From 6891a04373daa365c35828ce71e047f5f14486e4 Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 30 May 2022 15:59:54 +0200
Subject: Beta2: DNS & NTP Redirect To Exernal Working!

---
.../originals/rules.d/ntp_catchall_redirect.custom | 100 +++++++++++++++++++++
1 file changed, 100 insertions(+)
create mode 100755 data/originals/rules.d/ntp_catchall_redirect.custom

(limited to 'data/originals/rules.d/ntp_catchall_redirect.custom')

diff --git a/data/originals/rules.d/ntp_catchall_redirect.custom b/data/originals/rules.d/ntp_catchall_redirect.custom
new file mode 100755
index 0000000..0810740
--- /dev/null
+++ b/data/originals/rules.d/ntp_catchall_redirect.custom
@@ -0,0 +1,100 @@
+#!/bin/sh
+#
+# Redirect All Time Servers Traffic Request To Time Server on (Internal) Network
+#
+# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512)
+#
+# Use this at your OWN RISK. It is not fully supported!
+# https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2
+#
+# (c) 2022 MonkeyCat.com
+#
+# v1.0a 30/May/2022
+
+
+# uncomment if you setup this ntp ruleset
+#setup=true
+
+
+
+if $setup
+then
+ echo "Please setup your time server ip, accepted range and if you want logging!"
+ echo "inside "ntp_catchall_redirect.* file"
+ exit
+fi
+
+# Our timer server target
+SERVER="10.0.0.5"
+
+# double negation :-) see rule (!)
+ONLY_ACCEPT_INTERNAL="10.0.0.0/8"
+
+LOGGING=false
+
+
+
+# logging prefix
+PREFIX="NTP"
+PORT=123
+
+case "$1" in
+ start)
+ # ntp logging
+ if $LOGGING
+ then
+ echo "$PREFIX Logging Enabled ($SERVER)"
+ iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE "
+ iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL "
+ iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL "
+ iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE "
+ iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE "
+ fi
+
+ # ntp
+ echo "$PREFIX Catch All Enabled ($SERVER)"
+ iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+ iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+
+ iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+ iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+ iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+
+ ;;
+ stop)
+ # ntp logging
+ if $LOGGING
+ then
+ echo "$PREFIX Logging Disabled ($SERVER)"
+ iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE "
+ iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL "
+ iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL "
+ iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE "
+ iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE "
+ fi
+
+ # ntp
+ echo "$PREFIX Catch All Disabled ($SERVER)"
+ iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+ iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+ iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+ iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+ iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+
+ ;;
+ reload)
+ $0 stop
+ $0 start
+ ## add your 'reload' rules here
+
+ ;;
+ flush)
+ iptables -t nat -F CUSTOMPREROUTING
+ iptables -t nat -F CUSTOMPOSTROUTING
+ iptables -F CUSTOMFORWARD
+
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload|flush}"
+ ;;
+esac
-- 
cgit v1.2.3
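Review bot: The line `echo "inside "ntp_catchall_redirect.* file"` inside the `if $setup` guard has three double quotes, so the third one opens a string that runs on until the next quote in `SERVER="10.0.0.5"`, swallowing `exit` and the closing `fi`; as committed the file cannot be parsed by sh, and the line should read `echo "inside ntp_catchall_redirect.* file"`. Once that is fixed the guard itself is inverted: with `setup` left commented out, `if $setup` runs an empty command that succeeds, and uncommenting `setup=true` succeeds as well, so both configurations print the warning and exit before any rule is installed; `if [ "${setup:-}" != true ]` matches what the comment describes. The ten `--log-prefix ""$PREFIX_ACCEPT_PRIVATE "`-style arguments in the start and stop branches expand `$PREFIX_ACCEPT_PRIVATE` (likewise `$PREFIX_DROP_EXTERNAL`, `$PREFIX_ACCEPT_INTERNAL`, `$PREFIX_PREROUTE`, `$PREFIX_POSTROUTE`) as one unset variable, so every LOG rule is installed with a blank prefix and the five log sources cannot be told apart in the kernel log; write them as `--log-prefix "${PREFIX}_ACCEPT_PRIVATE "` and so on. The `-D` lines in the stop branch use the identical expansion, so they still match and remove the rules today, but they must receive the same change or the stop branch will stop matching.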