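#!/bin/sh
#
# Redirect All Time Servers Traffic Request To Time Server on (Internal) Network
#
# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512)
#
# Use this at your OWN RISK. It is not fully supported!
# https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2
#
# (c) 2022 MonkeyCat.com
#
# v1.0a 30/May/2022
#
# Usage: $0 {start|stop|reload|flush}
#
# start  - append the NTP catch-all rules (and LOG rules when LOGGING=true)
# stop   - delete exactly those rules again
# reload - stop, then start
# flush  - flush the whole CUSTOMFORWARD / CUSTOMPREROUTING / CUSTOMPOSTROUTING
#          chains (this also removes rules that other scripts placed there)
#
# Uncomment the next line once SERVER, ONLY_ACCEPT_INTERNAL and LOGGING below
# have been reviewed; until then the script refuses to touch iptables.
#setup=true
# Only the literal string "true" enables the ruleset.  Comparing the value
# (instead of executing "$setup" as a command) means an unset/empty $setup,
# the shipped default, also stops here instead of falling through.
if [ "${setup:-}" != "true" ]
then
  echo "Please setup your time server ip, accepted range and if you want logging!"
  echo "inside ntp_catchall_redirect.* file"
  # non-zero so a caller (e.g. firewall.local) can see the script did nothing
  exit 1
fi

# Our timer server target: all NTP (udp/123) traffic forwarded through the
# firewall is rewritten to this host.
SERVER="10.0.0.5"
# double negation :-) see rule (!): sources NOT in this range are dropped
ONLY_ACCEPT_INTERNAL="10.0.0.0/8"
# "true" installs a LOG rule next to every filter/nat rule (prefix "$PREFIX_*")
LOGGING=false
# logging prefix
PREFIX="NTP"
PORT=123

#######################################
# Install or remove the LOG rules that mirror ntp_rules, one per rule.
# Arguments: $1 - iptables rule action: -A (append) or -D (delete)
# Globals:   SERVER, ONLY_ACCEPT_INTERNAL, PORT, PREFIX (read)
#######################################
ntp_log_rules() {
  # "${PREFIX}_..." - the braces are required, otherwise the shell would look
  # up a variable named PREFIX_ACCEPT_PRIVATE and log an empty prefix.
  iptables "$1" CUSTOMFORWARD -p udp --dport "$PORT" -s "$SERVER" -j LOG --log-prefix "${PREFIX}_ACCEPT_PRIVATE "
  iptables "$1" CUSTOMFORWARD ! -s "$ONLY_ACCEPT_INTERNAL" -p udp --dport "$PORT" -j LOG --log-prefix "${PREFIX}_DROP_EXTERNAL "
  iptables "$1" CUSTOMFORWARD ! -s "$SERVER" -p udp --dport "$PORT" -j LOG --log-prefix "${PREFIX}_ACCEPT_INTERNAL "
  iptables -t nat "$1" CUSTOMPREROUTING ! -s "$SERVER" -p udp --dport "$PORT" -j LOG --log-prefix "${PREFIX}_PREROUTE "
  iptables -t nat "$1" CUSTOMPOSTROUTING ! -s "$SERVER" -p udp --dport "$PORT" -d "$SERVER" -j LOG --log-prefix "${PREFIX}_POSTROUTE "
}

#######################################
# Install or remove the NTP catch-all rules.
# Arguments: $1 - iptables rule action: -A (append) or -D (delete)
# Globals:   SERVER, ONLY_ACCEPT_INTERNAL, PORT (read)
#######################################
ntp_rules() {
  # NTP from the time server itself is always allowed to be forwarded
  iptables "$1" CUSTOMFORWARD -p udp --dport "$PORT" -s "$SERVER" -j ACCEPT
  # NTP from outside ONLY_ACCEPT_INTERNAL is dropped before it can be redirected
  iptables "$1" CUSTOMFORWARD ! -s "$ONLY_ACCEPT_INTERNAL" -p udp --dport "$PORT" -j DROP
  # remaining (internal, non-server) NTP is accepted; its destination has
  # already been rewritten by the DNAT rule below
  iptables "$1" CUSTOMFORWARD ! -s "$SERVER" -p udp --dport "$PORT" -j ACCEPT
  # rewrite the destination of every NTP request (except the server's own) to SERVER
  iptables -t nat "$1" CUSTOMPREROUTING ! -s "$SERVER" -p udp --dport "$PORT" -j DNAT --to "$SERVER:$PORT"
  # masquerade the redirected request so the server's reply returns via the firewall
  iptables -t nat "$1" CUSTOMPOSTROUTING ! -s "$SERVER" -p udp --dport "$PORT" -d "$SERVER" -j MASQUERADE
}

case "$1" in
  start)
    # ntp logging
    if [ "$LOGGING" = "true" ]
    then
      echo "$PREFIX Logging Enabled ($SERVER)"
      ntp_log_rules -A
    fi
    # ntp
    echo "$PREFIX Catch All Enabled ($SERVER)"
    ntp_rules -A
    ;;
  stop)
    # ntp logging
    if [ "$LOGGING" = "true" ]
    then
      echo "$PREFIX Logging Disabled ($SERVER)"
      ntp_log_rules -D
    fi
    # ntp
    echo "$PREFIX Catch All Disabled ($SERVER)"
    ntp_rules -D
    ;;
  reload)
    "$0" stop
    "$0" start
    ## add your 'reload' rules here
    ;;
  flush)
    # flushes the complete custom chains, not only the rules added above
    iptables -t nat -F CUSTOMPREROUTING
    iptables -t nat -F CUSTOMPOSTROUTING
    iptables -F CUSTOMFORWARD
    ;;
  *)
    echo "Usage: $0 {start|stop|reload|flush}"
    ;;
esac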