From 6891a04373daa365c35828ce71e047f5f14486e4 Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 30 May 2022 15:59:54 +0200
Subject: Beta2: DNS & NTP Redirect To Exernal Working!
---
data/originals/firewall.local.167 | 20 ++++
data/originals/firewall.looper | 50 ++++++++
data/originals/firewall.original | 1 +
.../originals/rules.d/dns_catchall_redirect.custom | 132 +++++++++++++++++++++
.../originals/rules.d/ntp_catchall_redirect.custom | 100 ++++++++++++++++
5 files changed, 303 insertions(+)
create mode 100644 data/originals/firewall.local.167
create mode 100755 data/originals/firewall.looper
create mode 120000 data/originals/firewall.original
create mode 100755 data/originals/rules.d/dns_catchall_redirect.custom
create mode 100755 data/originals/rules.d/ntp_catchall_redirect.custom
(limited to 'data/originals')
diff --git a/data/originals/firewall.local.167 b/data/originals/firewall.local.167
new file mode 100644
index 0000000..5e4677f
--- /dev/null
+++ b/data/originals/firewall.local.167
@@ -0,0 +1,20 @@
+#!/bin/sh
+# Used for private firewall rules
+
+# See how we were called.
+case "$1" in
+ start)
+ ## add your 'start' rules here
+ ;;
+ stop)
+ ## add your 'stop' rules here
+ ;;
+ reload)
+ $0 stop
+ $0 start
+ ## add your 'reload' rules here
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload}"
+ ;;
+esac
diff --git a/data/originals/firewall.looper b/data/originals/firewall.looper
new file mode 100755
index 0000000..4b9d78e
--- /dev/null
+++ b/data/originals/firewall.looper
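Review bot: The usage message in the `*)` arm goes to stdout and the script exits 0 on an unrecognised action, so a typo in the argument passed by the caller is indistinguishable from success for anything that checks the exit status. The conventional form is `echo "Usage: $0 {start|stop|reload}" >&2` followed by `exit 1`. The rest of the file is the stock IPFire firewall.local template with empty start/stop arms, so nothing else to raise here.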
@@ -0,0 +1,50 @@
+#!/bin/sh
+#
+# IPFire Custom Rules (icr)
+#
+# Github: https://github.com/MonkeyCat/IPFireCustomRules
+#
+# Loops over the local "rules.d/" subfolder files
+# Forwarding the (start/stop) command to every file
+# which extension is ".on". To enabled multiple
+# custom firewall rulesets!
+#
+# the configuration of the ipfire custom rules (ipfcr)
+# in the local "rules.d/*" sunfolder, is inside the
+# files themself!
+#
+# Use this at your OWN RISK. Not fully supported!
+#
+# License: GPL2
+#
+# icr v0.1 (c) 30 May 2022 code.monkeycat.com
+#
+# Nuff text...
+pwd=$PWD
+base=${PWD%/*/*}
+case "$1" in
+ start)
+ find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \;
+
+ ;;
+ stop)
+ find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \;
+
+ ;;
+ reload)
+ $0 stop
+ $0 start
+
+ ;;
+ flush)
+ iptables -t nat -F CUSTOMPREROUTING
+ iptables -t nat -F CUSTOMPOSTROUTING
+ iptables -F CUSTOMFORWARD
+
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload|flush}"
+ ;;
+esac
diff --git a/data/originals/firewall.original b/data/originals/firewall.original
new file mode 120000
index 0000000..d6f1586
--- /dev/null
+++ b/data/originals/firewall.original
@@ -0,0 +1 @@
+firewall.local.167
\ No newline at end of file
diff --git a/data/originals/rules.d/dns_catchall_redirect.custom b/data/originals/rules.d/dns_catchall_redirect.custom
new file mode 100755
index 0000000..6fcd9ef
--- /dev/null
+++ b/data/originals/rules.d/dns_catchall_redirect.custom
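Review bot: The start and stop arms execute every regular file under rules.d via `find ... -exec bash -c "{} $1"` with no `-name` filter, even though the header comment says only files with the `.on` extension are forwarded the command (the two rulesets added in this commit are in fact named `.custom`); because this hook runs with the firewall's root privileges, any stray file in that directory — an editor backup, a ruleset someone meant to disable — is executed. The filename is also interpolated into a `bash -c` string, so a name containing spaces or shell metacharacters is split or reinterpreted; `find "$base/rules.d/" -maxdepth 1 -type f -name '*.on' -exec {} "$1" \;` avoids both problems and works because the commit already marks the rule files executable. `base=${PWD%/*/*}` derives the rules directory from the caller's working directory rather than the script's location, which presumably differs when IPFire invokes firewall.local from its init path — `base=$(dirname -- "$0")` looks like the intent. `pwd=$PWD` is assigned but never read.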
@@ -0,0 +1,132 @@ +#!/bin/sh +# +# Redirect All DNS Request Traffic To DNS Server on (Internal) Network +# +# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512) +# +# Use this at your OWN RISK. It is not fully supported! +# https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2 +# +# (c) 2022 MonkeyCat.com +# +# v0.9 30/May/2022 + + +# uncomment if you setup this dns ruleset +#setup=true + + + +if $setup +then + echo "Please setup your dns server ip, accepted range and if you want logging!" + echo "inside dns_catchall_redirect.* file" + exit +fi + +# Our dns server target +SERVER="10.0.80.2" + +# double negation :-) see rule (!) +ONLY_ACCEPT_INTERNAL="10.0.0.0/8" + +LOGGING=true + + + +# logging prefix +PREFIX="DNS" +PORT=53 + +case "$1" in + start) + ## add your 'start' rules here + + # dns logging + if $LOGGING + then + echo "$PREFIX Logging Enabled ($SERVER)" + # udp + iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE " + iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL " + iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL " + iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE " + iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE " + # tcp + iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE " + iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL " + iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL " + iptables -t nat -A CUSTOMPREROUTING ! 
-s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE " + iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE " + fi + + # dns + echo "$PREFIX Catch All Enabled ($SERVER)" + # udp + iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT + iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP + iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT + iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT + iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE + # tcp + iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT + iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP + iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT + iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT + iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE + + ;; + stop) + ## add your 'stop' rules here + + + # dns logging + if $LOGGING + then + echo $PREFIX Logging Disabled ($SERVER)" + # udp + iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE " + iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL " + iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL " + iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE " + iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE " + # tcp + iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE " + iptables -D CUSTOMFORWARD ! 
-s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL " + iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL " + iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE " + iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE " + fi + + # dns + echo $PREFIX Catch All Disabled ($SERVER)" + # udp + iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT + iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP + iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT + iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT + iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE + # tcp + iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT + iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP + iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT + iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT + iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE + + ;; + reload) + $0 stop + $0 start + ## add your 'reload' rules here + + ;; + flush) + iptables -t nat -F CUSTOMPREROUTING + iptables -t nat -F CUSTOMPOSTROUTING + iptables -F CUSTOMFORWARD + + ;; + *) + echo "Usage: $0 {start|stop|reload|flush}" + ;; +esac diff --git a/data/originals/rules.d/ntp_catchall_redirect.custom b/data/originals/rules.d/ntp_catchall_redirect.custom new file mode 100755 index 0000000..0810740 --- /dev/null +++ b/data/originals/rules.d/ntp_catchall_redirect.custom 
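Review bot: The `setup` guard near the top exits in both states: with `#setup=true` left commented, `if $setup` expands to an empty command whose status is 0, so the message is printed and the script exits, and uncommenting it makes the condition `if true` with the same result — as written the rules can never be applied, and `if [ "${setup:-false}" != true ]; then` is what the comment describes. Every `--log-prefix "$PREFIX_ACCEPT_PRIVATE "` (likewise `_DROP_EXTERNAL`, `_ACCEPT_INTERNAL`, `_PREROUTE`, `_POSTROUTE`) is parsed by the shell as the single unset variable `PREFIX_ACCEPT_PRIVATE`, so every LOG rule carries a blank prefix; write `"${PREFIX}_ACCEPT_PRIVATE "`. In the stop arm, `echo $PREFIX Logging Disabled ($SERVER)"` and `echo $PREFIX Catch All Disabled ($SERVER)"` are missing the opening quote, and if the rendering here is faithful the bare `(` is a syntax error that stops the whole `case` statement from parsing, so start fails as well. Worth a header caveat that the catch-all covers only port 53 — clients using DNS-over-TLS (853) or DNS-over-HTTPS (443) bypass it entirely — and that the POSTROUTING MASQUERADE rewrites the client source address, so the DNS server's own logs no longer identify the originating host.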
@@ -0,0 +1,100 @@ +#!/bin/sh +# +# Redirect All Time Servers Traffic Request To Time Server on (Internal) Network +# +# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512) +# +# Use this at your OWN RISK. It is not fully supported! +# https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2 +# +# (c) 2022 MonkeyCat.com +# +# v1.0a 30/May/2022 + + +# uncomment if you setup this ntp ruleset +#setup=true + + + +if $setup +then + echo "Please setup your time server ip, accepted range and if you want logging!" + echo "inside "ntp_catchall_redirect.* file" + exit +fi + +# Our timer server target +SERVER="10.0.0.5" + +# double negation :-) see rule (!) +ONLY_ACCEPT_INTERNAL="10.0.0.0/8" + +LOGGING=false + + + +# logging prefix +PREFIX="NTP" +PORT=123 + +case "$1" in + start) + # ntp logging + if $LOGGING + then + echo "$PREFIX Logging Enabled ($SERVER)" + iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE " + iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL " + iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL " + iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE " + iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE " + fi + + # ntp + echo "$PREFIX Catch All Enabled ($SERVER)" + iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT + iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP + + iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT + iptables -t nat -A CUSTOMPREROUTING ! 
-s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT + iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE + + ;; + stop) + # ntp logging + if $LOGGING + then + echo "$PREFIX Logging Disabled ($SERVER)" + iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE " + iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL " + iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL " + iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE " + iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE " + fi + + # ntp + echo "$PREFIX Catch All Disabled ($SERVER)" + iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT + iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP + iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT + iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT + iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE + + ;; + reload) + $0 stop + $0 start + ## add your 'reload' rules here + + ;; + flush) + iptables -t nat -F CUSTOMPREROUTING + iptables -t nat -F CUSTOMPOSTROUTING + iptables -F CUSTOMFORWARD + + ;; + *) + echo "Usage: $0 {start|stop|reload|flush}" + ;; +esac -- cgit v1.2.3
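Review bot: Each `--log-prefix ""$PREFIX_ACCEPT_PRIVATE "` in the start and stop logging blocks has an odd number of double quotes, so as shown the trailing `"` opens a string that runs onto the next line and the following `iptables` invocations are folded into the arguments of the previous one; the imbalance reaches `fi`, and if the rendering is faithful the file does not parse even with `LOGGING=false`. The intended form is `--log-prefix "${PREFIX}_ACCEPT_PRIVATE "` — note that `$PREFIX_ACCEPT_PRIVATE` names one unset variable rather than `$PREFIX` plus a suffix, so the prefix would still be blank after the quotes are fixed. The `setup` guard has the same inversion as the DNS ruleset in this commit: `if $setup` succeeds both when `setup` is unset (empty command, status 0) and when `setup=true`, so the script always exits before touching iptables; `if [ "${setup:-false}" != true ]; then` matches the comment. `echo "inside "ntp_catchall_redirect.* file"` has an extra quote that leaves `ntp_catchall_redirect.*` unquoted and subject to glob expansion against the current directory. A header caveat that the MASQUERADE hides the real client address from the NTP server would help anyone reading its logs.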