authorDavid Sommerseth <dazo@users.sourceforge.net>2008-10-21 17:03:09 +0200
committerDavid Sommerseth <dazo@users.sourceforge.net>2008-10-21 17:03:09 +0200
commit1a9355f84232b835654de0a1088ea88de027d0a9 (patch)
treef8755083983da5651f68e6e345fc9cd39c2ffa5e /plugin/firewall
parent0ea1a3e2e6a10300388e01ac89504abe3624ae56 (diff)
Added (untested) firewall block when IP addresses are blacklisted
If the configuration variable 'firewall_blacklist_destination' is set, DROP rules will be inserted when access from a blacklisted IP address is attempted. This feature is not tested yet.
Diffstat (limited to 'plugin/firewall')
-rw-r--r--plugin/firewall/eurephiafw.c25
-rw-r--r--plugin/firewall/eurephiafw.h1
-rw-r--r--plugin/firewall/iptables/efw_iptables.c37
3 files changed, 52 insertions, 11 deletions
diff --git a/plugin/firewall/eurephiafw.c b/plugin/firewall/eurephiafw.c
index 9fed02e..4df4459 100644
--- a/plugin/firewall/eurephiafw.c
+++ b/plugin/firewall/eurephiafw.c
@@ -132,6 +132,12 @@ void eFW_StartFirewall(eurephiaCTX *ctx) {
eurephia_log(ctx, LOG_INFO, 1, "Using '%s' as firewall rule for VPN accesses", fwdest);
}
+ ctx->fwcfg->fwblacklist = eGet_value(ctx->dbc->config, "firewall_blacklist_destination");
+ if( ctx->fwcfg->fwblacklist != NULL ) {
+ eurephia_log(ctx, LOG_INFO, 1,
+ "Blacklisted IP addresses will also be blocked in '%s'",
+ ctx->fwcfg->fwblacklist);
+ }
eurephia_log(ctx, LOG_INFO, 3, "Starting eurephia firewall interface");
// Setup semaphores we need
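Review bot: The value read into ctx->fwcfg->fwblacklist is only logged, never validated, yet it later travels through the space-delimited firewall message (`"B %s %s"` in eFW_UpdateFirewall) and ends up as the chain name after `-A` in the iptables backend, so a configured value containing whitespace would be split at the wrong place by process_input and the DROP rule would land in the wrong chain or fail. Rejecting such values here, at load time, is the cheapest place: after the NULL check, something like `if( strpbrk(ctx->fwcfg->fwblacklist, " \t") != NULL ) { eurephia_log(ctx, LOG_CRITICAL, 0, "firewall_blacklist_destination must not contain whitespace"); ctx->fwcfg->fwblacklist = NULL; }`. It is also not visible here whether eGet_value() hands back a pointer into the config store or a copy the caller owns; a one-line comment stating which, and where it is released, would prevent a leak or a dangling pointer in eFW_StopFirewall. eFW_StartFirewall's body continues outside the hunk.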
@@ -254,7 +260,7 @@ void eFW_StopFirewall(eurephiaCTX *ctx) {
int eFW_UpdateFirewall(eurephiaCTX *ctx, int mode,
- const char *macaddr, const char *fwdest, const char *fwprofile) {
+ const char *addr, const char *fwdest, const char *fwprofile) {
char buf[1026];
if( (*ctx->fwcfg).thrdata.fw_command == NULL ) {
@@ -267,22 +273,29 @@ int eFW_UpdateFirewall(eurephiaCTX *ctx, int mode,
switch( mode ) {
case FWRULE_ADD:
eurephia_log(ctx, LOG_INFO, 3, "Function call: eFW_UpdateFirewall(ctx, %s, '%s', '%s', '%s')",
- "ADD", macaddr, fwdest, fwprofile);
- snprintf(buf, 1024, "A %s %s %s", macaddr, fwdest, fwprofile);
+ "ADD", addr, fwdest, fwprofile);
+ snprintf(buf, 1024, "A %s %s %s", addr, fwdest, fwprofile);
mq_send((*ctx->fwcfg).thrdata.msgq, buf, strlen(buf)+1, 1);
return 1;
case FWRULE_DELETE:
eurephia_log(ctx, LOG_INFO, 3, "Function call: eFW_UpdateFirewall(ctx, %s, '%s', '%s', '%s')",
- "DELETE", macaddr, fwdest, fwprofile);
- snprintf(buf, 1024, "D %s %s %s", macaddr, fwdest, fwprofile);
+ "DELETE", addr, fwdest, fwprofile);
+ snprintf(buf, 1024, "D %s %s %s", addr, fwdest, fwprofile);
+ mq_send((*ctx->fwcfg).thrdata.msgq, buf, strlen(buf)+1, 1);
+ return 1;
+
+ case FWRULE_BLACKLIST:
+ eurephia_log(ctx, LOG_INFO, 3, "Function call: eFW_UpdateFirewall(ctx, %s, '%s','%s', NULL)",
+ "BLACKLIST", addr, fwdest);
+ snprintf(buf, 1024, "B %s %s", addr, fwdest);
mq_send((*ctx->fwcfg).thrdata.msgq, buf, strlen(buf)+1, 1);
return 1;
default:
eurephia_log(ctx, LOG_CRITICAL, 0,
"Function call: eFW_UpdateFirewall(ctx, %s, '%s') - UNKNOWN MODE", "(unknown)",
- macaddr);
+ addr);
return 0;
}
}
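Review bot: The new FWRULE_BLACKLIST case passes addr and fwdest straight into `snprintf(buf, 1024, "B %s %s", addr, fwdest)`; eFW_StartFirewall explicitly allows ctx->fwcfg->fwblacklist to be NULL, so a caller that forwards it unconditionally reaches `%s` with a NULL argument, which is undefined behaviour rather than a clean failure. A guard at the top of the case, `if( addr == NULL || fwdest == NULL ) { eurephia_log(ctx, LOG_CRITICAL, 0, "eFW_UpdateFirewall(BLACKLIST): missing address or destination"); return 0; }`, keeps the unknown-mode path's existing return-0 contract. The case also repeats the pattern of ignoring mq_send()'s return value, so a full or closed queue silently drops the DROP rule while the function still reports 1; logging a failed mq_send here (and in the ADD/DELETE cases that were touched anyway) would make that visible. The log message itself claims the call had a NULL fourth argument, which is not something the function can know — fwprofile is simply unused in this mode.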
diff --git a/plugin/firewall/eurephiafw.h b/plugin/firewall/eurephiafw.h
index 0c82b30..9beee4d 100644
--- a/plugin/firewall/eurephiafw.h
+++ b/plugin/firewall/eurephiafw.h
@@ -23,6 +23,7 @@
#define FWRULE_ADD 0x101
#define FWRULE_DELETE 0x102
+#define FWRULE_BLACKLIST 0x103
int eFW_load(eurephiaCTX *ctx, const char *intf);
int eFW_unload(eurephiaCTX *ctx);
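Review bot: FWRULE_BLACKLIST silently changes what eFW_UpdateFirewall's arguments mean — addr becomes an IP address instead of a MAC address, fwdest the chain that receives a DROP rule, and fwprofile is ignored — but the header gives no hint of that. A comment next to the new define, such as `/* addr is an IP address, fwdest the chain receiving a DROP rule; fwprofile is ignored */`, and matching one-liners on FWRULE_ADD/FWRULE_DELETE, would spare callers a trip into the iptables backend to find out.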
diff --git a/plugin/firewall/iptables/efw_iptables.c b/plugin/firewall/iptables/efw_iptables.c
index 9e0aaa4..f62f059 100644
--- a/plugin/firewall/iptables/efw_iptables.c
+++ b/plugin/firewall/iptables/efw_iptables.c
@@ -98,7 +98,7 @@ void eFW_RunFirewall(void *fwargs) {
int process_input(eurephiaCTX *ctx, const char *fwcmd, const char *input) {
- char mode[3], *macaddr = NULL, *destchain = NULL, *jump = NULL;
+ char mode[3], *addr = NULL, *destchain = NULL, *jump = NULL;
char *msg = NULL, *orig_msg = NULL;
char *iptables_args[] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL};
int ret = 0;
@@ -121,10 +121,10 @@ int process_input(eurephiaCTX *ctx, const char *fwcmd, const char *input) {
case 'A':
case 'D':
iptables_args[1] = mode;
- macaddr = msg; // start of string for macaddr
+ addr = msg; // start of string for macaddr
// Search for end of macaddr and NULL terminate it
- destchain = macaddr+1;
+ destchain = addr+1;
while( (*destchain != 0x20) || (*destchain == 0) ) {
destchain++;
}
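Review bot: The delimiter scan `while( (*destchain != 0x20) || (*destchain == 0) )`, kept here and copied verbatim into the new 'B' case further down this file, never stops at the terminator: when *destchain is 0 the first operand is already true, so the loop walks past the end of the message and the `if( *destchain == 0 ) return 0;` that follows it in the 'B' case can never fire. A message without a second field (for example when the destination chain is missing) therefore turns into an out-of-bounds read instead of a rejected command; the condition should be `while( (*destchain != 0x20) && (*destchain != 0) ) {` in both places. Separately, the comments on the renamed lines still say "start of string for macaddr" and "end of macaddr" although the variable is now `addr` and, for mode 'B', holds an IP address; `// start of the address field (MAC for A/D, IP for B)` would keep them truthful. process_input's body continues outside the hunk.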
@@ -146,7 +146,7 @@ int process_input(eurephiaCTX *ctx, const char *fwcmd, const char *input) {
iptables_args[3] = "-m\0";
iptables_args[4] = "mac\0";
iptables_args[5] = "--mac-source\0";
- iptables_args[6] = macaddr;
+ iptables_args[6] = addr;
iptables_args[7] = "-m\0";
iptables_args[8] = "state\0";
iptables_args[9] = "--state\0";
@@ -157,7 +157,34 @@ int process_input(eurephiaCTX *ctx, const char *fwcmd, const char *input) {
eurephia_log(ctx, LOG_INFO, 3, "eFW_RunFirewall - updating iptables rules "
"==> mode: %s macaddr: '%s' destchain: '%s' jump: '%s'",
- (mode[1] == 'A' ? "ADD":"DELETE"), macaddr, destchain, jump);
+ (mode[1] == 'A' ? "ADD":"DELETE"), addr, destchain, jump);
+ ret = call_iptables(ctx, fwcmd, iptables_args);
+ break;
+
+ case 'B':
+ addr = msg; // start of string for IP address to block
+
+ // Search for end of IP address and NULL terminate it
+ destchain = addr+1;
+ while( (*destchain != 0x20) || (*destchain == 0) ) {
+ destchain++;
+ }
+ if( *destchain == 0 ) {
+ return 0;
+ }
+ *destchain = 0; // end of string for IP address
+ destchain++; // start of string for destchain
+
+ iptables_args[1] = "-A\0";
+ iptables_args[2] = destchain;
+ iptables_args[3] = "-s\0";
+ iptables_args[4] = addr;
+ iptables_args[5] = "-j\0";
+ iptables_args[6] = "DROP\0";
+ iptables_args[7] = NULL;
+
+ eurephia_log(ctx, LOG_INFO, 3, "eFW_RunFirewall - updating iptables rules "
+ "==> mode: BLACKLIST destchain: '%s' IP address: %s", destchain, addr);
ret = call_iptables(ctx, fwcmd, iptables_args);
break;