From mboxrd@z Thu Jan  1 00:00:00 1970
From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject:
 [PATCH 2/3] /etc/init.d/firewall: Modified for 'forcing dns on green/blue'
Date: Sat, 28 Nov 2020 15:03:52 +0100
Message-ID: <20201128140353.3168-2-matthias.fischer@ipfire.org>
In-Reply-To: <20201128140353.3168-1-matthias.fischer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6972892181799577843=="
List-Id: <development.lists.ipfire.org>

--===============6972892181799577843==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

I used '/etc/rc.d/init.d/firewall' with REDIRECT rules and placed them
just behind the CAPITVE_PORTAL_CHAIN, as Michael mentioned on the list.
I hope, I got the right place.

Short background:
- To avoid creating duplicate rule entries, I used code like 'if !
  iptables -t nat -C..." or 'if iptables -t nat -C..." ("Check for the
  existence of a rule").
  This was done because I wanted to be absolutely  sure that a specific
  rule would only be created if it doesn't already exist. To reduce
  output noise I added '>/dev/null 2>&1', where it seemed necessary.

Results:
  If I delete just *one* rule manually, only the missing rule will be
  created, I found no duplicates. ON/OFF switches worked as expected.

ToDo:
  Adding the default settings (all OFF) during install ('update.sh') to
  '/var/ipfire/optionsfw/settings'.
  Restart using Web-GUI with 'Save and Restart' button. By now, restart
  is only possible through only console.

Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
---
 src/initscripts/system/firewall | 71 +++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 65f1c979b..4e02bd3d9 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -246,6 +246,77 @@ iptables_init() {
 		iptables -A ${i} -j CAPTIVE_PORTAL
 	done
=20
+# Force DNS REDIRECT on GREEN (udp, tcp, 53)
+if [ "$DNS_FORCE_ON_GREEN" =3D=3D "on" ]; then
+	if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53=
 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j =
REDIRECT
+	fi
+
+	if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53=
 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j =
REDIRECT
+	fi
+
+else
+
+	if iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -=
j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j =
REDIRECT >/dev/null 2>&1
+	fi
+
+	if iptables -t nat -C CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -=
j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -D CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j =
REDIRECT >/dev/null 2>&1
+	fi
+fi
+
+# Force DNS REDIRECT on BLUE (udp, tcp, 53)
+if [ "$DNS_FORCE_ON_BLUE" =3D=3D "on" ]; then
+	if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 =
-j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j R=
EDIRECT
+	fi
+
+	if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 =
-j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -A CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j R=
EDIRECT
+	fi
+
+else
+
+	if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j=
 REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j R=
EDIRECT >/dev/null 2>&1
+	fi
+
+	if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j=
 REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -D CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j R=
EDIRECT >/dev/null 2>&1
+	fi
+
+fi
+
+# Force NTP REDIRECT on GREEN (udp, 123)
+if [ "$NTP_FORCE_ON_GREEN" =3D=3D "on" ]; then
+	if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 12=
3 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j=
 REDIRECT
+	fi
+
+else
+
+	if iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 =
-j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j=
 REDIRECT >/dev/null 2>&1
+	fi
+
+fi
+
+# Force DNS REDIRECT on BLUE (udp, 123)
+if [ "$NTP_FORCE_ON_BLUE" =3D=3D "on" ]; then
+	if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123=
 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j =
REDIRECT
+	fi
+
+else
+
+	if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -=
j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j =
REDIRECT >/dev/null 2>&1
+	fi
+
+fi
+
 	# Accept everything connected
 	for i in INPUT FORWARD OUTPUT; do
 		iptables -A ${i} -j CONNTRACK
--=20
2.18.0


--===============6972892181799577843==--