Forcing all DNS traffic from the LAN to the firewall

I have been testing Jon's (@jon) setup from post #65. Looks like it works, both the NTP and DNS preroutes. Thanks for the command in post 96 via Andreas @troll-op. Allowed me to also probe NTP rules. Device 192.168.10.5 is configured to get NTP from firewall 192.168.10.1, but device 192.168.10.151 (which I thought I had manually configured to use the firewall for NTP) is redirected to the firewall, at least according to this output:

    [NEW] udp      17 30 src=192.168.10.5 dst=192.168.10.1 sport=123 dport=123 [UNREPLIED] src=192.168.10.1 dst=192.168.10.5 sport=123 dport=123
 [UPDATE] udp      17 30 src=192.168.10.5 dst=192.168.10.1 sport=123 dport=123 src=192.168.10.1 dst=192.168.10.5 sport=123 dport=123
    [NEW] udp      17 30 src=192.168.10.151 dst=137.190.2.4 sport=34816 dport=123 [UNREPLIED] src=192.168.10.1 dst=192.168.10.151 sport=123 dport=34816
 [UPDATE] udp      17 30 src=192.168.10.151 dst=137.190.2.4 sport=34816 dport=123 src=192.168.10.1 dst=192.168.10.151 sport=123 dport=34816

So far looking good :+1:

P


Not allowed to use 8.8.8.8, not in my Domain Name System.
Is this working?

Do I need a firewall rule too?
Looks like it's not loading or not started.
Used nano, easier than Vi.

Make the firewall.local executable:

    chmod +x /etc/sysconfig/firewall.local

If running for the first time, enter:

    /etc/sysconfig/firewall.local start

Perhaps upnpd is to blame? Will test later.
Edited miniupnpd.conf to ports above 1024 and port 88.
Do I need to change the default firewall policy to block first?


What do you add when the DNS server is not IPFire itself, but another server in the green zone?

You can specify DNS servers, NTP servers and WINS servers for your Green zone (and/or Blue zone) nodes via the Network → DHCP configuration web page in the WUI.

Let me refine: NTP, DHCP and DNS are all separate servers located in the green zone, not running on the IPFire box itself. DHCP because it is easier to configure and maintain with the custom frontend/scripts already created. NTP because it is a Stratum-1 server, with fail-over servers, etc. Servers which have been working, upgraded and maintained for at least a decade, and that I can't migrate to the IPFire box without breaking things and undercutting functionality. NTP for example is stratum 1, etc.

So how do I redirect all the DNS and NTP request traffic, as explained above, to those servers instead of the IPFire box itself?

That case is a bit more complicated.
The IPFire structure uses the DHCP config to do 'automatic' tasks.
This config knows about NTP and DNS (with wpad also about the proxy), so this information can be used by the firewall scripts.
If the DNS and NTP servers are not on IPFire itself, you must use DNAT. REDIRECT routes to IPFire.
For a quick info see "Iptables REDIRECT vs. DNAT vs. TPROXY – What I've learned during GSoC" (almost cited by @mfischer above).
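The two rule shapes just described, as an added example that is neither IPFire's own firewall.local nor any poster's code. It assumes green0 as the green interface, 192.168.10.1 as IPFire's green address and a green-zone NTP server at 192.168.10.21 (all assumed values); the DNAT case also adds the SNAT a practitioner needs when client and server sit on the same subnet, otherwise the server answers the client directly and the reply never gets un-NATed.

```shell
#!/bin/sh
# Added example: force green-zone DNS/NTP either to IPFire (REDIRECT) or to
# another green-zone host (DNAT + SNAT). Assumed values, adjust to your setup.
IPTABLES="${IPTABLES:-iptables}"      # set IPTABLES=echo to preview rules
GREEN_IF="${GREEN_IF:-green0}"        # assumed green interface name
GREEN_IP="${GREEN_IP:-192.168.10.1}"  # assumed IPFire green address
NTP_SERVER="${NTP_SERVER:-192.168.10.21}"  # assumed green-zone Stratum-1 NTP

# Case 1: the service runs on IPFire itself. REDIRECT rewrites the destination
# to the firewall's own address on the incoming interface, nothing else needed.
# Traffic already addressed to the firewall is left alone.
redirect_to_firewall() {
    proto=$1; port=$2
    $IPTABLES -t nat -A PREROUTING -i "$GREEN_IF" -p "$proto" --dport "$port" \
        ! -d "$GREEN_IP" -j REDIRECT --to-ports "$port"
}

# Case 2: the service runs on another green-zone host. DNAT to it, then SNAT
# the DNAT'ed flows to the firewall so the server's reply returns through
# IPFire (same-subnet hairpin); without the SNAT the client would get a reply
# from an address it never queried and discard it.
dnat_to_lan_server() {
    proto=$1; port=$2; server=$3
    $IPTABLES -t nat -A PREROUTING -i "$GREEN_IF" -p "$proto" --dport "$port" \
        ! -d "$server" -j DNAT --to-destination "$server:$port"
    $IPTABLES -t nat -A POSTROUTING -o "$GREEN_IF" -m conntrack --ctstate DNAT \
        -d "$server" -p "$proto" --dport "$port" -j SNAT --to-source "$GREEN_IP"
}

# The mixed setup from the thread: resolver on IPFire, NTP on a green host.
setup_green_dns_ntp() {
    redirect_to_firewall udp 53
    redirect_to_firewall tcp 53
    dnat_to_lan_server udp 123 "$NTP_SERVER"
}
```

Run `IPTABLES=echo sh script.sh` style previews before calling `setup_green_dns_ntp` from the start case of firewall.local.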

Fixed!

https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=21b37391f9769718df7bd726453140f4ec8ff1c0