blob: 6fcd9ef32fe3d716466ecc9e4b115fcfb5c083c7 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
|
#!/bin/sh
#
# Redirect All DNS Request Traffic To DNS Server on (Internal) Network
#
# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512)
#
# Use this at your OWN RISK. It is not fully supported!
# https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2
#
# (c) 2022 MonkeyCat.com
#
# v0.9 30/May/2022
# uncomment if you setup this dns ruleset
#setup=true
if $setup
then
echo "Please setup your dns server ip, accepted range and if you want logging!"
echo "inside dns_catchall_redirect.* file"
exit
fi
# Our dns server target
SERVER="10.0.80.2"
# double negation :-) see rule (!)
ONLY_ACCEPT_INTERNAL="10.0.0.0/8"
LOGGING=true
# logging prefix
PREFIX="DNS"
PORT=53
case "$1" in
start)
## add your 'start' rules here
# dns logging
if $LOGGING
then
echo "$PREFIX Logging Enabled ($SERVER)"
# udp
iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
# tcp
iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
fi
# dns
echo "$PREFIX Catch All Enabled ($SERVER)"
# udp
iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
# tcp
iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT
iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP
iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT
iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT
iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE
;;
stop)
## add your 'stop' rules here
# dns logging
if $LOGGING
then
echo $PREFIX Logging Disabled ($SERVER)"
# udp
iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
# tcp
iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
fi
# dns
echo $PREFIX Catch All Disabled ($SERVER)"
# udp
iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
# tcp
iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT
iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP
iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT
iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT
iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE
;;
reload)
$0 stop
$0 start
## add your 'reload' rules here
;;
flush)
iptables -t nat -F CUSTOMPREROUTING
iptables -t nat -F CUSTOMPOSTROUTING
iptables -F CUSTOMFORWARD
;;
*)
echo "Usage: $0 {start|stop|reload|flush}"
;;
esac
|