From 6891a04373daa365c35828ce71e047f5f14486e4 Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 30 May 2022 15:59:54 +0200
Subject: Beta2: DNS & NTP Redirect To Exernal Working!
---
 rules.d/dns_catchall_redirect.on | 132 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 132 insertions(+)
 create mode 100755 rules.d/dns_catchall_redirect.on
(limited to 'rules.d/dns_catchall_redirect.on')
diff --git a/rules.d/dns_catchall_redirect.on b/rules.d/dns_catchall_redirect.on
new file mode 100755
index 0000000..6fcd9ef
--- /dev/null
+++ b/rules.d/dns_catchall_redirect.on
@@ -0,0 +1,132 @@
+#!/bin/sh
+#
+# Redirect All DNS Request Traffic To DNS Server on (Internal) Network
+#
+# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512)
+#
+# Use this at your OWN RISK. It is not fully supported!
+# https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2
+#
+# (c) 2022 MonkeyCat.com
+#
+# v0.9 30/May/2022
+
+
+# uncomment if you setup this dns ruleset
+#setup=true
+
+
+
+if $setup
+then
+ echo "Please setup your dns server ip, accepted range and if you want logging!"
+ echo "inside dns_catchall_redirect.* file"
+ exit
+fi
+
+# Our dns server target
+SERVER="10.0.80.2"
+
+# double negation :-) see rule (!)
+ONLY_ACCEPT_INTERNAL="10.0.0.0/8"
+
+LOGGING=true
+
+
+
+# logging prefix
+PREFIX="DNS"
+PORT=53
+
+case "$1" in
+ start)
+ ## add your 'start' rules here
+
+ # dns logging
+ if $LOGGING
+ then
+ echo "$PREFIX Logging Enabled ($SERVER)"
+ # udp
+ iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+ iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+ iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+ iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+ iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+ # tcp
+ iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+ iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+ iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+ iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+ iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+ fi
+
+ # dns
+ echo "$PREFIX Catch All Enabled ($SERVER)"
+ # udp
+ iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+ iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+ iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+ iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+ iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+ # tcp
+ iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT
+ iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP
+ iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT
+ iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT
+ iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE
+
+ ;;
+ stop)
+ ## add your 'stop' rules here
+
+
+ # dns logging
+ if $LOGGING
+ then
+ echo $PREFIX Logging Disabled ($SERVER)"
+ # udp
+ iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+ iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+ iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+ iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+ iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+ # tcp
+ iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+ iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+ iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+ iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+ iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+ fi
+
+ # dns
+ echo $PREFIX Catch All Disabled ($SERVER)"
+ # udp
+ iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+ iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+ iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+ iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+ iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+ # tcp
+ iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT
+ iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP
+ iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT
+ iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT
+ iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE
+
+ ;;
+ reload)
+ $0 stop
+ $0 start
+ ## add your 'reload' rules here
+
+ ;;
+ flush)
+ iptables -t nat -F CUSTOMPREROUTING
+ iptables -t nat -F CUSTOMPOSTROUTING
+ iptables -F CUSTOMFORWARD
+
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload|flush}"
+ ;;
+esac
-- 
cgit v1.2.3
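Review bot: The `if $setup` guard near the top of the new file fires on every invocation — with `#setup=true` left commented out, `$setup` expands to nothing and an empty command exits 0, and once the line is uncommented `if true` is true as well — so the script always prints the "Please setup" message and leaves via a bare `exit`, which returns the status of the preceding `echo` (0) and reads as success to whatever runs the `rules.d` files; test the sentinel explicitly and fail loudly, e.g. `if [ "${setup:-}" != "true" ]; then` … `exit 1`. Independently, the two `stop` echoes are missing their opening quote (`echo $PREFIX Logging Disabled ($SERVER)"` and the matching `Catch All Disabled` line), which is a shell parse error for the whole `case` compound, so even `start` cannot install anything until they read `echo "$PREFIX Logging Disabled ($SERVER)"`. Every `--log-prefix "$PREFIX_ACCEPT_PRIVATE "` expands the unset variable `PREFIX_ACCEPT_PRIVATE` rather than `$PREFIX` plus a suffix, so all ten LOG rules carry a blank prefix and accepted, dropped and redirected DNS events are indistinguishable in the kernel log — write `"${PREFIX}_ACCEPT_PRIVATE "` (and likewise for `_DROP_EXTERNAL`, `_ACCEPT_INTERNAL`, `_PREROUTE`, `_POSTROUTE`). Finally, the `CUSTOMPOSTROUTING … -j MASQUERADE` rules rewrite every redirected query's source address to the firewall, so the DNS server's own logs lose the originating client and the FORWARD LOG rules become the only record of which host asked; if that is the intended trade-off for the reply path, the header comment should say so, e.g. `# NOTE: redirected queries are masqueraded — client IPs are visible only in the firewall's LOG rules, not on the DNS server`.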