public override void OnUpdateIps()
{
if (m_activated == false)
{
return;
}
IpAddresses ipsWhiteListOutgoing = GetIpsWhiteListOutgoing(true); // ClodoTemp: can be 'false', but pinger don't work
string currentIpsWhiteListOutgoing = "";
foreach (IpAddress ip in ipsWhiteListOutgoing.IPs)
{
if (currentIpsWhiteListOutgoing != "")
{
currentIpsWhiteListOutgoing += ",";
}
currentIpsWhiteListOutgoing += ip.ToCIDR();
}
if (currentIpsWhiteListOutgoing != m_lastestIpsWhiteListOutgoing)
{
if (m_lastestIpsWhiteListOutgoing != "")
{
SystemShell.ShellCmd("netsh advfirewall firewall set rule name=\"Eddie - Out - Allow IPs\" dir=out new action=allow remoteip=\"" + currentIpsWhiteListOutgoing + "\"");
}
else
{
SystemShell.ShellCmd("netsh advfirewall firewall add rule name=\"Eddie - Out - Allow IPs\" dir=out action=allow remoteip=\"" + currentIpsWhiteListOutgoing + "\"");
}
m_lastestIpsWhiteListOutgoing = currentIpsWhiteListOutgoing;
}
}
public override void OnUpdateIps()
{
if (m_activated == false)
{
return;
}
IpAddresses ipsFirewalled = GetAllIps(true); // ClodoTemp: can be 'false', but pinger don't work
string ipList = "";
foreach (IpAddress ip in ipsFirewalled.IPs)
{
if (ipList != "")
{
ipList += ",";
}
ipList += ip.ToCIDR();
}
if (ipList != m_lastestIpList)
{
if (m_lastestIpList != "")
{
SystemShell.ShellCmd("netsh advfirewall firewall set rule name=\"Eddie - Out - AllowAirIPS\" dir=out new action=allow remoteip=\"" + ipList + "\"");
}
else
{
SystemShell.ShellCmd("netsh advfirewall firewall add rule name=\"Eddie - Out - AllowAirIPS\" dir=out action=allow remoteip=\"" + ipList + "\"");
}
m_lastestIpList = ipList;
}
}
public override void DeallowProgram(string path, string name, string guid)
{
base.DeallowProgram(path, name, guid);
if (path == Software.GetTool("curl").Path)
{
return;
}
SystemShell.ShellCmd("netsh advfirewall firewall delete rule name=\"Eddie - Out - AllowProgram - " + guid + "\"");
}
public override void Deactivation()
{
base.Deactivation();
// IPv4
string rulesBackupSessionV4 = GetBackupPath("4");
if (Platform.Instance.FileExists(rulesBackupSessionV4))
{
/* // Removed in 2.17 // TOCLEAN
* // Flush
* DoIptablesShell("iptables", "-P INPUT ACCEPT");
* DoIptablesShell("iptables", "-P FORWARD ACCEPT");
* DoIptablesShell("iptables", "-P OUTPUT ACCEPT");
* DoIptablesShell("iptables", "-t nat -F", false);
* DoIptablesShell("iptables", "-t mangle -F", false);
* DoIptablesShell("iptables", "-F");
* DoIptablesShell("iptables", "-X");
*/
// Restore backup - Exception: ShellCmd because ip6tables-restore accept only stdin
SystemShell.ShellCmd(Platform.Instance.LocateExecutable("iptables-restore") + " <\"" + SystemShell.EscapePath(rulesBackupSessionV4) + "\"");
Platform.Instance.FileDelete(rulesBackupSessionV4);
}
// IPv6
string rulesBackupSessionV6 = GetBackupPath("6");
if (Platform.Instance.FileExists(rulesBackupSessionV6))
{
/* // Removed in 2.17 // TOCLEAN
* // Flush
* DoIptablesShell("ip6tables", "-P INPUT ACCEPT");
* DoIptablesShell("ip6tables", "-P FORWARD ACCEPT");
* DoIptablesShell("ip6tables", "-P OUTPUT ACCEPT");
* DoIptablesShell("ip6tables", "-t nat -F", false);
* DoIptablesShell("ip6tables", "-t mangle -F", false);
* DoIptablesShell("ip6tables", "-F");
* DoIptablesShell("ip6tables", "-X");
*/
// Restore backup - Exception: ShellCmd because ip6tables-restore accept only stdin
SystemShell.ShellCmd(Platform.Instance.LocateExecutable("ip6tables-restore") + " <\"" + SystemShell.EscapePath(rulesBackupSessionV6) + "\"");
Platform.Instance.FileDelete(rulesBackupSessionV6);
}
// IPS
m_ipsWhiteListOutgoing.Clear();
}
public override void AllowProgram(string path, string name, string guid)
{
base.AllowProgram(path, name, guid);
if (path == Software.GetTool("curl").Path)
{
return;
}
// Windows Firewall don't work with logical path (a path that contain hardlink)
string physicalPath = Platform.Instance.FileGetPhysicalPath(path);
SystemShell.ShellCmd("netsh advfirewall firewall add rule name=\"Eddie - Out - AllowProgram - " + guid + "\" dir=out action=allow program=\"" + SystemShell.EscapePath(physicalPath) + "\" enable=yes");
}
public override void RouteAdd(RouteEntry r)
{
string cmd = "route add";
cmd += " -net " + r.Address.Address;
cmd += " netmask " + r.Mask.Address;
cmd += " gw " + r.Gateway.Address;
if (r.Metrics != "")
{
cmd += " metric " + r.Metrics;
}
if ((r.Mss != "") && (r.Mss != "0"))
{
cmd += " mss " + r.Mss;
}
if ((r.Window != "") && (r.Window != "0"))
{
cmd += " window " + r.Window;
}
if (r.Irtt != "")
{
cmd += " irtt " + r.Irtt;
}
if (r.Flags.Contains("!"))
{
cmd += " reject";
}
if (r.Flags.Contains("M"))
{
cmd += " mod";
}
if (r.Flags.Contains("D"))
{
cmd += " dyn";
}
if (r.Flags.Contains("R"))
{
cmd += " reinstate";
}
if (r.Interface != "")
{
cmd += " dev " + r.Interface;
}
SystemShell.ShellCmd(cmd); // IJTF2 // TOCHECK
}
public override void RouteRemove(RouteEntry r)
{
string cmd = "route del";
cmd += " -net " + r.Address.Address;
cmd += " gw " + r.Gateway.Address;
cmd += " netmask " + r.Mask.Address;
/*
* if(r.Metrics != "")
* cmd += " metric " + r.Metrics;
*/
if (r.Interface != "")
{
cmd += " dev " + r.Interface;
}
SystemShell.ShellCmd(cmd); // IJTF2 // TOCHECK
}
public override void Deactivation()
{
base.Deactivation();
foreach (NetworkLockWindowsFirewallProfile profile in Profiles)
{
profile.RestorePolicy();
}
// Not need, already restored in after import
// Exec("netsh advfirewall firewall delete rule name=\"Eddie - In - AllowLocal\"");
// Exec("netsh advfirewall firewall delete rule name=\"Eddie - Out - AllowLocal\"");
// Exec("netsh advfirewall firewall delete rule name=\"Eddie - Out - AllowVPN\"");
// Exec("netsh advfirewall firewall delete rule name=\"Eddie - Out - AllowAirIPS\"");
// Exec("netsh advfirewall firewall delete rule name=\"Eddie - Out - DHCP\"");
// >2.9.1 edition
{
string rulesBackupSession = Engine.Instance.Storage.GetPathInData("winfirewall_rules_backup.wfw");
if (Platform.Instance.FileExists(rulesBackupSession))
{
SystemShell.ShellCmd("netsh advfirewall import \"" + SystemShell.EscapePath(rulesBackupSession) + "\"");
Platform.Instance.FileDelete(rulesBackupSession);
}
}
// Old <2.8 edition
{
string rulesBackupSession = Engine.Instance.Storage.GetPathInData("winfirewallrules.wfw");
if (Platform.Instance.FileExists(rulesBackupSession))
{
SystemShell.ShellCmd("netsh advfirewall import \"" + SystemShell.EscapePath(rulesBackupSession) + "\"");
Platform.Instance.FileDelete(rulesBackupSession);
}
}
// Old 2.9.0 edition, recover
{
string rulesBackupSession = Environment.SystemDirectory + Platform.Instance.DirSep + "winfirewall_rules_original.airvpn";
if (Platform.Instance.FileExists(rulesBackupSession))
{
SystemShell.ShellCmd("netsh advfirewall import \"" + SystemShell.EscapePath(rulesBackupSession) + "\"");
Platform.Instance.FileDelete(rulesBackupSession);
}
}
foreach (NetworkLockWindowsFirewallProfile profile in Profiles)
{
if (profile.State == false)
{
profile.StateOff();
}
// <2.11 Not need, already restored in below import
// >=2.11 Restored, otherwise are not correctly restored in nt-domain environment.
if (profile.Notifications == true)
{
profile.NotifyOn();
}
}
// Service
if (m_serviceStatus == false)
{
ServiceController service = null;
try
{
service = new ServiceController("MpsSvc");
TimeSpan timeout = TimeSpan.FromMilliseconds(30000);
service.Stop();
service.WaitForStatus(ServiceControllerStatus.Stopped, timeout);
}
finally
{
if (service != null)
{
service.Dispose();
}
}
}
m_lastestIpsWhiteListOutgoing = "";
}
public override void Activation()
{
base.Activation();
// Service
{
ServiceController service = null;
try
{
service = new ServiceController("MpsSvc");
m_serviceStatus = (service.Status == ServiceControllerStatus.Running);
if (m_serviceStatus == false)
{
TimeSpan timeout = TimeSpan.FromMilliseconds(10000);
service.Start();
service.WaitForStatus(ServiceControllerStatus.Running, timeout);
}
}
catch (Exception e)
{
if (e.Message.Contains("MpsSvc"))
{
throw new Exception(Messages.NetworkLockWindowsFirewallUnableToStartService);
}
else
{
throw e;
}
}
finally
{
if (service != null)
{
service.Dispose();
}
}
}
// If 'winfirewall_rules_original.airvpn' doesn't exists, create it. It's a general backup of the first time.
// We create this kind of file in Windows System directory, because it's system critical data, and to allow it to survive between re-installation of the software.
string rulesBackupFirstTime = Engine.Instance.Storage.GetPathInData("winfirewall_rules_original.wfw");
if (Platform.Instance.FileExists(rulesBackupFirstTime) == false)
{
SystemShell.ShellCmd("netsh advfirewall export \"" + SystemShell.EscapePath(rulesBackupFirstTime) + "\"");
}
string rulesBackupSession = Engine.Instance.Storage.GetPathInData("winfirewall_rules_backup.wfw");
if (Platform.Instance.FileExists(rulesBackupSession))
{
Platform.Instance.FileDelete(rulesBackupSession);
}
SystemShell.ShellCmd("netsh advfirewall export \"" + SystemShell.EscapePath(rulesBackupSession) + "\"");
if (Platform.Instance.FileExists(rulesBackupSession) == false)
{
throw new Exception(Messages.NetworkLockWindowsFirewallBackupFailed);
}
foreach (NetworkLockWindowsFirewallProfile profile in Profiles)
{
profile.Fetch();
}
foreach (NetworkLockWindowsFirewallProfile profile in Profiles)
{
if (profile.State == false)
{
profile.StateOn();
}
/*
* if (profile.Notifications == true)
* {
* profile.NotifyOff();
* }
*/
}
// Disable all notifications
SystemShell.ShellCmd("netsh advfirewall set allprofiles settings inboundusernotification disable");
SystemShell.ShellCmd("netsh advfirewall firewall delete rule name=all");
// Windows Firewall don't work with logical path (a path that contain hardlink)
SystemShell.ShellCmd("netsh advfirewall firewall add rule name=\"Eddie - Out - Program Eddie\" dir=out action=allow program=\"" + SystemShell.EscapePath(Platform.Instance.FileGetPhysicalPath(Platform.Instance.GetExecutablePath())) + "\" enable=yes");
// Adding rules are slow, so force at least curl
SystemShell.ShellCmd("netsh advfirewall firewall add rule name=\"Eddie - Out - Program curl\" dir=out action=allow program=\"" + SystemShell.EscapePath(Platform.Instance.FileGetPhysicalPath(Software.GetTool("curl").Path)) + "\" enable=yes");
if (Engine.Instance.Storage.GetBool("netlock.allow_ping") == true)
{
SystemShell.ShellCmd("netsh advfirewall firewall add rule name=\"Eddie - In - ICMP IPv4\" dir=in action=allow protocol=icmpv4:8,any");
SystemShell.ShellCmd("netsh advfirewall firewall add rule name=\"Eddie - In - ICMP IPv6\" dir=in action=allow protocol=icmpv6:8,any");
SystemShell.ShellCmd("netsh advfirewall firewall add rule name=\"Eddie - Out - ICMP IPv4\" dir=out action=allow protocol=icmpv4:8,any");
SystemShell.ShellCmd("netsh advfirewall firewall add rule name=\"Eddie - Out - ICMP IPv6\" dir=out action=allow protocol=icmpv6:8,any");
}
// Exec("netsh advfirewall firewall add rule name=\"Eddie - IPv6 Block - Low\" dir=out remoteip=0000::/1 action=allow");
// Exec("netsh advfirewall firewall add rule name=\"Eddie - IPv6 Block - High\" dir=out remoteip=8000::/1 action=allow");
if (Engine.Instance.Storage.GetBool("netlock.allow_private") == true)
{
SystemShell.ShellCmd("netsh advfirewall firewall add rule name=\"Eddie - In - AllowLocal\" dir=in action=allow remoteip=LocalSubnet");
SystemShell.ShellCmd("netsh advfirewall firewall add rule name=\"Eddie - Out - AllowLocal\" dir=out action=allow remoteip=LocalSubnet");
SystemShell.ShellCmd("netsh advfirewall firewall add rule name=\"Eddie - Out - AllowMulticast\" dir=out action=allow remoteip=224.0.0.0/24");
SystemShell.ShellCmd("netsh advfirewall firewall add rule name=\"Eddie - Out - AllowSimpleServiceDiscoveryProtocol\" dir=out action=allow remoteip=239.255.255.250/32");
SystemShell.ShellCmd("netsh advfirewall firewall add rule name=\"Eddie - Out - ServiceLocationProtocol\" dir=out action=allow remoteip=239.255.255.253/32");
}
// This is not optimal, it maybe also allow LAN traffic, but we can't find a better alternative (interfacetype=ras don't work) and WinFirewall method must be deprecated.
SystemShell.ShellCmd("netsh advfirewall firewall add rule name=\"Eddie - In - AllowVPN\" dir=in action=allow localip=10.0.0.0/8");
SystemShell.ShellCmd("netsh advfirewall firewall add rule name=\"Eddie - Out - AllowVPN\" dir=out action=allow localip=10.0.0.0/8");
// Without this, Windows stay in 'Identifying network...' and OpenVPN in 'Waiting TUN to come up'.
SystemShell.ShellCmd("netsh advfirewall firewall add rule name=\"Eddie - Out - DHCP\" dir=out action=allow protocol=UDP localport=68 remoteport=67 program=\"%SystemRoot%\\system32\\svchost.exe\" service=\"dhcp\"");
string cmd = "netsh advfirewall set allprofiles firewallpolicy ";
if (Engine.Instance.Storage.Get("netlock.incoming") == "allow")
{
cmd += "allowinbound";
}
else
{
cmd += "blockinbound";
}
cmd += ",";
if (Engine.Instance.Storage.Get("netlock.outgoing") == "allow")
{
cmd += "allowoutbound";
}
else
{
cmd += "blockoutbound";
}
SystemShell.ShellCmd(cmd);
m_activated = true; // To avoid OnUpdateIps before this moment
OnUpdateIps();
}
public void RestorePolicy()
{
SystemShell.ShellCmd("netsh advfirewall set " + UtilsString.StringSafe(id) + " firewallpolicy " + Inbound + "," + Outbound);
}
public void NotifyOff()
{
//Registry.SetValue(GetNotificationRegPath(), "DisableNotifications", 1, RegistryValueKind.DWord);
//Platform.Instance.ShellCmd("netsh firewall set notifications mode=disable profile=" + GetOldFirewallProfileName());
SystemShell.ShellCmd("netsh advfirewall set " + UtilsString.StringSafe(id) + " settings inboundusernotification disable");
}
public void StateOff()
{
SystemShell.ShellCmd("netsh advfirewall set " + UtilsString.StringSafe(id) + " state off");
}
public override void Activation()
{
base.Activation();
string rulesBackupSessionV4 = GetBackupPath("4");
string rulesBackupSessionV6 = GetBackupPath("6");
try
{
if ((Platform.Instance.FileExists(rulesBackupSessionV4)) || (Platform.Instance.FileExists(rulesBackupSessionV6)))
{
throw new Exception(Messages.NetworkLockLinuxUnexpectedAlreadyActive);
}
// IPv4 assumed, if not available, will throw a fatal exception.
// IPv6 Test
{
SystemShell s = new SystemShell();
s.Path = Platform.Instance.LocateExecutable("ip6tables");
s.Arguments.Add("-L");
m_supportIPv6 = s.Run();
if (m_supportIPv6 == false)
{
Engine.Instance.Logs.Log(LogType.Verbose, Messages.NetworkLockLinuxIPv6NotAvailable);
}
}
if (m_supportIPv4)
{
// IPv4 - Backup
Platform.Instance.FileContentsWriteText(rulesBackupSessionV4, DoIptablesShell("iptables-save", ""), Encoding.ASCII);
}
if (m_supportIPv6)
{
// IPv6 - Backup
Platform.Instance.FileContentsWriteText(rulesBackupSessionV6, DoIptablesShell("ip6tables-save", ""), Encoding.ASCII);
}
/* // Version <2.17
* // Flush
* if(true)
* {
* if (m_supportIPv4)
* {
* DoIptablesShell("iptables", "-P INPUT ACCEPT");
* DoIptablesShell("iptables", "-P FORWARD ACCEPT");
* DoIptablesShell("iptables", "-P OUTPUT ACCEPT");
* DoIptablesShell("iptables", "-t nat -F", false);
* DoIptablesShell("iptables", "-t mangle -F", false);
* DoIptablesShell("iptables", "-F");
* DoIptablesShell("iptables", "-X");
* }
*
* if (m_supportIPv6)
* {
* DoIptablesShell("ip6tables", "-P INPUT ACCEPT");
* DoIptablesShell("ip6tables", "-P FORWARD ACCEPT");
* DoIptablesShell("ip6tables", "-P OUTPUT ACCEPT");
* DoIptablesShell("ip6tables", "-t nat -F", false);
* DoIptablesShell("ip6tables", "-t mangle -F", false);
* DoIptablesShell("ip6tables", "-F");
* DoIptablesShell("ip6tables", "-X");
* }
* }
*
* // Local
* if(true)
* {
* if (m_supportIPv4)
* {
* DoIptablesShell("iptables", "-A INPUT -i lo -j ACCEPT");
* DoIptablesShell("iptables", "-A OUTPUT -o lo -j ACCEPT");
* }
*
* if (m_supportIPv6)
* {
* DoIptablesShell("ip6tables", "-A INPUT -i lo -j ACCEPT");
* // Reject traffic to localhost that does not originate from lo0.
* DoIptablesShell("ip6tables", "-A INPUT ! -i lo -s ::1/128 -j REJECT"); // 2.14.0
* DoIptablesShell("ip6tables", "-A OUTPUT -o lo -j ACCEPT");
* }
* }
*
* if (m_supportIPv6)
* {
* // IPv6 - Disable processing of any RH0 packet which could allow a ping-pong of packets
* DoIptablesShell("ip6tables", "-A INPUT -m rt --rt-type 0 -j DROP");
* DoIptablesShell("ip6tables", "-A OUTPUT -m rt --rt-type 0 -j DROP");
* DoIptablesShell("ip6tables", "-A FORWARD -m rt --rt-type 0 -j DROP");
* }
*
* if (m_supportIPv6) // 2.14.0
* {
* // IPv6 - Rules which are required for your IPv6 address to be properly allocated
* DoIptablesShell("ip6tables", "-A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT");
* DoIptablesShell("ip6tables", "-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT");
* DoIptablesShell("ip6tables", "-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT");
* DoIptablesShell("ip6tables", "-A INPUT -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT");
* }
*
* // Allow DHCP
* if (Engine.Instance.Storage.GetBool("netlock.allow_dhcp") == true)
* {
* if (m_supportIPv4)
* {
* // IPv4 - Make sure you can communicate with any DHCP server
* DoIptablesShell("iptables", "-A OUTPUT -d 255.255.255.255 -j ACCEPT");
* DoIptablesShell("iptables", "-A INPUT -s 255.255.255.255 -j ACCEPT");
* }
* }
*
* // Allow private
* if (Engine.Instance.Storage.GetBool("netlock.allow_private"))
* {
* if (m_supportIPv4)
* {
* // IPv4 - Private networks
* DoIptablesShell("iptables", "-A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT");
* DoIptablesShell("iptables", "-A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT");
* DoIptablesShell("iptables", "-A INPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT");
* DoIptablesShell("iptables", "-A OUTPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT");
* DoIptablesShell("iptables", "-A INPUT -s 172.16.0.0/12 -d 172.16.0.0/12 -j ACCEPT");
* DoIptablesShell("iptables", "-A OUTPUT -s 172.16.0.0/12 -d 172.16.0.0/12 -j ACCEPT");
*
* // IPv4 - Multicast
* DoIptablesShell("iptables", "-A OUTPUT -s 192.168.0.0/16 -d 224.0.0.0/24 -j ACCEPT");
* DoIptablesShell("iptables", "-A OUTPUT -s 192.168.0.0/16 -d 224.0.0.0/24 -j ACCEPT");
* DoIptablesShell("iptables", "-A OUTPUT -s 192.168.0.0/16 -d 224.0.0.0/24 -j ACCEPT");
*
* // IPv4 - 239.255.255.250 Simple Service Discovery Protocol address
* DoIptablesShell("iptables", "-A OUTPUT -s 192.168.0.0/16 -d 239.255.255.250/32 -j ACCEPT");
* DoIptablesShell("iptables", "-A OUTPUT -s 192.168.0.0/16 -d 239.255.255.250/32 -j ACCEPT");
* DoIptablesShell("iptables", "-A OUTPUT -s 192.168.0.0/16 -d 239.255.255.250/32 -j ACCEPT");
*
* // IPv4 - 239.255.255.253 Service Location Protocol version 2 address
* DoIptablesShell("iptables", "-A OUTPUT -s 192.168.0.0/16 -d 239.255.255.253/32 -j ACCEPT");
* DoIptablesShell("iptables", "-A OUTPUT -s 192.168.0.0/16 -d 239.255.255.253/32 -j ACCEPT");
* DoIptablesShell("iptables", "-A OUTPUT -s 192.168.0.0/16 -d 239.255.255.253/32 -j ACCEPT");
* }
*
* if (m_supportIPv6)
* {
* // IPv6 - Allow Link-Local addresses
* DoIptablesShell("ip6tables", "-A INPUT -s fe80::/10 -j ACCEPT");
* DoIptablesShell("ip6tables", "-A OUTPUT -s fe80::/10 -j ACCEPT");
*
* // IPv6 - Allow multicast
* DoIptablesShell("ip6tables", "-A INPUT -d ff00::/8 -j ACCEPT");
* DoIptablesShell("ip6tables", "-A OUTPUT -d ff00::/8 -j ACCEPT");
* }
* }
*
* // Allow ping
* if (Engine.Instance.Storage.GetBool("netlock.allow_ping"))
* {
* if (m_supportIPv4)
* {
* // IPv4
* DoIptablesShell("iptables", "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT");
* DoIptablesShell("iptables", "-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT"); // 2.14.0
* }
*
* if (m_supportIPv6)
* {
* // IPv6
* DoIptablesShell("ip6tables", "-A INPUT -p icmpv6 -j ACCEPT");
* DoIptablesShell("ip6tables", "-A OUTPUT -p icmpv6 -j ACCEPT");
* }
* }
*
* // Allow established sessions to receive traffic
* if(true)
* {
* if (m_supportIPv4)
* {
* DoIptablesShell("iptables", "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT");
* }
*
* if (m_supportIPv6)
* {
* DoIptablesShell("ip6tables", "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT");
* }
* }
*
* // Allow TUN
* if (true)
* {
* if (m_supportIPv4)
* {
* DoIptablesShell("iptables", "-A INPUT -i tun+ -j ACCEPT");
* DoIptablesShell("iptables", "-A FORWARD -i tun+ -j ACCEPT");
* DoIptablesShell("iptables", "-A OUTPUT -o tun+ -j ACCEPT");
* }
*
* if (m_supportIPv6)
* {
* DoIptablesShell("ip6tables", "-A INPUT -i tun+ -j ACCEPT");
* DoIptablesShell("ip6tables", "-A FORWARD -i tun+ -j ACCEPT");
* DoIptablesShell("ip6tables", "-A OUTPUT -o tun+ -j ACCEPT");
* }
* }
*
* // General rules
* {
* if (m_supportIPv4)
* {
* DoIptablesShell("iptables", "-A FORWARD -j DROP");
* if (Engine.Instance.Storage.Get("netlock.incoming") == "allow")
* DoIptablesShell("iptables", "-A INPUT -j ACCEPT");
* else
* DoIptablesShell("iptables", "-A INPUT -j DROP");
* if (Engine.Instance.Storage.Get("netlock.outgoing") == "allow")
* DoIptablesShell("iptables", "-A OUTPUT -j ACCEPT");
* else
* DoIptablesShell("iptables", "-A OUTPUT -j DROP");
* }
*
* if (m_supportIPv6)
* {
* DoIptablesShell("ip6tables", "-A FORWARD -j DROP");
* if (Engine.Instance.Storage.Get("netlock.incoming") == "allow")
* DoIptablesShell("ip6tables", "-A INPUT -j ACCEPT");
* else
* DoIptablesShell("ip6tables", "-A INPUT -j DROP");
* if (Engine.Instance.Storage.Get("netlock.outgoing") == "allow")
* DoIptablesShell("ip6tables", "-A OUTPUT -j ACCEPT");
* else
* DoIptablesShell("ip6tables", "-A OUTPUT -j DROP");
* }
* }
*/
// Version 2.17
IpAddresses ipsWhiteListOutgoing = GetIpsWhiteListOutgoing(true);
// IPv4
if (m_supportIPv4)
{
var body = new System.Text.StringBuilder();
body.AppendLine("*mangle");
body.AppendLine(":PREROUTING ACCEPT [0:0]");
body.AppendLine(":INPUT ACCEPT [0:0]");
body.AppendLine(":FORWARD ACCEPT [0:0]");
body.AppendLine(":OUTPUT ACCEPT [0:0]");
body.AppendLine(":POSTROUTING ACCEPT [0:0]");
body.AppendLine("COMMIT");
body.AppendLine("*nat");
body.AppendLine(":PREROUTING ACCEPT [0:0]");
body.AppendLine(":INPUT ACCEPT [0:0]");
body.AppendLine(":OUTPUT ACCEPT [0:0]");
body.AppendLine(":POSTROUTING ACCEPT [0:0]");
body.AppendLine("COMMIT");
body.AppendLine("*filter");
body.AppendLine(":INPUT ACCEPT [0:0]");
body.AppendLine(":FORWARD ACCEPT [0:0]");
body.AppendLine(":OUTPUT ACCEPT [0:0]");
// Local
body.AppendLine("-A INPUT -i lo -j ACCEPT");
if (Engine.Instance.Storage.GetBool("netlock.allow_dhcp") == true)
{
body.AppendLine("-A INPUT -s 255.255.255.255/32 -j ACCEPT");
}
if (Engine.Instance.Storage.GetBool("netlock.allow_private"))
{
// Private networks
body.AppendLine("-A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT");
body.AppendLine("-A INPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT");
body.AppendLine("-A INPUT -s 172.16.0.0/12 -d 172.16.0.0/12 -j ACCEPT");
}
if (Engine.Instance.Storage.GetBool("netlock.allow_ping"))
{
// icmp-type: echo-request
body.AppendLine("-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT");
}
// Allow established sessions to receive traffic
body.AppendLine("-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT");
// Allow TUN
body.AppendLine("-A INPUT -i tun+ -j ACCEPT");
if (Engine.Instance.Storage.Get("netlock.incoming") == "allow")
{
body.AppendLine("-A INPUT -j ACCEPT");
}
else
{
body.AppendLine("-A INPUT -j DROP");
}
// Allow TUN
body.AppendLine("-A FORWARD -i tun+ -j ACCEPT");
// Fixed general rule
body.AppendLine("-A FORWARD -j DROP");
// Local
body.AppendLine("-A OUTPUT -o lo -j ACCEPT");
if (Engine.Instance.Storage.GetBool("netlock.allow_dhcp") == true)
{
// Make sure you can communicate with any DHCP server
body.AppendLine("-A OUTPUT -d 255.255.255.255/32 -j ACCEPT");
}
if (Engine.Instance.Storage.GetBool("netlock.allow_private"))
{
// Private networks
body.AppendLine("-A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT");
body.AppendLine("-A OUTPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT");
body.AppendLine("-A OUTPUT -s 172.16.0.0/12 -d 172.16.0.0/12 -j ACCEPT");
// Multicast
body.AppendLine("-A OUTPUT -s 192.168.0.0/16 -d 224.0.0.0/24 -j ACCEPT");
body.AppendLine("-A OUTPUT -s 10.0.0.0/8 -d 224.0.0.0/24 -j ACCEPT");
body.AppendLine("-A OUTPUT -s 172.16.0.0/12 -d 224.0.0.0/24 -j ACCEPT");
// Simple Service Discovery Protocol address
body.AppendLine("-A OUTPUT -s 192.168.0.0/16 -d 239.255.255.250/32 -j ACCEPT");
body.AppendLine("-A OUTPUT -s 10.0.0.0/8 -d 239.255.255.250/32 -j ACCEPT");
body.AppendLine("-A OUTPUT -s 172.16.0.0/12 -d 239.255.255.250/32 -j ACCEPT");
// Service Location Protocol version 2 address
body.AppendLine("-A OUTPUT -s 192.168.0.0/16 -d 239.255.255.253/32 -j ACCEPT");
body.AppendLine("-A OUTPUT -s 10.0.0.0/8 -d 239.255.255.253/32 -j ACCEPT");
body.AppendLine("-A OUTPUT -s 172.16.0.0/12 -d 239.255.255.253/32 -j ACCEPT");
}
if (Engine.Instance.Storage.GetBool("netlock.allow_ping"))
{
// icmp-type: echo-reply
body.AppendLine("-A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT");
}
// Allow TUN
body.AppendLine("-A OUTPUT -o tun+ -j ACCEPT");
// Whitelist outgoing
foreach (IpAddress ip in ipsWhiteListOutgoing.IPs)
{
if (ip.IsV4)
{
body.AppendLine("-A OUTPUT -d " + ip.ToCIDR() + " -j ACCEPT");
}
}
if (Engine.Instance.Storage.Get("netlock.outgoing") == "allow")
{
body.AppendLine("-A OUTPUT -j ACCEPT");
}
else
{
body.AppendLine("-A OUTPUT -j DROP");
}
// Commit
body.AppendLine("COMMIT");
// Apply
string path = Engine.Instance.Storage.GetPathInData("iptables.netlock.dat");
Platform.Instance.FileContentsWriteText(path, body.ToString(), Encoding.ASCII);
string result = SystemShell.ShellCmd(Platform.Instance.LocateExecutable("iptables-restore") + " <\"" + SystemShell.EscapePath(path) + "\"");
Platform.Instance.FileDelete(path);
if (result != "")
{
throw new Exception(result);
}
}
// IPv6
if (m_supportIPv6)
{
var body = new System.Text.StringBuilder();
body.AppendLine("*mangle");
body.AppendLine(":PREROUTING ACCEPT [0:0]");
body.AppendLine(":INPUT ACCEPT [0:0]");
body.AppendLine(":FORWARD ACCEPT [0:0]");
body.AppendLine(":OUTPUT ACCEPT [0:0]");
body.AppendLine(":POSTROUTING ACCEPT [0:0]");
body.AppendLine("COMMIT");
body.AppendLine("*nat");
body.AppendLine(":PREROUTING ACCEPT [0:0]");
body.AppendLine(":INPUT ACCEPT [0:0]");
body.AppendLine(":OUTPUT ACCEPT [0:0]");
body.AppendLine(":POSTROUTING ACCEPT [0:0]");
body.AppendLine("COMMIT");
body.AppendLine("*filter");
body.AppendLine(":INPUT ACCEPT [0:0]");
body.AppendLine(":FORWARD ACCEPT [0:0]");
body.AppendLine(":OUTPUT ACCEPT [0:0]");
// Local
body.AppendLine("-A INPUT -i lo -j ACCEPT");
// Reject traffic to localhost that does not originate from lo0.
body.AppendLine("-A INPUT -s ::1/128 ! -i lo -j REJECT --reject-with icmp6-port-unreachable");
// Disable processing of any RH0 packet which could allow a ping-pong of packets
body.AppendLine("-A INPUT -m rt --rt-type 0 -j DROP");
// icmpv6-type:router-advertisement - Rules which are required for your IPv6 address to be properly allocated
body.AppendLine("-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT");
// icmpv6-type:neighbor-solicitation - Rules which are required for your IPv6 address to be properly allocated
body.AppendLine("-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT");
// icmpv6-type:neighbor-advertisement - Rules which are required for your IPv6 address to be properly allocated
body.AppendLine("-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT");
// icmpv6-type:redirect - Rules which are required for your IPv6 address to be properly allocated
body.AppendLine("-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT");
if (Engine.Instance.Storage.GetBool("netlock.allow_private"))
{
// Allow Link-Local addresses
body.AppendLine("-A INPUT -s fe80::/10 -j ACCEPT");
// Allow multicast
body.AppendLine("-A INPUT -d ff00::/8 -j ACCEPT");
}
if (Engine.Instance.Storage.GetBool("netlock.allow_ping"))
{
body.AppendLine("-A INPUT -p ipv6-icmp -j ACCEPT");
}
// Allow established sessions to receive traffic
body.AppendLine("-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT");
// Allow TUN
body.AppendLine("-A INPUT -i tun+ -j ACCEPT");
if (Engine.Instance.Storage.Get("netlock.incoming") == "allow")
{
body.AppendLine("-A INPUT -j ACCEPT");
}
else
{
body.AppendLine("-A INPUT -j DROP");
}
// Disable processing of any RH0 packet which could allow a ping-pong of packets
body.AppendLine("-A FORWARD -m rt --rt-type 0 -j DROP");
// Allow TUN
body.AppendLine("-A FORWARD -i tun+ -j ACCEPT");
// Fixed general rule
body.AppendLine("-A FORWARD -j DROP");
body.AppendLine("-A OUTPUT -d 2a0d:5600:2:5:cf41:c8d8:2e78:17b2/128 -j ACCEPT");
body.AppendLine("-A OUTPUT -d 2a0d:5600:2:5:5200:5517:2b3b:f9b6/128 -j ACCEPT");
body.AppendLine("-A OUTPUT -d 2001:ac8:29:5:8fde:45df:1149:dc39/128 -j ACCEPT");
body.AppendLine("-A OUTPUT -d 2001:ac8:29:5:2a4b:7bb6:475d:f0f4/128 -j ACCEPT");
body.AppendLine("-A OUTPUT -d 2001:750:2:3::41/128 -j ACCEPT");
body.AppendLine("-A OUTPUT -d 2001:4860:4860::8844/128 -j ACCEPT");
body.AppendLine("-A OUTPUT -d 2001:4860:4860::8888/128 -j ACCEPT");
// Local
body.AppendLine("-A OUTPUT -o lo -j ACCEPT");
// Disable processing of any RH0 packet which could allow a ping-pong of packets
body.AppendLine("-A OUTPUT -m rt --rt-type 0 -j DROP");
if (Engine.Instance.Storage.GetBool("netlock.allow_private"))
{
// Allow Link-Local addresses
body.AppendLine("-A OUTPUT -s fe80::/10 -j ACCEPT");
// Allow multicast
body.AppendLine("-A OUTPUT -d ff00::/8 -j ACCEPT");
}
if (Engine.Instance.Storage.GetBool("netlock.allow_ping"))
{
body.AppendLine("-A OUTPUT -p ipv6-icmp -j ACCEPT");
}
// Allow TUN
body.AppendLine("-A OUTPUT -o tun+ -j ACCEPT");
// Whitelist outgoing
foreach (IpAddress ip in ipsWhiteListOutgoing.IPs)
{
if (ip.IsV6)
{
body.AppendLine("-A OUTPUT -d " + ip.ToCIDR() + " -j ACCEPT");
}
}
if (Engine.Instance.Storage.Get("netlock.outgoing") == "allow")
{
body.AppendLine("-A OUTPUT -j ACCEPT");
}
else
{
body.AppendLine("-A OUTPUT -j DROP");
}
// Commit
body.AppendLine("COMMIT");
// Apply
string path = Engine.Instance.Storage.GetPathInData("ip6tables.netlock.dat");
Platform.Instance.FileContentsWriteText(path, body.ToString(), Encoding.ASCII);
string result = SystemShell.ShellCmd(Platform.Instance.LocateExecutable("ip6tables-restore") + " <\"" + SystemShell.EscapePath(path) + "\"");
Platform.Instance.FileDelete(path);
if (result != "")
{
throw new Exception(result);
}
}
m_ipsWhiteListOutgoing = ipsWhiteListOutgoing;
OnUpdateIps();
}
catch (Exception ex)
{
Deactivation();
throw new Exception(ex.Message);
}
}
public override bool FileEnsureOwner(string path)
{
SystemShell.ShellCmd("chown \"" + Environment.GetEnvironmentVariable("USER") + "\" \"" + path + "\"");
return(true);
}