5 files changed, 303 insertions, 0 deletions
diff --git a/data/originals/firewall.local.167 b/data/originals/firewall.local.167
new file mode 100644
index 0000000..5e4677f
--- /dev/null
+++ b/data/originals/firewall.local.167
@@ -0,0 +1,20 @@
+#!/bin/sh
+# Used for private firewall rules
+# See how we were called.
+case "$1" in
+  start)
+        ## add your 'start' rules here
+        ;;
+  stop)
+        ## add your 'stop' rules here
+        ;;
+  reload)
+        $0 stop
+        $0 start
+        ## add your 'reload' rules here
+        ;;
+  *)
+        echo "Usage: $0 {start|stop|reload}"
+        ;;
+esac
diff --git a/data/originals/firewall.looper b/data/originals/firewall.looper
new file mode 100755
index 0000000..4b9d78e
--- /dev/null
+++ b/data/originals/firewall.looper
@@ -0,0 +1,50 @@
+#!/bin/sh
+# 
+# IPFire Custom Rules (icr)
+# 
+# Github: https://github.com/MonkeyCat/IPFireCustomRules
+#
+# Loops over the local "rules.d/" subfolder files
+# Forwarding the (start/stop) command to every file
+# which extension is ".on". To enabled multiple
+# custom firewall rulesets!
+#
+# the configuration of the ipfire custom rules (ipfcr)
+# in the local "rules.d/*" sunfolder, is inside the
+# files themself! 
+#
+# Use this at your OWN RISK.  Not fully supported!
+#
+# License: GPL2 
+#
+# icr v0.1 (c) 30 May 2022 code.monkeycat.com
+#
+# Nuff text...
+pwd=$PWD
+base=${PWD%/*/*}
+case "$1" in
+  start)
+        find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \;
+        ;;
+  stop)
+        find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \;
+        ;;
+  reload)
+        $0 stop
+        $0 start
+        ;;
+   flush)
+        iptables -t nat -F CUSTOMPREROUTING
+        iptables -t nat -F CUSTOMPOSTROUTING
+        iptables -F CUSTOMFORWARD
+        ;;
+  *)
+        echo "Usage: $0 {start|stop|reload|flush}"
+        ;;
+esac
diff --git a/data/originals/firewall.original b/data/originals/firewall.original
new file mode 120000
index 0000000..d6f1586
--- /dev/null
+++ b/data/originals/firewall.original
@@ -0,0 +1 @@
+firewall.local.167
+\ No newline at end of file
diff --git a/data/originals/rules.d/dns_catchall_redirect.custom b/data/originals/rules.d/dns_catchall_redirect.custom
new file mode 100755
index 0000000..6fcd9ef
--- /dev/null
+++ b/data/originals/rules.d/dns_catchall_redirect.custom
@@ -0,0 +1,132 @@
+#!/bin/sh
+#
+# Redirect All DNS Request Traffic To DNS Server on (Internal) Network 
+#
+# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512)
+#
+# Use this at your OWN RISK.  It is not fully supported!
+#       https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2
+#
+# (c) 2022 MonkeyCat.com
+#
+# v0.9 30/May/2022
+# uncomment if you setup this dns ruleset
+#setup=true
+if $setup
+then
+    echo "Please setup your dns server ip, accepted range and if you want logging!"
+    echo "inside dns_catchall_redirect.* file"
+    exit
+fi
+# Our dns server target
+SERVER="10.0.80.2"
+# double negation :-)  see rule (!)
+ONLY_ACCEPT_INTERNAL="10.0.0.0/8"
+LOGGING=true
+# logging prefix            
+PREFIX="DNS"
+PORT=53
+case "$1" in
+  start)
+        ## add your 'start' rules here
+        # dns logging
+        if $LOGGING
+        then
+            echo "$PREFIX Logging Enabled ($SERVER)"
+            # udp
+            iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+            iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+            iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+            iptables -t nat -A CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+            iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+            # tcp
+            iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+            iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+            iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+            iptables -t nat -A CUSTOMPREROUTING  ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+            iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+        fi
+        # dns 
+        echo "$PREFIX Catch All Enabled ($SERVER)"
+        # udp 
+        iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+        iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+        iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+        iptables -t nat -A CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+        iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+        # tcp
+        iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT
+        iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP
+        iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT
+        iptables -t nat -A CUSTOMPREROUTING  ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT
+        iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE
+        ;;
+  stop)
+        ## add your 'stop' rules here
+        # dns logging
+        if $LOGGING
+        then
+            echo $PREFIX Logging Disabled ($SERVER)"
+              # udp
+            iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+            iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+            iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+            iptables -t nat -D CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+            iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+              # tcp
+            iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+            iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+            iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+            iptables -t nat -D CUSTOMPREROUTING  ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+            iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+        fi
+        # dns
+        echo $PREFIX Catch All Disabled ($SERVER)"
+          # udp
+        iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+        iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+        iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+        iptables -t nat -D CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+        iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+          # tcp
+        iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT
+        iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP
+        iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT
+        iptables -t nat -D CUSTOMPREROUTING  ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT
+        iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE
+        ;;
+  reload)
+        $0 stop
+        $0 start
+        ## add your 'reload' rules here
+        ;;
+   flush)
+        iptables -t nat -F CUSTOMPREROUTING
+        iptables -t nat -F CUSTOMPOSTROUTING
+        iptables -F CUSTOMFORWARD
+        ;;
+  *)
+        echo "Usage: $0 {start|stop|reload|flush}"
+        ;;
+esac
diff --git a/data/originals/rules.d/ntp_catchall_redirect.custom b/data/originals/rules.d/ntp_catchall_redirect.custom
new file mode 100755
index 0000000..0810740
--- /dev/null
+++ b/data/originals/rules.d/ntp_catchall_redirect.custom
@@ -0,0 +1,100 @@
+#!/bin/sh
+#
+# Redirect All Time Servers Traffic Request To Time Server on (Internal) Network 
+#
+# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512)
+#
+# Use this at your OWN RISK.  It is not fully supported!
+#       https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2
+#
+# (c) 2022 MonkeyCat.com
+#
+# v1.0a 30/May/2022
+# uncomment if you setup this ntp ruleset
+#setup=true
+if $setup
+then
+    echo "Please setup your time server ip, accepted range and if you want logging!"
+    echo "inside "ntp_catchall_redirect.* file"
+    exit
+fi
+# Our timer server target
+SERVER="10.0.0.5"
+# double negation :-)  see rule (!)
+ONLY_ACCEPT_INTERNAL="10.0.0.0/8"
+LOGGING=false
+# logging prefix
+PREFIX="NTP"
+PORT=123
+case "$1" in
+  start)
+        # ntp logging
+        if $LOGGING
+        then
+            echo "$PREFIX Logging Enabled ($SERVER)"
+            iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE "
+            iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL "
+            iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL "
+            iptables -t nat -A CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE "
+            iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE "
+        fi
+        # ntp 
+        echo "$PREFIX Catch All Enabled ($SERVER)"
+        iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+        iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+        iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+        iptables -t nat -A CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+        iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+        ;;
+  stop)
+        # ntp logging
+        if $LOGGING
+        then
+            echo "$PREFIX Logging Disabled ($SERVER)"
+            iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE "
+            iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL "
+            iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL "
+            iptables -t nat -D CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE "
+            iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE "
+        fi
+        # ntp 
+        echo "$PREFIX Catch All Disabled ($SERVER)"
+        iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+        iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+        iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+        iptables -t nat -D CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+        iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+        ;;
+  reload)
+        $0 stop
+        $0 start
+        ## add your 'reload' rules here
+        ;;
+   flush)
+        iptables -t nat -F CUSTOMPREROUTING
+        iptables -t nat -F CUSTOMPOSTROUTING
+        iptables -F CUSTOMFORWARD
+        ;;
+  *)
+        echo "Usage: $0 {start|stop|reload|flush}"
+        ;;
+esac

diff --git a/data/originals/firewall.local.167 b/data/originals/firewall.local.167 new file mode 100644 index 0000000..5e4677f --- /dev/null +++ b/data/originals/firewall.local.167
@@ -0,0 +1,20 @@
	1	#!/bin/sh
	2	# Used for private firewall rules
	3
	4	# See how we were called.
	5	case "$1" in
	6	start)
	7	## add your 'start' rules here
	8	;;
	9	stop)
	10	## add your 'stop' rules here
	11	;;
	12	reload)
	13	$0 stop
	14	$0 start
	15	## add your 'reload' rules here
	16	;;
	17	*)
	18	echo "Usage: $0 {start\|stop\|reload}"
	19	;;
	20	esac


diff --git a/data/originals/firewall.looper b/data/originals/firewall.looper new file mode 100755 index 0000000..4b9d78e --- /dev/null +++ b/data/originals/firewall.looper
@@ -0,0 +1,50 @@
	1	#!/bin/sh
	2	#
	3	# IPFire Custom Rules (icr)
	4	#
	5	# Github: https://github.com/MonkeyCat/IPFireCustomRules
	6	#
	7	# Loops over the local "rules.d/" subfolder files
	8	# Forwarding the (start/stop) command to every file
	9	# which extension is ".on". To enabled multiple
	10	# custom firewall rulesets!
	11	#
	12	# the configuration of the ipfire custom rules (ipfcr)
	13	# in the local "rules.d/*" sunfolder, is inside the
	14	# files themself!
	15	#
	16	# Use this at your OWN RISK. Not fully supported!
	17	#
	18	# License: GPL2
	19	#
	20	# icr v0.1 (c) 30 May 2022 code.monkeycat.com
	21	#
	22	# Nuff text...
	23
	24	pwd=$PWD
	25	base=${PWD%//}
	26
	27	case "$1" in
	28	start)
	29	find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \;
	30
	31	;;
	32	stop)
	33	find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \;
	34
	35	;;
	36	reload)
	37	$0 stop
	38	$0 start
	39
	40	;;
	41	flush)
	42	iptables -t nat -F CUSTOMPREROUTING
	43	iptables -t nat -F CUSTOMPOSTROUTING
	44	iptables -F CUSTOMFORWARD
	45
	46	;;
	47	*)
	48	echo "Usage: $0 {start\|stop\|reload\|flush}"
	49	;;
	50	esac


diff --git a/data/originals/firewall.original b/data/originals/firewall.original new file mode 120000 index 0000000..d6f1586 --- /dev/null +++ b/data/originals/firewall.original
@@ -0,0 +1 @@
		firewall.local.167 \ No newline at end of file


diff --git a/data/originals/rules.d/dns_catchall_redirect.custom b/data/originals/rules.d/dns_catchall_redirect.custom new file mode 100755 index 0000000..6fcd9ef --- /dev/null +++ b/data/originals/rules.d/dns_catchall_redirect.custom
@@ -0,0 +1,132 @@
	1	#!/bin/sh
	2	#
	3	# Redirect All DNS Request Traffic To DNS Server on (Internal) Network
	4	#
	5	# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512)
	6	#
	7	# Use this at your OWN RISK. It is not fully supported!
	8	# https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2
	9	#
	10	# (c) 2022 MonkeyCat.com
	11	#
	12	# v0.9 30/May/2022
	13
	14
	15	# uncomment if you setup this dns ruleset
	16	#setup=true
	17
	18
	19
	20	if $setup
	21	then
	22	echo "Please setup your dns server ip, accepted range and if you want logging!"
	23	echo "inside dns_catchall_redirect.* file"
	24	exit
	25	fi
	26
	27	# Our dns server target
	28	SERVER="10.0.80.2"
	29
	30	# double negation :-) see rule (!)
	31	ONLY_ACCEPT_INTERNAL="10.0.0.0/8"
	32
	33	LOGGING=true
	34
	35
	36
	37	# logging prefix
	38	PREFIX="DNS"
	39	PORT=53
	40
	41	case "$1" in
	42	start)
	43	## add your 'start' rules here
	44
	45	# dns logging
	46	if $LOGGING
	47	then
	48	echo "$PREFIX Logging Enabled ($SERVER)"
	49	# udp
	50	iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
	51	iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
	52	iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
	53	iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
	54	iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
	55	# tcp
	56	iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
	57	iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
	58	iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
	59	iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
	60	iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
	61	fi
	62
	63	# dns
	64	echo "$PREFIX Catch All Enabled ($SERVER)"
	65	# udp
	66	iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
	67	iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
	68	iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
	69	iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
	70	iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
	71	# tcp
	72	iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT
	73	iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP
	74	iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT
	75	iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT
	76	iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE
	77
	78	;;
	79	stop)
	80	## add your 'stop' rules here
	81
	82
	83	# dns logging
	84	if $LOGGING
	85	then
	86	echo $PREFIX Logging Disabled ($SERVER)"
	87	# udp
	88	iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
	89	iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
	90	iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
	91	iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
	92	iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
	93	# tcp
	94	iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
	95	iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
	96	iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
	97	iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
	98	iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
	99	fi
	100
	101	# dns
	102	echo $PREFIX Catch All Disabled ($SERVER)"
	103	# udp
	104	iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
	105	iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
	106	iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
	107	iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
	108	iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
	109	# tcp
	110	iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT
	111	iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP
	112	iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT
	113	iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT
	114	iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE
	115
	116	;;
	117	reload)
	118	$0 stop
	119	$0 start
	120	## add your 'reload' rules here
	121
	122	;;
	123	flush)
	124	iptables -t nat -F CUSTOMPREROUTING
	125	iptables -t nat -F CUSTOMPOSTROUTING
	126	iptables -F CUSTOMFORWARD
	127
	128	;;
	129	*)
	130	echo "Usage: $0 {start\|stop\|reload\|flush}"
	131	;;
	132	esac


diff --git a/data/originals/rules.d/ntp_catchall_redirect.custom b/data/originals/rules.d/ntp_catchall_redirect.custom new file mode 100755 index 0000000..0810740 --- /dev/null +++ b/data/originals/rules.d/ntp_catchall_redirect.custom
@@ -0,0 +1,100 @@
	1	#!/bin/sh
	2	#
	3	# Redirect All Time Servers Traffic Request To Time Server on (Internal) Network
	4	#
	5	# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512)
	6	#
	7	# Use this at your OWN RISK. It is not fully supported!
	8	# https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2
	9	#
	10	# (c) 2022 MonkeyCat.com
	11	#
	12	# v1.0a 30/May/2022
	13
	14
	15	# uncomment if you setup this ntp ruleset
	16	#setup=true
	17
	18
	19
	20	if $setup
	21	then
	22	echo "Please setup your time server ip, accepted range and if you want logging!"
	23	echo "inside "ntp_catchall_redirect.* file"
	24	exit
	25	fi
	26
	27	# Our timer server target
	28	SERVER="10.0.0.5"
	29
	30	# double negation :-) see rule (!)
	31	ONLY_ACCEPT_INTERNAL="10.0.0.0/8"
	32
	33	LOGGING=false
	34
	35
	36
	37	# logging prefix
	38	PREFIX="NTP"
	39	PORT=123
	40
	41	case "$1" in
	42	start)
	43	# ntp logging
	44	if $LOGGING
	45	then
	46	echo "$PREFIX Logging Enabled ($SERVER)"
	47	iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE "
	48	iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL "
	49	iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL "
	50	iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE "
	51	iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE "
	52	fi
	53
	54	# ntp
	55	echo "$PREFIX Catch All Enabled ($SERVER)"
	56	iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
	57	iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
	58
	59	iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
	60	iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
	61	iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
	62
	63	;;
	64	stop)
	65	# ntp logging
	66	if $LOGGING
	67	then
	68	echo "$PREFIX Logging Disabled ($SERVER)"
	69	iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE "
	70	iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL "
	71	iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL "
	72	iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE "
	73	iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE "
	74	fi
	75
	76	# ntp
	77	echo "$PREFIX Catch All Disabled ($SERVER)"
	78	iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
	79	iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
	80	iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
	81	iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
	82	iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
	83
	84	;;
	85	reload)
	86	$0 stop
	87	$0 start
	88	## add your 'reload' rules here
	89
	90	;;
	91	flush)
	92	iptables -t nat -F CUSTOMPREROUTING
	93	iptables -t nat -F CUSTOMPOSTROUTING
	94	iptables -F CUSTOMFORWARD
	95
	96	;;
	97	*)
	98	echo "Usage: $0 {start\|stop\|reload\|flush}"
	99	;;
	100	esac