[2/3] /etc/init.d/firewall: Modified for 'forcing dns on green/blue'
Commit Message
I used '/etc/rc.d/init.d/firewall' with REDIRECT rules and placed them
just behind the CAPTIVE_PORTAL_CHAIN, as Michael mentioned on the list.
I hope I got the right place.
Short background:
- To avoid creating duplicate rule entries, I used code like
'if ! iptables -t nat -C ...' or 'if iptables -t nat -C ...' ("Check for the
existence of a rule").
This was done because I wanted to be absolutely sure that a specific
rule would only be created if it doesn't already exist. To reduce
output noise I added '>/dev/null 2>&1' where it seemed necessary.
Results:
If I delete just *one* rule manually, only the missing rule will be
created, I found no duplicates. ON/OFF switches worked as expected.
ToDo:
Adding the default settings (all OFF) during install ('update.sh') to
'/var/ipfire/optionsfw/settings'.
Restart using the Web GUI with the 'Save and Restart' button. So far, a restart
is only possible through the console.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
src/initscripts/system/firewall | 71 +++++++++++++++++++++++++++++++++
1 file changed, 71 insertions(+)
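One way to write the '-C' / '-A' / '-D' pattern the commit message describes as a small reusable helper, as an added example that is not part of the patch or of IPFire's firewall initscript. It goes beyond the patch in one respect: the "off" path keeps deleting until '-C' no longer finds the rule, so a duplicate left by another script does not survive the switch. The function names, the IPT variable and the usage lines are assumptions; the chain name CUSTOMPREROUTING and the settings variables are the ones the patch uses.

```shell
#!/bin/sh
# Idempotent management of iptables rules, generalised from the -C/-A/-D
# pattern used in the patch. Added example, not IPFire project code.
# IPT names the iptables binary; it can be pointed at a fake that records
# rules in a file, so the logic can be exercised without root (assumption).
: "${IPT:=iptables}"

# rule_present TABLE CHAIN RULE...  -> exit 0 iff the exact rule exists
rule_present() {
    table=$1; chain=$2; shift 2
    "$IPT" -t "$table" -C "$chain" "$@" >/dev/null 2>&1
}

# rule_ensure TABLE CHAIN RULE...   -> append the rule unless it is present
rule_ensure() {
    table=$1; chain=$2; shift 2
    rule_present "$table" "$chain" "$@" || "$IPT" -t "$table" -A "$chain" "$@"
}

# rule_remove TABLE CHAIN RULE...   -> delete every copy of the rule, not only
# the first one, so a duplicate left behind by another script (such as a
# REDIRECT in firewall.local) cannot keep the redirect alive after "off".
rule_remove() {
    table=$1; chain=$2; shift 2
    while rule_present "$table" "$chain" "$@"; do
        "$IPT" -t "$table" -D "$chain" "$@" || return 1
    done
}

# toggle_redirect STATE IFACE PROTO PORT -> apply an "on"/"off" switch for one
# REDIRECT rule in the nat chain CUSTOMPREROUTING (chain name from the patch).
toggle_redirect() {
    state=$1; iface=$2; proto=$3; port=$4
    if [ "$state" = "on" ]; then
        rule_ensure nat CUSTOMPREROUTING -i "$iface" -p "$proto" -m "$proto" --dport "$port" -j REDIRECT
    else
        rule_remove nat CUSTOMPREROUTING -i "$iface" -p "$proto" -m "$proto" --dport "$port" -j REDIRECT
    fi
}

# How the initscript would use it (variables from /var/ipfire/optionsfw/settings,
# as in the patch; hypothetical call sites):
#   toggle_redirect "$DNS_FORCE_ON_GREEN" green0 udp 53
#   toggle_redirect "$DNS_FORCE_ON_GREEN" green0 tcp 53
#   toggle_redirect "$NTP_FORCE_ON_GREEN" green0 udp 123
```

Sourced from the initscript, one toggle_redirect call per switch, interface and protocol replaces the repeated if/else blocks; running the "on" call twice leaves exactly one rule, and the "off" call removes every copy, including one added by a different script.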
Comments
Hi,
at a first glance this patch seems to be okay.
We should include in the announcement of the core update containing this patch a remark that a possible work-around in firewall.local according to the community article must be removed. Otherwise the system contains the REDIRECT rules twice. This would result in a firewall where these REDIRECTs cannot be switched off as intended by the .cgi.
Regards,
Bernhard
> Sent: Saturday, 28 November 2020 at 15:03
> From: "Matthias Fischer" <matthias.fischer@ipfire.org>
> To: development@lists.ipfire.org
> Subject: [PATCH 2/3] /etc/init.d/firewall: Modified for 'forcing dns on green/blue'
>
> I used '/etc/rc.d/init.d/firewall' with REDIRECT rules and placed them
> just behind the CAPTIVE_PORTAL_CHAIN, as Michael mentioned on the list.
> I hope I got the right place.
>
> Short background:
> - To avoid creating duplicate rule entries, I used code like
> 'if ! iptables -t nat -C ...' or 'if iptables -t nat -C ...' ("Check for the
> existence of a rule").
> This was done because I wanted to be absolutely sure that a specific
> rule would only be created if it doesn't already exist. To reduce
> output noise I added '>/dev/null 2>&1' where it seemed necessary.
>
> Results:
> If I delete just *one* rule manually, only the missing rule will be
> created, I found no duplicates. ON/OFF switches worked as expected.
>
> ToDo:
> Adding the default settings (all OFF) during install ('update.sh') to
> '/var/ipfire/optionsfw/settings'.
> Restart using the Web GUI with the 'Save and Restart' button. So far, a restart
> is only possible through the console.
>
> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
> ---
> src/initscripts/system/firewall | 71 +++++++++++++++++++++++++++++++++
> 1 file changed, 71 insertions(+)
>
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index 65f1c979b..4e02bd3d9 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -246,6 +246,77 @@ iptables_init() {
> iptables -A ${i} -j CAPTIVE_PORTAL
> done
>
> +# Force DNS REDIRECT on GREEN (udp, tcp, 53)
> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
> + if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
> + iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT
> + fi
> +
> + if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
> + iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
> + fi
> +
> +else
> +
> + if iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
> + iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1
> + fi
> +
> + if iptables -t nat -C CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
> + iptables -t nat -D CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1
> + fi
> +fi
> +
> +# Force DNS REDIRECT on BLUE (udp, tcp, 53)
> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
> + if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
> + iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT
> + fi
> +
> + if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
> + iptables -t nat -A CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
> + fi
> +
> +else
> +
> + if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
> + iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1
> + fi
> +
> + if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
> + iptables -t nat -D CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1
> + fi
> +
> +fi
> +
> +# Force NTP REDIRECT on GREEN (udp, 123)
> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
> + if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
> + iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT
> + fi
> +
> +else
> +
> + if iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
> + iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1
> + fi
> +
> +fi
> +
> +# Force DNS REDIRECT on BLUE (udp, 123)
> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
> + if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
> + iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT
> + fi
> +
> +else
> +
> + if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
> + iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1
> + fi
> +
> +fi
> +
> # Accept everything connected
> for i in INPUT FORWARD OUTPUT; do
> iptables -A ${i} -j CONNTRACK
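Review bot: the new rules are appended to CUSTOMPREROUTING in the nat table, while the lines this block is placed between (the CAPTIVE_PORTAL jumps above it, the CONNTRACK jumps below it) populate INPUT/FORWARD/OUTPUT in the filter table, so the position "just behind" CAPTIVE_PORTAL in the script does not order the REDIRECTs relative to anything; what decides whether a packet is redirected is the order inside CUSTOMPREROUTING, and the comment should say where in that chain these rules are expected to land. Minor: the interface names green0 and blue0 are hardcoded in every rule; if the initscript has the configured device names available, using them keeps the rules correct on systems where the devices are named differently.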
> --
> 2.18.0
>
>
@@ -246,6 +246,77 @@ iptables_init() {
iptables -A ${i} -j CAPTIVE_PORTAL
done
+# Force DNS REDIRECT on GREEN (udp, tcp, 53)
+if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
+ if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+ iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT
+ fi
+
+ if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+ iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
+ fi
+
+else
+
+ if iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+ iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1
+ fi
+
+ if iptables -t nat -C CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+ iptables -t nat -D CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1
+ fi
+fi
+
+# Force DNS REDIRECT on BLUE (udp, tcp, 53)
+if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
+ if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+ iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT
+ fi
+
+ if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+ iptables -t nat -A CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
+ fi
+
+else
+
+ if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+ iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1
+ fi
+
+ if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+ iptables -t nat -D CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1
+ fi
+
+fi
+
+# Force NTP REDIRECT on GREEN (udp, 123)
+if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
+ if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
+ iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT
+ fi
+
+else
+
+ if iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
+ iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1
+ fi
+
+fi
+
+# Force DNS REDIRECT on BLUE (udp, 123)
+if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
+ if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
+ iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT
+ fi
+
+else
+
+ if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
+ iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1
+ fi
+
+fi
+
# Accept everything connected
for i in INPUT FORWARD OUTPUT; do
iptables -A ${i} -j CONNTRACK
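Review bot: the comment "# Force DNS REDIRECT on BLUE (udp, 123)" above the NTP_FORCE_ON_BLUE block is wrong, the rules under it redirect UDP/123 (NTP); change it to "# Force NTP REDIRECT on BLUE (udp, 123)" to match the GREEN block. More important, every "off" branch runs -D exactly once after one -C, so if the same rule is present twice, which is what a REDIRECT left in firewall.local produces next to this patch, one copy survives and the switch appears not to work; either loop on -C/-D until -C fails, or state in the commit message that CUSTOMPREROUTING is flushed before this code runs, in which case the -C and -D calls are dead weight and a plain -A under the "on" condition is enough.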