authorroot2022-05-30 15:59:54 +0200
committerroot2022-05-30 15:59:54 +0200
commit6891a04373daa365c35828ce71e047f5f14486e4 (patch)
tree20e71951c13407f5b7c49f3c9336fd876bbea666 /data/originals/rules.d
Beta2: DNS & NTP Redirect To Exernal Working!
Diffstat (limited to 'data/originals/rules.d')
-rwxr-xr-xdata/originals/rules.d/dns_catchall_redirect.custom132
-rwxr-xr-xdata/originals/rules.d/ntp_catchall_redirect.custom100
2 files changed, 232 insertions, 0 deletions
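--- /dev/null
+++ b/data/originals/rules.d/dns_catchall_redirect.custom
@@ -0,0 +1,132 @@
+#!/bin/sh
+#
+# Redirect All DNS Request Traffic To DNS Server on (Internal) Network
+#
+# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512)
+#
+# Use this at your OWN RISK. It is not fully supported!
+# https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2
+#
+# (c) 2022 MonkeyCat.com
+#
+# v0.9 30/May/2022
+
+
+# uncomment if you setup this dns ruleset
+#setup=true
+
+
+
+if $setup
+then
+ echo "Please setup your dns server ip, accepted range and if you want logging!"
+ echo "inside dns_catchall_redirect.* file"
+ exit
+fi
+
+# Our dns server target
+SERVER="10.0.80.2"
+
+# double negation :-) see rule (!)
+ONLY_ACCEPT_INTERNAL="10.0.0.0/8"
+
+LOGGING=true
+
+
+
+# logging prefix
+PREFIX="DNS"
+PORT=53
+
+case "$1" in
+ start)
+ ## add your 'start' rules here
+
+ # dns logging
+ if $LOGGING
+ then
+ echo "$PREFIX Logging Enabled ($SERVER)"
+ # udp
+ iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+ iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+ iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+ iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+ iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+ # tcp
+ iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+ iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+ iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+ iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+ iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+ fi
+
+ # dns
+ echo "$PREFIX Catch All Enabled ($SERVER)"
+ # udp
+ iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+ iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+ iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+ iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+ iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+ # tcp
+ iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT
+ iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP
+ iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT
+ iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT
+ iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE
+
+ ;;
+ stop)
+ ## add your 'stop' rules here
+
+
+ # dns logging
+ if $LOGGING
+ then
+ echo $PREFIX Logging Disabled ($SERVER)"
+ # udp
+ iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+ iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+ iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+ iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+ iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+ # tcp
+ iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+ iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+ iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+ iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+ iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+ fi
+
+ # dns
+ echo $PREFIX Catch All Disabled ($SERVER)"
+ # udp
+ iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+ iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+ iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+ iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+ iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+ # tcp
+ iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT
+ iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP
+ iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT
+ iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT
+ iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE
+
+ ;;
+ reload)
+ $0 stop
+ $0 start
+ ## add your 'reload' rules here
+
+ ;;
+ flush)
+ iptables -t nat -F CUSTOMPREROUTING
+ iptables -t nat -F CUSTOMPOSTROUTING
+ iptables -F CUSTOMFORWARD
+
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload|flush}"
+ ;;
+esac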
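Review bot: The `stop` branch is not valid sh as written: hunk lines 86 and 102 read `echo $PREFIX Logging Disabled ($SERVER)"` and `echo $PREFIX Catch All Disabled ($SERVER)"` with no opening quote, so the bare `(` is a syntax error and, since the whole `case` is parsed before any branch runs, every action including `start` fails; the lines should be `echo "$PREFIX Logging Disabled ($SERVER)"` and `echo "$PREFIX Catch All Disabled ($SERVER)"`. Every LOG rule (lines 50–60 and 88–98) passes `"$PREFIX_ACCEPT_PRIVATE "`, which the shell reads as the single, unset variable `PREFIX_ACCEPT_PRIVATE`, so all five rule types are logged with a blank prefix and cannot be told apart in the firewall log; write `"${PREFIX}_ACCEPT_PRIVATE "` (and the same for the other four suffixes) — this also applies to ntp_catchall_redirect.custom. The `if $setup` guard at line 20 appears to exit in both states: an unset `setup` expands to an empty command, which succeeds in sh, and `setup=true` succeeds as well, so the rules are never installed unless the user writes `setup=false`; something like `if [ "${setup:-false}" != true ]` with `exit 1` matches the comment on line 15 (same guard in the NTP file). The POSTROUTING MASQUERADE rules (lines 70 and 76) rewrite the source of every redirected query to the firewall, so the DNS server's own logs lose the client address; that is a deliberate trade-off but deserves a comment such as `# MASQUERADE hides the original client IP from $SERVER`. `flush` (lines 124–126) empties the shared CUSTOMFORWARD/CUSTOMPREROUTING/CUSTOMPOSTROUTING chains, which also removes the NTP script's rules, whereas `stop` is the per-script teardown — worth stating in the usage text.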
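--- /dev/null
+++ b/data/originals/rules.d/ntp_catchall_redirect.custom
@@ -0,0 +1,100 @@
+#!/bin/sh
+#
+# Redirect All Time Servers Traffic Request To Time Server on (Internal) Network
+#
+# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512)
+#
+# Use this at your OWN RISK. It is not fully supported!
+# https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2
+#
+# (c) 2022 MonkeyCat.com
+#
+# v1.0a 30/May/2022
+
+
+# uncomment if you setup this ntp ruleset
+#setup=true
+
+
+
+if $setup
+then
+ echo "Please setup your time server ip, accepted range and if you want logging!"
+ echo "inside "ntp_catchall_redirect.* file"
+ exit
+fi
+
+# Our timer server target
+SERVER="10.0.0.5"
+
+# double negation :-) see rule (!)
+ONLY_ACCEPT_INTERNAL="10.0.0.0/8"
+
+LOGGING=false
+
+
+
+# logging prefix
+PREFIX="NTP"
+PORT=123
+
+case "$1" in
+ start)
+ # ntp logging
+ if $LOGGING
+ then
+ echo "$PREFIX Logging Enabled ($SERVER)"
+ iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE "
+ iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL "
+ iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL "
+ iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE "
+ iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE "
+ fi
+
+ # ntp
+ echo "$PREFIX Catch All Enabled ($SERVER)"
+ iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+ iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+
+ iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+ iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+ iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+
+ ;;
+ stop)
+ # ntp logging
+ if $LOGGING
+ then
+ echo "$PREFIX Logging Disabled ($SERVER)"
+ iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE "
+ iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL "
+ iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL "
+ iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE "
+ iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE "
+ fi
+
+ # ntp
+ echo "$PREFIX Catch All Disabled ($SERVER)"
+ iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+ iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+ iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+ iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+ iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+
+ ;;
+ reload)
+ $0 stop
+ $0 start
+ ## add your 'reload' rules here
+
+ ;;
+ flush)
+ iptables -t nat -F CUSTOMPREROUTING
+ iptables -t nat -F CUSTOMPOSTROUTING
+ iptables -F CUSTOMFORWARD
+
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload|flush}"
+ ;;
+esac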
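Review bot: The double quotes in this file are unbalanced, so sh will not parse it as shown: hunk line 23 `echo "inside "ntp_catchall_redirect.* file"` closes the string after `inside `, leaves `ntp_catchall_redirect.*` as an unquoted glob, and the quote opened at `file"` runs on into the following lines; it should read `echo "inside ntp_catchall_redirect.* file"`. Each LOG rule at lines 47–51 and 69–73 has the same shape with `--log-prefix ""$PREFIX_ACCEPT_PRIVATE "`: the `""` is an empty string, the expansion is unquoted, and the trailing `"` opens a string that only closes on the next line, so the rule arguments are garbled; `--log-prefix "${PREFIX}_ACCEPT_PRIVATE "` (and likewise for the other four suffixes) is the intended form. The `if $setup` guard, the blank-prefix expansion and the shared-chain `flush` noted on dns_catchall_redirect.custom apply to this file unchanged. The commit title says the redirect is working, so the copy that was tested may differ from the one committed here — worth verifying with `sh -n` before merge.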