#!/bin/sh # # Redirect All DNS Request Traffic To DNS Server on (Internal) Network # # (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512) # # Use this at your OWN RISK. It is not fully supported! # https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2 # # (c) 2022 MonkeyCat.com # # v0.9 30/May/2022 # uncomment if you setup this dns ruleset #setup=true if $setup then echo "Please setup your dns server ip, accepted range and if you want logging!" echo "inside dns_catchall_redirect.* file" exit fi # Our dns server target SERVER="10.0.80.2" # double negation :-) see rule (!) ONLY_ACCEPT_INTERNAL="10.0.0.0/8" LOGGING=true # logging prefix PREFIX="DNS" PORT=53 case "$1" in start) ## add your 'start' rules here # dns logging if $LOGGING then echo "$PREFIX Logging Enabled ($SERVER)" # udp iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE " iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL " iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL " iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE " iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE " # tcp iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE " iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL " iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL " iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE " iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE " fi # dns echo "$PREFIX Catch All Enabled ($SERVER)" # udp iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE # tcp iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE ;; stop) ## add your 'stop' rules here # dns logging if $LOGGING then echo $PREFIX Logging Disabled ($SERVER)" # udp iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE " iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL " iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL " iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE " iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE " # tcp iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE " iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL " iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL " iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE " iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE " fi # dns echo $PREFIX Catch All Disabled ($SERVER)" # udp iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE # tcp iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE ;; reload) $0 stop $0 start ## add your 'reload' rules here ;; flush) iptables -t nat -F CUSTOMPREROUTING iptables -t nat -F CUSTOMPOSTROUTING iptables -F CUSTOMFORWARD ;; *) echo "Usage: $0 {start|stop|reload|flush}" ;; esac