From: Bernhard Bitsch
To: development@lists.ipfire.org
Subject: Aw: [PATCH 2/3] /etc/init.d/firewall: Modified for 'forcing dns on green/blue'
Date: Sun, 29 Nov 2020 21:22:49 +0100
In-Reply-To: <20201128140353.3168-2-matthias.fischer@ipfire.org>

Hi,

at a first glance this patch seems to be okay.

We should include in the announcement of the core update containing this patch a remark that a possible work-around in firewall.local according to the community article must be removed. Otherwise the system contains the REDIRECT rules twice. This would result in a firewall where these REDIRECTs cannot be switched off as supposed by the .cgi.

Regards,
Bernhard

> Sent: Saturday, 28 November 2020 at 15:03
> From: "Matthias Fischer"
> To: development(a)lists.ipfire.org
> Subject: [PATCH 2/3] /etc/init.d/firewall: Modified for 'forcing dns on green/blue'
>
> I used '/etc/rc.d/init.d/firewall' with REDIRECT rules and placed them
> just behind the CAPTIVE_PORTAL_CHAIN, as Michael mentioned on the list.
> I hope I got the right place.
>
> Short background:
> - To avoid creating duplicate rule entries, I used code like 'if !
>   iptables -t nat -C ...' or 'if iptables -t nat -C ...' ("Check for the
>   existence of a rule").
>   This was done because I wanted to be absolutely sure that a specific
>   rule would only be created if it doesn't already exist. To reduce
>   output noise I added '>/dev/null 2>&1' where it seemed necessary.
>
> Results:
> If I delete just *one* rule manually, only the missing rule will be
> created; I found no duplicates. ON/OFF switches worked as expected.
>
> ToDo:
> Adding the default settings (all OFF) during install ('update.sh') to
> '/var/ipfire/optionsfw/settings'.
> Restart using Web-GUI with 'Save and Restart' button. By now, restart
> is only possible through the console.
>
> Signed-off-by: Matthias Fischer
> ---
>  src/initscripts/system/firewall | 71 +++++++++++++++++++++++++++++++++
>  1 file changed, 71 insertions(+)
>
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index 65f1c979b..4e02bd3d9 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -246,6 +246,77 @@ iptables_init() { > iptables -A ${i} -j CAPTIVE_PORTAL > done > > +# Force DNS REDIRECT on GREEN (udp, tcp, 53) > +if [ "$DNS_FORCE_ON_GREEN" =3D=3D "on" ]; then > + if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport = 53 -j REDIRECT >/dev/null 2>&1; then > + iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -= j REDIRECT > + fi > + > + if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport = 53 -j REDIRECT >/dev/null 2>&1; then > + iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -= j REDIRECT > + fi > + > +else > + > + if iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53= -j REDIRECT >/dev/null 2>&1; then > + iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -= j REDIRECT >/dev/null 2>&1 > + fi > + > + if iptables -t nat -C CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53= -j REDIRECT >/dev/null 2>&1; then > + iptables -t nat -D CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -= j REDIRECT >/dev/null 2>&1 > + fi > +fi > + > +# Force DNS REDIRECT on BLUE (udp, tcp, 53) > +if [ "$DNS_FORCE_ON_BLUE" =3D=3D "on" ]; then > + if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 5= 3 -j REDIRECT >/dev/null 2>&1; then > + iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j= REDIRECT > + fi > + > + if ! 
iptables -t nat -C CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 5= 3 -j REDIRECT >/dev/null 2>&1; then > + iptables -t nat -A CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j= REDIRECT > + fi > + > +else > + > + if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 = -j REDIRECT >/dev/null 2>&1; then > + iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j= REDIRECT >/dev/null 2>&1 > + fi > + > + if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 = -j REDIRECT >/dev/null 2>&1; then > + iptables -t nat -D CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j= REDIRECT >/dev/null 2>&1 > + fi > + > +fi > + > +# Force NTP REDIRECT on GREEN (udp, 123) > +if [ "$NTP_FORCE_ON_GREEN" =3D=3D "on" ]; then > + if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport = 123 -j REDIRECT >/dev/null 2>&1; then > + iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 = -j REDIRECT > + fi > + > +else > + > + if iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 12= 3 -j REDIRECT >/dev/null 2>&1; then > + iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 = -j REDIRECT >/dev/null 2>&1 > + fi > + > +fi > + > +# Force DNS REDIRECT on BLUE (udp, 123) > +if [ "$NTP_FORCE_ON_BLUE" =3D=3D "on" ]; then > + if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 1= 23 -j REDIRECT >/dev/null 2>&1; then > + iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -= j REDIRECT > + fi > + > +else > + > + if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123= -j REDIRECT >/dev/null 2>&1; then > + iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -= j REDIRECT >/dev/null 2>&1 > + fi > + > +fi > + > # Accept everything connected > for i in INPUT FORWARD OUTPUT; do > iptables -A ${i} -j CONNTRACK > -- > 2.18.0 > > --===============3412233505373596743==--
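Review bot: the comment above the last block in the hunk, "# Force DNS REDIRECT on BLUE (udp, 123)", is wrong; that block is keyed on $NTP_FORCE_ON_BLUE and port 123, so it should read "Force NTP REDIRECT on BLUE (udp, 123)" like its GREEN counterpart. The mislabel is a symptom of the four blocks being copy-pasted: the same check-then-add / check-then-delete pattern appears eight times with only interface, protocol and port varying, so a small helper taking those three arguments (called once per interface/protocol/port combination) would shorten the hunk, make the on/off logic auditable in one place and rule out this kind of drift. Two smaller points: the interface names green0 and blue0 are hardcoded, so the BLUE blocks are evaluated even on systems that have no BLUE interface and should be guarded on the configured device instead; and the `==` inside `[ ... ]` is a bash extension, `=` is the portable form. Bernhard's remark above also belongs in the patch description or the release notes: because the script only adds a rule when `-C` does not find it, any identical REDIRECT rule still present from a firewall.local work-around will coexist with, and survive, the off switch in the .cgi.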