From patchwork Fri Mar 5 19:40:17 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Matthias Fischer X-Patchwork-Id: 3926 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4DsdPP1M46z3wwp for ; Fri, 5 Mar 2021 19:40:25 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4DsdPN0nhyz25m; Fri, 5 Mar 2021 19:40:24 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4DsdPM6l0pz2xYh; Fri, 5 Mar 2021 19:40:23 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4DsdPL4p68z2xLb for ; Fri, 5 Mar 2021 19:40:22 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4DsdPL0XlMz7W for ; Fri, 5 Mar 2021 19:40:22 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1614973222; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=xKJ9kFHeNB+HpSMk5Fvvd1RyhXiwvO/GGVErdmPYOTw=; b=lgtqk0Lg9JgRQgIaHnq5L4qr5RFLZexlonJxbBWiFuHOG+9KHmX9ypWIOeZOJyl0xQa1YF 3bIhjzuH7xxr16BQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1614973222; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=xKJ9kFHeNB+HpSMk5Fvvd1RyhXiwvO/GGVErdmPYOTw=; b=nkOQMktRrndteswj/ygccSEGn4NgZ4A9Skw2C+hoR+eKoRrWoixIFdh2WpVa/ygITDXGLm pzuIBP1hpMUC0JlvwDYh64031Zt+t7JdNJJDoHk2T8cC55L6kxwnhGOGP/meR3pPBhvk1e 3Lvy3u16e+xJeIMJNGuAfDl5Sq9m0rjb6svUCQCEIcWztIMh/n/3mpNQ8qYfUnO47FtxfC oNQtJI1HTKGuptREZvL5cp9Hwj/vTGLsIeCYNGmNt/WmoSv6YkD3AP8Jz7ppV7PlOeBt1R P/7mj3KFHqWQJ9hAWCMGKHLnDnyLyE91CFxVwfPsLKNfs0wU0oWMyhYchwNUFw== From: Matthias Fischer To: development@lists.ipfire.org Subject: [PATCH] (V3) Forcing DNS/NTP Date: Fri, 5 Mar 2021 20:40:17 +0100 Message-Id: <20210305194017.7114-1-matthias.fischer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Originally triggered by: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512 Current discussion: https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888 Summary and functionality: These patches are controlled through "Firewall Options". They add new firewall-[DNS/NTP]_FORCED_ON_[INTERFACE]-options to '/var/ipfire/optionsfw/settings'. They activate/deactivate appropriate REDIRECT rules through a new ctrl file ('/usr/local/bin/dnsntpctrl') and a new init file ('/etc/rc.d/init.d/dnsntp'). Default of all new rules is OFF (set in 'lfs/configroot'). If set to ON, they REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP servers specified in IPFire. GUI links to DNS and NTP options were added to make this more transparent. Flaw/ToDo: To make things work as I wanted I had to add a 'dnsntpctrl' file which calls the actual init file, 'dnsntp'. This is actually an unnecessary detour. In fact I wanted to merge these two files in *one* C file, but this was beyond my capabilities, perhaps "someone" else knows how to program this. Changed visibility (GUI, 'optionsfw.cgi') and some cosmetics: The corresponding interface options - including 'Masquerade ...' - are only visible if the respective interface actually exists. If BLUE interface doesn't exist, there are no ON/OFF switches for 'DNS/NTP on BLUE' or logging options for BLUE available (e.g.). Added text colors for better readability and links to DNS and NTP GUI. Separated logging options per interface. No reboot required: Rules can be switched ON/OFF without rebooting IPFire. Changes immedediatly take effect after clicking 'Save'. Changes to '/etc/rc.d/init.d/firewall': To avoid collisions with possibly existing CUSTOM rules, I added a new PREROUTING chain: DNS_NTP_REDIRECT. This chain is flushed by the init file before before the desired settings are applied. Corrected a 'trafic' typo. Signed-off-by: Matthias Fischer --- config/rootfiles/common/aarch64/initscripts | 1 + config/rootfiles/common/armv5tel/initscripts | 1 + config/rootfiles/common/i586/initscripts | 1 + config/rootfiles/common/misc-progs | 1 + config/rootfiles/common/x86_64/initscripts | 1 + html/cgi-bin/optionsfw.cgi | 92 ++++++++++++++++---- langs/de/cgi-bin/de.pl | 15 +++- langs/en/cgi-bin/en.pl | 15 +++- lfs/configroot | 4 + src/initscripts/system/dnsntp | 36 ++++++++ src/initscripts/system/firewall | 9 +- src/misc-progs/Makefile | 2 +- src/misc-progs/dnsntpctrl.c | 19 ++++ 13 files changed, 168 insertions(+), 29 deletions(-) create mode 100644 src/initscripts/system/dnsntp create mode 100644 src/misc-progs/dnsntpctrl.c diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts index 800005966..f38a3a294 100644 --- a/config/rootfiles/common/aarch64/initscripts +++ b/config/rootfiles/common/aarch64/initscripts @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd etc/rc.d/init.d/console etc/rc.d/init.d/dhcp etc/rc.d/init.d/dhcrelay +etc/rc.d/init.d/dnsntp etc/rc.d/init.d/fcron etc/rc.d/init.d/fireinfo etc/rc.d/init.d/firewall diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts index 800005966..f38a3a294 100644 --- a/config/rootfiles/common/armv5tel/initscripts +++ b/config/rootfiles/common/armv5tel/initscripts @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd etc/rc.d/init.d/console etc/rc.d/init.d/dhcp etc/rc.d/init.d/dhcrelay +etc/rc.d/init.d/dnsntp etc/rc.d/init.d/fcron etc/rc.d/init.d/fireinfo etc/rc.d/init.d/firewall diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts index 18c5a897a..a3a2b47f7 100644 --- a/config/rootfiles/common/i586/initscripts +++ b/config/rootfiles/common/i586/initscripts @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd etc/rc.d/init.d/console etc/rc.d/init.d/dhcp etc/rc.d/init.d/dhcrelay +etc/rc.d/init.d/dnsntp etc/rc.d/init.d/fcron etc/rc.d/init.d/fireinfo etc/rc.d/init.d/firewall diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs index d6594b3f8..4bcb94812 100644 --- a/config/rootfiles/common/misc-progs +++ b/config/rootfiles/common/misc-progs @@ -5,6 +5,7 @@ usr/local/bin/captivectrl usr/local/bin/collectdctrl usr/local/bin/ddnsctrl usr/local/bin/dhcpctrl +usr/local/bin/dnsntpctrl usr/local/bin/extrahdctrl usr/local/bin/fireinfoctrl usr/local/bin/firewallctrl diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts index 18c5a897a..a3a2b47f7 100644 --- a/config/rootfiles/common/x86_64/initscripts +++ b/config/rootfiles/common/x86_64/initscripts @@ -20,6 +20,7 @@ etc/rc.d/init.d/conntrackd etc/rc.d/init.d/console etc/rc.d/init.d/dhcp etc/rc.d/init.d/dhcrelay +etc/rc.d/init.d/dnsntp etc/rc.d/init.d/fcron etc/rc.d/init.d/fireinfo etc/rc.d/init.d/firewall diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index 321642e82..3fc707e8b 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2014-2020 IPFire Team # +# Copyright (C) 2014-2021 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -50,6 +50,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { $errormessage .= $Lang::tr{'new optionsfw later'}; &General::writehash($filename, \%settings); # Save good settings system("/usr/local/bin/firewallctrl"); + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); }else{ if ($settings{'POLICY'} ne ''){ $fwdfwsettings{'POLICY'} = $settings{'POLICY'}; @@ -65,6 +66,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { &General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings); &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings); system("/usr/local/bin/firewallctrl"); + system("/usr/local/bin/dnsntpctrl >/dev/null 2>&1"); } &General::readhash($filename, \%settings); # Load good settings } @@ -140,6 +142,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele $selected{'MASQUERADE_BLUE'}{'off'} = ''; $selected{'MASQUERADE_BLUE'}{'on'} = ''; $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"'; +$checked{'DNS_FORCE_ON_GREEN'}{'off'} = ''; +$checked{'DNS_FORCE_ON_GREEN'}{'on'} = ''; +$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'"; +$checked{'DNS_FORCE_ON_BLUE'}{'off'} = ''; +$checked{'DNS_FORCE_ON_BLUE'}{'on'} = ''; +$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'"; +$checked{'NTP_FORCE_ON_GREEN'}{'off'} = ''; +$checked{'NTP_FORCE_ON_GREEN'}{'on'} = ''; +$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'"; +$checked{'NTP_FORCE_ON_BLUE'}{'off'} = ''; +$checked{'NTP_FORCE_ON_BLUE'}{'on'} = ''; +$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'"; &Header::openbox('100%', 'center',); print "
"; @@ -189,13 +203,44 @@ END END } - print < + +   + $Lang::tr{'fw green'} + + $Lang::tr{'dns force on green'}$Lang::tr{'on'} / + $Lang::tr{'off'} + $Lang::tr{'ntp force on green'}$Lang::tr{'on'} / + $Lang::tr{'off'} +END + + if (&Header::blue_used()) { + print < + $Lang::tr{'fw blue'} +   + + $Lang::tr{'dns force on blue'}$Lang::tr{'on'} / + $Lang::tr{'off'} + $Lang::tr{'ntp force on blue'}$Lang::tr{'on'} / + $Lang::tr{'off'} + $Lang::tr{'drop proxy'}$Lang::tr{'on'} / + $Lang::tr{'off'} + $Lang::tr{'drop samba'}$Lang::tr{'on'} / + $Lang::tr{'off'} + + +END + } + + print < -
+
- - +
$Lang::tr{'fw logging'}
+ - +END + } + + print < + +
-
$Lang::tr{'fw logging red'}
$Lang::tr{'drop newnotsyn'}$Lang::tr{'on'} / $Lang::tr{'off'}
$Lang::tr{'drop input'}$Lang::tr{'on'} / @@ -206,21 +251,30 @@ END $Lang::tr{'off'}
$Lang::tr{'drop portscan'}$Lang::tr{'on'} / $Lang::tr{'off'}
$Lang::tr{'drop wirelessinput'}$Lang::tr{'on'} / +END + + if (&Header::blue_used()) { + print < + +
+ + + + + - -
$Lang::tr{'fw logging blue'}
$Lang::tr{'drop wirelessinput'}$Lang::tr{'on'} / $Lang::tr{'off'}
$Lang::tr{'drop wirelessforward'}$Lang::tr{'on'} / +
$Lang::tr{'drop wirelessforward'}$Lang::tr{'on'} / $Lang::tr{'off'}
-
+
- - - -
$Lang::tr{'fw blue'}
$Lang::tr{'drop proxy'}$Lang::tr{'on'} / - $Lang::tr{'off'}
$Lang::tr{'drop samba'}$Lang::tr{'on'} / - $Lang::tr{'off'}
-
END print "
$Lang::tr{'fw settings'}
$Lang::tr{'fw settings color'}$Lang::tr{'on'} / @@ -252,7 +306,7 @@ END
-
+
@@ -278,7 +332,7 @@ print <
"; - print"

"; + print"

"; print < diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 6a8133807..d6bb234fa 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -836,6 +836,8 @@ 'dns error 0' => 'Die IP Adresse vom primären DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!
Die eingegebene sekundären DNS Server Adresse ist jedoch gültig.
', 'dns error 01' => 'Die eingegebene IP Adresse des primären wie auch des sekundären DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!', 'dns error 1' => 'Die IP Adresse vom sekundären DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!
Die eingegebene primäre DNS Server Adresse ist jedoch gültig.', +'dns force on blue' => 'Erzwinge lokale DNS-Server auf BLAU', +'dns force on green' => 'Erzwinge lokale DNS-Server auf GRÜN', 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)', 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)', 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0', @@ -1102,9 +1104,12 @@ 'from email server' => 'Von E-Mail-Server', 'from email user' => 'Von E-Mail-Benutzer', 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig', -'fw blue' => 'Firewalloptionen für das Blaue Interface', +'fw blue' => 'Firewalloptionen für das BLAUE Interface', 'fw default drop' => 'Firewallrichtlinie', +'fw green' => 'Firewalloptionen für das GRÜNE Interface', 'fw logging' => 'Firewallprotokollierung', +'fw logging blue' => 'Firewallprotokollierung (BLAU)', +'fw logging red' => 'Firewallprotokollierung (ROT)', 'fw settings' => 'Firewalleinstellungen', 'fw settings color' => 'Farben in Regeltabelle anzeigen', 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen', @@ -1644,9 +1649,9 @@ 'map to guest' => 'Map to Guest', 'march' => 'März', 'marked' => 'Markiert', -'masquerade blue' => 'NAT auf BLAU', -'masquerade green' => 'NAT auf GRÜN', -'masquerade orange' => 'NAT auf ORANGE', +'masquerade blue' => 'NAT auf BLAU', +'masquerade green' => 'NAT auf GRÜN', +'masquerade orange' => 'NAT auf ORANGE', 'masquerading' => 'Masquerading/NAT', 'masquerading disabled' => 'NAT ausgeschaltet', 'masquerading enabled' => 'NAT eingeschaltet', @@ -1814,6 +1819,8 @@ 'november' => 'November', 'ntp common settings' => 'Allgemeine Einstellungen', 'ntp configuration' => 'Zeitserverkonfiguration', +'ntp force on blue' => 'Erzwinge lokale NTP-Server auf BLAU', +'ntp force on green' => 'Erzwinge lokale NTP-Server auf GRÜN', 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.', 'ntp server' => 'NTP-Server', 'ntp sync' => 'Synchronisation', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 8f7e0c2cf..474612025 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -859,6 +859,8 @@ 'dns error 0' => 'The IP address of the primary DNS server is not valid, please check your entries!
The entered secondary DNS server address is valid.', 'dns error 01' => 'The entered IP address of the primary and secondary DNS server are not valid, please check your entries!', 'dns error 1' => 'The IP address of the secondary DNS server is not valid, please check your entries!
The entered primary DNS server address is valid.', +'dns force on blue' => 'Force DNS to use local DNS servers on BLUE', +'dns force on green' => 'Force DNS to use local DNS servers on GREEN', 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)', 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)', 'dns header' => 'Assign DNS server addresses only for DHCP on red0', @@ -1128,9 +1130,12 @@ 'from email server' => 'From Email server', 'from email user' => 'From e-mail user', 'from warn email bad' => 'From e-mail address is not valid', -'fw blue' => 'Firewall options for BLUE interface', +'fw blue' => 'Firewall options for BLUE Interface', 'fw default drop' => 'Firewall policy', +'fw green' => 'Firewall options for GREEN Interface', 'fw logging' => 'Firewall logging', +'fw logging blue' => 'Firewall logging (BLUE)', +'fw logging red' => 'Firewall logging (RED)', 'fw settings' => 'Firewall settings', 'fw settings color' => 'Show colors in ruletable', 'fw settings dropdown' => 'Show all networks on rulecreation site', @@ -1672,9 +1677,9 @@ 'map to guest' => 'Map to Guest', 'march' => 'March', 'marked' => 'Marked', -'masquerade blue' => 'Masquerade BLUE', -'masquerade green' => 'Masquerade GREEN', -'masquerade orange' => 'Masquerade ORANGE', +'masquerade blue' => 'Masquerade BLUE', +'masquerade green' => 'Masquerade GREEN', +'masquerade orange' => 'Masquerade ORANGE', 'masquerading' => 'Masquerading', 'masquerading disabled' => 'Masquerading disabled', 'masquerading enabled' => 'Masquerading enabled', @@ -1844,6 +1849,8 @@ 'november' => 'November', 'ntp common settings' => 'Common settings', 'ntp configuration' => 'NTP Configuration', +'ntp force on blue' => 'Force NTP to use local NTP servers on BLUE', +'ntp force on green' => 'Force NTP to use local NTP servers on GREEN', 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.', 'ntp server' => 'NTP Server', 'ntp sync' => 'Synchronization', diff --git a/lfs/configroot b/lfs/configroot index a3e474d70..622793b35 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -129,6 +129,10 @@ $(TARGET) : echo "SHOWDROPDOWN=off" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPWIRELESSINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPWIRELESSFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "DNS_FORCE_ON_GREEN=off" >> $(CONFIG_ROOT)/optionsfw/settings + echo "DNS_FORCE_ON_BLUE=off" >> $(CONFIG_ROOT)/optionsfw/settings + echo "NTP_FORCE_ON_GREEN=off" >> $(CONFIG_ROOT)/optionsfw/settings + echo "NTP_FORCE_ON_BLUE=off" >> $(CONFIG_ROOT)/optionsfw/settings echo "POLICY=MODE2" >> $(CONFIG_ROOT)/firewall/settings echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings echo "USE_ISP_NAMESERVERS=on" >> $(CONFIG_ROOT)/dns/settings diff --git a/src/initscripts/system/dnsntp b/src/initscripts/system/dnsntp new file mode 100644 index 000000000..2eafa9d20 --- /dev/null +++ b/src/initscripts/system/dnsntp @@ -0,0 +1,36 @@ +#!/bin/sh +######################################################################## +# Begin $rc_base/init.d/dnsntp +# +# Description : dnsntp init script for DNS/NTP rules only +# +######################################################################## + +# flush chain +iptables -t nat -F DNS_NTP_REDIRECT + +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) + +# Force DNS REDIRECTs on GREEN (udp, tcp, 53) +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 53 -j REDIRECT + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p tcp -m tcp --dport 53 -j REDIRECT +fi + +# Force DNS REDIRECTs on BLUE (udp, tcp, 53) +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 53 -j REDIRECT + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT +fi + +# Force NTP REDIRECTs on GREEN (udp, 123) +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then + iptables -t nat -A DNS_NTP_REDIRECT -i green0 -p udp -m udp --dport 123 -j REDIRECT +fi + +# Force DNS REDIRECTs on BLUE (udp, 123) +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then + iptables -t nat -A DNS_NTP_REDIRECT -i blue0 -p udp -m udp --dport 123 -j REDIRECT +fi + +# End $rc_base/init.d/dnsntp diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 65f1c979b..43ae74113 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -169,6 +169,10 @@ iptables_init() { # Fix for braindead ISPs iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu + # DNS / NTP REDIRECT + iptables -t nat -N DNS_NTP_REDIRECT + iptables -t nat -A PREROUTING -j DNS_NTP_REDIRECT + # CUSTOM chains, can be used by the users themselves iptables -N CUSTOMINPUT iptables -A INPUT -j CUSTOMINPUT @@ -281,7 +285,7 @@ iptables_init() { iptables -A INPUT -j LOCATIONBLOCK iptables -A FORWARD -j LOCATIONBLOCK - # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything + # traffic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything iptables -N IPSECINPUT iptables -N IPSECFORWARD iptables -N IPSECOUTPUT @@ -389,6 +393,9 @@ iptables_init() { # run captivectrl /usr/local/bin/captivectrl + # run dnsntpctrl + /usr/local/bin/dnsntpctrl + # POLICY CHAIN iptables -N POLICYIN iptables -A INPUT -j POLICYIN diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile index 7c3ef7529..6f2733ef0 100644 --- a/src/misc-progs/Makefile +++ b/src/misc-progs/Makefile @@ -26,7 +26,7 @@ PROGS = iowrap SUID_PROGS = squidctrl sshctrl ipfirereboot \ ipsecctrl timectrl dhcpctrl suricatactrl \ rebuildhosts backupctrl collectdctrl \ - logwatch wioscan wiohelper openvpnctrl firewallctrl \ + logwatch wioscan wiohelper openvpnctrl firewallctrl dnsntpctrl \ wirelessctrl getipstat qosctrl \ redctrl syslogdctrl extrahdctrl sambactrl \ smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \ diff --git a/src/misc-progs/dnsntpctrl.c b/src/misc-progs/dnsntpctrl.c new file mode 100644 index 000000000..f2a3b89e3 --- /dev/null +++ b/src/misc-progs/dnsntpctrl.c @@ -0,0 +1,19 @@ +/* This file is part of the IPFire Firewall. + * + * This program is distributed under the terms of the GNU General Public + * Licence. See the file COPYING for details. + * + */ + +#include +#include "setuid.h" + +int main(void) +{ + if (!(initsetuid())) + exit(1); + + safe_system("/etc/rc.d/init.d/dnsntp >/dev/null 2>&1"); + + return 0; +}