From 6891a04373daa365c35828ce71e047f5f14486e4 Mon Sep 17 00:00:00 2001 From: root Date: Mon, 30 May 2022 15:59:54 +0200 Subject: Beta2: DNS & NTP Redirect To Exernal Working! --- .../firewall.2022_05_30_03_41_PM_1653918107.local | 20 ++++ .../firewall.2022_05_30_03_42_PM_1653918123.local | 20 ++++ .../firewall.2022_05_30_03_42_PM_1653918145.local | 20 ++++ .../firewall.2022_05_30_03_46_PM_1653918417.local | 50 ++++++++ .../firewall.2022_05_30_03_47_PM_1653918430.local | 20 ++++ data/originals/firewall.local.167 | 20 ++++ data/originals/firewall.looper | 50 ++++++++ data/originals/firewall.original | 1 + .../originals/rules.d/dns_catchall_redirect.custom | 132 +++++++++++++++++++++ .../originals/rules.d/ntp_catchall_redirect.custom | 100 ++++++++++++++++ data/run/firewall.local | 50 ++++++++ install | 28 +++++ renew | 2 + rules.d/dns_catchall_redirect.on | 132 +++++++++++++++++++++ rules.d/ntp_catchall_redirect.on | 100 ++++++++++++++++ uninstall | 21 ++++ 16 files changed, 766 insertions(+) create mode 100644 data/backups/firewall.2022_05_30_03_41_PM_1653918107.local create mode 100644 data/backups/firewall.2022_05_30_03_42_PM_1653918123.local create mode 100644 data/backups/firewall.2022_05_30_03_42_PM_1653918145.local create mode 100755 data/backups/firewall.2022_05_30_03_46_PM_1653918417.local create mode 100644 data/backups/firewall.2022_05_30_03_47_PM_1653918430.local create mode 100644 data/originals/firewall.local.167 create mode 100755 data/originals/firewall.looper create mode 120000 data/originals/firewall.original create mode 100755 data/originals/rules.d/dns_catchall_redirect.custom create mode 100755 data/originals/rules.d/ntp_catchall_redirect.custom create mode 100755 data/run/firewall.local create mode 100755 install create mode 100755 renew create mode 100755 rules.d/dns_catchall_redirect.on create mode 100755 rules.d/ntp_catchall_redirect.on create mode 100755 uninstall 
diff --git a/data/backups/firewall.2022_05_30_03_41_PM_1653918107.local b/data/backups/firewall.2022_05_30_03_41_PM_1653918107.local
new file mode 100644
index 0000000..5e4677f
--- /dev/null
+++ b/data/backups/firewall.2022_05_30_03_41_PM_1653918107.local
@@ -0,0 +1,20 @@
+#!/bin/sh
+# Used for private firewall rules
+
+# See how we were called.
+case "$1" in
+ start)
+ ## add your 'start' rules here
+ ;;
+ stop)
+ ## add your 'stop' rules here
+ ;;
+ reload)
+ $0 stop
+ $0 start
+ ## add your 'reload' rules here
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload}"
+ ;;
+esac
diff --git a/data/backups/firewall.2022_05_30_03_42_PM_1653918123.local b/data/backups/firewall.2022_05_30_03_42_PM_1653918123.local
new file mode 100644
index 0000000..5e4677f
--- /dev/null
+++ b/data/backups/firewall.2022_05_30_03_42_PM_1653918123.local
@@ -0,0 +1,20 @@
+#!/bin/sh
+# Used for private firewall rules
+
+# See how we were called.
+case "$1" in
+ start)
+ ## add your 'start' rules here
+ ;;
+ stop)
+ ## add your 'stop' rules here
+ ;;
+ reload)
+ $0 stop
+ $0 start
+ ## add your 'reload' rules here
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload}"
+ ;;
+esac
diff --git a/data/backups/firewall.2022_05_30_03_42_PM_1653918145.local b/data/backups/firewall.2022_05_30_03_42_PM_1653918145.local
new file mode 100644
index 0000000..5e4677f
--- /dev/null
+++ b/data/backups/firewall.2022_05_30_03_42_PM_1653918145.local
@@ -0,0 +1,20 @@
+#!/bin/sh
+# Used for private firewall rules
+
+# See how we were called.
+case "$1" in
+ start)
+ ## add your 'start' rules here
+ ;;
+ stop)
+ ## add your 'stop' rules here
+ ;;
+ reload)
+ $0 stop
+ $0 start
+ ## add your 'reload' rules here
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload}"
+ ;;
+esac
diff --git a/data/backups/firewall.2022_05_30_03_46_PM_1653918417.local b/data/backups/firewall.2022_05_30_03_46_PM_1653918417.local
new file mode 100755
index 0000000..273dab3
--- /dev/null
+++ b/data/backups/firewall.2022_05_30_03_46_PM_1653918417.local
@@ -0,0 +1,50 @@
+#!/bin/sh
+#
+# IPFire Custom Firewall (icf)
+#
+# Github: https://github.com/Mnkey
+#
+# Loops over the local "rules.d/" subfolder files
+# Forwarding the (start/stop) command to every file
+# which extension is ".on". To enabled multiple
+# custom firewall rulesets!
+#
+# the configuration of the ipfire custom rules (ipfcr)
+# in the local "rules.d/*" sunfolder, is inside the
+# files themself!
+#
+# Use this at your OWN RISK. Not fully supported!
+#
+# License: GPL2
+#
+# icf v0.1 (c) 30 May 2022 code.monkeycat.com
+#
+# Nuff text...
+
+pwd=$PWD
+base=${PWD%/*/*}
+
+case "$1" in
+ start)
+ find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \;
+
+ ;;
+ stop)
+ find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \;
+
+ ;;
+ reload)
+ $0 stop
+ $0 start
+
+ ;;
+ flush)
+ iptables -t nat -F CUSTOMPREROUTING
+ iptables -t nat -F CUSTOMPOSTROUTING
+ iptables -F CUSTOMFORWARD
+
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload|flush}"
+ ;;
+esac
diff --git a/data/backups/firewall.2022_05_30_03_47_PM_1653918430.local b/data/backups/firewall.2022_05_30_03_47_PM_1653918430.local
new file mode 100644
index 0000000..5e4677f
--- /dev/null
+++ b/data/backups/firewall.2022_05_30_03_47_PM_1653918430.local
@@ -0,0 +1,20 @@
+#!/bin/sh
+# Used for private firewall rules
+
+# See how we were called.
+case "$1" in
+ start)
+ ## add your 'start' rules here
+ ;;
+ stop)
+ ## add your 'stop' rules here
+ ;;
+ reload)
+ $0 stop
+ $0 start
+ ## add your 'reload' rules here
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload}"
+ ;;
+esac
diff --git a/data/originals/firewall.local.167 b/data/originals/firewall.local.167
new file mode 100644
index 0000000..5e4677f
--- /dev/null
+++ b/data/originals/firewall.local.167
@@ -0,0 +1,20 @@
+#!/bin/sh
+# Used for private firewall rules
+
+# See how we were called.
+case "$1" in
+ start)
+ ## add your 'start' rules here
+ ;;
+ stop)
+ ## add your 'stop' rules here
+ ;;
+ reload)
+ $0 stop
+ $0 start
+ ## add your 'reload' rules here
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload}"
+ ;;
+esac
diff --git a/data/originals/firewall.looper b/data/originals/firewall.looper
new file mode 100755
index 0000000..4b9d78e
--- /dev/null
+++ b/data/originals/firewall.looper
@@ -0,0 +1,50 @@
+#!/bin/sh
+#
+# IPFire Custom Rules (icr)
+#
+# Github: https://github.com/MonkeyCat/IPFireCustomRules
+#
+# Loops over the local "rules.d/" subfolder files
+# Forwarding the (start/stop) command to every file
+# which extension is ".on". To enabled multiple
+# custom firewall rulesets!
+#
+# the configuration of the ipfire custom rules (ipfcr)
+# in the local "rules.d/*" sunfolder, is inside the
+# files themself!
+#
+# Use this at your OWN RISK. Not fully supported!
+#
+# License: GPL2
+#
+# icr v0.1 (c) 30 May 2022 code.monkeycat.com
+#
+# Nuff text...
+
+pwd=$PWD
+base=${PWD%/*/*}
+
+case "$1" in
+ start)
+ find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \;
+
+ ;;
+ stop)
+ find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \;
+
+ ;;
+ reload)
+ $0 stop
+ $0 start
+
+ ;;
+ flush)
+ iptables -t nat -F CUSTOMPREROUTING
+ iptables -t nat -F CUSTOMPOSTROUTING
+ iptables -F CUSTOMFORWARD
+
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload|flush}"
+ ;;
+esac
diff --git a/data/originals/firewall.original b/data/originals/firewall.original
new file mode 120000
index 0000000..d6f1586
--- /dev/null
+++ b/data/originals/firewall.original
@@ -0,0 +1 @@
+firewall.local.167
\ No newline at end of file
diff --git a/data/originals/rules.d/dns_catchall_redirect.custom b/data/originals/rules.d/dns_catchall_redirect.custom
new file mode 100755
index 0000000..6fcd9ef
--- /dev/null
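Review bot: The `find` in the start and stop arms of firewall.looper runs every regular file in rules.d/, not only the `.on` files the header comment promises, and splices each path into a shell string with `bash -c "{} $1"`, so a file name containing spaces or shell metacharacters is parsed as shell instead of being executed as a path; `find "$base/rules.d/" -maxdepth 1 -type f -name '*.on' -exec {} "$1" \;` fixes both in one line. `base=${PWD%/*/*}` is derived from the caller's working directory rather than from the script's location, so it presumably resolves to the checkout only when the looper is invoked from data/run/; deriving it from `$0` (for example via `readlink -f "$0"`) would remove that dependency. The file is `#!/bin/sh` yet relies on a `bash` binary being present for the `-exec`. The identical body is repeated in data/backups/firewall.2022_05_30_03_46_PM_1653918417.local and in data/run/firewall.local, the copy that install links into /etc/sysconfig.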
+++ b/data/originals/rules.d/dns_catchall_redirect.custom 
@@ -0,0 +1,132 @@ +#!/bin/sh +# +# Redirect All DNS Request Traffic To DNS Server on (Internal) Network +# +# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512) +# +# Use this at your OWN RISK. It is not fully supported! +# https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2 +# +# (c) 2022 MonkeyCat.com +# +# v0.9 30/May/2022 + + +# uncomment if you setup this dns ruleset +#setup=true + + + +if $setup +then + echo "Please setup your dns server ip, accepted range and if you want logging!" + echo "inside dns_catchall_redirect.* file" + exit +fi + +# Our dns server target +SERVER="10.0.80.2" + +# double negation :-) see rule (!) +ONLY_ACCEPT_INTERNAL="10.0.0.0/8" + +LOGGING=true + + + +# logging prefix +PREFIX="DNS" +PORT=53 + +case "$1" in + start) + ## add your 'start' rules here + + # dns logging + if $LOGGING + then + echo "$PREFIX Logging Enabled ($SERVER)" + # udp + iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE " + iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL " + iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL " + iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE " + iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE " + # tcp + iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE " + iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL " + iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL " + iptables -t nat -A CUSTOMPREROUTING ! 
-s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE " + iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE " + fi + + # dns + echo "$PREFIX Catch All Enabled ($SERVER)" + # udp + iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT + iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP + iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT + iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT + iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE + # tcp + iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT + iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP + iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT + iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT + iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE + + ;; + stop) + ## add your 'stop' rules here + + + # dns logging + if $LOGGING + then + echo $PREFIX Logging Disabled ($SERVER)" + # udp + iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE " + iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL " + iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL " + iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE " + iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE " + # tcp + iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE " + iptables -D CUSTOMFORWARD ! 
-s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL " + iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL " + iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE " + iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE " + fi + + # dns + echo $PREFIX Catch All Disabled ($SERVER)" + # udp + iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT + iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP + iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT + iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT + iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE + # tcp + iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT + iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP + iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT + iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT + iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE + + ;; + reload) + $0 stop + $0 start + ## add your 'reload' rules here + + ;; + flush) + iptables -t nat -F CUSTOMPREROUTING + iptables -t nat -F CUSTOMPOSTROUTING + iptables -F CUSTOMFORWARD + + ;; + *) + echo "Usage: $0 {start|stop|reload|flush}" + ;; +esac diff --git a/data/originals/rules.d/ntp_catchall_redirect.custom b/data/originals/rules.d/ntp_catchall_redirect.custom new file mode 100755 index 0000000..0810740 --- /dev/null +++ b/data/originals/rules.d/ntp_catchall_redirect.custom 
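Review bot: The two `echo` lines in the stop arm, `echo $PREFIX Logging Disabled ($SERVER)"` and `echo $PREFIX Catch All Disabled ($SERVER)"`, are missing their opening quote, which leaves `(` unquoted inside the `case`; the whole compound command then fails to parse, so neither `start` nor `stop` can run, and once the quote is restored (`echo "$PREFIX Logging Disabled ($SERVER)"`) note that a failing `stop` would let every `reload` append a second copy of each rule. Every `--log-prefix "$PREFIX_ACCEPT_PRIVATE "` expands the unset variable `PREFIX_ACCEPT_PRIVATE` (the shell reads the underscore as part of the name), so all LOG rules get a blank prefix and the accept/drop/preroute/postroute events cannot be told apart in the kernel log; write `"${PREFIX}_ACCEPT_PRIVATE "` and likewise for the other four suffixes. The `if $setup` guard takes the "Please setup" branch both when `setup=true` is uncommented and when it stays commented (an empty expansion is a null command with status 0), and the bare `exit` reports success to the looper; `[ "${setup:-}" = true ] || { echo "..." >&2; exit 1; }` expresses the intended check. The POSTROUTING MASQUERADE rewrites every redirected client to the firewall's own address, so the DNS server's query logs lose the original client IP; if hairpin to clients on the server's subnet is not needed, that rule can be dropped to keep attribution. The same body is repeated verbatim in rules.d/dns_catchall_redirect.on, and the `$PREFIX_…` and `setup` points apply equally to both ntp_catchall_redirect files.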
@@ -0,0 +1,100 @@ +#!/bin/sh +# +# Redirect All Time Servers Traffic Request To Time Server on (Internal) Network +# +# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512) +# +# Use this at your OWN RISK. It is not fully supported! +# https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2 +# +# (c) 2022 MonkeyCat.com +# +# v1.0a 30/May/2022 + + +# uncomment if you setup this ntp ruleset +#setup=true + + + +if $setup +then + echo "Please setup your time server ip, accepted range and if you want logging!" + echo "inside "ntp_catchall_redirect.* file" + exit +fi + +# Our timer server target +SERVER="10.0.0.5" + +# double negation :-) see rule (!) +ONLY_ACCEPT_INTERNAL="10.0.0.0/8" + +LOGGING=false + + + +# logging prefix +PREFIX="NTP" +PORT=123 + +case "$1" in + start) + # ntp logging + if $LOGGING + then + echo "$PREFIX Logging Enabled ($SERVER)" + iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE " + iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL " + iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL " + iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE " + iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE " + fi + + # ntp + echo "$PREFIX Catch All Enabled ($SERVER)" + iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT + iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP + + iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT + iptables -t nat -A CUSTOMPREROUTING ! 
-s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT + iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE + + ;; + stop) + # ntp logging + if $LOGGING + then + echo "$PREFIX Logging Disabled ($SERVER)" + iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE " + iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL " + iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL " + iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE " + iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE " + fi + + # ntp + echo "$PREFIX Catch All Disabled ($SERVER)" + iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT + iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP + iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT + iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT + iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE + + ;; + reload) + $0 stop + $0 start + ## add your 'reload' rules here + + ;; + flush) + iptables -t nat -F CUSTOMPREROUTING + iptables -t nat -F CUSTOMPOSTROUTING + iptables -F CUSTOMFORWARD + + ;; + *) + echo "Usage: $0 {start|stop|reload|flush}" + ;; +esac diff --git a/data/run/firewall.local b/data/run/firewall.local new file mode 100755 index 0000000..4b9d78e --- /dev/null +++ b/data/run/firewall.local 
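Review bot: The quoting in this file is unbalanced: each `--log-prefix ""$PREFIX_ACCEPT_PRIVATE "` carries three double quotes (an empty string, an unset-variable expansion, then a quote that runs on to the next line), and `echo "inside "ntp_catchall_redirect.* file"` leaves `ntp_catchall_redirect.*` unquoted as a glob and opens a string that is not closed on that line, so the `fi` and the assignments that follow are swallowed into it and the rest of the file is tokenised wrongly. The fix is `--log-prefix "${PREFIX}_ACCEPT_PRIVATE "` (and the same for the other four suffixes) plus `echo "inside ntp_catchall_redirect.* file"`. `LOGGING=false` only prevents those rules from executing; the parse problem is hit regardless of its value. The same body is repeated verbatim in rules.d/ntp_catchall_redirect.on.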
@@ -0,0 +1,50 @@
+#!/bin/sh
+#
+# IPFire Custom Rules (icr)
+#
+# Github: https://github.com/MonkeyCat/IPFireCustomRules
+#
+# Loops over the local "rules.d/" subfolder files
+# Forwarding the (start/stop) command to every file
+# which extension is ".on". To enabled multiple
+# custom firewall rulesets!
+#
+# the configuration of the ipfire custom rules (ipfcr)
+# in the local "rules.d/*" sunfolder, is inside the
+# files themself!
+#
+# Use this at your OWN RISK. Not fully supported!
+#
+# License: GPL2
+#
+# icr v0.1 (c) 30 May 2022 code.monkeycat.com
+#
+# Nuff text...
+
+pwd=$PWD
+base=${PWD%/*/*}
+
+case "$1" in
+ start)
+ find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \;
+
+ ;;
+ stop)
+ find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \;
+
+ ;;
+ reload)
+ $0 stop
+ $0 start
+
+ ;;
+ flush)
+ iptables -t nat -F CUSTOMPREROUTING
+ iptables -t nat -F CUSTOMPOSTROUTING
+ iptables -F CUSTOMFORWARD
+
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload|flush}"
+ ;;
+esac
diff --git a/install b/install
new file mode 100755
index 0000000..d16dbfa
--- /dev/null
+++ b/install
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# backup... tjust in case...
+echo "Backup of firewall.local -> $PWD/data/backups/firewall.$(date +"%Y_%m_%d_%I_%M_%p_%s").local"
+mkdir -p $PWD/data/backups
+cp /etc/sysconfig/firewall.local $PWD/data/backups/firewall.$(date +"%Y_%m_%d_%I_%M_%p_%s").local
+
+# Another backup!
+echo "Backup of firewall.local -> firewall.local.old"
+cp -PL /etc/sysconfig/firewall.local /etc/sysconfig/firewall.local.old
+
+# iterator
+
+if [[ ! -L "/etc/sysconfig/firewall.local" ]] ; then
+ echo "Linking IPFire Custom Firewall Rules Looper"
+ echo "Installing $PWD/data/executable/firewall.local -> /etc/sysconfig/firewall.local"
+ rm /etc/sysconfig/firewall.local
+ cp $PWD/data/originals/firewall.looper $PWD/data/run/firewall.local
+ ln -s $PWD/data/run/firewall.local /etc/sysconfig/firewall.local
+fi
+
+# rules!
+
+if [[ ! -L "/etc/sysconfig/rules.d" ]] ; then
+ echo "Linking IPFire Custom Firewall Rules"
+ echo "Installing $PWD/rules.d/ -> /etc/sysconfig/rules.d"
+ ln -s $PWD/rules.d /etc/sysconfig/rules.d
+fi
diff --git a/renew b/renew
new file mode 100755
index 0000000..28282f2
--- /dev/null
+++ b/renew
@@ -0,0 +1,2 @@
+#!/bin/sh
+/etc/init.d/firewall reload
diff --git a/rules.d/dns_catchall_redirect.on b/rules.d/dns_catchall_redirect.on
new file mode 100755
index 0000000..6fcd9ef
--- /dev/null
+++ b/rules.d/dns_catchall_redirect.on
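Review bot: `ln -s $PWD/rules.d /etc/sysconfig/rules.d` (and the data/run link above it) makes the firewall execute, as root on every start and stop, whatever regular files sit in the checkout directory, so the ownership and mode of that tree become the trust boundary for the firewall; the script should refuse to link when the tree is not root-owned or is group/world-writable, e.g. `find "$PWD/rules.d" \( ! -user root -o -perm /022 \) -print -quit | grep -q . && { echo "rules.d must be root-owned and not group/world writable" >&2; exit 1; }`. `rm /etc/sysconfig/firewall.local` runs before the `cp` and `ln -s` that replace it and nothing checks their status (no `set -e`), so a failed copy leaves the system without a firewall.local. The message `Installing $PWD/data/executable/firewall.local` names a path that does not exist in this commit; the file actually linked is data/run/firewall.local. `[[ ]]` is a bash construct under a `#!/bin/sh` shebang; it presumably works because /bin/sh is bash on the target, but `[ ! -L ... ]` is the portable form.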
@@ -0,0 +1,132 @@ +#!/bin/sh +# +# Redirect All DNS Request Traffic To DNS Server on (Internal) Network +# +# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512) +# +# Use this at your OWN RISK. It is not fully supported! +# https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2 +# +# (c) 2022 MonkeyCat.com +# +# v0.9 30/May/2022 + + +# uncomment if you setup this dns ruleset +#setup=true + + + +if $setup +then + echo "Please setup your dns server ip, accepted range and if you want logging!" + echo "inside dns_catchall_redirect.* file" + exit +fi + +# Our dns server target +SERVER="10.0.80.2" + +# double negation :-) see rule (!) +ONLY_ACCEPT_INTERNAL="10.0.0.0/8" + +LOGGING=true + + + +# logging prefix +PREFIX="DNS" +PORT=53 + +case "$1" in + start) + ## add your 'start' rules here + + # dns logging + if $LOGGING + then + echo "$PREFIX Logging Enabled ($SERVER)" + # udp + iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE " + iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL " + iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL " + iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE " + iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE " + # tcp + iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE " + iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL " + iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL " + iptables -t nat -A CUSTOMPREROUTING ! 
-s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE " + iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE " + fi + + # dns + echo "$PREFIX Catch All Enabled ($SERVER)" + # udp + iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT + iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP + iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT + iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT + iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE + # tcp + iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT + iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP + iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT + iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT + iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE + + ;; + stop) + ## add your 'stop' rules here + + + # dns logging + if $LOGGING + then + echo $PREFIX Logging Disabled ($SERVER)" + # udp + iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE " + iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL " + iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL " + iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE " + iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE " + # tcp + iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE " + iptables -D CUSTOMFORWARD ! 
-s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL " + iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL " + iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE " + iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE " + fi + + # dns + echo $PREFIX Catch All Disabled ($SERVER)" + # udp + iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT + iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP + iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT + iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT + iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE + # tcp + iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT + iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP + iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT + iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT + iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE + + ;; + reload) + $0 stop + $0 start + ## add your 'reload' rules here + + ;; + flush) + iptables -t nat -F CUSTOMPREROUTING + iptables -t nat -F CUSTOMPOSTROUTING + iptables -F CUSTOMFORWARD + + ;; + *) + echo "Usage: $0 {start|stop|reload|flush}" + ;; +esac diff --git a/rules.d/ntp_catchall_redirect.on b/rules.d/ntp_catchall_redirect.on new file mode 100755 index 0000000..0810740 --- /dev/null +++ b/rules.d/ntp_catchall_redirect.on 
@@ -0,0 +1,100 @@ +#!/bin/sh +# +# Redirect All Time Servers Traffic Request To Time Server on (Internal) Network +# +# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512) +# +# Use this at your OWN RISK. It is not fully supported! +# https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2 +# +# (c) 2022 MonkeyCat.com +# +# v1.0a 30/May/2022 + + +# uncomment if you setup this ntp ruleset +#setup=true + + + +if $setup +then + echo "Please setup your time server ip, accepted range and if you want logging!" + echo "inside "ntp_catchall_redirect.* file" + exit +fi + +# Our timer server target +SERVER="10.0.0.5" + +# double negation :-) see rule (!) +ONLY_ACCEPT_INTERNAL="10.0.0.0/8" + +LOGGING=false + + + +# logging prefix +PREFIX="NTP" +PORT=123 + +case "$1" in + start) + # ntp logging + if $LOGGING + then + echo "$PREFIX Logging Enabled ($SERVER)" + iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE " + iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL " + iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL " + iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE " + iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE " + fi + + # ntp + echo "$PREFIX Catch All Enabled ($SERVER)" + iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT + iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP + + iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT + iptables -t nat -A CUSTOMPREROUTING ! 
-s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT + iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE + + ;; + stop) + # ntp logging + if $LOGGING + then + echo "$PREFIX Logging Disabled ($SERVER)" + iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE " + iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL " + iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL " + iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE " + iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE " + fi + + # ntp + echo "$PREFIX Catch All Disabled ($SERVER)" + iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT + iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP + iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT + iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT + iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE + + ;; + reload) + $0 stop + $0 start + ## add your 'reload' rules here + + ;; + flush) + iptables -t nat -F CUSTOMPREROUTING + iptables -t nat -F CUSTOMPOSTROUTING + iptables -F CUSTOMFORWARD + + ;; + *) + echo "Usage: $0 {start|stop|reload|flush}" + ;; +esac diff --git a/uninstall b/uninstall new file mode 100755 index 0000000..121a753 --- /dev/null +++ b/uninstall 
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# backup... tjust in case...
+echo "Backup of firewall.local -> $PWD/data/backups/firewall.$(date +"%Y_%m_%d_%I_%M_%p_%s").local"
+mkdir -p $PWD/data/backups
+cp /etc/sysconfig/firewall.local $PWD/data/backups/firewall.$(date +"%Y_%m_%d_%I_%M_%p_%s").local
+
+# Another backup!
+echo "Backup of firewall.local -> firewall.local.old"
+cp -PL /etc/sysconfig/firewall.local /etc/sysconfig/firewall.local.old
+rm /etc/sysconfig/firewall.local
+
+# Removing rules symbolic link
+echo "Removing IPFire Custom Firewall Rules"
+if [[ -L "/etc/sysconfig/rules.d" ]] ; then
+ rm /etc/sysconfig/rules.d
+fi
+
+echo "Removing IPFire Custom Firewall Rules Looper"
+echo "Restore of $PWD/data/originals/firewall.original /etc/sysconfig/firewall.local"
+cp $PWD/data/originals/firewall.original /etc/sysconfig/firewall.local
--
cgit v1.2.3
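Review bot: The restore copies `$PWD/data/originals/firewall.original`, a snapshot captured from one particular box (in this commit it links to firewall.local.167), over /etc/sysconfig/firewall.local instead of the backup that install took on this machine, so any site-specific firewall.local that existed before install is replaced by the author's copy; restoring the install-time backup, e.g. `cp -- /etc/sysconfig/firewall.local.old /etc/sysconfig/firewall.local`, would be correct on every host. The `cp -PL ... firewall.local.old` line above it overwrites that very backup with the looper (or a link to it), so at this point the pre-install copy in /etc/sysconfig is already lost and only the timestamped copy in data/backups remains. `rm /etc/sysconfig/firewall.local` also runs before the restore with no status check, so a failing `cp` leaves no firewall.local at all; doing the restore first and the removal last keeps the system consistent. The rules appended by the .on scripts are not torn down here; presumably running the looper's `stop` before unlinking it would remove them — confirm against how the init script invokes firewall.local.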