Diffstat (limited to 'rules.d/dns_catchall_redirect.on')
-rwxr-xr-x | rules.d/dns_catchall_redirect.on | 132 |
1 files changed, 132 insertions, 0 deletions
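--- /dev/null
+++ b/rules.d/dns_catchall_redirect.on
@@ -0,0 +1,132 @@
+#!/bin/sh
+#
+# Redirect All DNS Request Traffic To DNS Server on (Internal) Network
+#
+# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512)
+#
+# Use this at your OWN RISK. It is not fully supported!
+# https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2
+#
+# (c) 2022 MonkeyCat.com
+#
+# v0.9 30/May/2022
+
+
+# uncomment if you setup this dns ruleset
+#setup=true
+
+
+
+if $setup
+then
+echo "Please setup your dns server ip, accepted range and if you want logging!"
+echo "inside dns_catchall_redirect.* file"
+exit
+fi
+
+# Our dns server target
+SERVER="10.0.80.2"
+
+# double negation :-) see rule (!)
+ONLY_ACCEPT_INTERNAL="10.0.0.0/8"
+
+LOGGING=true
+
+
+
+# logging prefix
+PREFIX="DNS"
+PORT=53
+
+case "$1" in
+start)
+## add your 'start' rules here
+
+# dns logging
+if $LOGGING
+then
+echo "$PREFIX Logging Enabled ($SERVER)"
+# udp
+iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+# tcp
+iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+fi
+
+# dns
+echo "$PREFIX Catch All Enabled ($SERVER)"
+# udp
+iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+# tcp
+iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT
+iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP
+iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT
+iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT
+iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE
+
+;;
+stop)
+## add your 'stop' rules here
+
+
+# dns logging
+if $LOGGING
+then
+echo $PREFIX Logging Disabled ($SERVER)"
+# udp
+iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+# tcp
+iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+fi
+
+# dns
+echo $PREFIX Catch All Disabled ($SERVER)"
+# udp
+iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+# tcp
+iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT
+iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP
+iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT
+iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT
+iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE
+
+;;
+reload)
+$0 stop
+$0 start
+## add your 'reload' rules here
+
+;;
+flush)
+iptables -t nat -F CUSTOMPREROUTING
+iptables -t nat -F CUSTOMPOSTROUTING
+iptables -F CUSTOMFORWARD
+
+;;
+*)
+echo "Usage: $0 {start|stop|reload|flush}"
+;;
+esac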
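Review bot: Lines 86 and 102 of the new file are missing their opening double quote, `echo $PREFIX Logging Disabled ($SERVER)"`, so the bare `(` is a syntax error inside the `case` compound command and the shell rejects the whole script before any branch (including `start`) can run; restore them as `echo "$PREFIX Logging Disabled ($SERVER)"` and `echo "$PREFIX Catch All Disabled ($SERVER)"`. Every `--log-prefix "$PREFIX_ACCEPT_PRIVATE "` on lines 50–60 and 88–98 expands the single, never-assigned variable `PREFIX_ACCEPT_PRIVATE`, so all ten LOG rules write a blank prefix and the accept, drop and redirect events cannot be distinguished in the kernel log when reviewing DNS traffic; write `--log-prefix "${PREFIX}_ACCEPT_PRIVATE "` and the same `${PREFIX}_` form for the other four suffixes. The guard `if $setup` on line 20 exits in both configurations: with line 16 left commented the expansion is an empty command, which completes with status zero, and with `setup=true` uncommented the command is `true`, so the message is printed and the script exits either way; a guard such as `if [ "${setup:-false}" != "true" ]; then` would only stop the script until the operator has set the variable. Indentation appears to have been lost in the rendered view, so the comments above refer to the numbered lines rather than to layout.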