From 6891a04373daa365c35828ce71e047f5f14486e4 Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 30 May 2022 15:59:54 +0200
Subject: Beta2: DNS & NTP Redirect To Exernal Working!

---
 data/originals/firewall.local.167                  |  20 ++++
 data/originals/firewall.looper                     |  50 ++++++++
 data/originals/firewall.original                   |   1 +
 .../originals/rules.d/dns_catchall_redirect.custom | 132 +++++++++++++++++++++
 .../originals/rules.d/ntp_catchall_redirect.custom | 100 ++++++++++++++++
 5 files changed, 303 insertions(+)
 create mode 100644 data/originals/firewall.local.167
 create mode 100755 data/originals/firewall.looper
 create mode 120000 data/originals/firewall.original
 create mode 100755 data/originals/rules.d/dns_catchall_redirect.custom
 create mode 100755 data/originals/rules.d/ntp_catchall_redirect.custom

(limited to 'data/originals')

diff --git a/data/originals/firewall.local.167 b/data/originals/firewall.local.167
new file mode 100644
index 0000000..5e4677f
--- /dev/null
+++ b/data/originals/firewall.local.167
@@ -0,0 +1,20 @@
+#!/bin/sh
+# Used for private firewall rules
+
+# See how we were called.
+case "$1" in
+  start)
+        ## add your 'start' rules here
+        ;;
+  stop)
+        ## add your 'stop' rules here
+        ;;
+  reload)
+        $0 stop
+        $0 start
+        ## add your 'reload' rules here
+        ;;
+  *)
+        echo "Usage: $0 {start|stop|reload}"
+        ;;
+esac
diff --git a/data/originals/firewall.looper b/data/originals/firewall.looper
new file mode 100755
index 0000000..4b9d78e
--- /dev/null
+++ b/data/originals/firewall.looper
@@ -0,0 +1,50 @@
+#!/bin/sh
+# 
+# IPFire Custom Rules (icr)
+# 
+# Github: https://github.com/MonkeyCat/IPFireCustomRules
+#
+# Loops over the local "rules.d/" subfolder files
+# Forwarding the (start/stop) command to every file
+# which extension is ".on". To enabled multiple
+# custom firewall rulesets!
+#
+# the configuration of the ipfire custom rules (ipfcr)
+# in the local "rules.d/*" sunfolder, is inside the
+# files themself! 
+#
+# Use this at your OWN RISK.  Not fully supported!
+#
+# License: GPL2 
+#
+# icr v0.1 (c) 30 May 2022 code.monkeycat.com
+#
+# Nuff text...
+
+pwd=$PWD
+base=${PWD%/*/*}
+
+case "$1" in
+  start)
+        find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \;
+
+        ;;
+  stop)
+        find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \;
+
+        ;;
+  reload)
+        $0 stop
+        $0 start
+
+        ;;
+   flush)
+        iptables -t nat -F CUSTOMPREROUTING
+        iptables -t nat -F CUSTOMPOSTROUTING
+        iptables -F CUSTOMFORWARD
+
+        ;;
+  *)
+        echo "Usage: $0 {start|stop|reload|flush}"
+        ;;
+esac
diff --git a/data/originals/firewall.original b/data/originals/firewall.original
new file mode 120000
index 0000000..d6f1586
--- /dev/null
+++ b/data/originals/firewall.original
@@ -0,0 +1 @@
+firewall.local.167
\ No newline at end of file
diff --git a/data/originals/rules.d/dns_catchall_redirect.custom b/data/originals/rules.d/dns_catchall_redirect.custom
new file mode 100755
index 0000000..6fcd9ef
--- /dev/null
+++ b/data/originals/rules.d/dns_catchall_redirect.custom
@@ -0,0 +1,132 @@
+#!/bin/sh
+#
+# Redirect All DNS Request Traffic To DNS Server on (Internal) Network 
+#
+# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512)
+#
+# Use this at your OWN RISK.  It is not fully supported!
+#	https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2
+#
+# (c) 2022 MonkeyCat.com
+#
+# v0.9 30/May/2022
+
+
+# uncomment if you setup this dns ruleset
+#setup=true
+
+
+
+if $setup
+then
+    echo "Please setup your dns server ip, accepted range and if you want logging!"
+    echo "inside dns_catchall_redirect.* file"
+    exit
+fi
+
+# Our dns server target
+SERVER="10.0.80.2"
+
+# double negation :-)  see rule (!)
+ONLY_ACCEPT_INTERNAL="10.0.0.0/8"
+
+LOGGING=true
+
+
+
+# logging prefix            
+PREFIX="DNS"
+PORT=53
+
+case "$1" in
+  start)
+        ## add your 'start' rules here
+
+	# dns logging
+        if $LOGGING
+        then
+ 	    echo "$PREFIX Logging Enabled ($SERVER)"
+            # udp
+            iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+            iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+            iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+            iptables -t nat -A CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+            iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+            # tcp
+            iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+            iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+            iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+            iptables -t nat -A CUSTOMPREROUTING  ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+            iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+        fi
+
+	# dns 
+        echo "$PREFIX Catch All Enabled ($SERVER)"
+        # udp 
+        iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+        iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+        iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+        iptables -t nat -A CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+        iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+        # tcp
+        iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT
+        iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP
+        iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT
+        iptables -t nat -A CUSTOMPREROUTING  ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT
+        iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE
+
+        ;;
+  stop)
+        ## add your 'stop' rules here
+
+
+	# dns logging
+        if $LOGGING
+        then
+ 	    echo $PREFIX Logging Disabled ($SERVER)"
+              # udp
+            iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+            iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+            iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+            iptables -t nat -D CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+            iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+              # tcp
+            iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+            iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+            iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+            iptables -t nat -D CUSTOMPREROUTING  ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+            iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+        fi
+
+	# dns
+        echo $PREFIX Catch All Disabled ($SERVER)"
+          # udp
+	iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+        iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+        iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+        iptables -t nat -D CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+        iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+          # tcp
+        iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT
+        iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP
+        iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT
+        iptables -t nat -D CUSTOMPREROUTING  ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT
+        iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE
+
+        ;;
+  reload)
+        $0 stop
+        $0 start
+        ## add your 'reload' rules here
+
+        ;;
+   flush)
+        iptables -t nat -F CUSTOMPREROUTING
+        iptables -t nat -F CUSTOMPOSTROUTING
+        iptables -F CUSTOMFORWARD
+
+        ;;
+  *)
+        echo "Usage: $0 {start|stop|reload|flush}"
+        ;;
+esac
diff --git a/data/originals/rules.d/ntp_catchall_redirect.custom b/data/originals/rules.d/ntp_catchall_redirect.custom
new file mode 100755
index 0000000..0810740
--- /dev/null
+++ b/data/originals/rules.d/ntp_catchall_redirect.custom
@@ -0,0 +1,100 @@
+#!/bin/sh
+#
+# Redirect All Time Servers Traffic Request To Time Server on (Internal) Network 
+#
+# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512)
+#
+# Use this at your OWN RISK.  It is not fully supported!
+#       https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2
+#
+# (c) 2022 MonkeyCat.com
+#
+# v1.0a 30/May/2022
+
+
+# uncomment if you setup this ntp ruleset
+#setup=true
+
+
+
+if $setup
+then
+    echo "Please setup your time server ip, accepted range and if you want logging!"
+    echo "inside "ntp_catchall_redirect.* file"
+    exit
+fi
+
+# Our timer server target
+SERVER="10.0.0.5"
+
+# double negation :-)  see rule (!)
+ONLY_ACCEPT_INTERNAL="10.0.0.0/8"
+
+LOGGING=false
+
+
+
+# logging prefix
+PREFIX="NTP"
+PORT=123
+
+case "$1" in
+  start)
+	# ntp logging
+        if $LOGGING
+        then
+ 	    echo "$PREFIX Logging Enabled ($SERVER)"
+            iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE "
+            iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL "
+            iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL "
+            iptables -t nat -A CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE "
+            iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE "
+        fi
+
+	# ntp 
+        echo "$PREFIX Catch All Enabled ($SERVER)"
+        iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+        iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+
+        iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+        iptables -t nat -A CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+        iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+
+        ;;
+  stop)
+	# ntp logging
+        if $LOGGING
+        then
+ 	    echo "$PREFIX Logging Disabled ($SERVER)"
+            iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE "
+            iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL "
+            iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL "
+            iptables -t nat -D CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE "
+            iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE "
+        fi
+
+	# ntp 
+        echo "$PREFIX Catch All Disabled ($SERVER)"
+        iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+        iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+        iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+        iptables -t nat -D CUSTOMPREROUTING  ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+        iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+
+        ;;
+  reload)
+        $0 stop
+        $0 start
+        ## add your 'reload' rules here
+
+        ;;
+   flush)
+        iptables -t nat -F CUSTOMPREROUTING
+        iptables -t nat -F CUSTOMPOSTROUTING
+        iptables -F CUSTOMFORWARD
+
+        ;;
+  *)
+        echo "Usage: $0 {start|stop|reload|flush}"
+        ;;
+esac
-- 
cgit v1.2.3