* Creating, editing, removing rules from C(++)
From: Thomas Delrue @ 2015-07-21 21:41 UTC (permalink / raw)
  To: netfilter


Hi,

Is there a way to interact with the firewall rules from a C(++) program?
What I'm really trying to do is have a program that only allows a
certain set of CIDRs through the firewall through a particular port.
However these CIDRs change from time to time and so my application is
there to update the firewall rules to make sure that the firewall rules
contain the latest and greatest information that says: "drop everything
trying to connect to port P EXCEPT for stuff originating from these CIDRs".

The information I've found so far seems to indicate I should look at
libnftnl and nftables but I'm not sure this is right.
Can you point me to the documentation for this? I've been looking online
for information on how to do this but haven't found anything really.

Thanks,
Thomas



* Re: Creating, editing, removing rules from C(++)
From: alvin @ 2015-07-21 22:30 UTC (permalink / raw)
  To: Thomas Delrue; +Cc: netfilter, alvin


hi thomas

> Is there a way to interact with the firewall rules from a C(++) program?
> What I'm really trying to do is have a program that only allows a
> certain set of CIDRs through the firewall through a particular port.
> However these CIDRs change from time to time and so my application is
> there to update the firewall rules to make sure that the firewall rules
> contain the latest and greatest information that says: "drop everything
> trying to connect to port P EXCEPT for stuff originating from these CIDRs".

yes, i update iptables rules randomly and on the fly

iptables recent module did not do what i wanted so i wrote the 
add or delete iptables rules in C

it has a command line interface or web pages with cgi-bin 

modifying iptables rules from apache requires visudo to 
allow apache to modify iptable rules which is kinda dangerous :-)

# eg. add incoming ddos attackers to iptables blacklist
# iptables-gui -autoadd ... 'a.b.c.d|w.x.y.z'

# the corresponding actual iptable rule:
  iptables -I BlackList -p tcp -s a.b.c.d -d myLAN/24 -j TARPIT

# eg. remove inactive ddos attacks from the blacklist
# iptables-gui -autodelete ... w.x.y.z

# the corresponding actual iptable rule:
  iptables -D BlackList -p tcp -s w.x.y.z -d myLAN/24 -j TARPIT

- online demo:  http://DDoS-Mitigator.net/cgi-bin/IPtables-GUI.pl

have fun
alvin

> The information I've found so far seems to indicate I should look at
> libnftnl and nftables but I'm not sure this is right.
> Can you point me to the documentation for this? I've been looking online
> for information on how to do this but haven't found anything really.
> 
> Thanks,
> Thomas


* Re: Creating, editing, removing rules from C(++)
From: Neal P. Murphy @ 2015-07-21 23:15 UTC (permalink / raw)
  To: Thomas Delrue; +Cc: netfilter

On Tue, 21 Jul 2015 17:41:26 -0400
Thomas Delrue <thomas.delrue@fundamental-software.net> wrote:

> Hi,
> 
> Is there a way to interact with the firewall rules from a C(++) program?
> What I'm really trying to do is have a program that only allows a
> certain set of CIDRs through the firewall through a particular port.
> However these CIDRs change from time to time and so my application is
> there to update the firewall rules to make sure that the firewall rules
> contain the latest and greatest information that says: "drop everything
> trying to connect to port P EXCEPT for stuff originating from these CIDRs".

It seems in your case that you don't need high performance or high efficiency, so you should be able to use system() to run iptables-restore.

Considering the vagaries of writing a C/C++ program to manipulate netfilter directly (it can be done, but isn't necessarily straightforward and the API can change for various reasons now and again), and considering that your CIDRs only change from time to time, you may find it easier to pipe the changes to iptables-restore.

The idea below is conceptual; it's close but may not be syntactically correct and you may want packet identification to be more solid. It should be enough to point you in the direction of least resistance.

The permanent F/W config might be something like:
----
 ...
-N restrict_1234
-A restrict_1234 -p tcp -m state --state ESTABLISHED \
    -j REJECT --reject-with tcp-reset
-A restrict_1234 \
    -j REJECT --reject-with icmp-admin-prohibited
 ...
-A FORWARD -p tcp --dport 1234 -j restrict_1234
-A FORWARD -p udp --dport 1234 -j restrict_1234
 ...
----
On firewall setup, the default is to prohibit all conns to port 1234; your daemon will change this when it starts.

When the CIDRs change or when your daemon starts, you could pipe something like the following to iptables-restore:
----
-F restrict_1234
-A restrict_1234 -s CIDR-A -j RETURN
-A restrict_1234 -s CIDR-B -j RETURN
-A restrict_1234 -p tcp -m state --state ESTABLISHED \
    -j REJECT --reject-with tcp-reset
-A restrict_1234 \
    -j REJECT --reject-with icmp-admin-prohibited
----
(I don't remember if iptables-restore reads from STDIN; if not, use a temp intermediate file.) iptables-restore will perform the work atomically. The "-j RETURN" allows your remaining rules to handle the conn; it might not be wise to ACCEPT packets here, but this depends on your firewall design.

You definitely want to reset existing TCP conns; but you can DROP new conn attempts instead of REJECTing them.

One moment, the existing allowed CIDRs are connecting and talking. The next moment, new allowed CIDRs can connect and talk, existing conns from still-allowed CIDRs continue talking, conns from no-longer-allowed CIDRs are immediately disconnected (one side at a time, when the next packet comes in, not one more packet passes through the firewall), and new conn attempts from disallowed CIDRs are rejected. This method works very well when using the time module; one moment the kids are playing their online games and the next moment they are disconnected and cannot reconnect. And it works for TCP and UDP.

You *can* write a C/C++ interface to netfilter. But it's often better, easier, and clearer to use existing utilities. Especially when the task isn't too involved and performance and efficiency aren't all that critical (i.e., "... CIDRs change from time to time..." doesn't seem to require highly efficient code).

N
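The approach Neal sketches, written out as an added C example (this is not code from the thread): the program validates each CIDR, regenerates the restrict_1234 chain as an iptables-restore fragment and pipes it through popen(). The chain name, the port and the sample CIDRs are assumptions carried over from the sketch. iptables-restore does read its input from stdin, and -n (--noflush) leaves the rest of the filter table untouched while the fragment itself is still committed atomically. The CIDR check matters because the text is handed to a privileged command: anything that is not a dotted quad with an optional prefix length is refused before any rule is touched.

```c
/* Added example (not from the thread): regenerate the restrict_1234 chain
 * Neal describes from a list of CIDRs and hand it to iptables-restore.
 * Assumptions: restrict_1234 already exists in the filter table (created by
 * the permanent ruleset) and the program runs with CAP_NET_ADMIN. */
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>

/* Accept only "a.b.c.d" or "a.b.c.d/len" with len 0..32. Rejecting anything
 * else keeps stray options and shell text out of what we feed to a
 * privileged command. */
int valid_cidr4(const char *s) {
    char addr[32];
    const char *slash = strchr(s, '/');
    size_t n = slash ? (size_t)(slash - s) : strlen(s);
    if (n == 0 || n >= sizeof addr) return 0;
    memcpy(addr, s, n);
    addr[n] = '\0';
    struct in_addr in;
    if (inet_pton(AF_INET, addr, &in) != 1) return 0;
    if (slash) {
        char *end;
        long len = strtol(slash + 1, &end, 10);
        if (slash[1] == '\0' || *end != '\0' || len < 0 || len > 32) return 0;
    }
    return 1;
}

/* Build the iptables-restore fragment: flush the chain, one RETURN per
 * allowed CIDR, then reset established TCP and refuse everything else, as in
 * Neal's sketch. Returns the number of CIDRs written, or -1 if one is
 * malformed or the buffer is too small (nothing is applied in that case). */
int build_fragment(const char **cidrs, int count, char *out, size_t cap) {
    int n = snprintf(out, cap, "*filter\n-F restrict_1234\n");
    if (n < 0 || (size_t)n >= cap) return -1;
    size_t used = (size_t)n;
    for (int i = 0; i < count; i++) {
        if (!valid_cidr4(cidrs[i])) return -1;
        n = snprintf(out + used, cap - used,
                     "-A restrict_1234 -s %s -j RETURN\n", cidrs[i]);
        if (n < 0 || (size_t)n >= cap - used) return -1;
        used += (size_t)n;
    }
    n = snprintf(out + used, cap - used,
        "-A restrict_1234 -p tcp -m state --state ESTABLISHED"
        " -j REJECT --reject-with tcp-reset\n"
        "-A restrict_1234 -j REJECT --reject-with icmp-admin-prohibited\n"
        "COMMIT\n");
    if (n < 0 || (size_t)n >= cap - used) return -1;
    return count;
}

/* Pipe the fragment to iptables-restore on stdin. -n (--noflush) keeps the
 * other chains of the filter table as they are; only restrict_1234 is
 * rewritten, and the whole fragment is committed in one go.
 * Returns the command's exit status, or -1 if it could not be started. */
int apply_fragment(const char *fragment) {
    FILE *p = popen("iptables-restore -n", "w");
    if (!p) return -1;
    fputs(fragment, p);
    int status = pclose(p);
    return status == -1 ? -1 : WEXITSTATUS(status);
}

int main(void) {
    /* Constructed sample: the CIDRs currently allowed to reach port 1234. */
    const char *allowed[] = { "192.0.2.0/24", "198.51.100.17" };
    char buf[4096];
    if (build_fragment(allowed, 2, buf, sizeof buf) < 0) {
        fputs("malformed CIDR list, rules left untouched\n", stderr);
        return 1;
    }
    int rc = apply_fragment(buf);
    if (rc != 0) fprintf(stderr, "iptables-restore failed (status %d)\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Because the fragment is rebuilt from scratch and validated before popen() is called, a bad entry in the CIDR list leaves the running ruleset exactly as it was rather than half-flushed.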


* Re: Creating, editing, removing rules from C(++)
From: Sven-Haegar Koch @ 2015-07-22  0:08 UTC (permalink / raw)
  To: Neal P. Murphy; +Cc: Thomas Delrue, netfilter

On Tue, 21 Jul 2015, Neal P. Murphy wrote:

> On Tue, 21 Jul 2015 17:41:26 -0400
> Thomas Delrue <thomas.delrue@fundamental-software.net> wrote:
> 
> > Is there a way to interact with the firewall rules from a C(++) program?
> > What I'm really trying to do is have a program that only allows a
> > certain set of CIDRs through the firewall through a particular port.
> > However these CIDRs change from time to time and so my application is
> > there to update the firewall rules to make sure that the firewall rules
> > contain the latest and greatest information that says: "drop everything
> > trying to connect to port P EXCEPT for stuff originating from these CIDRs".
> 
> It seems in your case that you don't need high performance or high 
> efficiency, so you should be able to use system() to run 
> iptables-restore.

And in this special case of "set of CIDRs" it even more sounds like a 
job for ipset - setup a static iptables ruleset using iptables-restore, 
and if you need performance modify the list of network ranges in a 
hash-table using libipset.

c'ya
sven-haegar

-- 
Three may keep a secret, if two of them are dead.
- Ben F.
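Sven's variant as an added C example (not code from the thread): the iptables rules stay static and reference a set, and only the set's contents change. It drives the ipset command-line tool's restore format through popen() rather than libipset, which is what Sven names; the set name allow_1234, chain restrict_1234 and port 1234 are assumptions. The scratch-set-then-swap sequence is what makes the update atomic: every packet is matched against either the complete old set or the complete new one.

```c
/* Added example (not from the thread): keep the iptables ruleset static and
 * move the changing CIDRs into an ipset, replacing the set atomically with
 * "swap". Uses the ipset CLI's restore format via popen(), not libipset.
 * Assumed names: set allow_1234, chain restrict_1234, port 1234. */
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>

/* Loaded once at firewall setup (e.g. via iptables-restore) and never
 * touched again: the CIDRs live in the set, not in the rules. */
const char *const static_rules =
    "*filter\n"
    "-N restrict_1234\n"
    "-A restrict_1234 -m set --match-set allow_1234 src -j RETURN\n"
    "-A restrict_1234 -p tcp -m state --state ESTABLISHED"
    " -j REJECT --reject-with tcp-reset\n"
    "-A restrict_1234 -j REJECT --reject-with icmp-admin-prohibited\n"
    "-A FORWARD -p tcp --dport 1234 -j restrict_1234\n"
    "-A FORWARD -p udp --dport 1234 -j restrict_1234\n"
    "COMMIT\n";

/* Build an "ipset restore" script: fill a scratch set, swap it with the live
 * one, drop the scratch set. Entries containing whitespace are refused so a
 * malformed entry cannot smuggle a second command onto its own line.
 * Returns the entry count, or -1 on a bad entry or a buffer too small. */
int build_ipset_script(const char **cidrs, int count, char *out, size_t cap) {
    int n = snprintf(out, cap,
        "create allow_1234 hash:net -exist\n"
        "create allow_1234_new hash:net -exist\n"
        "flush allow_1234_new\n");
    if (n < 0 || (size_t)n >= cap) return -1;
    size_t used = (size_t)n;
    for (int i = 0; i < count; i++) {
        if (cidrs[i][0] == '\0' || strpbrk(cidrs[i], " \t\r\n") != NULL) return -1;
        n = snprintf(out + used, cap - used, "add allow_1234_new %s\n", cidrs[i]);
        if (n < 0 || (size_t)n >= cap - used) return -1;
        used += (size_t)n;
    }
    n = snprintf(out + used, cap - used,
        "swap allow_1234 allow_1234_new\n"
        "destroy allow_1234_new\n");
    if (n < 0 || (size_t)n >= cap - used) return -1;
    return count;
}

/* Feed the script to "ipset restore" on stdin. Returns the command's exit
 * status, or -1 if it could not be started. */
int apply_ipset_script(const char *script) {
    FILE *p = popen("ipset restore", "w");
    if (!p) return -1;
    fputs(script, p);
    int status = pclose(p);
    return status == -1 ? -1 : WEXITSTATUS(status);
}

int main(void) {
    /* Constructed sample: the CIDRs currently allowed to reach port 1234. */
    const char *allowed[] = { "192.0.2.0/24", "198.51.100.17" };
    char buf[4096];
    if (build_ipset_script(allowed, 2, buf, sizeof buf) < 0) {
        fputs("malformed CIDR list, set left untouched\n", stderr);
        return 1;
    }
    int rc = apply_ipset_script(buf);
    if (rc != 0) fprintf(stderr, "ipset restore failed (status %d)\n", rc);
    return rc == 0 ? 0 : 1;
}
```

ipset itself rejects an entry it cannot parse as a network and exits non-zero, so an unparseable entry fails the whole restore before the swap, and the live set is left as it was. The "-exist" flag on create makes the script safe to run repeatedly, which is what a daemon that re-applies the set on every change needs.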


* Re: Creating, editing, removing rules from C(++)
From: Neal P. Murphy @ 2015-07-22  0:31 UTC (permalink / raw)
  To: Sven-Haegar Koch; +Cc: Thomas Delrue, netfilter

On Wed, 22 Jul 2015 02:08:48 +0200 (CEST)
Sven-Haegar Koch <haegar@sdinet.de> wrote:

> On Tue, 21 Jul 2015, Neal P. Murphy wrote:
> 
> > On Tue, 21 Jul 2015 17:41:26 -0400
> > Thomas Delrue <thomas.delrue@fundamental-software.net> wrote:
> > 
> > > Is there a way to interact with the firewall rules from a C(++) program?
> > > What I'm really trying to do is have a program that only allows a
> > > certain set of CIDRs through the firewall through a particular port.
> > > However these CIDRs change from time to time and so my application is
> > > there to update the firewall rules to make sure that the firewall rules
> > > contain the latest and greatest information that says: "drop everything
> > > trying to connect to port P EXCEPT for stuff originating from these CIDRs".
> > 
> > It seems in your case that you don't need high performance or high 
> > efficiency, so you should be able to use system() to run 
> > iptables-restore.
> 
> And in this special case of "set of CIDRs" it even more sounds like a 
> job for ipset - setup a static iptables ruleset using iptables-restore, 
> and if you need performance modify the list of network ranges in a 
> hash-table using libipset.

Agreed, if the set of CIDRs is large enough.


* Re: Creating, editing, removing rules from C(++)
From: Thomas Delrue @ 2015-07-22 13:39 UTC (permalink / raw)
  To: Neal P. Murphy; +Cc: netfilter


This is great info, thanks for helping me out, everyone :)

On 07/21/2015 07:15 PM, Neal P. Murphy wrote:
> On Tue, 21 Jul 2015 17:41:26 -0400 Thomas Delrue
> <thomas.delrue@fundamental-software.net> wrote:
> 
>> Hi,
>> 
>> Is there a way to interact with the firewall rules from a C(++)
>> program? What I'm really trying to do is have a program that only
>> allows a certain set of CIDRs through the firewall through a
>> particular port. However these CIDRs change from time to time and
>> so my application is there to update the firewall rules to make
>> sure that the firewall rules contain the latest and greatest
>> information that says: "drop everything trying to connect to port
>> P EXCEPT for stuff originating from these CIDRs".
> 
> It seems in your case that you don't need high performance or high
> efficiency, so you should be able to use system() to run
> iptables-restore.
> 
> Considering the vagaries of writing a C/C++ program to manipulate
> netfilter directly (it can be done, but isn't necessarily
> straightforward and the API can change for various reasons now and
> again), and considering that your CIDRs only change from time to
> time, you may find it easier to pipe the changes to
> iptables-restore.
> 
> The idea below is conceptual; it's close but may not be
> syntactically correct and you may want packet identification to be
> more solid. It should be enough to point you in the direction of
> least resistance.
> 
> The permanent F/W config might be something like:
> ----
>  ...
> -N restrict_1234
> -A restrict_1234 -p tcp -m state --state ESTABLISHED \
>     -j REJECT --reject-with tcp-reset
> -A restrict_1234 \
>     -j REJECT --reject-with icmp-admin-prohibited
>  ...
> -A FORWARD -p tcp --dport 1234 -j restrict_1234
> -A FORWARD -p udp --dport 1234 -j restrict_1234
>  ...
> ----
> On firewall setup, the default is to prohibit all conns to port
> 1234; your daemon will change this when it starts.
> 
> When the CIDRs change or when your daemon starts, you could pipe
> something like the following to iptables-restore:
> ----
> -F restrict_1234
> -A restrict_1234 -s CIDR-A -j RETURN
> -A restrict_1234 -s CIDR-B -j RETURN
> -A restrict_1234 -p tcp -m state --state ESTABLISHED \
>     -j REJECT --reject-with tcp-reset
> -A restrict_1234 \
>     -j REJECT --reject-with icmp-admin-prohibited
> ----
> (I don't remember if iptables-restore reads from STDIN; if not, use
> a temp intermediate file.) iptables-restore will perform the work
> atomically. The "-j RETURN" allows your remaining rules to handle
> the conn; it might not be wise to ACCEPT packets here, but this
> depends on your firewall design.
> 
> You definitely want to reset existing TCP conns; but you can DROP
> new conn attempts instead of REJECTing them.
> 
> One moment, the existing allowed CIDRs are connecting and talking.
> The next moment, new allowed CIDRs can connect and talk, existing
> conns from still-allowed CIDRs continue talking, conns from
> no-longer-allowed CIDRs are immediately disconnected (one side at a
> time, when the next packet comes in, not one more packet passes
> through the firewall), and new conn attempts from disallowed CIDRs
> are rejected. This method works very well when using the time
> module; one moment the kids are playing their online games and the
> next moment they are disconnected and cannot reconnect. And it
> works for TCP and UDP.
> 
> You *can* write a C/C++ interface to netfilter. But it's often
> better, easier, and clearer to use existing utilities. Especially
> when the task isn't too involved and performance and efficiency
> aren't all that critical (i.e., "... CIDRs change from time to
> time..." doesn't seem to require highly efficient code).
> 
> N


* Re: Creating, editing, removing rules from C(++)
From: alvin @ 2015-07-22 17:01 UTC (permalink / raw)
  To: Thomas Delrue; +Cc: netfilter, alvin


hi thomas

On Tue, Jul 21, 2015 at 06:44:43PM -0400, Thomas Delrue wrote:
> Thank you for replying!
...
> On 07/21/2015 06:30 PM, alvin wrote:
...
> > # eg. add incoming ddos attackers to iptables blacklist
> > # iptables-gui -autoadd ... 'a.b.c.d|w.x.y.z'
> >
> > # the corresponding actual iptable rule:
> >   iptables -I BlackList -p tcp -s a.b.c.d -d myLAN/24 -j TARPIT
> 
> This is exactly the kind of thing that I would like to do
> Is the source for iptables-gui open source? 

it is not open source :-)

the idea is simple:
- ( tcpdump or any sniffer | cleanup and extract > traffic.data.txt ) &
--- iptables-gui need to sort the traffic data and insert or delete
--- incoming IP# of the DDoS at the right rule# in iptables chains
- crontab# iptables-gui -add or -delete

> Can you point me to it or to
> the documentation/resources you used to write this application.

#
# i assume ( require ) certain set or sequence of iptables rules
# and list of the other people's IPtables howto 
#
http://iptables-blacklist.net/Howto/

------

Neal Murphy's idea of using iptables-restore is a good idea too
for adding/deleting CIDRs that change infrequently 

iptables-save -c > /tmp/iptables.txt

sed -e s/a.b.c.d/w.x.y.z/g < /tmp/iptables.txt > /tmp/iptables.new.txt

iptables-restore -c < /tmp/iptables.new.txt

#
# you'd need to verify save and restore works ... it didn't work
# for me when i tested on debian-testing, slackware-14.x, redhat variants
#
# save/restore seems to work on most all versions of OpenSuSE
# and rolling updates worked across 4 major patch levels from
# 11.x - 12.x - 13.x - factory
#
# i needed iptables rules to be independent of the distro's syntax
#

> # eg. remove inactive ddos attacks from the blacklist
> > # iptables-gui -autodelete ... w.x.y.z
> > 
> > # the corresponding actual iptable rule:
> >   iptables -D BlackList -p tcp -s a.b.c.d -d myLAN/24 -j TARPIT
> 
> Yep, this also is exactly what I'm trying to do
 
have fun
alvin
http://DDoS-Mitigator.net


* Re: Creating, editing, removing rules from C(++)
From: Bastian Bittorf @ 2015-07-27 10:25 UTC (permalink / raw)
  To: Thomas Delrue; +Cc: netfilter

* Thomas Delrue <thomas.delrue@fundamental-software.net> [26.07.2015 16:41]:
> Is there a way to interact with the firewall rules from a C(++) program?

http://www.netfilter.org/documentation/FAQ/netfilter-faq-4.html#ss4.5

if you still insist, you can e.g. read the source of:
git://nbd.name/firewall3.git

bye, bastian

