private void FlushIPsInternal() { using var adapter = System.GetTableAdapter(4); var sync = new DefaultNetfilterSync <IpTablesRule>(); (System.GetChain(adapter, IpTable, IpChain) as IpTablesChain).Sync(adapter, Enumerable.Empty <IpTablesRule>(), sync); }
public void TestDeleteAndUpdate() { var mock = new MockIptablesSystemFactory(); var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter()); IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>() { "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"", "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\"", "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\"", "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID4\"" }, system); IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>() { "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 28 -m comment --comment \"ID2\"", "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 1 -m comment --comment \"ID3\"", "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID4\"" }, system); using (var client = system.GetTableAdapter(4)) { var sync = new DefaultNetfilterSync <IpTablesRule>(CommentComparer); mock.TestSync(client, rulesOriginal, rulesNew, sync); var commands = (client as IMockIpTablesRestoreGetOutput).GetOutput().ToList(); Assert.AreEqual(5, commands.Count); Assert.True(commands[1].StartsWith("-D INPUT 1")); Assert.True(commands[2].StartsWith("-R INPUT 1")); Assert.True(commands[3].StartsWith("-R INPUT 2")); } }
public void TestQuotes() { var mock = new MockIptablesSystemFactory(); var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter()); IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>() { "-A INPUT -p tcp -j DROP", }, system); IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>() { "-A INPUT -p tcp -j DROP", "-A INPUT -m comment --comment 'test space'" }, system); List <String> expectedCommands = new List <String> { "*filter", "-A INPUT -m comment --comment \"test space\"", "COMMIT" }; using (var client = system.GetTableAdapter(4)) { var sync = new DefaultNetfilterSync <IpTablesRule>(); var rulesSynced = rulesOriginal.DeepClone(); mock.TestSync(client, rulesSynced, rulesNew, sync); CollectionAssert.AreEqual(expectedCommands, (client as IMockIpTablesRestoreGetOutput).GetOutput()); TestApply(rulesOriginal, rulesSynced, rulesNew, expectedCommands); } }
public void TestDeleteMultiplesMiddle() { var mock = new MockIptablesSystemFactory(); var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter()); IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>() { "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10", "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5", "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2", "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 3" }, system); IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>() { "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10", "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 3" }, system); List <String> expectedCommands = new List <String>() { "*filter", "-D INPUT 2", "-D INPUT 2", "COMMIT" }; using (var client = system.GetTableAdapter(4)) { var sync = new DefaultNetfilterSync <IpTablesRule>(); var rulesSynced = rulesOriginal.DeepClone(); mock.TestSync(client, rulesSynced, rulesNew, sync); CollectionAssert.AreEqual(expectedCommands, (client as IMockIpTablesRestoreGetOutput).GetOutput()); TestApply(rulesOriginal, rulesSynced, rulesNew, expectedCommands); } }
public void TestUpdateMiddle() { var mock = new MockIptablesSystemFactory(); var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter()); IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>() { "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"", "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\"", "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\"" }, system); IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>() { "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"", "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 28 -m comment --comment \"ID2\"", "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\"" }, system); List <String> expectedCommands = new List <String>() { "*filter", rulesNew.Chains.First().Rules[1].GetActionCommand("-R"), "COMMIT" }; using (var client = system.GetTableAdapter(4)) { var sync = new DefaultNetfilterSync <IpTablesRule>(); var rulesSynced = rulesOriginal.DeepClone(); mock.TestSync(client, rulesSynced, rulesNew, sync); CollectionAssert.AreEqual(expectedCommands, (client as IMockIpTablesRestoreGetOutput).GetOutput()); TestApply(rulesOriginal, rulesSynced, rulesNew, expectedCommands); } }
public void TestAddFromEmpty() { var mock = new MockIptablesSystemFactory(); var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter()); IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>() { }, system); rulesOriginal.Chains.AddChain("INPUT", "filter", system); IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>() { "-A INPUT -d 1.2.3.4/16 -j DROP" }, system); List <String> expectedCommands = new List <String> { "*filter", rulesNew.Chains.First().Rules[0].GetActionCommand(), "COMMIT" }; using (var client = system.GetTableAdapter(4)) { var sync = new DefaultNetfilterSync <IpTablesRule>(); var rulesSynced = rulesOriginal.DeepClone(); mock.TestSync(client, rulesSynced, rulesNew, sync); CollectionAssert.AreEqual(expectedCommands, (client as IMockIpTablesRestoreGetOutput).GetOutput()); TestApply(rulesOriginal, rulesSynced, rulesNew, expectedCommands); } }
public void TestNatDoNothing() { var mock = new MockIptablesSystemFactory(); var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter()); IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>() { "-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80", "-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80" }, system); IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>() { "-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80", "-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80" }, system); List <String> expectedCommands = new List <String>() { }; using (var client = system.GetTableAdapter(4)) { var sync = new DefaultNetfilterSync <IpTablesRule>(); var rulesSynced = rulesOriginal.DeepClone(); mock.TestSync(client, rulesSynced, rulesNew, sync); CollectionAssert.AreEqual(expectedCommands, (client as IMockIpTablesRestoreGetOutput).GetOutput()); TestApply(rulesOriginal, rulesSynced, rulesNew, expectedCommands); } }
public void TestAddDuplicate() { var mock = new MockIptablesSystemFactory(); var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter()); IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>() { "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10", "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2", }, system); IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>() { "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10", "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2", "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10", }, system); List <String> expectedCommands = new List <String>() { rulesNew.Chains.First().Rules[2].GetActionCommand() }; var sync = new DefaultNetfilterSync <IpTablesRule>(); mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, sync, expectedCommands); }
public void TestUpdateMiddle() { var mock = new MockIptablesSystemFactory(); var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter()); IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>() { "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"", "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\"", "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\"" }, system); IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>() { "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"", "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 28 -m comment --comment \"ID2\"", "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\"" }, system); List <String> expectedCommands = new List <String>() { rulesNew.Chains.First().Rules[1].GetActionCommand("-R") }; var sync = new DefaultNetfilterSync <IpTablesRule>(CommentComparer); mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, sync, expectedCommands); }
public void TestDeleteMultiples() { var mock = new MockIptablesSystemFactory(); var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter()); IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>() { "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10", "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5", "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2" }, system); IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>() { "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5" }, system); List <String> expectedCommands = new List <String>() { "-D INPUT 1", "-D INPUT 2" }; var sync = new DefaultNetfilterSync <IpTablesRule>(); mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, sync, expectedCommands); }
public void TestSync(IpTablesRuleSet rulesOriginal, IpTablesRuleSet rulesNew, Func<IpTablesRule, IpTablesRule, bool> commentComparer = null) { IpTablesChain chain = rulesOriginal.Chains.First(); DefaultNetfilterSync<IpTablesRule> sync = new DefaultNetfilterSync<IpTablesRule>(commentComparer,null); if (commentComparer == null) chain.Sync(rulesNew.Chains.First().Rules, sync); else chain.Sync(rulesNew.Chains.First().Rules, sync); }
public void TestSync(IpTablesRuleSet rulesOriginal, IpTablesRuleSet rulesNew, Func <IpTablesRule, IpTablesRule, bool> commentComparer = null) { IpTablesChain chain = rulesOriginal.Chains.First(); DefaultNetfilterSync <IpTablesRule> sync = new DefaultNetfilterSync <IpTablesRule>(commentComparer, null); if (commentComparer == null) { chain.Sync(rulesNew.Chains.First().Rules, sync); } else { chain.Sync(rulesNew.Chains.First().Rules, sync); } }
private void AcceptIPInternal(IPAddress address) { if (address == null) { return; } using var adapter = System.GetTableAdapter(4); var chain = new IpTablesChain(IpTable, IpChain, 4, System); var rule = new IpTablesRule(System, chain); rule.AppendToRule(GetAcceptRule(address)); chain.AddRule(rule); var sync = new DefaultNetfilterSync <IpTablesRule>(); (System.GetChain(adapter, IpTable, IpChain) as IpTablesChain).Sync(adapter, chain.Rules, sync); Logger.LogInformation($"Whitelisted {address}"); }
private void DropIPInternal(IPAddress address) { if (address == null) { return; } using var adapter = System.GetTableAdapter(4); var chain = System.GetChain(adapter, IpTable, IpChain) as IpTablesChain; var rule = chain.Rules.FirstOrDefault(x => x.GetCommand().Contains($"{address}")); if (rule == null) { return; } chain.DeleteRule(rule); var sync = new DefaultNetfilterSync <IpTablesRule>(); (System.GetChain(adapter, IpTable, IpChain) as IpTablesChain).Sync(adapter, chain.Rules, sync); Logger.LogInformation($"Blacklisted {address}"); }
public void TestNatDoNothing() { var mock = new MockIptablesSystemFactory(); var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter()); IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>() { "-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80", "-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80" }, system); IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>() { "-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80", "-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80" }, system); List <String> expectedCommands = new List <String>() { }; var sync = new DefaultNetfilterSync <IpTablesRule>(); mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, sync, expectedCommands); }
private async Task RefreshIPWhiteListAsync() { await AccessSemaphore.WaitAsync(); Logger.LogInformation("Refreshing iptables whitelist..."); FlushIPsInternal(); try { using var scope = Provider.CreateScope(); var dbContext = scope.ServiceProvider.GetRequiredService <MinerContext>(); using var adapter = System.GetTableAdapter(4); var miners = await dbContext.Miners.ToListAsync(); var rules = new List <string>(); foreach (var miner in miners.Where(x => x.LastAddress != null && //Has an IP x.NextIncrement >= DateTimeOffset.UtcNow - TimeSpan.FromHours(1))) //Has updated { rules.Add(GetAcceptRule(miner.LastAddress)); } var ruleSet = new IpTablesRuleSet(4, rules, System); var sync = new DefaultNetfilterSync <IpTablesRule>(); (System.GetChain(adapter, IpTable, IpChain) as IpTablesChain).Sync(adapter, ruleSet.Rules, sync); Logger.LogInformation("Finished refreshing iptables whitelist"); } catch (Exception ex) { Logger.LogError(ex, "There was an error while refreshing iptables whitelist"); } finally { AccessSemaphore.Release(); } }