Hi,
at a first glance this patch seems to be okay.
We should include in the announcement of the core update containing this patch a remark, that a possible work-around in firewall.local according the community article must be removed. Otherwise the system contains the REDIRECT rules twice. This would result in firewall, where these REDIRECTS cannot be switched off as supposed by the .cgi
Regards, Bernhard
Gesendet: Samstag, 28. November 2020 um 15:03 Uhr Von: "Matthias Fischer" matthias.fischer@ipfire.org An: development@lists.ipfire.org Betreff: [PATCH 2/3] /etc/init.d/firewall: Modified for 'forcing dns on green/blue'
I used '/etc/rc.d/init.d/firewall' with REDIRECT rules and placed them just behind the CAPITVE_PORTAL_CHAIN, as Michael mentioned on the list. I hope, I got the right place.
Short background:
- To avoid creating duplicate rule entries, I used code like 'if ! iptables -t nat -C..." or 'if iptables -t nat -C..." ("Check for the existence of a rule"). This was done because I wanted to be absolutely sure that a specific rule would only be created if it doesn't already exist. To reduce output noise I added '>/dev/null 2>&1', where it seemed necessary.
Results: If I delete just *one* rule manually, only the missing rule will be created, I found no duplicates. ON/OFF switches worked as expected.
ToDo: Adding the default settings (all OFF) during install ('update.sh') to '/var/ipfire/optionsfw/settings'. Restart using Web-GUI with 'Save and Restart' button. By now, restart is only possible through only console.
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
src/initscripts/system/firewall | 71 +++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 65f1c979b..4e02bd3d9 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -246,6 +246,77 @@ iptables_init() { iptables -A ${i} -j CAPTIVE_PORTAL done
+# Force DNS REDIRECT on GREEN (udp, tcp, 53) +if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
- if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT- fi
- if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT- fi
+else
- if iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1- fi
- if iptables -t nat -C CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
iptables -t nat -D CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1- fi
+fi
+# Force DNS REDIRECT on BLUE (udp, tcp, 53) +if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
- if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT- fi
- if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
iptables -t nat -A CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT- fi
+else
- if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1- fi
- if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
iptables -t nat -D CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1- fi
+fi
+# Force NTP REDIRECT on GREEN (udp, 123) +if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
- if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT- fi
+else
- if iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1- fi
+fi
+# Force DNS REDIRECT on BLUE (udp, 123) +if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
- if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT- fi
+else
- if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1- fi
+fi
- # Accept everything connected for i in INPUT FORWARD OUTPUT; do iptables -A ${i} -j CONNTRACK
-- 2.18.0