Beta2: DNS & NTP Redirect To Exernal Working!

author: root 2022-05-30 15:59:54 +0200
committer: root 2022-05-30 15:59:54 +0200
commit: 6891a04373daa365c35828ce71e047f5f14486e4 (patch)
tree: 20e71951c13407f5b7c49f3c9336fd876bbea666 /rules.d/ntp_catchall_redirect.on
download: IPFireCustomRules-6891a04373daa365c35828ce71e047f5f14486e4.tar.gz
IPFireCustomRules-6891a04373daa365c35828ce71e047f5f14486e4.tar.bz2
IPFireCustomRules-6891a04373daa365c35828ce71e047f5f14486e4.zip
1 files changed, 100 insertions, 0 deletions
diff --git a/rules.d/ntp_catchall_redirect.on b/rules.d/ntp_catchall_redirect.on
new file mode 100755
index 0000000..0810740
--- /dev/null
+++ b/rules.d/ntp_catchall_redirect.on
@@ -0,0 +1,100 @@
+#!/bin/sh
+#
+# Redirect All Time Servers Traffic Request To Time Server on (Internal) Network 
+#
+# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512)
+#
+# Use this at your OWN RISK.  It is not fully supported!
+#       https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2
+#
+# (c) 2022 MonkeyCat.com
+#
+# v1.0a 30/May/2022
+# uncomment if you setup this ntp ruleset
+#setup=true
+if $setup
+then
+    echo "Please setup your time server ip, accepted range and if you want logging!"
+    echo "inside "ntp_catchall_redirect.* file"
+    exit
+fi
+# Our timer server target
+SERVER="10.0.0.5"
+# double negation :-)  see rule (!)
+ONLY_ACCEPT_INTERNAL="10.0.0.0/8"
+LOGGING=false
+# logging prefix
+PREFIX="NTP"
+PORT=123
+case "$1" in
+  start)
+        # ntp logging
+        if $LOGGING
+        then
+            echo "$PREFIX Logging Enabled ($SERVER)"
+            iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE "
+            iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL "
+            iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL "
+            iptables -t nat -A CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE "
+            iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE "
+        fi
+        # ntp 
+        echo "$PREFIX Catch All Enabled ($SERVER)"
+        iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+        iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+        iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+        iptables -t nat -A CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+        iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+        ;;
+  stop)
+        # ntp logging
+        if $LOGGING
+        then
+            echo "$PREFIX Logging Disabled ($SERVER)"
+            iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE "
+            iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL "
+            iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL "
+            iptables -t nat -D CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE "
+            iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE "
+        fi
+        # ntp 
+        echo "$PREFIX Catch All Disabled ($SERVER)"
+        iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+        iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+        iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+        iptables -t nat -D CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+        iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+        ;;
+  reload)
+        $0 stop
+        $0 start
+        ## add your 'reload' rules here
+        ;;
+   flush)
+        iptables -t nat -F CUSTOMPREROUTING
+        iptables -t nat -F CUSTOMPOSTROUTING
+        iptables -F CUSTOMFORWARD
+        ;;
+  *)
+        echo "Usage: $0 {start|stop|reload|flush}"
+        ;;
+esac
author	root	2022-05-30 15:59:54 +0200
committer	root	2022-05-30 15:59:54 +0200
commit	6891a04373daa365c35828ce71e047f5f14486e4 (patch)
tree	20e71951c13407f5b7c49f3c9336fd876bbea666 /rules.d/ntp_catchall_redirect.on
download	IPFireCustomRules-6891a04373daa365c35828ce71e047f5f14486e4.tar.gz IPFireCustomRules-6891a04373daa365c35828ce71e047f5f14486e4.tar.bz2 IPFireCustomRules-6891a04373daa365c35828ce71e047f5f14486e4.zip

diff --git a/rules.d/ntp_catchall_redirect.on b/rules.d/ntp_catchall_redirect.on new file mode 100755 index 0000000..0810740 --- /dev/null +++ b/rules.d/ntp_catchall_redirect.on
@@ -0,0 +1,100 @@
	1	#!/bin/sh
	2	#
	3	# Redirect All Time Servers Traffic Request To Time Server on (Internal) Network
	4	#
	5	# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512)
	6	#
	7	# Use this at your OWN RISK. It is not fully supported!
	8	# https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2
	9	#
	10	# (c) 2022 MonkeyCat.com
	11	#
	12	# v1.0a 30/May/2022
	13
	14
	15	# uncomment if you setup this ntp ruleset
	16	#setup=true
	17
	18
	19
	20	if $setup
	21	then
	22	echo "Please setup your time server ip, accepted range and if you want logging!"
	23	echo "inside "ntp_catchall_redirect.* file"
	24	exit
	25	fi
	26
	27	# Our timer server target
	28	SERVER="10.0.0.5"
	29
	30	# double negation :-) see rule (!)
	31	ONLY_ACCEPT_INTERNAL="10.0.0.0/8"
	32
	33	LOGGING=false
	34
	35
	36
	37	# logging prefix
	38	PREFIX="NTP"
	39	PORT=123
	40
	41	case "$1" in
	42	start)
	43	# ntp logging
	44	if $LOGGING
	45	then
	46	echo "$PREFIX Logging Enabled ($SERVER)"
	47	iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE "
	48	iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL "
	49	iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL "
	50	iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE "
	51	iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE "
	52	fi
	53
	54	# ntp
	55	echo "$PREFIX Catch All Enabled ($SERVER)"
	56	iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
	57	iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
	58
	59	iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
	60	iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
	61	iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
	62
	63	;;
	64	stop)
	65	# ntp logging
	66	if $LOGGING
	67	then
	68	echo "$PREFIX Logging Disabled ($SERVER)"
	69	iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE "
	70	iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL "
	71	iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL "
	72	iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE "
	73	iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE "
	74	fi
	75
	76	# ntp
	77	echo "$PREFIX Catch All Disabled ($SERVER)"
	78	iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
	79	iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
	80	iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
	81	iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
	82	iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
	83
	84	;;
	85	reload)
	86	$0 stop
	87	$0 start
	88	## add your 'reload' rules here
	89
	90	;;
	91	flush)
	92	iptables -t nat -F CUSTOMPREROUTING
	93	iptables -t nat -F CUSTOMPOSTROUTING
	94	iptables -F CUSTOMFORWARD
	95
	96	;;
	97	*)
	98	echo "Usage: $0 {start\|stop\|reload\|flush}"
	99	;;
	100	esac