Exemple #1
0
        private List <uint> LoadIPAddresses(string ruleName, string action, string hashType, int maxCount)
        {
            List <uint> ipAddresses = new List <uint>();

            try
            {
                if (hashType != "ip")
                {
                    throw new ArgumentException("Can only load hash of type 'ip'");
                }

                CreateOrUpdateRule(ruleName, action, hashType, maxCount, null, default);

                // copy ip addresses from the rule to the set
                string fileName = GetSetFileName(ruleName);
                if (File.Exists(fileName))
                {
                    uint value;
                    foreach (string line in File.ReadLines(fileName).Skip(1))
                    {
                        string[] pieces = line.Split(' ');
                        if (pieces.Length > 2 && pieces[0] == "add" && (value = IPBanFirewallUtility.ParseIPV4(pieces[2])) != 0)
                        {
                            ipAddresses.Add(value);
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                IPBanLog.Error(ex);
            }

            return(ipAddresses);
        }
Exemple #2
0
        private bool GetOrCreateRule(string ruleName, string remoteIPAddresses, NET_FW_ACTION_ action, IEnumerable <PortRange> allowedPorts = null)
        {
            remoteIPAddresses = (remoteIPAddresses ?? string.Empty).Trim();
            bool emptyIPAddressString = string.IsNullOrWhiteSpace(remoteIPAddresses) || remoteIPAddresses == "*";
            bool ruleNeedsToBeAdded   = false;

            lock (policy)
            {
recreateRule:
                INetFwRule rule = null;
                try
                {
                    rule = policy.Rules.Item(ruleName);
                }
                catch
                {
                    // ignore exception, assume does not exist
                }
                if (rule == null)
                {
                    rule                = Activator.CreateInstance(ruleType) as INetFwRule;
                    rule.Name           = ruleName;
                    rule.Enabled        = true;
                    rule.Action         = action;
                    rule.Description    = "Automatically created by IPBan";
                    rule.Direction      = NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_IN;
                    rule.EdgeTraversal  = false;
                    rule.Grouping       = "IPBan";
                    rule.LocalAddresses = "*";
                    rule.Profiles       = int.MaxValue; // all
                    ruleNeedsToBeAdded  = true;
                }

                // do not ever set an empty string, Windows treats this as * which means everything
                if (!emptyIPAddressString)
                {
                    try
                    {
                        PortRange[] allowedPortsArray = (allowedPorts?.ToArray());
                        if (allowedPortsArray != null && allowedPortsArray.Length != 0)
                        {
                            rule.Protocol = (int)NET_FW_IP_PROTOCOL_.NET_FW_IP_PROTOCOL_TCP;
                            string localPorts;
                            if (action == NET_FW_ACTION_.NET_FW_ACTION_BLOCK)
                            {
                                localPorts = IPBanFirewallUtility.GetPortRangeStringBlockExcept(allowedPortsArray);
                            }
                            else
                            {
                                localPorts = IPBanFirewallUtility.GetPortRangeStringAllow(allowedPortsArray);
                            }
                            rule.LocalPorts = localPorts;
                        }
                        else
                        {
                            try
                            {
                                rule.Protocol = (int)NET_FW_IP_PROTOCOL_.NET_FW_IP_PROTOCOL_ANY;
                            }
                            catch
                            {
                                // failed to set protocol to any, we are switching from tcp back to any without ports, the only option is to
                                //  recreate the rule
                                if (!ruleNeedsToBeAdded)
                                {
                                    policy.Rules.Remove(ruleName);
                                    goto recreateRule;
                                }
                            }
                        }
                        rule.RemoteAddresses = remoteIPAddresses;
                    }
                    catch (Exception ex)
                    {
                        // if something failed, do not create the rule
                        emptyIPAddressString = true;
                        IPBanLog.Error(ex);
                    }
                }

                if (emptyIPAddressString || string.IsNullOrWhiteSpace(rule.RemoteAddresses) || rule.RemoteAddresses == "*")
                {
                    // if no ip addresses, remove the rule as it will allow or block everything with an empty RemoteAddresses string
                    try
                    {
                        rule = null;
                        policy.Rules.Remove(ruleName);
                    }
                    catch
                    {
                    }
                }
                else if (ruleNeedsToBeAdded)
                {
                    policy.Rules.Add(rule);
                }
                return(rule != null);
            }
        }
Exemple #3
0
 public bool IsIPAddressAllowed(string ipAddress)
 {
     return(allowedIPAddresses.Contains(IPBanFirewallUtility.ParseIPV4(ipAddress)));
 }
Exemple #4
0
 public IEnumerable <string> EnumerateAllowedIPAddresses()
 {
     return(allowedIPAddresses.Select(b => IPBanFirewallUtility.IPV4ToString(b)));
 }
Exemple #5
0
        // deleteRule will drop the rule and matching set before creating the rule and set, use this is you don't care to update the rule and set in place
        private List <uint> UpdateRule(string ruleName, string action, IEnumerable <string> ipAddresses,
                                       List <uint> existingIPAddresses, string hashType, int maxCount, bool deleteRule, IEnumerable <PortRange> allowPorts, CancellationToken cancelToken,
                                       out bool result)
        {
            string      ipFile             = GetSetFileName(ruleName);
            string      ipFileTemp         = ipFile + ".tmp";
            List <uint> newIPAddressesUint = new List <uint>();
            uint        value = 0;

            // add and remove the appropriate ip addresses from the set
            using (StreamWriter writer = File.CreateText(ipFileTemp))
            {
                if (cancelToken.IsCancellationRequested)
                {
                    throw new OperationCanceledException(cancelToken);
                }
                writer.WriteLine($"create {ruleName} hash:{hashType} family {inetFamily} hashsize {hashSize} maxelem {maxCount} -exist");
                foreach (string ipAddress in ipAddresses)
                {
                    if (cancelToken.IsCancellationRequested)
                    {
                        throw new OperationCanceledException(cancelToken);
                    }

                    // only allow ipv4 for now
                    if (IPAddressRange.TryParse(ipAddress, out IPAddressRange range) &&
                        range.Begin.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork &&
                        range.End.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork &&
                        // if deleting the rule, don't track the uint value
                        (!deleteRule || (value = IPBanFirewallUtility.ParseIPV4(ipAddress)) != 0))
                    {
                        try
                        {
                            if (range.Begin.Equals(range.End))
                            {
                                writer.WriteLine($"add {ruleName} {range.Begin} -exist");
                            }
                            else
                            {
                                writer.WriteLine($"add {ruleName} {range.ToCidrString()} -exist");
                            }
                            if (!deleteRule)
                            {
                                newIPAddressesUint.Add(value);
                            }
                        }
                        catch
                        {
                            // ignore invalid cidr ranges
                        }
                    }
                }
                newIPAddressesUint.Sort();

                // if the rule was deleted, no need to add del entries
                if (!deleteRule)
                {
                    // for ip that dropped out, remove from firewall
                    foreach (uint droppedIP in existingIPAddresses.Where(e => newIPAddressesUint.BinarySearch(e) < 0))
                    {
                        writer.WriteLine($"del {ruleName} {IPBanFirewallUtility.IPV4ToString(droppedIP)} -exist");
                    }
                }
            }

            if (cancelToken.IsCancellationRequested)
            {
                throw new OperationCanceledException(cancelToken);
            }
            else
            {
                // TODO: Is there an easier way to move to a file that exists?
                if (File.Exists(ipFile))
                {
                    DeleteFile(ipFile);
                }
                File.Move(ipFileTemp, ipFile);

                if (deleteRule)
                {
                    DeleteRule(ruleName);
                }

                // restore the file to get the set updated
                result = (RunProcess("ipset", true, $"restore < \"{ipFile}\"") == 0);

                // ensure rule exists for the set
                CreateOrUpdateRule(ruleName, action, hashType, maxCount, allowPorts, cancelToken);
            }

            return(newIPAddressesUint);
        }
Exemple #6
0
        private bool CreateOrUpdateRule(string ruleName, string action, string hashType, int maxCount, IEnumerable <PortRange> allowedPorts, CancellationToken cancelToken)
        {
            // ensure that a set exists for the iptables rule in the event that this is the first run
            RunProcess("ipset", false, $"create {ruleName} hash:{hashType} family {inetFamily} hashsize {hashSize} maxelem {maxCount} -exist");
            if (cancelToken.IsCancellationRequested)
            {
                throw new OperationCanceledException(cancelToken);
            }

            string setFileName = GetSetFileName(ruleName);

            if (!File.Exists(setFileName))
            {
                RunProcess("ipset", true, $"save {ruleName} > \"{setFileName}\"");
            }

            if (cancelToken.IsCancellationRequested)
            {
                throw new OperationCanceledException(cancelToken);
            }

            PortRange[] allowedPortsArray = allowedPorts?.ToArray();

            // create or update the rule in iptables
            RunProcess("iptables", true, out IReadOnlyList <string> lines, "-L --line-numbers");
            string portString = " ";
            bool   replaced   = false;

            if (allowedPortsArray != null && allowedPortsArray.Length != 0)
            {
                string portList = (action == "DROP" ? IPBanFirewallUtility.GetPortRangeStringBlockExcept(allowedPorts) :
                                   IPBanFirewallUtility.GetPortRangeStringAllow(allowedPorts));
                portString = " -m multiport --dports " + portList.Replace('-', ':') + " "; // iptables uses ':' instead of '-' for range
            }
            string ruleNameWithSpaces = " " + ruleName + " ";

            foreach (string line in lines)
            {
                if (line.Contains(ruleNameWithSpaces, StringComparison.OrdinalIgnoreCase))
                {
                    // rule number is first piece of the line
                    int index   = line.IndexOf(' ');
                    int ruleNum = int.Parse(line.Substring(0, index));

                    // replace the rule with the new info
                    RunProcess("iptables", true, $"-R INPUT {ruleNum} -m set{portString}--match-set \"{ruleName}\" src -j {action}");
                    replaced = true;
                    break;
                }
            }
            if (!replaced)
            {
                // add a new rule
                RunProcess("iptables", true, $"-A INPUT -m set{portString}--match-set \"{ruleName}\" src -j {action}");
            }

            if (cancelToken.IsCancellationRequested)
            {
                throw new OperationCanceledException(cancelToken);
            }

            SaveTableToDisk();

            return(true);
        }