Diffstat (limited to 'rules.d/ntp_catchall_redirect.on')
-rwxr-xr-x | rules.d/ntp_catchall_redirect.on | 100 |
1 files changed, 100 insertions, 0 deletions
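--- /dev/null
+++ b/rules.d/ntp_catchall_redirect.on
@@ -0,0 +1,100 @@
+#!/bin/sh
+#
+# Redirect All Time Servers Traffic Request To Time Server on (Internal) Network
+#
+# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512)
+#
+# Use this at your OWN RISK. It is not fully supported!
+# https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2
+#
+# (c) 2022 MonkeyCat.com
+#
+# v1.0a 30/May/2022
+
+
+# uncomment if you setup this ntp ruleset
+#setup=true
+
+
+
+if $setup
+then
+echo "Please setup your time server ip, accepted range and if you want logging!"
+echo "inside "ntp_catchall_redirect.* file"
+exit
+fi
+
+# Our timer server target
+SERVER="10.0.0.5"
+
+# double negation :-) see rule (!)
+ONLY_ACCEPT_INTERNAL="10.0.0.0/8"
+
+LOGGING=false
+
+
+
+# logging prefix
+PREFIX="NTP"
+PORT=123
+
+case "$1" in
+start)
+# ntp logging
+if $LOGGING
+then
+echo "$PREFIX Logging Enabled ($SERVER)"
+iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE "
+iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL "
+iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL "
+iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE "
+iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE "
+fi
+
+# ntp
+echo "$PREFIX Catch All Enabled ($SERVER)"
+iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+
+iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+
+;;
+stop)
+# ntp logging
+if $LOGGING
+then
+echo "$PREFIX Logging Disabled ($SERVER)"
+iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE "
+iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL "
+iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL "
+iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE "
+iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE "
+fi
+
+# ntp
+echo "$PREFIX Catch All Disabled ($SERVER)"
+iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+
+;;
+reload)
+$0 stop
+$0 start
+## add your 'reload' rules here
+
+;;
+flush)
+iptables -t nat -F CUSTOMPREROUTING
+iptables -t nat -F CUSTOMPOSTROUTING
+iptables -F CUSTOMFORWARD
+
+;;
+*)
+echo "Usage: $0 {start|stop|reload|flush}"
+;;
+esac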
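Review bot: The five `--log-prefix` rules under `start)` and the five under `stop)` never produce the intended prefix: `$PREFIX_ACCEPT_PRIVATE` is parsed as a single (unset) variable name, not `$PREFIX` followed by `_ACCEPT_PRIVATE`, and, at least as rendered here, each of those lines carries three double quotes, so the last `"` opens a string that runs into the following line (the one after `$PREFIX_POSTROUTE` swallows the `fi`), which makes the LOG rules useless as an audit trail and likely breaks the script's syntax. Each should read `--log-prefix "${PREFIX}_ACCEPT_PRIVATE "` with the matching suffix for the other rules. The setup guard has the opposite problem: with `#setup=true` left commented, `if $setup` expands to `if` with no command, a syntax error in sh, and uncommenting it makes the script print the "Please setup" message and exit, so the guard can only be passed by deleting it; `setup=${setup:-false}` followed by `if [ "$setup" != true ]; then` gives the documented meaning, and `exit 1` in that branch lets a caller see the refusal. The second message line, `echo "inside "ntp_catchall_redirect.* file"`, also leaves `ntp_catchall_redirect.*` as an unquoted glob and an unbalanced quote; `echo "inside the ntp_catchall_redirect.* file"` fixes both.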