sysctl managmento for port hijacking

2023-04-12 23:53:43 +02:00
parent 37c51d6c4a
commit 63a3014676
63 changed files with 105 additions and 50 deletions
--- a/backend/app.py
+++ b/backend/app.py
@@ -7,12 +7,18 @@ from jose import jwt
 from passlib.context import CryptContext
 from fastapi_socketio import SocketManager
 from utils.sqlite import SQLite
-from utils import API_VERSION, FIREGEX_PORT, JWT_ALGORITHM, get_interfaces, refresh_frontend, DEBUG
+from utils import API_VERSION, FIREGEX_PORT, JWT_ALGORITHM, get_interfaces, refresh_frontend, DEBUG, SysctlManager
 from utils.loader import frontend_deploy, load_routers
 from utils.models import ChangePasswordModel, IpInterface, PasswordChangeForm, PasswordForm, ResetRequest, StatusModel, StatusMessageModel

 # DB init
 db = SQLite('db/firegex.db')
+sysctl = SysctlManager({
+    "net.ipv4.conf.all.forwarding": True,
+    "net.ipv6.conf.all.forwarding": True,
+    "net.ipv4.conf.all.route_localnet": True,
+    "net.ipv4.ip_forward": True
+})

 oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/login", auto_error=False)
 crypto = CryptContext(schemes=["bcrypt"], deprecated="auto")
@@ -114,6 +120,7 @@ async def startup_event():
    db.init()
    if os.getenv("HEX_SET_PSW"):
        set_psw(bytes.fromhex(os.getenv("HEX_SET_PSW")).decode())
+    sysctl.set()
    await startup()
    if not JWT_SECRET(): db.put("secret", secrets.token_hex(32))
    await refresh_frontend()
@@ -121,6 +128,7 @@ async def startup_event():
@app.on_event("shutdown")
 async def shutdown_event():
    await shutdown()
+    sysctl.reset()
    db.disconnect()

@api.post('/reset', response_model=StatusMessageModel)
@@ -130,6 +138,7 @@ async def reset_firegex(form: ResetRequest):
        db.delete()
        db.init()
        db.put("secret", secrets.token_hex(32))
+    sysctl.set()
    await reset(form)
    await refresh_frontend()
    return {'status': 'ok'}
--- a/backend/modules/regexproxy/proxy.py
+++ b/backend/modules/regexproxy/proxy.py
--- a/backend/requirements.txt
+++ b/backend/requirements.txt
--- a/backend/utils/init.py
+++ b/backend/utils/init.py
@@ -29,6 +29,34 @@ def refactor_name(name:str):
    while "  " in name: name = name.replace("  "," ")
    return name

+class SysctlManager:
+    def __init__(self, ctl_table):
+        self.old_table = {}
+        self.new_table = {}
+        if os.path.isdir("/sys_host/"):
+            self.old_table = dict()
+            self.new_table = dict(ctl_table)
+            for name in ctl_table.keys():
+                self.old_table[name] = read_sysctl(name)
+    
+    def write_table(self, table):
+        for name, value in table.items():
+            write_sysctl(name, value)
+
+    def set(self):
+        self.write_table(self.new_table)
+
+    def reset(self):
+        self.write_table(self.old_table)
+
+def read_sysctl(name:str):
+    with open(f"/sys_host/{name}", "rt") as f:
+        return "1" in f.read()
+
+def write_sysctl(name:str, value:bool):
+    with open(f"/sys_host/{name}", "wt") as f:
+        f.write("1" if value else "0")
+
 def list_files(mypath):
    from os import listdir
    from os.path import isfile, join
@@ -105,4 +133,4 @@ class NFTableManager(Singleton):
    def raw_list(self):
        return self.cmd({"list": {"ruleset": None}})["nftables"]

-            
+