#!/bin/sh
#
# Redirect All DNS Request Traffic To DNS Server on (Internal) Network 
#
# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512)
#
# Use this at your OWN RISK.  It is not fully supported!
#	https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2
#
# (c) 2022 MonkeyCat.com
#
# v0.9 30/May/2022


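# Uncomment once SERVER, ONLY_ACCEPT_INTERNAL and LOGGING below have been
# adjusted to your network; while it stays commented the script prints the
# reminder and installs nothing.
#setup=true

# The value has to be compared explicitly.  A bare `if $setup` expands to an
# empty command when the variable is unset, and an empty command succeeds, so
# that form fired in both the configured and the unconfigured case and the
# rules below were never reached.
if [ "${setup:-false}" != true ]; then
  echo "Please setup your dns server ip, accepted range and if you want logging!" >&2
  echo "inside dns_catchall_redirect.* file" >&2
  exit
fi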

# Internal resolver every redirected port-53 packet is sent to
SERVER="10.0.80.2"

# Only sources inside this range may reach port 53 through the FORWARD chain;
# the rules match it with "! -s", hence the double negative.
ONLY_ACCEPT_INTERNAL="10.0.0.0/8"

# Plain DNS only -- DoT (853) and DoH (443) are not covered by this rule set
PORT=53

# true/false: also install a LOG rule mirroring each ACCEPT/DROP/DNAT/MASQUERADE
LOGGING=true

# Tag placed in front of every --log-prefix
PREFIX="DNS"

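#######################################
# Install (-A) or remove (-D) the LOG rules that shadow each catch-all rule.
# Arguments: $1 - iptables action, -A on start or -D on stop
#            $2 - protocol, udp or tcp
# Globals:   SERVER, ONLY_ACCEPT_INTERNAL, PORT, PREFIX (read)
#######################################
dns_log_rules() {
  _act=$1
  _proto=$2
  # ${PREFIX}_... needs the braces: "$PREFIX_ACCEPT_PRIVATE" is the (unset)
  # variable PREFIX_ACCEPT_PRIVATE, which left every log line without a prefix.
  iptables "$_act" CUSTOMFORWARD -p "$_proto" --dport "$PORT" -s "$SERVER" -j LOG --log-prefix "${PREFIX}_ACCEPT_PRIVATE "
  iptables "$_act" CUSTOMFORWARD ! -s "$ONLY_ACCEPT_INTERNAL" -p "$_proto" --dport "$PORT" -j LOG --log-prefix "${PREFIX}_DROP_EXTERNAL "
  iptables "$_act" CUSTOMFORWARD ! -s "$SERVER" -p "$_proto" --dport "$PORT" -j LOG --log-prefix "${PREFIX}_ACCEPT_INTERNAL "
  iptables -t nat "$_act" CUSTOMPREROUTING ! -s "$SERVER" -p "$_proto" --dport "$PORT" -j LOG --log-prefix "${PREFIX}_PREROUTE "
  iptables -t nat "$_act" CUSTOMPOSTROUTING ! -s "$SERVER" -p "$_proto" --dport "$PORT" -d "$SERVER" -j LOG --log-prefix "${PREFIX}_POSTROUTE "
}

#######################################
# Install (-A) or remove (-D) the catch-all rules for one protocol.
# Arguments: $1 - iptables action, -A on start or -D on stop
#            $2 - protocol, udp or tcp
# Globals:   SERVER, ONLY_ACCEPT_INTERNAL, PORT (read)
#######################################
dns_rules() {
  _act=$1
  _proto=$2
  # FORWARD: let the resolver's own port-53 traffic through, drop port-53
  # traffic from outside ONLY_ACCEPT_INTERNAL, then accept the remaining
  # (internal) clients.  The DROP must stay ahead of the final ACCEPT.
  iptables "$_act" CUSTOMFORWARD -p "$_proto" --dport "$PORT" -s "$SERVER" -j ACCEPT
  iptables "$_act" CUSTOMFORWARD ! -s "$ONLY_ACCEPT_INTERNAL" -p "$_proto" --dport "$PORT" -j DROP
  iptables "$_act" CUSTOMFORWARD ! -s "$SERVER" -p "$_proto" --dport "$PORT" -j ACCEPT
  # PREROUTING: rewrite the destination of every port-53 packet not sent by
  # the resolver itself so it lands on SERVER.
  # NOTE(review): the DROP above only covers the FORWARD path; whether this
  # chain also sees DNS addressed to the firewall itself depends on how IPFire
  # hooks CUSTOMPREROUTING -- confirm before relying on it.
  iptables -t nat "$_act" CUSTOMPREROUTING ! -s "$SERVER" -p "$_proto" --dport "$PORT" -j DNAT --to "$SERVER:$PORT"
  # POSTROUTING: MASQUERADE rewrites the client source address as well, so the
  # resolver's own logs show the firewall rather than the querying host; the
  # LOG rules in dns_log_rules are the only record of which client was redirected.
  iptables -t nat "$_act" CUSTOMPOSTROUTING ! -s "$_SERVER_UNSET_GUARD$SERVER" -p "$_proto" --dport "$PORT" -d "$SERVER" -j MASQUERADE
}

case "$1" in
  start)
    ## add your 'start' rules here
    if [ "$LOGGING" = true ]; then
      echo "$PREFIX Logging Enabled ($SERVER)"
      dns_log_rules -A udp
      dns_log_rules -A tcp
    fi
    echo "$PREFIX Catch All Enabled ($SERVER)"
    dns_rules -A udp
    dns_rules -A tcp
    ;;
  stop)
    ## add your 'stop' rules here
    # -D removes by rule spec, so LOGGING must still hold the value it had at
    # start; otherwise the LOG rules stay installed until a flush.
    if [ "$LOGGING" = true ]; then
      echo "$PREFIX Logging Disabled ($SERVER)"
      dns_log_rules -D udp
      dns_log_rules -D tcp
    fi
    echo "$PREFIX Catch All Disabled ($SERVER)"
    dns_rules -D udp
    dns_rules -D tcp
    ;;
  reload)
    "$0" stop
    "$0" start
    ## add your 'reload' rules here
    ;;
  flush)
    # Empties the three custom chains entirely -- including any rules other
    # custom scripts may have placed there, not just the ones above.
    iptables -t nat -F CUSTOMPREROUTING
    iptables -t nat -F CUSTOMPOSTROUTING
    iptables -F CUSTOMFORWARD
    ;;
  *)
    echo "Usage: $0 {start|stop|reload|flush}" >&2
    ;;
esac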