--- /dev/null
+#!/bin/sh
+# Used for private firewall rules
+
+# See how we were called.
+case "$1" in
+ start)
+ ## add your 'start' rules here
+ ;;
+ stop)
+ ## add your 'stop' rules here
+ ;;
+ reload)
+ $0 stop
+ $0 start
+ ## add your 'reload' rules here
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload}"
+ ;;
+esac
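Review bot: The `*)` branch prints the usage to stdout and falls out of the `case` with status 0, so a caller such as the init script or the looper cannot distinguish a mistyped argument from a successful run. Send it to stderr and fail explicitly: `echo "Usage: $0 {start|stop|reload}" >&2; exit 1`. The same template is added verbatim several more times in this commit, so the change applies to each copy.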
--- /dev/null
+#!/bin/sh
+# Used for private firewall rules
+
+# See how we were called.
+case "$1" in
+ start)
+ ## add your 'start' rules here
+ ;;
+ stop)
+ ## add your 'stop' rules here
+ ;;
+ reload)
+ $0 stop
+ $0 start
+ ## add your 'reload' rules here
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload}"
+ ;;
+esac
--- /dev/null
+#!/bin/sh
+# Used for private firewall rules
+
+# See how we were called.
+case "$1" in
+ start)
+ ## add your 'start' rules here
+ ;;
+ stop)
+ ## add your 'stop' rules here
+ ;;
+ reload)
+ $0 stop
+ $0 start
+ ## add your 'reload' rules here
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload}"
+ ;;
+esac
--- /dev/null
+#!/bin/sh
+#
+# IPFire Custom Firewall (icf)
+#
+# Github: https://github.com/Mnkey
+#
+# Loops over the local "rules.d/" subfolder files
+# Forwarding the (start/stop) command to every file
+# which extension is ".on". To enabled multiple
+# custom firewall rulesets!
+#
+# the configuration of the ipfire custom rules (ipfcr)
+# in the local "rules.d/*" sunfolder, is inside the
+# files themself!
+#
+# Use this at your OWN RISK. Not fully supported!
+#
+# License: GPL2
+#
+# icf v0.1 (c) 30 May 2022 code.monkeycat.com
+#
+# Nuff text...
+
+pwd=$PWD
+base=${PWD%/*/*}
+
+case "$1" in
+ start)
+ find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \;
+
+ ;;
+ stop)
+ find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \;
+
+ ;;
+ reload)
+ $0 stop
+ $0 start
+
+ ;;
+ flush)
+ iptables -t nat -F CUSTOMPREROUTING
+ iptables -t nat -F CUSTOMPOSTROUTING
+ iptables -F CUSTOMFORWARD
+
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload|flush}"
+ ;;
+esac
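Review bot: The header promises that only files with the `.on` extension are run, but the `find` on the `start` and `stop` lines has no name filter, so every regular file in `rules.d/` — a `.off` ruleset, an editor backup, anything dropped there — is executed by the firewall hook on each reload. Add the filter and drop the inner `bash -c`, which re-parses the path as shell text (and contradicts the `#!/bin/sh` shebang): `find "$base/rules.d/" -maxdepth 1 -type f -name '*.on' -exec sh {} "$1" \;` in both branches. `base=${PWD%/*/*}` is derived from the caller's working directory, not from this script's location, so when the init script invokes the hook from somewhere other than `data/run` it presumably does not resolve to the checkout; `base=$(dirname "$(readlink -f "$0")")` followed by `${base%/*/*}` would not depend on the cwd. The `flush` branch empties the whole CUSTOM* chains, which removes rules from every ruleset rather than this one — worth a comment on the usage line.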
--- /dev/null
+#!/bin/sh
+# Used for private firewall rules
+
+# See how we were called.
+case "$1" in
+ start)
+ ## add your 'start' rules here
+ ;;
+ stop)
+ ## add your 'stop' rules here
+ ;;
+ reload)
+ $0 stop
+ $0 start
+ ## add your 'reload' rules here
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload}"
+ ;;
+esac
--- /dev/null
+#!/bin/sh
+# Used for private firewall rules
+
+# See how we were called.
+case "$1" in
+ start)
+ ## add your 'start' rules here
+ ;;
+ stop)
+ ## add your 'stop' rules here
+ ;;
+ reload)
+ $0 stop
+ $0 start
+ ## add your 'reload' rules here
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload}"
+ ;;
+esac
--- /dev/null
+#!/bin/sh
+#
+# IPFire Custom Rules (icr)
+#
+# Github: https://github.com/MonkeyCat/IPFireCustomRules
+#
+# Loops over the local "rules.d/" subfolder files
+# Forwarding the (start/stop) command to every file
+# which extension is ".on". To enabled multiple
+# custom firewall rulesets!
+#
+# the configuration of the ipfire custom rules (ipfcr)
+# in the local "rules.d/*" sunfolder, is inside the
+# files themself!
+#
+# Use this at your OWN RISK. Not fully supported!
+#
+# License: GPL2
+#
+# icr v0.1 (c) 30 May 2022 code.monkeycat.com
+#
+# Nuff text...
+
+pwd=$PWD
+base=${PWD%/*/*}
+
+case "$1" in
+ start)
+ find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \;
+
+ ;;
+ stop)
+ find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \;
+
+ ;;
+ reload)
+ $0 stop
+ $0 start
+
+ ;;
+ flush)
+ iptables -t nat -F CUSTOMPREROUTING
+ iptables -t nat -F CUSTOMPOSTROUTING
+ iptables -F CUSTOMFORWARD
+
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload|flush}"
+ ;;
+esac
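Review bot: This looper copy has the same unfiltered `find` as the other one in this commit: the comment says only `.on` files are forwarded the command, but the `start`/`stop` lines execute every regular file in `rules.d/`. Use `find "$base/rules.d/" -maxdepth 1 -type f -name '*.on' -exec sh {} "$1" \;` in both branches, which also quotes `$base` (it is built from `$PWD`) and avoids re-parsing the path through `bash -c` under a `#!/bin/sh` shebang.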
--- /dev/null
+firewall.local.167
\ No newline at end of file
--- /dev/null
+#!/bin/sh
+#
+# Redirect All DNS Request Traffic To DNS Server on (Internal) Network
+#
+# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512)
+#
+# Use this at your OWN RISK. It is not fully supported!
+# https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2
+#
+# (c) 2022 MonkeyCat.com
+#
+# v0.9 30/May/2022
+
+
+# uncomment if you setup this dns ruleset
+#setup=true
+
+
+
+if $setup
+then
+ echo "Please setup your dns server ip, accepted range and if you want logging!"
+ echo "inside dns_catchall_redirect.* file"
+ exit
+fi
+
+# Our dns server target
+SERVER="10.0.80.2"
+
+# double negation :-) see rule (!)
+ONLY_ACCEPT_INTERNAL="10.0.0.0/8"
+
+LOGGING=true
+
+
+
+# logging prefix
+PREFIX="DNS"
+PORT=53
+
+case "$1" in
+ start)
+ ## add your 'start' rules here
+
+ # dns logging
+ if $LOGGING
+ then
+ echo "$PREFIX Logging Enabled ($SERVER)"
+ # udp
+ iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+ iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+ iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+ iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+ iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+ # tcp
+ iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+ iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+ iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+ iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+ iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+ fi
+
+ # dns
+ echo "$PREFIX Catch All Enabled ($SERVER)"
+ # udp
+ iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+ iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+ iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+ iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+ iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+ # tcp
+ iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT
+ iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP
+ iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT
+ iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT
+ iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE
+
+ ;;
+ stop)
+ ## add your 'stop' rules here
+
+
+ # dns logging
+ if $LOGGING
+ then
+ echo $PREFIX Logging Disabled ($SERVER)"
+ # udp
+ iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+ iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+ iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+ iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+ iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+ # tcp
+ iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+ iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+ iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+ iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+ iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+ fi
+
+ # dns
+ echo $PREFIX Catch All Disabled ($SERVER)"
+ # udp
+ iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+ iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+ iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+ iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+ iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+ # tcp
+ iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT
+ iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP
+ iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT
+ iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT
+ iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE
+
+ ;;
+ reload)
+ $0 stop
+ $0 start
+ ## add your 'reload' rules here
+
+ ;;
+ flush)
+ iptables -t nat -F CUSTOMPREROUTING
+ iptables -t nat -F CUSTOMPOSTROUTING
+ iptables -F CUSTOMFORWARD
+
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload|flush}"
+ ;;
+esac
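Review bot: Uncommenting `setup=true` as the comment instructs does not enable the ruleset: `if $setup` then runs `true`, the guard fires and the script exits before any rule is added — just as it does while the variable is unset, where the empty command also succeeds. Test the value instead, `if [ "${setup:-false}" != true ]; then`, and use `exit 1` so the looper can see the failure. Every `--log-prefix "$PREFIX_ACCEPT_PRIVATE "` (and the four sibling suffixes) expands the unset variable `PREFIX_ACCEPT_PRIVATE`, so the LOG rules carry a blank prefix; write `"${PREFIX}_ACCEPT_PRIVATE "`. The two `echo $PREFIX ... ($SERVER)"` lines in the `stop` branch are missing their opening quote and leave the string unbalanced. Note also that MASQUERADE on the redirected queries hides the original client address from the DNS server's logs; it is presumably only needed for clients on the server's own subnet, so restricting that rule with `-o` to that interface would keep attribution for the others.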
--- /dev/null
+#!/bin/sh
+#
+# Redirect All Time Servers Traffic Request To Time Server on (Internal) Network
+#
+# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512)
+#
+# Use this at your OWN RISK. It is not fully supported!
+# https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2
+#
+# (c) 2022 MonkeyCat.com
+#
+# v1.0a 30/May/2022
+
+
+# uncomment if you setup this ntp ruleset
+#setup=true
+
+
+
+if $setup
+then
+ echo "Please setup your time server ip, accepted range and if you want logging!"
+ echo "inside "ntp_catchall_redirect.* file"
+ exit
+fi
+
+# Our timer server target
+SERVER="10.0.0.5"
+
+# double negation :-) see rule (!)
+ONLY_ACCEPT_INTERNAL="10.0.0.0/8"
+
+LOGGING=false
+
+
+
+# logging prefix
+PREFIX="NTP"
+PORT=123
+
+case "$1" in
+ start)
+ # ntp logging
+ if $LOGGING
+ then
+ echo "$PREFIX Logging Enabled ($SERVER)"
+ iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE "
+ iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL "
+ iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL "
+ iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE "
+ iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE "
+ fi
+
+ # ntp
+ echo "$PREFIX Catch All Enabled ($SERVER)"
+ iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+ iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+
+ iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+ iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+ iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+
+ ;;
+ stop)
+ # ntp logging
+ if $LOGGING
+ then
+ echo "$PREFIX Logging Disabled ($SERVER)"
+ iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE "
+ iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL "
+ iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL "
+ iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE "
+ iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE "
+ fi
+
+ # ntp
+ echo "$PREFIX Catch All Disabled ($SERVER)"
+ iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+ iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+ iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+ iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+ iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+
+ ;;
+ reload)
+ $0 stop
+ $0 start
+ ## add your 'reload' rules here
+
+ ;;
+ flush)
+ iptables -t nat -F CUSTOMPREROUTING
+ iptables -t nat -F CUSTOMPOSTROUTING
+ iptables -F CUSTOMFORWARD
+
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload|flush}"
+ ;;
+esac
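Review bot: The `--log-prefix ""$PREFIX_ACCEPT_PRIVATE "` arguments in both logging branches are mis-quoted: `""` is an empty word, `$PREFIX_ACCEPT_PRIVATE` names an unset variable, and the trailing `"` opens a string that runs onto the next line, so the LOG lines are not parsed as the separate commands intended and the prefix is never `NTP_…`; write `--log-prefix "${PREFIX}_ACCEPT_PRIVATE "` and likewise for the other four suffixes. The `echo "inside "ntp_catchall_redirect.* file"` line has the same shape of problem — the inner quotes close early, the glob is unquoted and the final quote is unbalanced; use `echo "inside ntp_catchall_redirect.* file"`. `if $setup` fires both while `setup` is unset and after it is uncommented to `true`, so the ruleset can never be enabled as documented; test the value with `if [ "${setup:-false}" != true ]; then` and exit non-zero. The header's "for that see" link points at the DNS thread rather than an NTP one, which looks copied over.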
--- /dev/null
+#!/bin/sh
+#
+# IPFire Custom Rules (icr)
+#
+# Github: https://github.com/MonkeyCat/IPFireCustomRules
+#
+# Loops over the local "rules.d/" subfolder files
+# Forwarding the (start/stop) command to every file
+# which extension is ".on". To enabled multiple
+# custom firewall rulesets!
+#
+# the configuration of the ipfire custom rules (ipfcr)
+# in the local "rules.d/*" sunfolder, is inside the
+# files themself!
+#
+# Use this at your OWN RISK. Not fully supported!
+#
+# License: GPL2
+#
+# icr v0.1 (c) 30 May 2022 code.monkeycat.com
+#
+# Nuff text...
+
+pwd=$PWD
+base=${PWD%/*/*}
+
+case "$1" in
+ start)
+ find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \;
+
+ ;;
+ stop)
+ find $base/rules.d/ -maxdepth 1 -type f \( ! -name . \) -exec bash -c "{} $1" \;
+
+ ;;
+ reload)
+ $0 stop
+ $0 start
+
+ ;;
+ flush)
+ iptables -t nat -F CUSTOMPREROUTING
+ iptables -t nat -F CUSTOMPOSTROUTING
+ iptables -F CUSTOMFORWARD
+
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload|flush}"
+ ;;
+esac
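Review bot: Same point as for the other looper copies in this commit: the `find` on the `start` and `stop` lines lacks the `-name '*.on'` filter the header describes, so every regular file in `rules.d/` is executed on each reload. Use `find "$base/rules.d/" -maxdepth 1 -type f -name '*.on' -exec sh {} "$1" \;` in both branches; this also quotes `$base` and removes the `bash -c` string that re-parses the path.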
--- /dev/null
+#!/bin/sh
+
+# backup... tjust in case...
+echo "Backup of firewall.local -> $PWD/data/backups/firewall.$(date +"%Y_%m_%d_%I_%M_%p_%s").local"
+mkdir -p $PWD/data/backups
+cp /etc/sysconfig/firewall.local $PWD/data/backups/firewall.$(date +"%Y_%m_%d_%I_%M_%p_%s").local
+
+# Another backup!
+echo "Backup of firewall.local -> firewall.local.old"
+cp -PL /etc/sysconfig/firewall.local /etc/sysconfig/firewall.local.old
+
+# iterator
+
+if [[ ! -L "/etc/sysconfig/firewall.local" ]] ; then
+ echo "Linking IPFire Custom Firewall Rules Looper"
+ echo "Installing $PWD/data/executable/firewall.local -> /etc/sysconfig/firewall.local"
+ rm /etc/sysconfig/firewall.local
+ cp $PWD/data/originals/firewall.looper $PWD/data/run/firewall.local
+ ln -s $PWD/data/run/firewall.local /etc/sysconfig/firewall.local
+fi
+
+# rules!
+
+if [[ ! -L "/etc/sysconfig/rules.d" ]] ; then
+ echo "Linking IPFire Custom Firewall Rules"
+ echo "Installing $PWD/rules.d/ -> /etc/sysconfig/rules.d"
+ ln -s $PWD/rules.d /etc/sysconfig/rules.d
+fi
--- /dev/null
+#!/bin/sh
+/etc/init.d/firewall reload
--- /dev/null
+#!/bin/sh
+#
+# Redirect All DNS Request Traffic To DNS Server on (Internal) Network
+#
+# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512)
+#
+# Use this at your OWN RISK. It is not fully supported!
+# https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2
+#
+# (c) 2022 MonkeyCat.com
+#
+# v0.9 30/May/2022
+
+
+# uncomment if you setup this dns ruleset
+#setup=true
+
+
+
+if $setup
+then
+ echo "Please setup your dns server ip, accepted range and if you want logging!"
+ echo "inside dns_catchall_redirect.* file"
+ exit
+fi
+
+# Our dns server target
+SERVER="10.0.80.2"
+
+# double negation :-) see rule (!)
+ONLY_ACCEPT_INTERNAL="10.0.0.0/8"
+
+LOGGING=true
+
+
+
+# logging prefix
+PREFIX="DNS"
+PORT=53
+
+case "$1" in
+ start)
+ ## add your 'start' rules here
+
+ # dns logging
+ if $LOGGING
+ then
+ echo "$PREFIX Logging Enabled ($SERVER)"
+ # udp
+ iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+ iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+ iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+ iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+ iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+ # tcp
+ iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+ iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+ iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+ iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+ iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+ fi
+
+ # dns
+ echo "$PREFIX Catch All Enabled ($SERVER)"
+ # udp
+ iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+ iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+ iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+ iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+ iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+ # tcp
+ iptables -A CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT
+ iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP
+ iptables -A CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT
+ iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT
+ iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE
+
+ ;;
+ stop)
+ ## add your 'stop' rules here
+
+
+ # dns logging
+ if $LOGGING
+ then
+ echo $PREFIX Logging Disabled ($SERVER)"
+ # udp
+ iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+ iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+ iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+ iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+ iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+ # tcp
+ iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j LOG --log-prefix "$PREFIX_ACCEPT_PRIVATE "
+ iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_DROP_EXTERNAL "
+ iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_ACCEPT_INTERNAL "
+ iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j LOG --log-prefix "$PREFIX_PREROUTE "
+ iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j LOG --log-prefix "$PREFIX_POSTROUTE "
+ fi
+
+ # dns
+ echo $PREFIX Catch All Disabled ($SERVER)"
+ # udp
+ iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+ iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+ iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+ iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+ iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+ # tcp
+ iptables -D CUSTOMFORWARD -p tcp --dport $PORT -s $SERVER -j ACCEPT
+ iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p tcp --dport $PORT -j DROP
+ iptables -D CUSTOMFORWARD ! -s $SERVER -p tcp --dport $PORT -j ACCEPT
+ iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p tcp --dport $PORT -j DNAT --to $SERVER:$PORT
+ iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p tcp --dport $PORT -d $SERVER -j MASQUERADE
+
+ ;;
+ reload)
+ $0 stop
+ $0 start
+ ## add your 'reload' rules here
+
+ ;;
+ flush)
+ iptables -t nat -F CUSTOMPREROUTING
+ iptables -t nat -F CUSTOMPOSTROUTING
+ iptables -F CUSTOMFORWARD
+
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload|flush}"
+ ;;
+esac
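Review bot: This copy of the DNS ruleset carries the same defects as the other one in this commit: `if $setup` exits both when `setup` is unset and when it is uncommented to `true`, so the rules are never applied — use `if [ "${setup:-false}" != true ]; then` with `exit 1`. The `--log-prefix "$PREFIX_ACCEPT_PRIVATE "` arguments expand an unset variable and should read `"${PREFIX}_ACCEPT_PRIVATE "` (likewise for `_DROP_EXTERNAL`, `_ACCEPT_INTERNAL`, `_PREROUTE`, `_POSTROUTE`), and the two `echo $PREFIX ... ($SERVER)"` lines in `stop` are missing their opening quote.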
--- /dev/null
+#!/bin/sh
+#
+# Redirect All Time Servers Traffic Request To Time Server on (Internal) Network
+#
+# (Not IPFire itself, for that see: https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512)
+#
+# Use this at your OWN RISK. It is not fully supported!
+# https://community.ipfire.org/t/redirect-all-time-servers-request-to-time-server-on-internal-network-not-ipfire-itself/7975/2
+#
+# (c) 2022 MonkeyCat.com
+#
+# v1.0a 30/May/2022
+
+
+# uncomment if you setup this ntp ruleset
+#setup=true
+
+
+
+if $setup
+then
+ echo "Please setup your time server ip, accepted range and if you want logging!"
+ echo "inside "ntp_catchall_redirect.* file"
+ exit
+fi
+
+# Our timer server target
+SERVER="10.0.0.5"
+
+# double negation :-) see rule (!)
+ONLY_ACCEPT_INTERNAL="10.0.0.0/8"
+
+LOGGING=false
+
+
+
+# logging prefix
+PREFIX="NTP"
+PORT=123
+
+case "$1" in
+ start)
+ # ntp logging
+ if $LOGGING
+ then
+ echo "$PREFIX Logging Enabled ($SERVER)"
+ iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE "
+ iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL "
+ iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL "
+ iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE "
+ iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE "
+ fi
+
+ # ntp
+ echo "$PREFIX Catch All Enabled ($SERVER)"
+ iptables -A CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+ iptables -A CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+
+ iptables -A CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+ iptables -t nat -A CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+ iptables -t nat -A CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+
+ ;;
+ stop)
+ # ntp logging
+ if $LOGGING
+ then
+ echo "$PREFIX Logging Disabled ($SERVER)"
+ iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j LOG --log-prefix ""$PREFIX_ACCEPT_PRIVATE "
+ iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_DROP_EXTERNAL "
+ iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_ACCEPT_INTERNAL "
+ iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j LOG --log-prefix ""$PREFIX_PREROUTE "
+ iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j LOG --log-prefix ""$PREFIX_POSTROUTE "
+ fi
+
+ # ntp
+ echo "$PREFIX Catch All Disabled ($SERVER)"
+ iptables -D CUSTOMFORWARD -p udp --dport $PORT -s $SERVER -j ACCEPT
+ iptables -D CUSTOMFORWARD ! -s $ONLY_ACCEPT_INTERNAL -p udp --dport $PORT -j DROP
+ iptables -D CUSTOMFORWARD ! -s $SERVER -p udp --dport $PORT -j ACCEPT
+ iptables -t nat -D CUSTOMPREROUTING ! -s $SERVER -p udp --dport $PORT -j DNAT --to $SERVER:$PORT
+ iptables -t nat -D CUSTOMPOSTROUTING ! -s $SERVER -p udp --dport $PORT -d $SERVER -j MASQUERADE
+
+ ;;
+ reload)
+ $0 stop
+ $0 start
+ ## add your 'reload' rules here
+
+ ;;
+ flush)
+ iptables -t nat -F CUSTOMPREROUTING
+ iptables -t nat -F CUSTOMPOSTROUTING
+ iptables -F CUSTOMFORWARD
+
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|reload|flush}"
+ ;;
+esac
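Review bot: This copy of the NTP ruleset repeats the mis-quoted `--log-prefix ""$PREFIX_ACCEPT_PRIVATE "` arguments (empty word, unset variable, stray trailing quote that spills onto the next line) and the broken `echo "inside "ntp_catchall_redirect.* file"`; use `--log-prefix "${PREFIX}_ACCEPT_PRIVATE "` for each of the five suffixes and `echo "inside ntp_catchall_redirect.* file"`. The `if $setup` guard also fires whether `setup` is unset or set to `true`, so the ruleset cannot be enabled as the comment describes; test it with `if [ "${setup:-false}" != true ]; then`.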
--- /dev/null
+#!/bin/sh
+
+# backup... tjust in case...
+echo "Backup of firewall.local -> $PWD/data/backups/firewall.$(date +"%Y_%m_%d_%I_%M_%p_%s").local"
+mkdir -p $PWD/data/backups
+cp /etc/sysconfig/firewall.local $PWD/data/backups/firewall.$(date +"%Y_%m_%d_%I_%M_%p_%s").local
+
+# Another backup!
+echo "Backup of firewall.local -> firewall.local.old"
+cp -PL /etc/sysconfig/firewall.local /etc/sysconfig/firewall.local.old
+rm /etc/sysconfig/firewall.local
+
+# Removing rules symbolic link
+echo "Removing IPFire Custom Firewall Rules"
+if [[ -L "/etc/sysconfig/rules.d" ]] ; then
+ rm /etc/sysconfig/rules.d
+fi
+
+echo "Removing IPFire Custom Firewall Rules Looper"
+echo "Restore of $PWD/data/originals/firewall.original /etc/sysconfig/firewall.local"
+cp $PWD/data/originals/firewall.original /etc/sysconfig/firewall.local