ISSUE-3 Allow to specify whether to add rule to the head or tail of the iptables chain

Author: tower9

config/hostblock.conf

@@ -36,6 +36,9 @@ iptables.rules.block = -s %i -j DROP
 ## Or set up new iptables chain separate for hostblock
 #iptables.rules.block = -s %i -j HB_LOG_AND_DROP
 
+## Whether to add iptables rule to the head or tail of the chain (default head)
+#iptables.rules.pos = head
+
 ## TODO Startup rules to check and add if they are missing
 ## As example to automatically add HB_LOG_AND_DROP rules if host is restarted and rules are not restored with iptables-restore
 #iptables.rules.startup = -N HB_LOG_AND_DROP

hb/src/config.cpp

@@ -153,11 +153,22 @@ bool Config::load()
 								posip = line.find("%i");
 								if (posip != std::string::npos) {
 									this->iptablesRule = line;
-									if (logDetails) this->log->debug("Iptables rule to drop packets: " + this->iptablesRule);
+									if (logDetails) this->log->debug("Iptables rule to deny access: " + this->iptablesRule);
 								} else {
 									this->log->error("Failed to parse iptables.rules.block, IP address placeholder not found! Will use default value.");
 								}
 							}
+						} else if (line.substr(0, 18) == "iptables.rules.pos") {
+							pos = line.find_first_of("=");
+							if (pos != std::string::npos) {
+								line = hb::Util::toLower(hb::Util::ltrim(line.substr(pos + 1)));
+								if (line == "tail") {
+									this->iptablesAppend = true;
+								} else {
+									this->iptablesAppend = false;
+								}
+								if (logDetails) this->log->debug("Append iptables rule: " + std::to_string(this->iptablesAppend));
+							}
 						} else if (line.substr(0, 15) == "datetime.format") {
 							pos = line.find_first_of("=");
 							if (pos != std::string::npos) {
@@ -523,6 +534,8 @@ void Config::print()
 	std::cout << "address.block.multiplier = " << this->keepBlockedScoreMultiplier << std::endl << std::endl;
 	std::cout << "## Rule to use in IP tables rule (use %i as placeholder to specify IP address)" << std::endl;
 	std::cout << "iptables.rules.block = " << this->iptablesRule << std::endl << std::endl;
+	std::cout << "## Whether to add iptables rule to the head or end of the chain (default head)" << std::endl;
+	std::cout << "iptables.rules.pos =  " << (this->iptablesAppend ? "tail" : "head") << std::endl << std::endl;
 	std::cout << "## Datetime format (default %Y-%m-%d %H:%M:%S)" << std::endl;
 	std::cout << "datetime.format = " << this->dateTimeFormat << std::endl << std::endl;
 	std::cout << "## Datafile location" << std::endl;

hb/src/config.h

@@ -38,6 +38,11 @@ class Config{
 		 */
 		std::string iptablesRule = "-s %i -j DROP";
 
+		/*
+		 * Whether to append (add to the end) or insert (add to the beginning) iptables rule
+		 */
+		bool iptablesAppend = false;
+
 		/*
 		 * Datetime format
 		 */

hb/src/data.cpp

@@ -2000,8 +2000,14 @@ bool Data::updateIptables(std::string address)
 	if (createRule == true) {
 		this->log->info("Adding rule for " + address + " to iptables chain!");
 		try {
-			if (this->iptables->append("INPUT", ruleStart + address + ruleEnd) == false) {
-				this->log->error("Address " + address + " should have iptables rule, but hostblock failed to append rule to chain!");
+			bool res = false;
+			if (this->config->iptablesAppend) {
+				res = this->iptables->append("INPUT", ruleStart + address + ruleEnd);
+			} else {
+				res = this->iptables->insert("INPUT", ruleStart + address + ruleEnd, 1);
+			}
+			if (res == false) {
+				this->log->error("Address " + address + " should have iptables rule, but hostblock failed to add rule to chain!");
 				return false;
 			} else {
 				if (this->suspiciousAddresses.count(address) > 0) {
@@ -2014,7 +2020,7 @@ bool Data::updateIptables(std::string address)
 		} catch (std::runtime_error& e) {
 			std::string message = e.what();
 			this->log->error(message);
-			this->log->error("Address " + address + " should have iptables rule, but hostblock failed to append rule to chain!");
+			this->log->error("Address " + address + " should have iptables rule, but hostblock failed to add rule to chain!");
 			return false;
 		}
 	}

hb/src/iptables.cpp

@@ -63,7 +63,7 @@ bool Iptables::newChain(std::string chain)
 }
 
 /*
- * Append rule to chain
+ * Append rule to the end of the chain
  */
 bool Iptables::append(std::string chain, std::string rule)
 {
@@ -91,7 +91,7 @@ bool Iptables::append(std::string chain, std::string rule)
 }
 
 /*
- * Append rules to chain
+ * Append multiple rules to the end of the chain
  */
 bool Iptables::append(std::string chain, std::vector<std::string>* rules)
 {
@@ -117,6 +117,61 @@ bool Iptables::append(std::string chain, std::vector<std::string>* rules)
 	return true;
 }
 
+/*
+ * Insert rule to the chain at specified position
+ */
+bool Iptables::insert(std::string chain, std::string rule, int pos)
+{
+	// Need root access to work with iptables
+	if (cunistd::getuid() != 0) {
+		throw std::runtime_error("Error, root access required to work with iptables!");
+	}
+
+	// Prepare command
+	std::string cmd = "iptables -I " + chain + " " + std::to_string(pos) + " " + rule;
+	int response = 0;
+	if (!std::system(NULL)) {
+		throw std::runtime_error("Command processor not available.");
+	}
+
+	// Exec command
+	response = std::system(cmd.c_str());
+
+	// Check response
+	if (response == 0) {
+		return true;
+	} else {
+		throw std::runtime_error("Failed to execute iptables, returned code: " + std::to_string(response));
+	}
+}
+
+/*
+ * Append multiple rules at specified position in chain
+ */
+bool Iptables::insert(std::string chain, std::vector<std::string>* rules, int pos)
+{
+	// Need root access to work with iptables
+	if (cunistd::getuid() != 0) {
+		throw std::runtime_error("Error, root access required to work with iptables!");
+	}
+
+	int response = 0;
+	if (!std::system(NULL)) {
+		throw std::runtime_error("Command processor not available.");
+	}
+
+	std::string cmd;
+	for (std::vector<std::string>::iterator it = rules->begin(); it != rules->end(); ++it) {
+		cmd = "iptables -I " + chain + " " + std::to_string(pos) + " " + *it;
+		response = std::system(cmd.c_str());
+		if (response != 0) {
+			throw std::runtime_error("Failed to execute iptables, returned code: " + std::to_string(response));
+		}
+	}
+
+	return true;
+}
+
 /*
  * Delete rule from chain
  */

hb/src/iptables.h

@@ -28,11 +28,17 @@ class Iptables{
 		bool newChain(std::string chain);
 
 		/*
-		 * Append chain with new rule
+		 * Append new rule(s) to the end of the chain
 		 */
 		bool append(std::string chain, std::string rule);
 		bool append(std::string chain, std::vector<std::string>* rules);
 
+		/*
+		 * Insert rule(s) to the chain at specified position
+		 */
+		bool insert(std::string chain, std::string rule, int pos = 1);
+		bool insert(std::string chain, std::vector<std::string>* rules, int pos = 1);
+
 		/*
 		 * Delete rule from chain
 		 */

hb/src/main.cpp

@@ -879,7 +879,13 @@ int main(int argc, char *argv[])
 
 											// Add rule based on new config
 											try {
-												if (iptables.append("INPUT", config.iptablesRule.substr(0, posip) + regexSearchResult + config.iptablesRule.substr(posip + 2)) == false) {
+												bool res = false;
+												if (config.iptablesAppend) {
+													res = iptables.append("INPUT", config.iptablesRule.substr(0, posip) + regexSearchResult + config.iptablesRule.substr(posip + 2));
+												} else {
+													res = iptables.insert("INPUT", config.iptablesRule.substr(0, posip) + regexSearchResult + config.iptablesRule.substr(posip + 2), 1);
+												}
+												if (res == false) {
 													log.error("Trying to update rule for address " + regexSearchResult + " based on updated configuraiton, but failed to add rule based on new configuration!");
 												} else {
 													sait->second.iptableRule = true;

hb/src/util.h

@@ -12,7 +12,7 @@
 
 namespace hb{
 
-static const std::string kHostblockVersion = "1.0.2";
+static const std::string kHostblockVersion = "1.0.3";
 
 enum Report {
 	False,