Aw: [PATCH 2/3] /etc/init.d/firewall: Modified for 'forcing dns on green/blue'

[Bernhard Bitsch <Bernhard.Bitsch@gmx.de>]

[-- Attachment #1: Type: text/plain, Size: 5441 bytes --]

Hi,

at a first glance this patch seems to be okay.

We should include in the announcement of the core update containing this patch a remark, that a possible work-around in firewall.local according the community article must be removed. Otherwise the system contains the REDIRECT rules twice. This would result in firewall, where these REDIRECTS cannot be switched off as supposed by the .cgi

Regards,
Bernhard

> Gesendet: Samstag, 28. November 2020 um 15:03 Uhr
> Von: "Matthias Fischer" <matthias.fischer(a)ipfire.org>
> An: development(a)lists.ipfire.org
> Betreff: [PATCH 2/3] /etc/init.d/firewall: Modified for 'forcing dns on green/blue'
>
> I used '/etc/rc.d/init.d/firewall' with REDIRECT rules and placed them
> just behind the CAPITVE_PORTAL_CHAIN, as Michael mentioned on the list.
> I hope, I got the right place.
>
> Short background:
> - To avoid creating duplicate rule entries, I used code like 'if !
>   iptables -t nat -C..." or 'if iptables -t nat -C..." ("Check for the
>   existence of a rule").
>   This was done because I wanted to be absolutely  sure that a specific
>   rule would only be created if it doesn't already exist. To reduce
>   output noise I added '>/dev/null 2>&1', where it seemed necessary.
>
> Results:
>   If I delete just *one* rule manually, only the missing rule will be
>   created, I found no duplicates. ON/OFF switches worked as expected.
>
> ToDo:
>   Adding the default settings (all OFF) during install ('update.sh') to
>   '/var/ipfire/optionsfw/settings'.
>   Restart using Web-GUI with 'Save and Restart' button. By now, restart
>   is only possible through only console.
>
> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
> ---
>  src/initscripts/system/firewall | 71 +++++++++++++++++++++++++++++++++
>  1 file changed, 71 insertions(+)
>
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index 65f1c979b..4e02bd3d9 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -246,6 +246,77 @@ iptables_init() {
>  		iptables -A ${i} -j CAPTIVE_PORTAL
>  	done
>
> +# Force DNS REDIRECT on GREEN (udp, tcp, 53)
> +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
> +	if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
> +		iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT
> +	fi
> +
> +	if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
> +		iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
> +	fi
> +
> +else
> +
> +	if iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
> +		iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1
> +	fi
> +
> +	if iptables -t nat -C CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
> +		iptables -t nat -D CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1
> +	fi
> +fi
> +
> +# Force DNS REDIRECT on BLUE (udp, tcp, 53)
> +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
> +	if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
> +		iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT
> +	fi
> +
> +	if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
> +		iptables -t nat -A CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
> +	fi
> +
> +else
> +
> +	if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
> +		iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1
> +	fi
> +
> +	if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
> +		iptables -t nat -D CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1
> +	fi
> +
> +fi
> +
> +# Force NTP REDIRECT on GREEN (udp, 123)
> +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
> +	if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
> +		iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT
> +	fi
> +
> +else
> +
> +	if iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
> +		iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1
> +	fi
> +
> +fi
> +
> +# Force DNS REDIRECT on BLUE (udp, 123)
> +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
> +	if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
> +		iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT
> +	fi
> +
> +else
> +
> +	if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
> +		iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1
> +	fi
> +
> +fi
> +
>  	# Accept everything connected
>  	for i in INPUT FORWARD OUTPUT; do
>  		iptables -A ${i} -j CONNTRACK
> --
> 2.18.0
>
>