From patchwork Fri Jun 4 12:17:21 2021
X-Patchwork-Submitter: Matthias Fischer
X-Patchwork-Id: 4398
From: Matthias Fischer
To: development@lists.ipfire.org
Subject: [PATCH] (V4) Forcing DNS/NTP
Date: Fri, 4 Jun 2021 14:17:21 +0200
Message-Id: <20210604121721.3840-1-matthias.fischer@ipfire.org>
List-Id: IPFire development talk

There was not much feedback on the list, so I'm sending this now.

This is V4 - open for discussion, opinions or (perhaps ;-) ) changes:

Originally triggered by:
https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512

Discussion:
https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888

Could fix(?):
https://bugzilla.ipfire.org/show_bug.cgi?id=11168

Changelog since V3:

- Replaced 'green0'/'blue0' with '${GREEN_DEV}' / '${BLUE_DEV}' - these values are read from '/var/ipfire/ethernet/settings', thanks to "someone" for the hint (sorry, I didn't find the author)! ;-)

- Replaced port numbers '123' / '53' with service names 'domain' / 'ntp' (dto.).

- As mentioned on the list (05.03.2021, BB), 'well-behaving' requests are now handled through RETURN rules, others through REDIRECT.

  Background (cited from BB, 06.03.2021):
  "Concerning performance, we want to minimize the rule set to the amount really necessary. On the other hand, it may be quicker to do just a RETURN than a REDIRECT. The cases for the RETURN (DNS requests direct to IPFire) should be nearly 100%. DNS and NTP servers are published by DHCP or should be configured in the static case."

  I made it that way. Statistics during the last 62 days show that this worked as intended. IMHO. I've sent a screenshot to the list (the other day) so everyone could take a look.

- Removed GUI links to DNS and NTP options in 'optionsfw.cgi'.

- Moved creation of the iptables rules in '/etc/init.d/firewall' behind '# WIRELESS chains'.

Summary and functionality:

These patches are controlled through "Firewall Options". They add new firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'. They activate/deactivate appropriate RETURN and REDIRECT rules through a new ctrl file ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp'). Default of all new rules is OFF (set in 'lfs/configroot'). If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP servers specified in IPFire.

Flaw/ToDo:

To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual init file, 'dnsntp'. As I see it, this is actually an unnecessary detour. In fact I wanted to merge these two files in *one* C file, but this was beyond my capabilities, perhaps "someone" else knows how to program this.

Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics:

The corresponding interface options - including 'Masquerade ...' - are only visible if the respective interface actually exists. E.g.: if the BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE' or logging options for BLUE available. Added text colors for better readability. Separated logging options per interface.

No reboot required:

Rules can be switched ON/OFF without rebooting IPFire. Changes immediately take effect after clicking 'Save'.

Changes to '/etc/rc.d/init.d/firewall' and '/etc/rc.d/init.d/dnsntpctrl':

Fixed a 'trafic' typo. To avoid collisions with existing CUSTOM rules, I added a new PREROUTING chain: 'DNS_NTP_REDIRECT'. This chain is flushed by 'dnsntpctrl' prior to applying the chosen settings.
Signed-off-by: Matthias Fischer --- config/rootfiles/common/misc-progs | 1 + html/cgi-bin/optionsfw.cgi | 90 ++++++++++++++++++++++++------ langs/de/cgi-bin/de.pl | 15 +++-- langs/en/cgi-bin/en.pl | 15 +++-- lfs/configroot | 6 +- src/initscripts/system/dnsntp | 43 ++++++++++++++ src/initscripts/system/firewall | 9 ++- src/misc-progs/Makefile | 2 +- src/misc-progs/dnsntpctrl.c | 19 +++++++ 9 files changed, 171 insertions(+), 29 deletions(-) create mode 100644 src/initscripts/system/dnsntp create mode 100644 src/misc-progs/dnsntpctrl.c diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs index d6594b3f8..4bcb94812 100644 --- a/config/rootfiles/common/misc-progs +++ b/config/rootfiles/common/misc-progs @@ -5,6 +5,7 @@ usr/local/bin/captivectrl usr/local/bin/collectdctrl usr/local/bin/ddnsctrl usr/local/bin/dhcpctrl +usr/local/bin/dnsntpctrl usr/local/bin/extrahdctrl usr/local/bin/fireinfoctrl usr/local/bin/firewallctrl diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index 321642e82..2059a03b3 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { $errormessage .= $Lang::tr{'new optionsfw later'}; &General::writehash($filename, \%settings); # Save good settings system("/usr/local/bin/firewallctrl"); + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); }else{ if ($settings{'POLICY'} ne ''){ $fwdfwsettings{'POLICY'} = $settings{'POLICY'}; @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { &General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings); &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings); system("/usr/local/bin/firewallctrl"); + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); } &General::readhash($filename, \%settings); # Load good settings } 
@@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele $selected{'MASQUERADE_BLUE'}{'off'} = ''; $selected{'MASQUERADE_BLUE'}{'on'} = ''; $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"'; +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = ''; +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = ''; +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'"; +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = ''; +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = ''; +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'"; +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = ''; +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = ''; +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'"; +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = ''; +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = ''; +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'"; &Header::openbox('100%', 'center',); print "
"; @@ -189,13 +203,44 @@ END END } - print < + +   + $Lang::tr{'fw green'} + + $Lang::tr{'dns force on green'}$Lang::tr{'on'} / + $Lang::tr{'off'} + $Lang::tr{'ntp force on green'}$Lang::tr{'on'} / + $Lang::tr{'off'} +END + + if (&Header::blue_used()) { + print < + $Lang::tr{'fw blue'} +   + + $Lang::tr{'dns force on blue'}$Lang::tr{'on'} / + $Lang::tr{'off'} + $Lang::tr{'ntp force on blue'}$Lang::tr{'on'} / + $Lang::tr{'off'} + $Lang::tr{'drop proxy'}$Lang::tr{'on'} / + $Lang::tr{'off'} + $Lang::tr{'drop samba'}$Lang::tr{'on'} / + $Lang::tr{'off'} + + +END + } + + print < -
+
- - +
$Lang::tr{'fw logging'}
+ - +END + } + + print < + +
-
$Lang::tr{'fw logging red'}
$Lang::tr{'drop newnotsyn'}$Lang::tr{'on'} / $Lang::tr{'off'}
$Lang::tr{'drop input'}$Lang::tr{'on'} / @@ -206,21 +251,30 @@ END $Lang::tr{'off'}
$Lang::tr{'drop portscan'}$Lang::tr{'on'} / $Lang::tr{'off'}
$Lang::tr{'drop wirelessinput'}$Lang::tr{'on'} / +END + + if (&Header::blue_used()) { + print < + +
+ + + + + - -
$Lang::tr{'fw logging blue'}
$Lang::tr{'drop wirelessinput'}$Lang::tr{'on'} / $Lang::tr{'off'}
$Lang::tr{'drop wirelessforward'}$Lang::tr{'on'} / +
$Lang::tr{'drop wirelessforward'}$Lang::tr{'on'} / $Lang::tr{'off'}
-
+
- - - -
$Lang::tr{'fw blue'}
$Lang::tr{'drop proxy'}$Lang::tr{'on'} / - $Lang::tr{'off'}
$Lang::tr{'drop samba'}$Lang::tr{'on'} / - $Lang::tr{'off'}
-
END print "
$Lang::tr{'fw settings'}
$Lang::tr{'fw settings color'}$Lang::tr{'on'} / @@ -252,7 +306,7 @@ END
-
+
@@ -278,7 +332,7 @@ print <
"; - print"

"; + print"

"; print < diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 0bc579cd2..51e65b903 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -835,6 +835,8 @@ 'dns error 0' => 'Die IP Adresse vom primären DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!
Die eingegebene sekundären DNS Server Adresse ist jedoch gültig.
', 'dns error 01' => 'Die eingegebene IP Adresse des primären wie auch des sekundären DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!', 'dns error 1' => 'Die IP Adresse vom sekundären DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!
Die eingegebene primäre DNS Server Adresse ist jedoch gültig.', +'dns force on blue' => 'Erzwinge lokale DNS-Server', +'dns force on green' => 'Erzwinge lokale DNS-Server', 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)', 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)', 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0', @@ -1101,9 +1103,12 @@ 'from email server' => 'Von E-Mail-Server', 'from email user' => 'Von E-Mail-Benutzer', 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig', -'fw blue' => 'Firewalloptionen für das Blaue Interface', +'fw blue' => 'Firewalloptionen für das BLAUE Interface', 'fw default drop' => 'Firewallrichtlinie', +'fw green' => 'Firewalloptionen für das GRÜNE Interface', 'fw logging' => 'Firewallprotokollierung', +'fw logging blue' => 'Firewallprotokollierung (BLAU)', +'fw logging red' => 'Firewallprotokollierung (ROT)', 'fw settings' => 'Firewalleinstellungen', 'fw settings color' => 'Farben in Regeltabelle anzeigen', 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen', @@ -1643,9 +1648,9 @@ 'map to guest' => 'Map to Guest', 'march' => 'März', 'marked' => 'Markiert', -'masquerade blue' => 'NAT auf BLAU', -'masquerade green' => 'NAT auf GRÜN', -'masquerade orange' => 'NAT auf ORANGE', +'masquerade blue' => 'NAT auf BLAU', +'masquerade green' => 'NAT auf GRÜN', +'masquerade orange' => 'NAT auf ORANGE', 'masquerading' => 'Masquerading/NAT', 'masquerading disabled' => 'NAT ausgeschaltet', 'masquerading enabled' => 'NAT eingeschaltet', 
@@ -1813,6 +1818,8 @@ 'november' => 'November', 'ntp common settings' => 'Allgemeine Einstellungen', 'ntp configuration' => 'Zeitserverkonfiguration', +'ntp force on blue' => 'Erzwinge lokale NTP-Server', +'ntp force on green' => 'Erzwinge lokale NTP-Server', 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.', 'ntp server' => 'NTP-Server', 'ntp sync' => 'Synchronisation', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 1c69b3798..390b2d026 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -858,6 +858,8 @@ 'dns error 0' => 'The IP address of the primary DNS server is not valid, please check your entries!
The entered secondary DNS server address is valid.', 'dns error 01' => 'The entered IP address of the primary and secondary DNS server are not valid, please check your entries!', 'dns error 1' => 'The IP address of the secondary DNS server is not valid, please check your entries!
The entered primary DNS server address is valid.', +'dns force on blue' => 'Force DNS to use local DNS servers', +'dns force on green' => 'Force DNS to use local DNS servers', 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)', 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)', 'dns header' => 'Assign DNS server addresses only for DHCP on red0', @@ -1128,9 +1130,12 @@ 'from email server' => 'From Email server', 'from email user' => 'From e-mail user', 'from warn email bad' => 'From e-mail address is not valid', -'fw blue' => 'Firewall options for BLUE interface', +'fw blue' => 'Firewall options for BLUE Interface', 'fw default drop' => 'Firewall policy', +'fw green' => 'Firewall options for GREEN Interface', 'fw logging' => 'Firewall logging', +'fw logging blue' => 'Firewall logging (BLUE)', +'fw logging red' => 'Firewall logging (RED)', 'fw settings' => 'Firewall settings', 'fw settings color' => 'Show colors in ruletable', 'fw settings dropdown' => 'Show all networks on rulecreation site', @@ -1675,9 +1680,9 @@ 'map to guest' => 'Map to Guest', 'march' => 'March', 'marked' => 'Marked', -'masquerade blue' => 'Masquerade BLUE', -'masquerade green' => 'Masquerade GREEN', -'masquerade orange' => 'Masquerade ORANGE', +'masquerade blue' => 'Masquerade BLUE', +'masquerade green' => 'Masquerade GREEN', +'masquerade orange' => 'Masquerade ORANGE', 'masquerading' => 'Masquerading', 'masquerading disabled' => 'Masquerading disabled', 'masquerading enabled' => 'Masquerading enabled', @@ -1847,6 +1852,8 @@ 'november' => 'November', 'ntp common settings' => 'Common settings', 'ntp configuration' => 'NTP Configuration', +'ntp force on blue' => 'Force NTP to use local NTP servers', +'ntp force on green' => 'Force NTP to use local NTP servers', 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.', 'ntp server' => 'NTP Server', 'ntp sync' => 'Synchronization', 
diff --git a/lfs/configroot b/lfs/configroot index c528bd6d9..6cc376ff0 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2021 IPFire Team # +# Copyright (C) 2007-2018 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -129,6 +129,10 @@ $(TARGET) : echo "SHOWDROPDOWN=off" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPWIRELESSINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPWIRELESSFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "DNS_FORCE_ON_GREEN=off" >> $(CONFIG_ROOT)/optionsfw/settings + echo "DNS_FORCE_ON_BLUE=off" >> $(CONFIG_ROOT)/optionsfw/settings + echo "NTP_FORCE_ON_GREEN=off" >> $(CONFIG_ROOT)/optionsfw/settings + echo "NTP_FORCE_ON_BLUE=off" >> $(CONFIG_ROOT)/optionsfw/settings echo "POLICY=MODE2" >> $(CONFIG_ROOT)/firewall/settings echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings echo "USE_ISP_NAMESERVERS=on" >> $(CONFIG_ROOT)/dns/settings diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp new file mode 100644 index 000000000..54fdfc685 --- /dev/null +++ b/src/initscripts/system/dnsntp 
@@ -0,0 +1,43 @@ +#!/bin/sh +######################################################################## +# Begin $rc_base/init.d/dnsntp +# +# Description : dnsntp init script for DNS/NTP rules only +# +######################################################################## + +# flush chain +iptables -t nat -F DNS_NTP_REDIRECT + +eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) + +# Force DNS REDIRECTs on GREEN (udp, tcp, 53) +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then + iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p udp -m udp --dport domain -j RETURN + iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p udp -m udp --dport domain -j REDIRECT + iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p tcp -m tcp --dport domain -j RETURN + iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p tcp -m tcp --dport domain -j REDIRECT +fi + +# Force DNS REDIRECTs on BLUE (udp, tcp, 53) +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then + iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p udp -m udp --dport domain -j RETURN + iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p udp -m udp --dport domain -j REDIRECT + iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p tcp -m tcp --dport domain -j RETURN + iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -p tcp -m tcp --dport domain -j REDIRECT +fi + +# Force NTP REDIRECTs on GREEN (udp, 123) +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then + iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -d ${GREEN_ADDRESS} -p udp -m udp --dport ntp -j RETURN + iptables -t nat -A DNS_NTP_REDIRECT -i ${GREEN_DEV} -p udp -m udp --dport ntp -j REDIRECT +fi + +# Force DNS REDIRECTs on BLUE (udp, 123) +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then + iptables -t nat -A DNS_NTP_REDIRECT -i ${BLUE_DEV} -d ${BLUE_ADDRESS} -p udp -m udp --dport ntp -j RETURN + iptables -t nat -A 
DNS_NTP_REDIRECT -i ${BLUE_DEV} -p udp -m udp --dport ntp -j REDIRECT +fi + +# End $rc_base/init.d/dnsntp diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 1e558ee86..047946a86 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -218,7 +218,7 @@ iptables_init() { iptables -A INPUT -j LOCATIONBLOCK iptables -A FORWARD -j LOCATIONBLOCK - # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything + # traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything iptables -N IPSECINPUT iptables -N IPSECFORWARD iptables -N IPSECOUTPUT @@ -242,6 +242,10 @@ iptables_init() { iptables -N WIRELESSFORWARD iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD + # Redirecting DNS and NTP requests + iptables -t nat -N DNS_NTP_REDIRECT + iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT + # OpenVPN iptables -N OVPNINPUT iptables -A INPUT -j OVPNINPUT @@ -320,6 +324,9 @@ iptables_init() { # run captivectrl /usr/local/bin/captivectrl + # run dnsntpctrl + /usr/local/bin/dnsntpctrl + # POLICY CHAIN iptables -N POLICYIN iptables -A INPUT -j POLICYIN diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile index 7c3ef7529..229d122d6 100644 --- a/src/misc-progs/Makefile +++ b/src/misc-progs/Makefile @@ -30,7 +30,7 @@ SUID_PROGS = squidctrl sshctrl ipfirereboot \ wirelessctrl getipstat qosctrl \ redctrl syslogdctrl extrahdctrl sambactrl \ smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \ - setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes \ + setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes dnsntpctrl \ getconntracktable wirelessclient torctrl ddnsctrl unboundctrl \ captivectrl diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c new file mode 100644 index 000000000..f2a3b89e3 --- /dev/null +++ b/src/misc-progs/dnsntpctrl.c 
@@ -0,0 +1,19 @@ +/* This file is part of the IPFire Firewall. + * + * This program is distributed under the terms of the GNU General Public + * Licence. See the file COPYING for details. + * + */ + +#include +#include "setuid.h" + +int main(void) +{ + if (!(initsetuid())) + exit(1); + + safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1"); + + return 0; +}
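Review bot: In both optionsfw.cgi hunks (@@ -50 and @@ -65) the new `system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1");` discards the helper's output and ignores its exit status, so a failed rule reload is invisible to the admin who just clicked Save. The existing `system("/usr/local/bin/firewallctrl");` right above it passes no redirect, and dnsntpctrl.c already silences the init script itself, so the redirect here is redundant; call it the same way as firewallctrl and append to `$errormessage` when the return value is non-zero.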
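Review bot: In the en.pl hunk at @@ -1128, 'fw blue' changes 'Firewall options for BLUE interface' to 'Firewall options for BLUE Interface' and the new 'fw green' string copies the capitalised form; 'interface' is not a proper noun in English, so keep the lower-case wording and use it for 'fw green' as well. In both language files the 'masquerade blue/green/orange' -/+ pairs read identically as shown here; if that change is whitespace-only it should be dropped, otherwise the changelog should say what changed in them.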
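Review bot: The lfs/configroot hunk at @@ -1,7 turns the copyright line from '2007-2021' back into '2007-2018', which looks like an accidental revert from an older checkout rather than an intended change; drop that hunk and keep only the four new `DNS_FORCE_ON_*` / `NTP_FORCE_ON_*` defaults in the @@ -129 hunk. Those defaulting to 'off' matches the cover letter.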
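Review bot: In src/initscripts/system/dnsntp, every `if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then` style test uses `==`, which is not POSIX `test` syntax; under the `#!/bin/sh` shebang a dash-like shell prints an error and treats the condition as false, so use `=`. Three smaller points in the same file: the comment above the `NTP_FORCE_ON_BLUE` block reads "Force DNS REDIRECTs on BLUE (udp, 123)" but the block handles NTP; the cover letter says DNS and NTP requests "(TCP/UDP)" are redirected while the script only adds UDP rules for NTP (correct for NTP, but the description should say so); and since the rules match only plain port 53/123, the commit message should state that encrypted resolver traffic on other ports is not covered by this feature. Finally, `iptables -t nat -F DNS_NTP_REDIRECT` assumes the chain already exists (it is created in the firewall init script), and nothing in the script exits non-zero when an iptables call fails, so consider guarding the flush and propagating a failure status to dnsntpctrl.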
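Review bot: The 'trafic' -> 'traffic' comment fix in the firewall hunk at @@ -218 is unrelated to the DNS/NTP feature and belongs in its own patch so the functional change can be reverted on its own. In the @@ -242 hunk, `iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT` appends the jump to whatever PREROUTING already contains at that point; since the cover letter gives "avoid collisions with existing CUSTOM rules" as the reason for the separate chain, the commit message should state where this jump lands relative to those custom rules, because an earlier REDIRECT or DNAT in PREROUTING would win over the new chain.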
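Review bot: In dnsntpctrl.c the bare `#include` line has lost its header name in this rendering; `exit()` needs `<stdlib.h>`, so please confirm that is what the line carries. More importantly, the result of `safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1");` is dropped and `main` always returns 0, so neither the firewall init script nor optionsfw.cgi can tell whether the rules were applied; return the status instead, e.g. `return safe_system("/etc/rc.d/init.d/dnsntp");`, and leave output handling to the caller.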
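The cover letter's design (requests already addressed to the firewall hit a RETURN, everything else on the port is REDIRECTed) only works if the RETURN rule precedes the matching REDIRECT inside DNS_NTP_REDIRECT and PREROUTING actually jumps into that chain. As an added example that is not part of this patch or of IPFire, the Python checker below parses `iptables-save -t nat` style text and reports any REDIRECT in the chain that is not shielded by an earlier RETURN for the same interface, protocol and port aimed at a firewall address. The sample table, the interface name `green0` and the address `192.168.1.1` are constructed placeholders; on a real system you would feed it the live `iptables-save -t nat` output and the interface addresses from /var/ipfire/ethernet/settings.

```python
"""Check RETURN-before-REDIRECT ordering in a DNS/NTP redirect chain.

Constructed example (not IPFire code): parses iptables-save style text and
reports REDIRECT rules that are not shielded by a preceding RETURN for
traffic already addressed to the firewall itself.
"""
from typing import Dict, Iterable, List, Tuple

CHAIN = "DNS_NTP_REDIRECT"

# Constructed sample shaped like `iptables-save -t nat` output, as the dnsntp
# script would leave it with DNS and NTP forced on GREEN. 'green0' and
# '192.168.1.1' are placeholders, not values taken from the patch.
GOOD_NAT_TABLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:DNS_NTP_REDIRECT - [0:0]
-A PREROUTING -j DNS_NTP_REDIRECT
-A DNS_NTP_REDIRECT -i green0 -d 192.168.1.1/32 -p udp -m udp --dport 53 -j RETURN
-A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT
-A DNS_NTP_REDIRECT -i green0 -d 192.168.1.1/32 -p tcp -m tcp --dport 53 -j RETURN
-A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
-A DNS_NTP_REDIRECT -i green0 -d 192.168.1.1/32 -p udp -m udp --dport 123 -j RETURN
-A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT
COMMIT
"""

# Same table with the TCP/53 pair swapped: the REDIRECT now fires first, so
# queries sent directly to the firewall are needlessly rewritten.
BAD_NAT_TABLE = GOOD_NAT_TABLE.replace(
    "-A DNS_NTP_REDIRECT -i green0 -d 192.168.1.1/32 -p tcp -m tcp --dport 53 -j RETURN\n"
    "-A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT\n",
    "-A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT\n"
    "-A DNS_NTP_REDIRECT -i green0 -d 192.168.1.1/32 -p tcp -m tcp --dport 53 -j RETURN\n",
)

# iptables options whose next token is their value; everything else is skipped.
OPTIONS_WITH_ARG = {"-i", "-o", "-s", "-d", "-p", "-m", "--dport", "--sport", "-j"}


def parse_rule(line: str) -> Dict[str, str]:
    """Turn one '-A CHAIN ...' line into a dict of option -> value."""
    tokens = line.split()
    rule: Dict[str, str] = {"chain": tokens[1]}
    i = 2
    while i < len(tokens):
        if tokens[i] in OPTIONS_WITH_ARG and i + 1 < len(tokens):
            rule[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            i += 1  # bare flags such as '!' carry no value we need
    return rule


def match_key(rule: Dict[str, str]) -> Tuple[str, str, str]:
    """The (in-interface, protocol, dport) triple a RETURN/REDIRECT pair shares."""
    return (rule.get("-i", ""), rule.get("-p", ""), rule.get("--dport", ""))


def check_redirect_chain(save_output: str, fw_addresses: Iterable[str]) -> List[str]:
    """Return a list of problems; an empty list means the chain is well formed."""
    fw_addresses = set(fw_addresses)
    rules = [parse_rule(line) for line in save_output.splitlines() if line.startswith("-A ")]
    problems: List[str] = []

    if not any(r["chain"] == "PREROUTING" and r.get("-j") == CHAIN for r in rules):
        problems.append(f"PREROUTING has no jump to {CHAIN}")

    chain = [r for r in rules if r["chain"] == CHAIN]
    for idx, rule in enumerate(chain):
        if rule.get("-j") != "REDIRECT":
            continue
        key = match_key(rule)
        # A REDIRECT is shielded only by an EARLIER RETURN with the same
        # interface/proto/port whose destination is one of the firewall's addresses.
        shielded = any(
            earlier.get("-j") == "RETURN"
            and match_key(earlier) == key
            and earlier.get("-d", "").split("/")[0] in fw_addresses
            for earlier in chain[:idx]
        )
        if not shielded:
            problems.append(f"REDIRECT for {key} has no preceding RETURN to the firewall")
    return problems


if __name__ == "__main__":
    for name, table in (("good", GOOD_NAT_TABLE), ("bad", BAD_NAT_TABLE)):
        print(name, check_redirect_chain(table, {"192.168.1.1"}) or "OK")
```

The checker deliberately keys on the triple the patch's rules share (interface, protocol, destination port) rather than on rule text, so it also flags a REDIRECT whose RETURN exists but points at the wrong address, which is what a stale GREEN_ADDRESS in the settings file would produce.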