diff options
author | root | 2022-05-30 15:59:54 +0200 |
---|---|---|
committer | root | 2022-05-30 15:59:54 +0200 |
commit | 6891a04373daa365c35828ce71e047f5f14486e4 (patch) | |
tree | 20e71951c13407f5b7c49f3c9336fd876bbea666 /data | |
download | IPFireCustomRules-6891a04373daa365c35828ce71e047f5f14486e4.tar.gz IPFireCustomRules-6891a04373daa365c35828ce71e047f5f14486e4.tar.bz2 IPFireCustomRules-6891a04373daa365c35828ce71e047f5f14486e4.zip |
Beta2: DNS & NTP Redirect To Exernal Working!
Diffstat (limited to 'data')
-rw-r--r-- | data/backups/firewall.2022_05_30_03_41_PM_1653918107.local | 20 | ||||
-rw-r--r-- | data/backups/firewall.2022_05_30_03_42_PM_1653918123.local | 20 | ||||
-rw-r--r-- | data/backups/firewall.2022_05_30_03_42_PM_1653918145.local | 20 | ||||
-rwxr-xr-x | data/backups/firewall.2022_05_30_03_46_PM_1653918417.local | 50 | ||||
-rw-r--r-- | data/backups/firewall.2022_05_30_03_47_PM_1653918430.local | 20 | ||||
-rw-r--r-- | data/originals/firewall.local.167 | 20 | ||||
-rwxr-xr-x | data/originals/firewall.looper | 50 | ||||
l--------- | data/originals/firewall.original | 1 | ||||
-rwxr-xr-x | data/originals/rules.d/dns_catchall_redirect.custom | 132 | ||||
-rwxr-xr-x | data/originals/rules.d/ntp_catchall_redirect.custom | 100 | ||||
-rwxr-xr-x | data/run/firewall.local | 50 |
11 files changed, 483 insertions, 0 deletions
diff --git a/data/backups/firewall.2022_05_30_03_41_PM_1653918107.local b/data/backups/firewall.2022_05_30_03_41_PM_1653918107.local new file mode 100644 index 0000000..5e4677f --- /dev/null +++ b/data/backups/firewall.2022_05_30_03_41_PM_1653918107.local | |||
@@ -0,0 +1,20 @@ | |||
1 | #!/bin/sh | ||
2 | # Used for private firewall rules | ||
3 | |||
4 | # See how we were called. | ||
5 | case "$1" in | ||
6 | start) | ||
7 | ## add your 'start' rules here | ||
8 | ;; | ||
9 | stop) | ||
10 | ## add your 'stop' rules here | ||
11 | ;; | ||
12 | reload) | ||
13 | $0 stop | ||
14 | $0 start | ||
15 | ## add your 'reload' rules here | ||
16 | ;; | ||
17 | *) | ||
18 | echo "Usage: $0 {start|stop|reload}" | ||
19 | ;; | ||
20 | esac | ||
diff --git a/data/backups/firewall.2022_05_30_03_42_PM_1653918123.local b/data/backups/firewall.2022_05_30_03_42_PM_1653918123.local new file mode 100644 index 0000000..5e4677f --- /dev/null +++ b/data/backups/firewall.2022_05_30_03_42_PM_1653918123.local | |||
@@ -0,0 +1,20 @@ | |||
1 | #!/bin/sh | ||
2 | # Used for private firewall rules | ||
3 | |||
4 | # See how we were called. | ||
5 | case "$1" in | ||
6 | start) | ||
7 | ## add your 'start' rules here | ||
8 | ;; | ||
9 | stop) | ||
10 | ## add your 'stop' rules here | ||
11 | ;; | ||
12 | reload) | ||
13 | $0 stop | ||
14 | $0 start | ||
15 | ## add your 'reload' rules here | ||
16 | ;; | ||
17 | *) | ||
18 | echo "Usage: $0 {start|stop|reload}" | ||
19 | ;; | ||
20 | esac | ||
diff --git a/data/backups/firewall.2022_05_30_03_42_PM_1653918145.local b/data/backups/firewall.2022_05_30_03_42_PM_1653918145.local new file mode 100644 index 0000000..5e4677f --- /dev/null +++ b/data/backups/firewall.2022_05_30_03_42_PM_1653918145.local | |||
@@ -0,0 +1,20 @@ | |||
1 | #!/bin/sh | ||
2 | # Used for private firewall rules | ||
3 | |||
4 | # See how we were called. | ||
5 | case "$1" in | ||
6 | start) | ||
7 | ## add your 'start' rules here | ||
8 | ;; | ||
9 | stop) | ||
10 | ## add your 'stop' rules here | ||
11 | ;; | ||
12 | reload) | ||
13 | $0 stop | ||
14 | $0 start | ||
15 | ## add your 'reload' rules here | ||
16 | ;; | ||
17 | *) | ||
18 | echo "Usage: $0 {start|stop|reload}" | ||
19 | ;; | ||
20 | esac | ||
diff --git a/data/backups/firewall.2022_05_30_03_46_PM_1653918417.local b/data/backups/firewall.2022_05_30_03_46_PM_1653918417.local new file mode 100755 index 0000000..273dab3 --- /dev/null +++ b/data/backups/firewall.2022_05_30_03_46_PM_1653918417.local | |||
@@ -0,0 +1,50 @@ | |||
1 | #!/bin/sh | ||
2 | # | ||
3 | # IPFire Custom Firewall (icf) | ||
4 | # | ||
5 | # Github: https://github.com/Mnkey | ||
6 | # | ||
7 | # Loops over the local "rules.d/" subfolder files | ||
8 | # Forwarding the (start/stop) command to every file | ||
9 | # which extension is ".on". To enabled multiple | ||
10 | # custom firewall rulesets! | ||
11 | # | ||
12 | # the configuration of the ipfire custom rules (ipfcr) | ||
13 | # in the local "rules.d/*" sunfolder, is inside the | ||
14 | # files themself! | ||
15 | # | ||
16 | # Use this at your OWN RISK. Not fully supported! | ||
17 | # | ||
18 | # License: GPL2 | ||
19 | # | ||
20 | # icf v0.1 (c) 30 May 2022 code.monkeycat.com | ||
21 | # | ||
22 | # Nuff text... | ||
23 | |||
24 | pwd=$PWD | ||
25 | base=${PWD%/*/*} | ||
26 | |||
27 | case "$1" in | ||
28 | start) | ||
29 | find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \; | ||
30 | |||
31 | ;; | ||
32 | stop) | ||
33 | find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \; | ||
34 | |||
35 | ;; | ||
36 | reload) | ||
37 | $0 stop | ||
38 | $0 start | ||
39 | |||
40 | ;; | ||
41 | flush) | ||
42 | iptables -t nat -F CUSTOMPREROUTING | ||
43 | iptables -t nat -F CUSTOMPOSTROUTING | ||
44 | iptables -F CUSTOMFORWARD | ||
45 | |||
46 | ;; | ||
47 | *) | ||
48 | echo "Usage: $0 {start|stop|reload|flush}" | ||
49 | ;; | ||
50 | esac | ||
diff --git a/data/backups/firewall.2022_05_30_03_47_PM_1653918430.local b/data/backups/firewall.2022_05_30_03_47_PM_1653918430.local new file mode 100644 index 0000000..5e4677f --- /dev/null +++ b/data/backups/firewall.2022_05_30_03_47_PM_1653918430.local | |||
@@ -0,0 +1,20 @@ | |||
1 | #!/bin/sh | ||
2 | # Used for private firewall rules | ||
3 | |||
4 | # See how we were called. | ||
5 | case "$1" in | ||
6 | start) | ||
7 | ## add your 'start' rules here | ||
8 | ;; | ||
9 | stop) | ||
10 | ## add your 'stop' rules here | ||
11 | ;; | ||
12 | reload) | ||
13 | $0 stop | ||
14 | $0 start | ||
15 | ## add your 'reload' rules here | ||
16 | ;; | ||
17 | *) | ||
18 | echo "Usage: $0 {start|stop|reload}" | ||
19 | ;; | ||
20 | esac | ||
diff --git a/data/originals/firewall.local.167 b/data/originals/firewall.local.167 new file mode 100644 index 0000000..5e4677f --- /dev/null +++ b/data/originals/firewall.local.167 | |||
@@ -0,0 +1,20 @@ | |||
1 | #!/bin/sh | ||
2 | # Used for private firewall rules | ||
3 | |||
4 | # See how we were called. | ||
5 | case "$1" in | ||
6 | start) | ||
7 | ## add your 'start' rules here | ||
8 | ;; | ||
9 | stop) | ||
10 | ## add your 'stop' rules here | ||
11 | ;; | ||
12 | reload) | ||
13 | $0 stop | ||
14 | $0 start | ||
15 | ## add your 'reload' rules here | ||
16 | ;; | ||
17 | *) | ||
18 | echo "Usage: $0 {start|stop|reload}" | ||
19 | ;; | ||
20 | esac | ||
diff --git a/data/originals/firewall.looper b/data/originals/firewall.looper new file mode 100755 index 0000000..4b9d78e --- /dev/null +++ b/data/originals/firewall.looper | |||
@@ -0,0 +1,50 @@ | |||
1 | #!/bin/sh | ||
2 | # | ||
3 | # IPFire Custom Rules (icr) | ||
4 | # | ||
5 | # Github: https://github.com/MonkeyCat/IPFireCustomRules | ||
6 | # | ||
7 | # Loops over the local "rules.d/" subfolder files | ||
8 | # Forwarding the (start/stop) command to every file | ||
9 | # which extension is ".on". To enabled multiple | ||
10 | # custom firewall rulesets! | ||
11 | # | ||
12 | # the configuration of the ipfire custom rules (ipfcr) | ||
13 | # in the local "rules.d/*" sunfolder, is inside the | ||
14 | # files themself! | ||
15 | # | ||
16 | # Use this at your OWN RISK. Not fully supported! | ||
17 | # | ||
18 | # License: GPL2 | ||
19 | # | ||
20 | # icr v0.1 (c) 30 May 2022 code.monkeycat.com | ||
21 | # | ||
22 | # Nuff text... | ||
23 | |||
24 | pwd=$PWD | ||
25 | base=${PWD%/*/*} | ||
26 | |||
27 | case "$1" in | ||
28 | start) | ||
29 | find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \; | ||
30 | |||
31 | ;; | ||
32 | stop) | ||
33 | find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \; | ||
34 | |||
35 | ;; | ||
36 | reload) | ||
37 | $0 stop | ||
38 | $0 start | ||
39 | |||
40 | ;; | ||
41 | flush) | ||
42 | iptables -t nat -F CUSTOMPREROUTING | ||
43 | iptables -t nat -F CUSTOMPOSTROUTING | ||
44 | iptables -F CUSTOMFORWARD | ||
45 | |||
46 | ;; | ||
47 | *) | ||
48 | echo "Usage: $0 {start|stop|reload|flush}" | ||
49 | ;; | ||
50 | esac | ||
diff --git a/data/originals/firewall.original b/data/originals/firewall.original new file mode 120000 index 0000000..d6f1586 --- /dev/null +++ b/data/originals/firewall.original | |||
@@ -0,0 +1 @@ | |||
firewall.local.167 \ No newline at end of file | |||
diff --git a/data/originals/rules.d/dns_catchall_redirect.custom b/data/originals/rules.d/dns_catchall_redirect.custom new file mode 100755 index 0000000..6fcd9ef --- /dev/null +++ b/data/originals/rules.d/dns_catchall_redirect.custom | |||
@@ -0,0 +1,132 @@ | |||
1 | #!/bin/sh | ||
2 | # | ||
3 | # Redirect All DNS Request Traffic To DNS Server on (Internal) Network | ||
4 | # | ||
5 | # (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512) | ||
6 | # | ||
7 | # Use this at your OWN RISK. It is not fully supported! | ||
8 | # https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2 | ||
9 | # | ||
10 | # (c) 2022 MonkeyCat.com | ||
11 | # | ||
12 | # v0.9 30/May/2022 | ||
13 | |||
14 | |||
15 | # uncomment if you setup this dns ruleset | ||
16 | #setup=true | ||
17 | |||
18 | |||
19 | |||
20 | if $setup | ||
21 | then | ||
22 | echo "Please setup your dns server ip, accepted range and if you want logging!" | ||
23 | echo "inside dns_catchall_redirect.* file" | ||
24 | exit | ||
25 | fi | ||
26 | |||
27 | # Our dns server target | ||
28 | SERVER="10.0.80.2" | ||
29 | |||
30 | # double negation :-) see rule (!) | ||
31 | ONLY_ACCEPT_INTERNAL="10.0.0.0/8" | ||
32 | |||
33 | LOGGING=true | ||
34 | |||
35 | |||
36 | |||
37 | # logging prefix | ||
38 | PREFIX="DNS" | ||
39 | PORT=53 | ||
40 | |||
41 | case "$1" in | ||
42 | start) | ||
43 | ## add your 'start' rules here | ||
44 | |||
45 | # dns logging | ||
46 | if $LOGGING | ||
47 | then | ||
48 | echo "$PREFIX Logging Enabled ($SERVER)" | ||
49 | # udp | ||
50 | iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE " | ||
51 | iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL " | ||
52 | iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL " | ||
53 | iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE " | ||
54 | iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE " | ||
55 | # tcp | ||
56 | iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE " | ||
57 | iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL " | ||
58 | iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL " | ||
59 | iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE " | ||
60 | iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE " | ||
61 | fi | ||
62 | |||
63 | # dns | ||
64 | echo "$PREFIX Catch All Enabled ($SERVER)" | ||
65 | # udp | ||
66 | iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT | ||
67 | iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP | ||
68 | iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT | ||
69 | iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT | ||
70 | iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE | ||
71 | # tcp | ||
72 | iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT | ||
73 | iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP | ||
74 | iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT | ||
75 | iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT | ||
76 | iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE | ||
77 | |||
78 | ;; | ||
79 | stop) | ||
80 | ## add your 'stop' rules here | ||
81 | |||
82 | |||
83 | # dns logging | ||
84 | if $LOGGING | ||
85 | then | ||
86 | echo $PREFIX Logging Disabled ($SERVER)" | ||
87 | # udp | ||
88 | iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE " | ||
89 | iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL " | ||
90 | iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL " | ||
91 | iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE " | ||
92 | iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE " | ||
93 | # tcp | ||
94 | iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE " | ||
95 | iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL " | ||
96 | iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL " | ||
97 | iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE " | ||
98 | iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE " | ||
99 | fi | ||
100 | |||
101 | # dns | ||
102 | echo $PREFIX Catch All Disabled ($SERVER)" | ||
103 | # udp | ||
104 | iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT | ||
105 | iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP | ||
106 | iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT | ||
107 | iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT | ||
108 | iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE | ||
109 | # tcp | ||
110 | iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT | ||
111 | iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP | ||
112 | iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT | ||
113 | iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT | ||
114 | iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE | ||
115 | |||
116 | ;; | ||
117 | reload) | ||
118 | $0 stop | ||
119 | $0 start | ||
120 | ## add your 'reload' rules here | ||
121 | |||
122 | ;; | ||
123 | flush) | ||
124 | iptables -t nat -F CUSTOMPREROUTING | ||
125 | iptables -t nat -F CUSTOMPOSTROUTING | ||
126 | iptables -F CUSTOMFORWARD | ||
127 | |||
128 | ;; | ||
129 | *) | ||
130 | echo "Usage: $0 {start|stop|reload|flush}" | ||
131 | ;; | ||
132 | esac | ||
diff --git a/data/originals/rules.d/ntp_catchall_redirect.custom b/data/originals/rules.d/ntp_catchall_redirect.custom new file mode 100755 index 0000000..0810740 --- /dev/null +++ b/data/originals/rules.d/ntp_catchall_redirect.custom | |||
@@ -0,0 +1,100 @@ | |||
1 | #!/bin/sh | ||
2 | # | ||
3 | # Redirect All Time Servers Traffic Request To Time Server on (Internal) Network | ||
4 | # | ||
5 | # (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512) | ||
6 | # | ||
7 | # Use this at your OWN RISK. It is not fully supported! | ||
8 | # https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2 | ||
9 | # | ||
10 | # (c) 2022 MonkeyCat.com | ||
11 | # | ||
12 | # v1.0a 30/May/2022 | ||
13 | |||
14 | |||
15 | # uncomment if you setup this ntp ruleset | ||
16 | #setup=true | ||
17 | |||
18 | |||
19 | |||
20 | if $setup | ||
21 | then | ||
22 | echo "Please setup your time server ip, accepted range and if you want logging!" | ||
23 | echo "inside "ntp_catchall_redirect.* file" | ||
24 | exit | ||
25 | fi | ||
26 | |||
27 | # Our timer server target | ||
28 | SERVER="10.0.0.5" | ||
29 | |||
30 | # double negation :-) see rule (!) | ||
31 | ONLY_ACCEPT_INTERNAL="10.0.0.0/8" | ||
32 | |||
33 | LOGGING=false | ||
34 | |||
35 | |||
36 | |||
37 | # logging prefix | ||
38 | PREFIX="NTP" | ||
39 | PORT=123 | ||
40 | |||
41 | case "$1" in | ||
42 | start) | ||
43 | # ntp logging | ||
44 | if $LOGGING | ||
45 | then | ||
46 | echo "$PREFIX Logging Enabled ($SERVER)" | ||
47 | iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE " | ||
48 | iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL " | ||
49 | iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL " | ||
50 | iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE " | ||
51 | iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE " | ||
52 | fi | ||
53 | |||
54 | # ntp | ||
55 | echo "$PREFIX Catch All Enabled ($SERVER)" | ||
56 | iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT | ||
57 | iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP | ||
58 | |||
59 | iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT | ||
60 | iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT | ||
61 | iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE | ||
62 | |||
63 | ;; | ||
64 | stop) | ||
65 | # ntp logging | ||
66 | if $LOGGING | ||
67 | then | ||
68 | echo "$PREFIX Logging Disabled ($SERVER)" | ||
69 | iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE " | ||
70 | iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL " | ||
71 | iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL " | ||
72 | iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE " | ||
73 | iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE " | ||
74 | fi | ||
75 | |||
76 | # ntp | ||
77 | echo "$PREFIX Catch All Disabled ($SERVER)" | ||
78 | iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT | ||
79 | iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP | ||
80 | iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT | ||
81 | iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT | ||
82 | iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE | ||
83 | |||
84 | ;; | ||
85 | reload) | ||
86 | $0 stop | ||
87 | $0 start | ||
88 | ## add your 'reload' rules here | ||
89 | |||
90 | ;; | ||
91 | flush) | ||
92 | iptables -t nat -F CUSTOMPREROUTING | ||
93 | iptables -t nat -F CUSTOMPOSTROUTING | ||
94 | iptables -F CUSTOMFORWARD | ||
95 | |||
96 | ;; | ||
97 | *) | ||
98 | echo "Usage: $0 {start|stop|reload|flush}" | ||
99 | ;; | ||
100 | esac | ||
diff --git a/data/run/firewall.local b/data/run/firewall.local new file mode 100755 index 0000000..4b9d78e --- /dev/null +++ b/data/run/firewall.local | |||
@@ -0,0 +1,50 @@ | |||
1 | #!/bin/sh | ||
2 | # | ||
3 | # IPFire Custom Rules (icr) | ||
4 | # | ||
5 | # Github: https://github.com/MonkeyCat/IPFireCustomRules | ||
6 | # | ||
7 | # Loops over the local "rules.d/" subfolder files | ||
8 | # Forwarding the (start/stop) command to every file | ||
9 | # which extension is ".on". To enabled multiple | ||
10 | # custom firewall rulesets! | ||
11 | # | ||
12 | # the configuration of the ipfire custom rules (ipfcr) | ||
13 | # in the local "rules.d/*" sunfolder, is inside the | ||
14 | # files themself! | ||
15 | # | ||
16 | # Use this at your OWN RISK. Not fully supported! | ||
17 | # | ||
18 | # License: GPL2 | ||
19 | # | ||
20 | # icr v0.1 (c) 30 May 2022 code.monkeycat.com | ||
21 | # | ||
22 | # Nuff text... | ||
23 | |||
24 | pwd=$PWD | ||
25 | base=${PWD%/*/*} | ||
26 | |||
27 | case "$1" in | ||
28 | start) | ||
29 | find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \; | ||
30 | |||
31 | ;; | ||
32 | stop) | ||
33 | find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \; | ||
34 | |||
35 | ;; | ||
36 | reload) | ||
37 | $0 stop | ||
38 | $0 start | ||
39 | |||
40 | ;; | ||
41 | flush) | ||
42 | iptables -t nat -F CUSTOMPREROUTING | ||
43 | iptables -t nat -F CUSTOMPOSTROUTING | ||
44 | iptables -F CUSTOMFORWARD | ||
45 | |||
46 | ;; | ||
47 | *) | ||
48 | echo "Usage: $0 {start|stop|reload|flush}" | ||
49 | ;; | ||
50 | esac | ||