saving the iptables correctly. Here is how I fixed it:

ssh-login as pi
sudo su (to get root)

copy/paste and run each of these commands as suggested in the blog post:

iptables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp-port-unreachable

ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp6-port-unreachable
ip6tables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp6-port-unreachable

exit to get pi again

then instead of the iptables-save commands I ran

sudo apt install iptables-persistent

and was asked whether I wanted to save the current settings. This was the only way I managed to get the rules persistent. You can check the currently used rules with

sudo iptables -L
sudo ip6tables -L


I'm running Pi-hole 3.3 and my router has ULA enabled however I still have this issue. I have tried the iptables solutions posted but this made no difference. In the end I just copied and pasted the ULA from my router config page into setupVars.conf which has solved it for now.

Here are the rich rule versions for anyone that is using firewalld

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port port=443 protocol=tcp reject type=tcp-reset'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port port=80 protocol=udp reject type=icmp-port-unreachable'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port port=443 protocol=udp reject type=icmp-port-unreachable'


firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" port port=443 protocol=tcp reject type=tcp-reset'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" port port=80 protocol=udp reject type=icmp6-port-unreachable'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" port port=443 protocol=udp reject type=icmp6-port-unreachable'

Update IPv6 commands, thanks @weust


This is actually what you are supposed to do, but I see that bit of information is difficult to discern from the OP. I will update that. When you add it to your setupVars.conf, that address will be used next time you update the ad lists, and thus used by your Pi-hole, preventing the timeouts.


The last two lines aren't working. They need to be like this:

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" port port=80 protocol=udp reject type=icmp6-port-unreachable'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" port port=443 protocol=udp reject type=icmp6-port-unreachable'

6 added to icmp6-etc

It's only necessary to create the directory iptables inside of /etc to get the full path /etc/iptables

Updated my post, thanks.

Note that within the FTLDNS beta testing branches, there is a new option available that allows NXDOMAIN blocking. This should solve all these problems if you're willing to try it out.

@DL6ER
Thank you for the hint. Where can I find the README of the FTLDNS branch?

https://github.com/pi-hole/FTL/tree/FTLDNS#ftls-config-file

I think we'll be writing a blog post about this, too. Would be cool if someone in here could already confirm that it is a solution for this problem.

Just wanted to give some feedback on the new FTLDNS branch which I'm now running as my main DNS.

After changing to BLOCKINGMODE=NXDOMAIN (it took me a while to locate the readme for this, which if anyone else needs is here: https://github.com/pi-hole/FTL/blob/FTLDNS/README.md ) I'm finding that unexplained delays in page loading have gone and that everything is now loading really quickly. For me personally the NXDOMAIN solution seems preferable to the previous pihole IP solution.

Well done to the developers!


I inserted BLOCKINGMODE=NXDOMAIN into my /etc/pihole/pihole-FTL.conf and restarted the FTL service. But there is no recognizable change. A ping to a blocked DNS name still resolved to the local IP.

Yes - I ran into that problem initially, but then pihole -up found an update which fixed it for me.

I tried, but updates don't work:

  [i] Checking for updates...
  [i] Pi-hole Core:	up to date
  [i] Web Interface:	up to date
curl: (22) The requested URL returned error: 404 Not Found
  [i] FTL:		update available

  [i] Downloading and Installing FTL...curl: (22) The requested URL returned error: 404 Not Found
  [✗] Downloading and Installing FTL
      Error: URL not found
  [✗] FTL Engine not installed.
  [i] Restarting services...

I can't advise on that, but for me (checked just now):

    pi@RPi3-DNS:~ $ pihole -up
      [i] Checking for updates...
      [i] Pi-hole Core:     up to date
      [i] Web Interface:    up to date
      [i] FTL:              up to date

      [✓] Everything is up to date!

so maybe something else is broken...