You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
fw-daemon/sgfw/iptables.go

53 lines
1.6 KiB

package sgfw
import (
"fmt"
"os"
"os/exec"
"strings"
)
const iptablesRule = "OUTPUT -t mangle -m conntrack --ctstate NEW -j NFQUEUE --queue-num 0 --queue-bypass"
const realmsRule = "FORWARD -t mangle -m conntrack --ctstate NEW -j NFQUEUE --queue-num 0 --queue-bypass"
const dnsRule2 = "FORWARD --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass"
const dnsRule = "INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass"
//const logRule = "OUTPUT --protocol tcp -m mark --mark 1 -j LOG"
const blockRule = "OUTPUT --protocol tcp -m mark --mark 1 -j REJECT"
const blockRule2 = "FORWARD --protocol tcp -m mark --mark 1 -j REJECT"
func setupIPTables() {
// addIPTRules(iptablesRule, dnsRule, logRule, blockRule)
// addIPTRules(iptablesRule, realmsRule, dnsRule, dnsRule2, blockRule,blockRule2)
//addIPTRules(iptablesRule, realmsRule, dnsRule, blockRule)
addIPTRules(iptablesRule, realmsRule, dnsRule, dnsRule2, blockRule,blockRule2)
}
func addIPTRules(rules ...string) {
for _, r := range rules {
if iptables('C', r) {
log.Infof("IPTables rule already present: %s", r)
} else {
log.Infof("Installing IPTables rule: %s", r)
iptables('I', r)
}
}
}
func iptables(verb rune, rule string) bool {
iptablesPath, err := exec.LookPath("iptables")
if err != nil {
log.Warning("Could not find iptables binary in path")
os.Exit(1)
}
argLine := fmt.Sprintf("-%c %s", verb, rule)
args := strings.Fields(argLine)
cmd := exec.Command(iptablesPath, args...)
_, err = cmd.CombinedOutput()
_, exitErr := err.(*exec.ExitError)
if err != nil && !exitErr {
log.Warningf("Error running iptables: %v", err)
}
return !exitErr
}