Re structured codebase and added code for handling interfaces

Author: Kudzai P Matizirofa

__pycache__/firewall.cpython-311.pyc

@@ -0,0 +1,70 @@
+import socket
+import time
+import threading
+from netaddr import IPNetwork
+import psutil
+import datetime
+import logging
+import ctypes, sys
+from firewall.firewall import check_packet
+from firewall.packet import ethernet_frame, ipv4_packet, tcp_packet, udp_packet
+from firewall.util import PROTOCOLS
+
+#The software should run with admin permissions
+ctypes.windll.shell32.ShellExecuteW(None, "runas", sys.executable, " ".join(sys.argv), None, 1)
+
+logging.basicConfig(level=logging.INFO, filename="firewall.log", filemode="w")
+
+# Create Send Socket for all the interfaces
+send_sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
+send_sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+send_sock.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
+
+def sendpacket(conn: socket.socket, payload, dst_ip):
+    try:
+        conn.sendto(payload, (dst_ip, 0))
+    except PermissionError as broadcastError:
+        print(broadcastError)
+        pass
+    except OSError as Error:
+        print(Error)
+        pass
+
+
+def bind_sockets(interface):
+    # create a socket connection to listen for packets
+    conn = socket.socket(socket.AF_PACKET, socket.SOCK_RAW,socket.ntohs(0x0800))
+    conn.bind((interface[0], 0))
+    try:
+        # continuously receive/listen for data
+        while True:
+            # send(bytes[, flags])
+            raw_data, _ = conn.recvfrom(65536)
+            """ 
+            Create and gather the frame details from an ethernet instance
+            """
+            dest_mac, src_mac, eth_protocol, eth_data = ethernet_frame(raw_data)  # gather the frame details
+            src_port, dst_port = 0, 0
+            
+            if eth_protocol == 8:
+                s_addr, d_addr, protocol, ip_header = ipv4_packet(eth_data[14:34])
+                logging.info(f"[{datetime.datetime.now()}] {interface[0]} ({d_addr}) >  {PROTOCOLS[protocol]}")
+                if protocol == 6:
+                    # Extract the TCP dst & src Ports
+                    src_port, dst_port = tcp_packet(eth_data[34:54])
+
+                elif protocol == 17:
+                    # Extract the UDP dst & src Ports
+                    src_port, dest_port, size, data = udp_packet(eth_data[34:42])
+                    
+                """ 
+                All traffic is denied by default and only routes specified
+                in the rules list are allowed 
+                """
+                if check_packet(s_addr, d_addr, src_port, dst_port):
+                    sendpacket(send_sock, eth_data[14:], d_addr)
+                else:
+                    logging.error(f"<FAILED ROUTE>[{datetime.datetime.now()}] {interface[0]} ({s_addr}, {d_addr}) >  {PROTOCOLS[protocol]}")
+    except KeyboardInterrupt:
+        print("\n[END] STOPPED")
+        return

__pycache__/main.cpython-311.pyc

@@ -1,7 +1,8 @@
 import os
 import csv
 
-from rule_list import get_all_rules
+from firewall.rule_list import get_all_rules
+
 """
 manages a collection of rule object.
 """
@@ -34,10 +35,5 @@ def check_packet(src_addr, dst_addr, src_port, dst_port):
                         continue
         return False
     except Exception as e:
-        print(f"[ERR] Error reading rules: {e}")
+        print(f"[ERR] Error: {e}")
         return False
-
-# print(check_packet("0.0.0.0", "127.0.0.0", 22, 22))
-# print(check_packet("192.168.2.100", "192.168.1.100", 22, 0))
-print(check_packet("192.168.2.100", "100", 80, 90))
-print(check_packet("192.168.3.100", "10.0.0.100", 0, 0))

__pycache__/packet.cpython-311.pyc

@@ -0,0 +1,90 @@
+import random
+import time
+import struct
+import socket
+import binascii
+
+"""
+Represents a network packet with source and destination IP addresses
+"""
+
+### Methods to handle protocols
+def mac_addr(mac_add_bytes):
+    # convert the bytes to string
+    return ':'.join(map('{:02x}'.format, mac_add_bytes)).upper()
+
+
+def ethernet_frame(data):
+    dest_mac, src_mac, eth_protocol = struct.unpack('!6s6sH', data[:14])
+    return mac_addr(dest_mac), mac_addr(src_mac), socket.htons(eth_protocol), data
+
+
+def ipv4_packet(ip_header):
+    iph = struct.unpack('!BBHHHBBH4s4s', ip_header[:20])
+
+    version_ihl = iph[0]
+    version = version_ihl >> 4
+
+    ih_len = (version_ihl & 0xF) * 4
+    ttl = iph[5]
+    protocol = iph[6]
+
+    s_addr = socket.inet_ntoa(iph[8])
+    d_addr = socket.inet_ntoa(iph[9])
+
+    return s_addr, d_addr, protocol, ip_header[ih_len:]
+
+
+def icmp_packet(data):
+    icmp_type, code, checksum = struct.unpack('!BBH', data[:4])
+    if icmp_type == 0:
+        type_status = "0 (Echo Reply)"
+    elif icmp_type == 8:
+        type_status = "8 (Echo Request)"
+    return (icmp_type, type_status), code, checksum, data[4:]
+
+
+def tcp_packet(packet_buffer):
+    tcp_raw_data = struct.unpack("!2s2s4s4s2s2s2s2s", packet_buffer)
+    src_port = binary_to_ascii(tcp_raw_data[0])
+    dst_port = binary_to_ascii(tcp_raw_data[1])
+
+    return int(src_port, 16), int(dst_port, 16)
+
+def binary_to_ascii(binary_data):
+    return binascii.hexlify(binary_data).decode("utf-8")
+
+def udp_packet(data):
+    src_port, dest_port, size = struct.unpack('!HH2xH', data)
+    return src_port, dest_port, size, data[8:]
+
+
+def arp_packet(arp_header):
+    arph = struct.unpack("!2s2s1s1s2s6s4s6s4s", arp_header)
+
+    # convert bytes to hex and then decode it as string
+    protocol_size = binascii.hexlify(arph[3]).decode('utf-8')
+    protocol_type = binascii.hexlify(arph[1]).decode('utf-8')
+
+    # get the mac address bytes and convert it to a string
+    src_mac = mac_addr(arph[5])
+    dst_mac = mac_addr(arph[7])
+
+    # get the ip bytes and convert it to an IP string
+    src_ip = socket.inet_ntoa(arph[6])
+    dst_ip = socket.inet_ntoa(arph[8])
+
+    return src_ip, dst_ip, src_mac, dst_mac, protocol_type, protocol_size
+
+
+def ipv6_packet(data):
+    ipv6_first_word, payload_legth, protocol, hoplimit = struct.unpack(">IHBB", data[0:8])
+    src_ip = socket.inet_ntop(socket.AF_INET6, data[8:24])
+    dst_ip = socket.inet_ntop(socket.AF_INET6, data[24:40])
+
+    version = ipv6_first_word >> 28
+    traffic_class = int(ipv6_first_word >> 16) & 4095
+    flow_label = int(ipv6_first_word) & 65535
+
+    return src_ip, dst_ip, protocol, data[40:]
+

__pycache__/util.cpython-311.pyc

@@ -1,4 +1,4 @@
-from rule import Rule
+from firewall.rule import Rule
 
 __rules = [
     Rule(False, "192.168.8.100", "0", "224.0.0.251", "0").get_rule(),

firewall.log

@@ -0,0 +1,35 @@
+import  json, psutil
+
+PROTOCOLS = {
+    1: "ICMP",
+    6: "TCP",
+    17: "UDP"
+}
+
+
+def compare_rules(rule1, rule2):
+    if str(rule1).strip() == str(rule2).strip():
+        return True
+    return False
+
+def get_interfaces():
+    addrs = psutil.net_if_addrs()
+    try:
+        interfaces = {}
+        for key in addrs.keys():
+            if key == "lo":
+                continue
+            else:
+                interface_ip = addrs[key][0].broadcast.split(".")[0:3]
+                interface_ip.append("0")
+                interface_ip = ".".join(interface_ip)
+                interfaces[key] = {"network":interface_ip,"ip":addrs[key][0].address, "netmask": addrs[key][0].netmask}
+        return interfaces
+    except AttributeError:
+        return interfaces
+    except Exception as e:
+        print(f"Error getting interfaces : {e}")
+        exit()
+
+def pprint(string):
+    print(json.dumps(string, indent=2))

firewall/__pycache__/core.cpython-311.pyc

@@ -0,0 +1,30 @@
+import threading
+import time
+from firewall.core import bind_sockets
+from firewall.firewall import check_packet 
+from firewall.util import get_interfaces
+
+
+##Test 
+# print(check_packet("192.168.2.100", "100", 80, 90))
+# print(check_packet("192.168.3.100", "10.0.0.100", 0, 0))
+
+interfaces = get_interfaces()
+
+if len(interfaces.items()) < 4:
+    print("Not enough interfaces")
+    exit()
+    
+for key, val in interfaces.items():
+    tr = threading.Thread(target=bind_sockets,args=([key, val],), name=key)
+    tr.setDaemon(True)
+    tr.start()
+print("FIREWALL IS RUNNING ")
+
+try:
+    while True:
+        for _ in range(10):
+            time.sleep(.2)
+except KeyboardInterrupt:
+    print("\nEXITING FIREWALL")
+    exit(1)