Linux Kernel FireWall based on Linux Netfilter
- Stateful firewall
- Dynamic NAT
- Filter log
Ubuntu 12.04
Linux 3.5.0
/*
 * One filter rule, as handed to FW_ADD_RULE / FW_REMOVE_RULE.
 * Byte order of the address and port fields is not stated in this
 * header (the later structs use __be32/__be16) — confirm against the
 * kernel side before filling them in.
 */
struct Rule {
    unsigned int sip;        /* source address */
    unsigned int dip;        /* destination address */
    unsigned short sport;    /* source port */
    unsigned short dport;    /* destination port */
    unsigned short protocol; /* protocol number the rule matches */
    unsigned short sMask;    /* source mask; 16 bits, so presumably a prefix length rather than a full IPv4 netmask — confirm */
    unsigned short dMask;    /* destination mask, same caveat as sMask */
    bool accept;             /* accept (true) or reject the matching packet */
    bool log;                /* record matches in the filter log */
    struct Rule *next;       /* list link; NOTE(review): user space passes whatever is here into the kernel — confirm the kernel ignores it rather than following it */
};
typedef struct Rule Rule;
HostInfo defines the inner network. The ip is usually the address of the interface facing the inner network, which in most cases is the firewall's own IP. The mask is usually the netmask of that interface, which in most cases is the firewall's own mask.
/*
 * Inner-network description passed to FW_START_NAT_TRANSFORM: the
 * address and mask of the interface facing the inner net (per the
 * text above, normally the firewall's own).
 */
struct HostInfo {
    __be32 ip;   /* inner-interface address, network byte order */
    __be16 mask; /* NOTE(review): 16 bits cannot hold a full IPv4 netmask; looks like a prefix length or a truncated mask — confirm what the kernel expects */
};
typedef struct HostInfo HostInfo;
/*
 * One dynamic-NAT mapping, as returned by FW_REFRESH_NAT_RULE.
 * Going by the field names, ip/port are the values before translation
 * and natip/natport the values after it; byte order is not stated here.
 */
struct NATRule {
    unsigned int ip;        /* address before translation (by name; confirm) */
    unsigned int natip;     /* address after translation */
    unsigned short port;    /* port before translation */
    unsigned short natport; /* port after translation */
    struct NATRule *next;   /* kernel list link; NOTE(review): if entries are copied to user space verbatim this field exposes a kernel address — confirm it is zeroed before the copy */
};
typedef struct NATRule NATRule;
/*
 * Broken-down timestamp used for connection creation times and log
 * entries. Ranges and time zone are not stated here — presumably
 * calendar values as a human would read them; confirm on the kernel side.
 */
struct mtime {
    int year;
    int month;
    int day;
    int hour;
    int min;
    int sec;
};
typedef struct mtime mtime;
/*
 * One tracked connection of the stateful filter, as returned by
 * FW_REFRESH_ACTIVELINK.
 */
struct ActiveLink {
    __be32 sip;              /* source address, network byte order */
    __be32 dip;              /* destination address, network byte order */
    __be16 sport;            /* source port, network byte order */
    __be16 dport;            /* destination port, network byte order */
    __u8 protocol;           /* protocol number */
    mtime createtime;        /* when the entry was created (by name; confirm) */
    __u8 lifetime;           /* remaining life of the entry; unit not stated here — confirm */
    bool log;                /* whether traffic on this connection is logged */
    struct ActiveLink *next; /* kernel list link; NOTE(review): if entries are copied to user space verbatim this field exposes a kernel address — confirm it is zeroed before the copy */
};
typedef struct ActiveLink ActiveLink;
/*
 * One filter-log entry, as returned by FW_WRITE_LOG.
 */
struct Log {
    __be32 sip;       /* source address, network byte order */
    __be32 dip;       /* destination address, network byte order */
    __be16 sport;     /* source port, network byte order */
    __be16 dport;     /* destination port, network byte order */
    __u8 protocol;    /* protocol number */
    mtime time;       /* when the packet was logged (by name; confirm) */
    bool accept;      /* verdict that was applied to the packet */
    struct Log *next; /* kernel list link; NOTE(review): if entries are copied to user space verbatim this field exposes a kernel address — confirm it is zeroed before the copy */
};
typedef struct Log Log;
User-space programs communicate with the kernel module through ioctl calls on a character device.
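/* Add a filter rule. Zero the struct first so padding and any field you
 * do not set are not stale stack bytes when the kernel copies it in. */
Rule rule = {0};
/* Fill in sip, dip, sport, dport, protocol, sMask, dMask, accept and log.
 * Leave rule.next NULL; it is presumably ignored by the kernel. */
if (ioctl(fd, FW_ADD_RULE, &rule) < 0) {
    /* request rejected; errno describes why */
}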
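/* Remove a filter rule. Zero the struct first so padding and any field you
 * do not set are not stale stack bytes when the kernel copies it in. */
Rule rule = {0};
/* Fill in the same fields as the rule that was added, so the kernel can
 * match it. Leave rule.next NULL; it is presumably ignored by the kernel. */
if (ioctl(fd, FW_REMOVE_RULE, &rule) < 0) {
    /* request rejected; errno describes why */
}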
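/* Remove every filter rule. Check the result: silently ignoring a failure
 * leaves the firewall in a state different from what the caller assumes. */
if (ioctl(fd, FW_CLEAR_RULE, NULL) < 0) {
    /* request rejected; errno describes why */
}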
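/* Start dynamic NAT. Zero the struct first so the kernel never sees stale
 * stack bytes in padding or an unset field. */
HostInfo hostInfo = {0};
/* Fill in ip and mask for the interface facing the inner network. */
if (ioctl(fd, FW_START_NAT_TRANSFORM, &hostInfo) < 0) {
    /* request rejected; errno describes why */
}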
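/* Stop dynamic NAT. Check the result so a failure is not mistaken for
 * NAT being switched off. */
if (ioctl(fd, FW_STOP_NAT_TRANSFORM, NULL) < 0) {
    /* request rejected; errno describes why */
}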
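/* Fetch the current NAT table: ask for its length, allocate, then copy.
 * calloc replaces the C++ `new NATRule[NATLen]` of the original snippet:
 * this is C, it zero-fills, and it checks the size multiplication. */
int NATLen = 0;
NATRule *NATRules = NULL;
if (ioctl(fd, FW_GET_NAT_LEN, &NATLen) < 0) {
    /* cannot size the buffer; errno describes why */
} else if (NATLen > 0) {
    NATRules = calloc((size_t)NATLen, sizeof *NATRules);
}
/* NOTE(review): the table may grow between the two ioctls. If the kernel
 * writes its current entry count rather than at most NATLen entries, this
 * buffer is overrun — confirm the kernel bounds the copy, or pass the
 * allocated length along with the buffer. */
if (NATRules != NULL && ioctl(fd, FW_REFRESH_NAT_RULE, NATRules) < 0) {
    free(NATRules);
    NATRules = NULL;
}
/* NATRules now holds NATLen entries, or is NULL if the table is empty or a
 * call failed. free() it when done. */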
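/* Fetch the active-connection table: ask for its length, allocate, copy.
 * calloc replaces the C++ `new ActiveLink[linkLen]` of the original
 * snippet: this is C, it zero-fills, and it checks the size multiplication. */
int linkLen = 0;
ActiveLink *activeLinks = NULL;
if (ioctl(fd, FW_GET_ACTIVELINK_LEN, &linkLen) < 0) {
    /* cannot size the buffer; errno describes why */
} else if (linkLen > 0) {
    activeLinks = calloc((size_t)linkLen, sizeof *activeLinks);
}
/* NOTE(review): new connections may appear between the two ioctls. If the
 * kernel writes its current entry count rather than at most linkLen
 * entries, this buffer is overrun — confirm the kernel bounds the copy,
 * or pass the allocated length along with the buffer. */
if (activeLinks != NULL && ioctl(fd, FW_REFRESH_ACTIVELINK, activeLinks) < 0) {
    free(activeLinks);
    activeLinks = NULL;
}
/* activeLinks now holds linkLen entries, or is NULL if the table is empty
 * or a call failed. free() it when done. */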
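/* Fetch the filter log. The original snippet passed an uninitialised
 * `Log *logs` to the kernel; the buffer has to be allocated from the
 * reported length first, like the NAT and active-link tables above. */
int logLen = 0;
Log *logs = NULL;
if (ioctl(fd, FW_GET_LOG_LEN, &logLen) < 0) {
    /* cannot size the buffer; errno describes why */
} else if (logLen > 0) {
    logs = calloc((size_t)logLen, sizeof *logs);
}
/* NOTE(review): entries may be logged between the two ioctls. If the
 * kernel writes its current entry count rather than at most logLen
 * entries, this buffer is overrun — confirm the kernel bounds the copy,
 * or pass the allocated length along with the buffer. */
if (logs != NULL && ioctl(fd, FW_WRITE_LOG, logs) < 0) {
    free(logs);
    logs = NULL;
}
/* logs now holds logLen entries, or is NULL if the log is empty or a call
 * failed. free() it when done. */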
First change to the directory containing MarsFireWallKernel.c, then run the following as root:
# Root shell: the leading '#' on the command lines below is the prompt.
# Build the module.
# make
# Load the built module. NOTE(review): insmod takes the path of the built object (normally a .ko file) — confirm the exact name make produces.
# insmod MarsFireWallKernel
# Create the character device node that the ioctl examples open. The major number 250 is hard-coded here; NOTE(review): confirm it matches the major the module registers, since a mismatch sends every ioctl to a different driver. Every ioctl above changes firewall state, so keep this node's permissions restricted to root.
# mknod MarsFireWall c 250 0
Coming soon