From patchwork Sat Nov 28 14:03:52 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthias Fischer X-Patchwork-Id: 3685 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4CjtX62dNLz3wqk for ; Sat, 28 Nov 2020 14:04:06 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4CjtX41Fhwz1cG; Sat, 28 Nov 2020 14:04:04 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4CjtX40kvtz2xbM; Sat, 28 Nov 2020 14:04:04 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4CjtX23H1Tz2xTN for ; Sat, 28 Nov 2020 14:04:02 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4CjtX15MXZz1HZ for ; Sat, 28 Nov 2020 14:04:01 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1606572241; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:in-reply-to:in-reply-to:references:references; bh=OTDHMhag7iqdG+JHQ3+jwVOGGWvHqCeFA8xsWu/kPzc=; b=F1Nk3lbVFDZZAlTKtpecIJkUMsFVtK2I+qRo0+y4dhEavnZyTzMRSsWp2vAry73X5wtbDC bhoyGYqQv0pT70Cg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1606572241; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:in-reply-to:in-reply-to:references:references; bh=OTDHMhag7iqdG+JHQ3+jwVOGGWvHqCeFA8xsWu/kPzc=; b=A5xOFFZ0na7nI/mKoyayzPHzzQfhZvw49XscI4v5yoiOH8ADdThSJAgW+QJNu2F7au0sd5 kxNkmnx77Go/a/FPowVks2XS8jospMl9pVs50MBSeatM3d5HkvP0JT2/A+h1l/KZmMFlDX KzMYlYIPQVSP3c4IFHAL+TaDmSxVo59hJprfr6T7b2yI9IabxunXEBp5bysWv0W98KYvLS NgMqrUqHJ7TZmVbj932OeC6rkdKcf8e42TRRDCOQoRy5oHb7LZ7aQCxQz4N35kHGvqQJwg 25yqjpsBFsssibgkgxEKH/rajbkD6tt+NEV+a0JPRlwOVPzf4wlwSRKEfGmdvA== From: Matthias Fischer To: development@lists.ipfire.org Subject: [PATCH 2/3] /etc/init.d/firewall: Modified for 'forcing dns on green/blue' Date: Sat, 28 Nov 2020 15:03:52 +0100 Message-Id: <20201128140353.3168-2-matthias.fischer@ipfire.org> In-Reply-To: <20201128140353.3168-1-matthias.fischer@ipfire.org> References: <20201128140353.3168-1-matthias.fischer@ipfire.org> X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" I used '/etc/rc.d/init.d/firewall' with REDIRECT rules and placed them just behind the CAPITVE_PORTAL_CHAIN, as Michael mentioned on the list. I hope, I got the right place. Short background: - To avoid creating duplicate rule entries, I used code like 'if ! iptables -t nat -C..." or 'if iptables -t nat -C..." ("Check for the existence of a rule"). This was done because I wanted to be absolutely sure that a specific rule would only be created if it doesn't already exist. To reduce output noise I added '>/dev/null 2>&1', where it seemed necessary. Results: If I delete just *one* rule manually, only the missing rule will be created, I found no duplicates. ON/OFF switches worked as expected. ToDo: Adding the default settings (all OFF) during install ('update.sh') to '/var/ipfire/optionsfw/settings'. Restart using Web-GUI with 'Save and Restart' button. By now, restart is only possible through only console. Signed-off-by: Matthias Fischer --- src/initscripts/system/firewall | 71 +++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 65f1c979b..4e02bd3d9 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -246,6 +246,77 @@ iptables_init() { iptables -A ${i} -j CAPTIVE_PORTAL done +# Force DNS REDIRECT on GREEN (udp, tcp, 53) +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then + if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then + iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT + fi + + if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then + iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT + fi + +else + + if iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then + iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1 + fi + + if iptables -t nat -C CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then + iptables -t nat -D CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1 + fi +fi + +# Force DNS REDIRECT on BLUE (udp, tcp, 53) +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then + if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then + iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT + fi + + if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then + iptables -t nat -A CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT + fi + +else + + if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then + iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1 + fi + + if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then + iptables -t nat -D CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1 + fi + +fi + +# Force NTP REDIRECT on GREEN (udp, 123) +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then + if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then + iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT + fi + +else + + if iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then + iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1 + fi + +fi + +# Force DNS REDIRECT on BLUE (udp, 123) +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then + if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then + iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT + fi + +else + + if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then + iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1 + fi + +fi + # Accept everything connected for i in INPUT FORWARD OUTPUT; do iptables -A ${i} -j CONNTRACK