Beta2: DNS & NTP Redirect To Exernal Working!

author: root 2022-05-30 15:59:54 +0200
committer: root 2022-05-30 15:59:54 +0200
commit: 6891a04373daa365c35828ce71e047f5f14486e4 (patch)
tree: 20e71951c13407f5b7c49f3c9336fd876bbea666
download: IPFireCustomRules-6891a04373daa365c35828ce71e047f5f14486e4.tar.gz
IPFireCustomRules-6891a04373daa365c35828ce71e047f5f14486e4.tar.bz2
IPFireCustomRules-6891a04373daa365c35828ce71e047f5f14486e4.zip
16 files changed, 766 insertions, 0 deletions
diff --git a/data/backups/firewall.2022_05_30_03_41_PM_1653918107.local b/data/backups/firewall.2022_05_30_03_41_PM_1653918107.local
new file mode 100644
index 0000000..5e4677f
--- /dev/null
+++ b/data/backups/firewall.2022_05_30_03_41_PM_1653918107.local
@@ -0,0 +1,20 @@
+#!/bin/sh
+# Used for private firewall rules
+# See how we were called.
+case "$1" in
+  start)
+        ## add your 'start' rules here
+        ;;
+  stop)
+        ## add your 'stop' rules here
+        ;;
+  reload)
+        $0 stop
+        $0 start
+        ## add your 'reload' rules here
+        ;;
+  *)
+        echo "Usage: $0 {start|stop|reload}"
+        ;;
+esac
diff --git a/data/backups/firewall.2022_05_30_03_42_PM_1653918123.local b/data/backups/firewall.2022_05_30_03_42_PM_1653918123.local
new file mode 100644
index 0000000..5e4677f
--- /dev/null
+++ b/data/backups/firewall.2022_05_30_03_42_PM_1653918123.local
@@ -0,0 +1,20 @@
+#!/bin/sh
+# Used for private firewall rules
+# See how we were called.
+case "$1" in
+  start)
+        ## add your 'start' rules here
+        ;;
+  stop)
+        ## add your 'stop' rules here
+        ;;
+  reload)
+        $0 stop
+        $0 start
+        ## add your 'reload' rules here
+        ;;
+  *)
+        echo "Usage: $0 {start|stop|reload}"
+        ;;
+esac
diff --git a/data/backups/firewall.2022_05_30_03_42_PM_1653918145.local b/data/backups/firewall.2022_05_30_03_42_PM_1653918145.local
new file mode 100644
index 0000000..5e4677f
--- /dev/null
+++ b/data/backups/firewall.2022_05_30_03_42_PM_1653918145.local
@@ -0,0 +1,20 @@
+#!/bin/sh
+# Used for private firewall rules
+# See how we were called.
+case "$1" in
+  start)
+        ## add your 'start' rules here
+        ;;
+  stop)
+        ## add your 'stop' rules here
+        ;;
+  reload)
+        $0 stop
+        $0 start
+        ## add your 'reload' rules here
+        ;;
+  *)
+        echo "Usage: $0 {start|stop|reload}"
+        ;;
+esac
diff --git a/data/backups/firewall.2022_05_30_03_46_PM_1653918417.local b/data/backups/firewall.2022_05_30_03_46_PM_1653918417.local
new file mode 100755
index 0000000..273dab3
--- /dev/null
+++ b/data/backups/firewall.2022_05_30_03_46_PM_1653918417.local
@@ -0,0 +1,50 @@
+#!/bin/sh
+# 
+# IPFire Custom Firewall (icf)
+# 
+# Github: https://github.com/Mnkey
+#
+# Loops over the local "rules.d/" subfolder files
+# Forwarding the (start/stop) command to every file
+# which extension is ".on". To enabled multiple
+# custom firewall rulesets!
+#
+# the configuration of the ipfire custom rules (ipfcr)
+# in the local "rules.d/*" sunfolder, is inside the
+# files themself! 
+#
+# Use this at your OWN RISK.  Not fully supported!
+#
+# License: GPL2 
+#
+# icf v0.1 (c) 30 May 2022 code.monkeycat.com
+#
+# Nuff text...
+pwd=$PWD
+base=${PWD%/*/*}
+case "$1" in
+  start)
+        find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \;
+        ;;
+  stop)
+        find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \;
+        ;;
+  reload)
+        $0 stop
+        $0 start
+        ;;
+   flush)
+        iptables -t nat -F CUSTOMPREROUTING
+        iptables -t nat -F CUSTOMPOSTROUTING
+        iptables -F CUSTOMFORWARD
+        ;;
+  *)
+        echo "Usage: $0 {start|stop|reload|flush}"
+        ;;
+esac
diff --git a/data/backups/firewall.2022_05_30_03_47_PM_1653918430.local b/data/backups/firewall.2022_05_30_03_47_PM_1653918430.local
new file mode 100644
index 0000000..5e4677f
--- /dev/null
+++ b/data/backups/firewall.2022_05_30_03_47_PM_1653918430.local
@@ -0,0 +1,20 @@
+#!/bin/sh
+# Used for private firewall rules
+# See how we were called.
+case "$1" in
+  start)
+        ## add your 'start' rules here
+        ;;
+  stop)
+        ## add your 'stop' rules here
+        ;;
+  reload)
+        $0 stop
+        $0 start
+        ## add your 'reload' rules here
+        ;;
+  *)
+        echo "Usage: $0 {start|stop|reload}"
+        ;;
+esac
diff --git a/data/originals/firewall.local.167 b/data/originals/firewall.local.167
new file mode 100644
index 0000000..5e4677f
--- /dev/null
+++ b/data/originals/firewall.local.167
@@ -0,0 +1,20 @@
+#!/bin/sh
+# Used for private firewall rules
+# See how we were called.
+case "$1" in
+  start)
+        ## add your 'start' rules here
+        ;;
+  stop)
+        ## add your 'stop' rules here
+        ;;
+  reload)
+        $0 stop
+        $0 start
+        ## add your 'reload' rules here
+        ;;
+  *)
+        echo "Usage: $0 {start|stop|reload}"
+        ;;
+esac
diff --git a/data/originals/firewall.looper b/data/originals/firewall.looper
new file mode 100755
index 0000000..4b9d78e
--- /dev/null
+++ b/data/originals/firewall.looper
@@ -0,0 +1,50 @@
+#!/bin/sh
+# 
+# IPFire Custom Rules (icr)
+# 
+# Github: https://github.com/MonkeyCat/IPFireCustomRules
+#
+# Loops over the local "rules.d/" subfolder files
+# Forwarding the (start/stop) command to every file
+# which extension is ".on". To enabled multiple
+# custom firewall rulesets!
+#
+# the configuration of the ipfire custom rules (ipfcr)
+# in the local "rules.d/*" sunfolder, is inside the
+# files themself! 
+#
+# Use this at your OWN RISK.  Not fully supported!
+#
+# License: GPL2 
+#
+# icr v0.1 (c) 30 May 2022 code.monkeycat.com
+#
+# Nuff text...
+pwd=$PWD
+base=${PWD%/*/*}
+case "$1" in
+  start)
+        find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \;
+        ;;
+  stop)
+        find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \;
+        ;;
+  reload)
+        $0 stop
+        $0 start
+        ;;
+   flush)
+        iptables -t nat -F CUSTOMPREROUTING
+        iptables -t nat -F CUSTOMPOSTROUTING
+        iptables -F CUSTOMFORWARD
+        ;;
+  *)
+        echo "Usage: $0 {start|stop|reload|flush}"
+        ;;
+esac
diff --git a/data/originals/firewall.original b/data/originals/firewall.original
new file mode 120000
index 0000000..d6f1586
--- /dev/null
+++ b/data/originals/firewall.original
@@ -0,0 +1 @@
+firewall.local.167
+\ No newline at end of file
diff --git a/data/originals/rules.d/dns_catchall_redirect.custom b/data/originals/rules.d/dns_catchall_redirect.custom
new file mode 100755
index 0000000..6fcd9ef
--- /dev/null
+++ b/data/originals/rules.d/dns_catchall_redirect.custom
@@ -0,0 +1,132 @@
+#!/bin/sh
+#
+# Redirect All DNS Request Traffic To DNS Server on (Internal) Network 
+#
+# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512)
+#
+# Use this at your OWN RISK.  It is not fully supported!
+#       https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2
+#
+# (c) 2022 MonkeyCat.com
+#
+# v0.9 30/May/2022
+# uncomment if you setup this dns ruleset
+#setup=true
+if $setup
+then
+    echo "Please setup your dns server ip, accepted range and if you want logging!"
+    echo "inside dns_catchall_redirect.* file"
+    exit
+fi
+# Our dns server target
+SERVER="10.0.80.2"
+# double negation :-)  see rule (!)
+ONLY_ACCEPT_INTERNAL="10.0.0.0/8"
+LOGGING=true
+# logging prefix            
+PREFIX="DNS"
+PORT=53
+case "$1" in
+  start)
+        ## add your 'start' rules here
+        # dns logging
+        if $LOGGING
+        then
+            echo "$PREFIX Logging Enabled ($SERVER)"
+            # udp
+            iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+            iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+            iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+            iptables -t nat -A CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+            iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+            # tcp
+            iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+            iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+            iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+            iptables -t nat -A CUSTOMPREROUTING  ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+            iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+        fi
+        # dns 
+        echo "$PREFIX Catch All Enabled ($SERVER)"
+        # udp 
+        iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+        iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+        iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+        iptables -t nat -A CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+        iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+        # tcp
+        iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT
+        iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP
+        iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT
+        iptables -t nat -A CUSTOMPREROUTING  ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT
+        iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE
+        ;;
+  stop)
+        ## add your 'stop' rules here
+        # dns logging
+        if $LOGGING
+        then
+            echo $PREFIX Logging Disabled ($SERVER)"
+              # udp
+            iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+            iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+            iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+            iptables -t nat -D CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+            iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+              # tcp
+            iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+            iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+            iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+            iptables -t nat -D CUSTOMPREROUTING  ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+            iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+        fi
+        # dns
+        echo $PREFIX Catch All Disabled ($SERVER)"
+          # udp
+        iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+        iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+        iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+        iptables -t nat -D CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+        iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+          # tcp
+        iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT
+        iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP
+        iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT
+        iptables -t nat -D CUSTOMPREROUTING  ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT
+        iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE
+        ;;
+  reload)
+        $0 stop
+        $0 start
+        ## add your 'reload' rules here
+        ;;
+   flush)
+        iptables -t nat -F CUSTOMPREROUTING
+        iptables -t nat -F CUSTOMPOSTROUTING
+        iptables -F CUSTOMFORWARD
+        ;;
+  *)
+        echo "Usage: $0 {start|stop|reload|flush}"
+        ;;
+esac
diff --git a/data/originals/rules.d/ntp_catchall_redirect.custom b/data/originals/rules.d/ntp_catchall_redirect.custom
new file mode 100755
index 0000000..0810740
--- /dev/null
+++ b/data/originals/rules.d/ntp_catchall_redirect.custom
@@ -0,0 +1,100 @@
+#!/bin/sh
+#
+# Redirect All Time Servers Traffic Request To Time Server on (Internal) Network 
+#
+# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512)
+#
+# Use this at your OWN RISK.  It is not fully supported!
+#       https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2
+#
+# (c) 2022 MonkeyCat.com
+#
+# v1.0a 30/May/2022
+# uncomment if you setup this ntp ruleset
+#setup=true
+if $setup
+then
+    echo "Please setup your time server ip, accepted range and if you want logging!"
+    echo "inside "ntp_catchall_redirect.* file"
+    exit
+fi
+# Our timer server target
+SERVER="10.0.0.5"
+# double negation :-)  see rule (!)
+ONLY_ACCEPT_INTERNAL="10.0.0.0/8"
+LOGGING=false
+# logging prefix
+PREFIX="NTP"
+PORT=123
+case "$1" in
+  start)
+        # ntp logging
+        if $LOGGING
+        then
+            echo "$PREFIX Logging Enabled ($SERVER)"
+            iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE "
+            iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL "
+            iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL "
+            iptables -t nat -A CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE "
+            iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE "
+        fi
+        # ntp 
+        echo "$PREFIX Catch All Enabled ($SERVER)"
+        iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+        iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+        iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+        iptables -t nat -A CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+        iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+        ;;
+  stop)
+        # ntp logging
+        if $LOGGING
+        then
+            echo "$PREFIX Logging Disabled ($SERVER)"
+            iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE "
+            iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL "
+            iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL "
+            iptables -t nat -D CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE "
+            iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE "
+        fi
+        # ntp 
+        echo "$PREFIX Catch All Disabled ($SERVER)"
+        iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+        iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+        iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+        iptables -t nat -D CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+        iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+        ;;
+  reload)
+        $0 stop
+        $0 start
+        ## add your 'reload' rules here
+        ;;
+   flush)
+        iptables -t nat -F CUSTOMPREROUTING
+        iptables -t nat -F CUSTOMPOSTROUTING
+        iptables -F CUSTOMFORWARD
+        ;;
+  *)
+        echo "Usage: $0 {start|stop|reload|flush}"
+        ;;
+esac
diff --git a/data/run/firewall.local b/data/run/firewall.local
new file mode 100755
index 0000000..4b9d78e
--- /dev/null
+++ b/data/run/firewall.local
@@ -0,0 +1,50 @@
+#!/bin/sh
+# 
+# IPFire Custom Rules (icr)
+# 
+# Github: https://github.com/MonkeyCat/IPFireCustomRules
+#
+# Loops over the local "rules.d/" subfolder files
+# Forwarding the (start/stop) command to every file
+# which extension is ".on". To enabled multiple
+# custom firewall rulesets!
+#
+# the configuration of the ipfire custom rules (ipfcr)
+# in the local "rules.d/*" sunfolder, is inside the
+# files themself! 
+#
+# Use this at your OWN RISK.  Not fully supported!
+#
+# License: GPL2 
+#
+# icr v0.1 (c) 30 May 2022 code.monkeycat.com
+#
+# Nuff text...
+pwd=$PWD
+base=${PWD%/*/*}
+case "$1" in
+  start)
+        find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \;
+        ;;
+  stop)
+        find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \;
+        ;;
+  reload)
+        $0 stop
+        $0 start
+        ;;
+   flush)
+        iptables -t nat -F CUSTOMPREROUTING
+        iptables -t nat -F CUSTOMPOSTROUTING
+        iptables -F CUSTOMFORWARD
+        ;;
+  *)
+        echo "Usage: $0 {start|stop|reload|flush}"
+        ;;
+esac
diff --git a/install b/install
new file mode 100755
index 0000000..d16dbfa
--- /dev/null
+++ b/install
@@ -0,0 +1,28 @@
+#!/bin/sh
+# backup... tjust in case...
+echo "Backup of firewall.local -> $PWD/data/backups/firewall.$(date +"%Y_%m_%d_%I_%M_%p_%s").local"
+mkdir -p $PWD/data/backups
+cp /etc/sysconfig/firewall.local $PWD/data/backups/firewall.$(date +"%Y_%m_%d_%I_%M_%p_%s").local
+# Another backup!
+echo "Backup of firewall.local -> firewall.local.old"
+cp -PL /etc/sysconfig/firewall.local /etc/sysconfig/firewall.local.old
+# iterator
+if [[ ! -L "/etc/sysconfig/firewall.local" ]] ; then
+    echo "Linking IPFire Custom Firewall Rules Looper"
+    echo "Installing $PWD/data/executable/firewall.local -> /etc/sysconfig/firewall.local"
+    rm /etc/sysconfig/firewall.local
+    cp $PWD/data/originals/firewall.looper $PWD/data/run/firewall.local
+    ln -s $PWD/data/run/firewall.local /etc/sysconfig/firewall.local
+fi
+# rules!
+if [[ ! -L "/etc/sysconfig/rules.d" ]] ; then
+    echo "Linking IPFire Custom Firewall Rules"
+    echo "Installing $PWD/rules.d/ -> /etc/sysconfig/rules.d"
+    ln -s $PWD/rules.d /etc/sysconfig/rules.d
+fi
diff --git a/renew b/renew
new file mode 100755
index 0000000..28282f2
--- /dev/null
+++ b/renew
@@ -0,0 +1,2 @@
+#!/bin/sh
+/etc/init.d/firewall reload
diff --git a/rules.d/dns_catchall_redirect.on b/rules.d/dns_catchall_redirect.on
new file mode 100755
index 0000000..6fcd9ef
--- /dev/null
+++ b/rules.d/dns_catchall_redirect.on
@@ -0,0 +1,132 @@
+#!/bin/sh
+#
+# Redirect All DNS Request Traffic To DNS Server on (Internal) Network 
+#
+# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512)
+#
+# Use this at your OWN RISK.  It is not fully supported!
+#       https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2
+#
+# (c) 2022 MonkeyCat.com
+#
+# v0.9 30/May/2022
+# uncomment if you setup this dns ruleset
+#setup=true
+if $setup
+then
+    echo "Please setup your dns server ip, accepted range and if you want logging!"
+    echo "inside dns_catchall_redirect.* file"
+    exit
+fi
+# Our dns server target
+SERVER="10.0.80.2"
+# double negation :-)  see rule (!)
+ONLY_ACCEPT_INTERNAL="10.0.0.0/8"
+LOGGING=true
+# logging prefix            
+PREFIX="DNS"
+PORT=53
+case "$1" in
+  start)
+        ## add your 'start' rules here
+        # dns logging
+        if $LOGGING
+        then
+            echo "$PREFIX Logging Enabled ($SERVER)"
+            # udp
+            iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+            iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+            iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+            iptables -t nat -A CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+            iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+            # tcp
+            iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+            iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+            iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+            iptables -t nat -A CUSTOMPREROUTING  ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+            iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+        fi
+        # dns 
+        echo "$PREFIX Catch All Enabled ($SERVER)"
+        # udp 
+        iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+        iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+        iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+        iptables -t nat -A CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+        iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+        # tcp
+        iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT
+        iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP
+        iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT
+        iptables -t nat -A CUSTOMPREROUTING  ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT
+        iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE
+        ;;
+  stop)
+        ## add your 'stop' rules here
+        # dns logging
+        if $LOGGING
+        then
+            echo $PREFIX Logging Disabled ($SERVER)"
+              # udp
+            iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+            iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+            iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+            iptables -t nat -D CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+            iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+              # tcp
+            iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+            iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+            iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+            iptables -t nat -D CUSTOMPREROUTING  ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+            iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+        fi
+        # dns
+        echo $PREFIX Catch All Disabled ($SERVER)"
+          # udp
+        iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+        iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+        iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+        iptables -t nat -D CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+        iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+          # tcp
+        iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT
+        iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP
+        iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT
+        iptables -t nat -D CUSTOMPREROUTING  ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT
+        iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE
+        ;;
+  reload)
+        $0 stop
+        $0 start
+        ## add your 'reload' rules here
+        ;;
+   flush)
+        iptables -t nat -F CUSTOMPREROUTING
+        iptables -t nat -F CUSTOMPOSTROUTING
+        iptables -F CUSTOMFORWARD
+        ;;
+  *)
+        echo "Usage: $0 {start|stop|reload|flush}"
+        ;;
+esac
diff --git a/rules.d/ntp_catchall_redirect.on b/rules.d/ntp_catchall_redirect.on
new file mode 100755
index 0000000..0810740
--- /dev/null
+++ b/rules.d/ntp_catchall_redirect.on
@@ -0,0 +1,100 @@
+#!/bin/sh
+#
+# Redirect All Time Servers Traffic Request To Time Server on (Internal) Network 
+#
+# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512)
+#
+# Use this at your OWN RISK.  It is not fully supported!
+#       https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2
+#
+# (c) 2022 MonkeyCat.com
+#
+# v1.0a 30/May/2022
+# uncomment if you setup this ntp ruleset
+#setup=true
+if $setup
+then
+    echo "Please setup your time server ip, accepted range and if you want logging!"
+    echo "inside "ntp_catchall_redirect.* file"
+    exit
+fi
+# Our timer server target
+SERVER="10.0.0.5"
+# double negation :-)  see rule (!)
+ONLY_ACCEPT_INTERNAL="10.0.0.0/8"
+LOGGING=false
+# logging prefix
+PREFIX="NTP"
+PORT=123
+case "$1" in
+  start)
+        # ntp logging
+        if $LOGGING
+        then
+            echo "$PREFIX Logging Enabled ($SERVER)"
+            iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE "
+            iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL "
+            iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL "
+            iptables -t nat -A CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE "
+            iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE "
+        fi
+        # ntp 
+        echo "$PREFIX Catch All Enabled ($SERVER)"
+        iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+        iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+        iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+        iptables -t nat -A CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+        iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+        ;;
+  stop)
+        # ntp logging
+        if $LOGGING
+        then
+            echo "$PREFIX Logging Disabled ($SERVER)"
+            iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE "
+            iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL "
+            iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL "
+            iptables -t nat -D CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE "
+            iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE "
+        fi
+        # ntp 
+        echo "$PREFIX Catch All Disabled ($SERVER)"
+        iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+        iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+        iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+        iptables -t nat -D CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+        iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+        ;;
+  reload)
+        $0 stop
+        $0 start
+        ## add your 'reload' rules here
+        ;;
+   flush)
+        iptables -t nat -F CUSTOMPREROUTING
+        iptables -t nat -F CUSTOMPOSTROUTING
+        iptables -F CUSTOMFORWARD
+        ;;
+  *)
+        echo "Usage: $0 {start|stop|reload|flush}"
+        ;;
+esac
diff --git a/uninstall b/uninstall
new file mode 100755
index 0000000..121a753
--- /dev/null
+++ b/uninstall
@@ -0,0 +1,21 @@
+#!/bin/sh
+# backup... tjust in case...
+echo "Backup of firewall.local -> $PWD/data/backups/firewall.$(date +"%Y_%m_%d_%I_%M_%p_%s").local"
+mkdir -p $PWD/data/backups
+cp /etc/sysconfig/firewall.local $PWD/data/backups/firewall.$(date +"%Y_%m_%d_%I_%M_%p_%s").local
+# Another backup!
+echo "Backup of firewall.local -> firewall.local.old"
+cp -PL /etc/sysconfig/firewall.local /etc/sysconfig/firewall.local.old
+rm /etc/sysconfig/firewall.local
+# Removing rules symbolic link
+echo "Removing IPFire Custom Firewall Rules"
+if [[ -L "/etc/sysconfig/rules.d" ]] ; then
+    rm /etc/sysconfig/rules.d
+fi
+echo "Removing IPFire Custom Firewall Rules Looper"
+echo "Restore of $PWD/data/originals/firewall.original /etc/sysconfig/firewall.local"
+cp $PWD/data/originals/firewall.original /etc/sysconfig/firewall.local
author	root	2022-05-30 15:59:54 +0200
committer	root	2022-05-30 15:59:54 +0200
commit	6891a04373daa365c35828ce71e047f5f14486e4 (patch)
tree	20e71951c13407f5b7c49f3c9336fd876bbea666
download	IPFireCustomRules-6891a04373daa365c35828ce71e047f5f14486e4.tar.gz IPFireCustomRules-6891a04373daa365c35828ce71e047f5f14486e4.tar.bz2 IPFireCustomRules-6891a04373daa365c35828ce71e047f5f14486e4.zip