[2/3] /etc/init.d/firewall: Modified for 'forcing dns on green/blue'

Message ID 20201128140353.3168-2-matthias.fischer@ipfire.org
State Superseded
Series [1/3] optionsfw.cgi: Modified for 'forcing dns on green/blue' |

Commit Message

Matthias Fischer Nov. 28, 2020, 2:03 p.m. UTC
  I used '/etc/rc.d/init.d/firewall' with REDIRECT rules and placed them
just behind the CAPTIVE_PORTAL_CHAIN, as Michael mentioned on the list.
I hope I got the right place.

Short background:
- To avoid creating duplicate rule entries, I used code like 'if !
  iptables -t nat -C...' or 'if iptables -t nat -C...' ("Check for the
  existence of a rule").
  This was done because I wanted to be absolutely sure that a specific
  rule would only be created if it doesn't already exist. To reduce
  output noise I added '>/dev/null 2>&1', where it seemed necessary.

Results:
  If I delete just *one* rule manually, only the missing rule will be
  created, I found no duplicates. ON/OFF switches worked as expected.

ToDo:
  Adding the default settings (all OFF) during install ('update.sh') to
  '/var/ipfire/optionsfw/settings'.
  Restart using Web-GUI with 'Save and Restart' button. For now, restart
  is only possible through the console.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
 src/initscripts/system/firewall | 71 +++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
  
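The -C/-A/-D toggle pattern from the background above, as one reusable POSIX sh function that also removes every duplicate copy of a rule on switch-off. This is an added example, not IPFire's own code: it assumes the option variables are already sourced, that GREEN_DEV/BLUE_DEV may be set (otherwise the patch's green0/blue0 are used), and that IPT can be pointed at a stub iptables for offline testing.

```shell
#!/bin/sh
# Added example, not IPFire's own code: the -C/-A/-D toggle pattern of the
# patch as one reusable function. IPT is the iptables command; it can be
# overridden with a stub for offline testing (assumption of this example).
IPT="${IPT:-iptables}"

# redirect_rule ACTION CHAIN IFACE PROTO PORT
# Runs iptables on the nat table with exactly the match arguments the patch
# uses, so that -C sees the same rule that -A adds and -D deletes.
redirect_rule() {
	"$IPT" -t nat "$1" "$2" -i "$3" -p "$4" -m "$4" --dport "$5" -j REDIRECT
}

# sync_redirect on|off CHAIN IFACE PROTO PORT
# "on":  append the rule only if it is missing (re-runs add no duplicates).
# "off": delete every matching copy, not just the first, so a copy added by
#        hand or by firewall.local cannot keep the redirect alive.
sync_redirect() {
	if [ "$1" = "on" ]; then
		redirect_rule -C "$2" "$3" "$4" "$5" >/dev/null 2>&1 \
			|| redirect_rule -A "$2" "$3" "$4" "$5"
	else
		while redirect_rule -C "$2" "$3" "$4" "$5" >/dev/null 2>&1; do
			# stop if a delete fails, otherwise -C would loop forever
			redirect_rule -D "$2" "$3" "$4" "$5" >/dev/null 2>&1 || break
		done
	fi
}

# apply_force_rules: sync the four switches of the patch. An unset switch is
# treated as "off", matching the "all OFF" default the commit message plans.
# GREEN_DEV/BLUE_DEV are assumed names; they fall back to the patch's green0/blue0.
apply_force_rules() {
	green="${GREEN_DEV:-green0}"
	blue="${BLUE_DEV:-blue0}"
	sync_redirect "${DNS_FORCE_ON_GREEN:-off}" CUSTOMPREROUTING "$green" udp 53
	sync_redirect "${DNS_FORCE_ON_GREEN:-off}" CUSTOMPREROUTING "$green" tcp 53
	sync_redirect "${DNS_FORCE_ON_BLUE:-off}"  CUSTOMPREROUTING "$blue"  udp 53
	sync_redirect "${DNS_FORCE_ON_BLUE:-off}"  CUSTOMPREROUTING "$blue"  tcp 53
	sync_redirect "${NTP_FORCE_ON_GREEN:-off}" CUSTOMPREROUTING "$green" udp 123
	sync_redirect "${NTP_FORCE_ON_BLUE:-off}"  CUSTOMPREROUTING "$blue"  udp 123
}
```

Source the file after `. /var/ipfire/optionsfw/settings` and call `apply_force_rules` from the init script; it is safe to run repeatedly.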

Comments

Bernhard Bitsch Nov. 29, 2020, 8:22 p.m. UTC | #1
Hi,

at a first glance this patch seems to be okay.

We should include in the announcement of the core update containing this patch a remark that a possible work-around in firewall.local according to the community article must be removed. Otherwise the system contains the REDIRECT rules twice. This would result in a firewall where these REDIRECTs cannot be switched off as supposed by the .cgi.

Regards,
Bernhard

> Gesendet: Samstag, 28. November 2020 um 15:03 Uhr
> Von: "Matthias Fischer" <matthias.fischer@ipfire.org>
> An: development@lists.ipfire.org
> Betreff: [PATCH 2/3] /etc/init.d/firewall: Modified for 'forcing dns on green/blue'
>
> I used '/etc/rc.d/init.d/firewall' with REDIRECT rules and placed them
> just behind the CAPTIVE_PORTAL_CHAIN, as Michael mentioned on the list.
> I hope I got the right place.
>
> Short background:
> - To avoid creating duplicate rule entries, I used code like 'if !
>   iptables -t nat -C...' or 'if iptables -t nat -C...' ("Check for the
>   existence of a rule").
>   This was done because I wanted to be absolutely sure that a specific
>   rule would only be created if it doesn't already exist. To reduce
>   output noise I added '>/dev/null 2>&1', where it seemed necessary.
>
> Results:
>   If I delete just *one* rule manually, only the missing rule will be
>   created, I found no duplicates. ON/OFF switches worked as expected.
>
> ToDo:
>   Adding the default settings (all OFF) during install ('update.sh') to
>   '/var/ipfire/optionsfw/settings'.
>   Restart using Web-GUI with 'Save and Restart' button. For now, restart
>   is only possible through the console.
>
> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
> ---
>  src/initscripts/system/firewall | 71 +++++++++++++++++++++++++++++++++
>  1 file changed, 71 insertions(+)
>
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index 65f1c979b..4e02bd3d9 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -246,6 +246,77 @@ iptables_init() {
>  		iptables -A ${i} -j CAPTIVE_PORTAL
>  	done
>
> +# Force DNS REDIRECT on GREEN (udp, tcp, 53)
> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
> +	if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
> +		iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT
> +	fi
> +
> +	if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
> +		iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
> +	fi
> +
> +else
> +
> +	if iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
> +		iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1
> +	fi
> +
> +	if iptables -t nat -C CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
> +		iptables -t nat -D CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1
> +	fi
> +fi
> +
> +# Force DNS REDIRECT on BLUE (udp, tcp, 53)
> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
> +	if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
> +		iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT
> +	fi
> +
> +	if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
> +		iptables -t nat -A CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
> +	fi
> +
> +else
> +
> +	if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
> +		iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1
> +	fi
> +
> +	if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
> +		iptables -t nat -D CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1
> +	fi
> +
> +fi
> +
> +# Force NTP REDIRECT on GREEN (udp, 123)
> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
> +	if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
> +		iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT
> +	fi
> +
> +else
> +
> +	if iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
> +		iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1
> +	fi
> +
> +fi
> +
> +# Force DNS REDIRECT on BLUE (udp, 123)
> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
> +	if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
> +		iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT
> +	fi
> +
> +else
> +
> +	if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
> +		iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1
> +	fi
> +
> +fi
> +
>  	# Accept everything connected
>  	for i in INPUT FORWARD OUTPUT; do
>  		iptables -A ${i} -j CONNTRACK
> --
> 2.18.0
>
>
  

Patch

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 65f1c979b..4e02bd3d9 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -246,6 +246,77 @@  iptables_init() {
 		iptables -A ${i} -j CAPTIVE_PORTAL
 	done
 
+# Force DNS REDIRECT on GREEN (udp, tcp, 53)
+if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
+	if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT
+	fi
+
+	if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
+	fi
+
+else
+
+	if iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1
+	fi
+
+	if iptables -t nat -C CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -D CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1
+	fi
+fi
+
+# Force DNS REDIRECT on BLUE (udp, tcp, 53)
+if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
+	if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT
+	fi
+
+	if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -A CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
+	fi
+
+else
+
+	if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1
+	fi
+
+	if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -D CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1
+	fi
+
+fi
+
+# Force NTP REDIRECT on GREEN (udp, 123)
+if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
+	if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT
+	fi
+
+else
+
+	if iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1
+	fi
+
+fi
+
+# Force DNS REDIRECT on BLUE (udp, 123)
+if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
+	if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT
+	fi
+
+else
+
+	if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1
+	fi
+
+fi
+
 	# Accept everything connected
 	for i in INPUT FORWARD OUTPUT; do
 		iptables -A ${i} -j CONNTRACK
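Review bot: the header comment over the NTP_FORCE_ON_BLUE block reads `# Force DNS REDIRECT on BLUE (udp, 123)` although that block handles NTP on port 123; change it to `# Force NTP REDIRECT on BLUE (udp, 123)` so it matches the GREEN block above it. In every `else` branch, `iptables -t nat -D ...` removes only the first matching rule, so if a second copy of the same REDIRECT exists (the firewall.local work-around Bernhard mentions in the comments), switching the option off leaves the redirect active; looping `while iptables -t nat -C ...; do iptables -t nat -D ...; done` removes all copies. Two style points: the new block sits inside iptables_init() but is not indented to the level of the surrounding `iptables -A ${i} -j CAPTIVE_PORTAL` lines, and `[ "$DNS_FORCE_ON_GREEN" == "on" ]` relies on the bash-only `==` where a single `=` works in every sh. The interface names green0 and blue0 are hardcoded in all of the iptables calls; if the script already has variables for the green and blue devices, using them keeps the rules correct where the names differ. Finally, the four option variables are not sourced anywhere in this hunk, so an unset variable silently takes the `else` path; that is the intended "all OFF" default from the ToDo list, but a comment stating it would help the next reader.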