From 9e0eb39d1862b4be6b5b23b41129fe3352ad55e2 Mon Sep 17 00:00:00 2001 From: Dustyn Blackmore Date: Thu, 10 May 2018 17:32:01 +1000 Subject: [PATCH] Incomplete New Features In process of adding logging of ongoing connections. Updated rules-base.nft Removed 'ct state estab rel' rule (added in final counters function) Added meta mark captures for logging (may change) Ideally; want to use meta mark flag instead of new queue binding. Updated index.js Properly references configuration files in last change (bug) --- src/config/rules-base.nft | 4 ++-- src/index.js | 37 +++++++++++++++++++++++++++++++------ 2 files changed, 33 insertions(+), 8 deletions(-) diff --git a/src/config/rules-base.nft b/src/config/rules-base.nft index 753ff88..7d26f2c 100644 --- a/src/config/rules-base.nft +++ b/src/config/rules-base.nft @@ -5,9 +5,9 @@ table ip filter { type filter hook input priority 0; policy drop; counter; meta mark 666 counter drop comment "NodeJS Rejected"; + meta mark 9999 counter queue num 9999 comment "NodeJS Accepted - LOGGING"; meta mark 999 counter accept comment "NodeJS Accepted"; ct state { invalid, untracked } counter drop; - ct state { established, related } counter accept; counter; } @@ -16,9 +16,9 @@ table ip filter { counter; meta mark 666 counter drop comment "NodeJS Rejected"; meta mark 777 counter reject with icmp type admin-prohibited; + meta mark 9999 counter queue num 9999 comment "NodeJS Accepted - LOGGING"; meta mark 999 counter accept comment "NodeJS Accepted"; ct state { invalid, untracked } counter drop; - ct state { established, related } counter accept; counter; } } diff --git a/src/index.js b/src/index.js index a0c170e..4611a37 100644 --- a/src/index.js +++ b/src/index.js @@ -35,7 +35,7 @@ function checkConfig (err, filename) { switch (filename) { case 'rules.json': console.log('Rules Configuration Changed - Reloding..') - fs.readFile('./src/config/rules.json', 'utf8', (err, data) => { + fs.readFile('./config/rules.json', 'utf8', (err, data) => { if (err) throw err; let newRules = JSON.parse(data); rules = newRules.rules; @@ -43,7 +43,7 @@ function checkConfig (err, filename) { break; case 'interfaces.json': console.log('Interfaces Configuration Changed - Reloding..') - fs.readFile('./src/config/interfaces.json', 'utf8', (err, data) => { + fs.readFile('./config/interfaces.json', 'utf8', (err, data) => { if (err) throw err; let newInterfaces = JSON.parse(data); systemInterfaces = newInterfaces.interfaces; @@ -62,20 +62,24 @@ let packetsRejectedIn = 0; let packetsRejectedOut = 0; // An array to store our interfaces. -let interfaces = [] +let interfaces = []; // Sets base rules, with default to 'drop', but allows established and related connections. function insertFinalCounters () { return Promise.all([ + nft.add('rule ip filter input ct state { established, related } counter accept'), nft.add('rule ip filter input counter'), + nft.add('rule ip filter output ct state { established, related } counter accept'), nft.add('rule ip filter output counter'), ]) } function insertInterfaceRules (interface) { return Promise.all([ - nft.add('rule ip filter input iif ' + interface.name + ' ct state new counter nftrace set 1 queue num ' + interface.number), - nft.add('rule ip filter output oif ' + interface.name + ' ct state new counter nftrace set 1 queue num 100' + interface.number) + nft.add('rule ip filter input iif ' + interface.name + ' ct state new counter nftrace set 1 meta mark set 1234 queue num ' + interface.number), + nft.add('rule ip filter input iif ' + interface.name + ' meta mark 9999 counter queue num 200' + interface.number), + nft.add('rule ip filter output oif ' + interface.name + ' ct state new counter nftrace set 1 meta mark set 1234 queue num 100' + interface.number), + nft.add('rule ip filter output oif ' + interface.name + ' meta mark 9999 counter queue num 210' + interface.number) ]); } @@ -210,6 +214,16 @@ function bindQueueHandlers () { } }); + interface.queueInLog = nfq.createQueueHandler(parseInt('200' + interface.number), buffer, (nfpacket) => { + let decoded = new IPv4().decode(nfpacket.payload, 0); + let stringified = nfpacket.payload.toString(); + let clonedPacket = Object.assign({}, nfpacket, { payloadDecoded: decoded, payloadStringified: stringified }); + + handleActions(rules['incoming'][packet.payloadDecoded.protocol.toString()][interface.zone].acceptAction, packet); + + nfpacket.setVerdict(NF_ACCEPT, 9999); + }); + interface.queueOut = nfq.createQueueHandler(parseInt('100' + interface.number), buffer, (nfpacket) => { let decoded = new IPv4().decode(nfpacket.payload, 0); let stringified = nfpacket.payload.toString(); @@ -231,7 +245,18 @@ function bindQueueHandlers () { nfpacket.setVerdict(NF_REQUEUE, 999); } }); - }) + + interfaceLoggerQueueOut = nfq.createQueueHandler(parseInt('210' + interface.number), buffer, (nfpacket) => { + let decoded = new IPv4().decode(nfpacket.payload, 0); + let stringified = nfpacket.payload.toString(); + let clonedPacket = Object.assign({}, nfpacket, { payloadDecoded: decoded, payloadStringified: stringified }); + + handleActions(rules['ougoing'][packet.payloadDecoded.protocol.toString()][interface.zone].acceptAction, packet); + + nfpacket.setVerdict(NF_ACCEPT, 9999); + }); + + }); } console.log('Flushing rules...');