adri1

Untitled

Aug 28th, 2017
  1. /***********************************
  2. * Nobody Firewall *
  3. * *
  4. * @Author: Nobody *
  5. * @Version: 0.1 BETA FIX #2 *
  6. * @Date: 26/08/2017 *
  7. * *
  8. * Thanks to Silver Moon & n3ptun0 *
  9. **********************************/
  10.  
  11. /* ==================================== [ INCLUDES ] ==================================== */
  12. #include <stdio.h>
  13. #include <stdlib.h>
  14. #include <string.h>
  15. #include <unistd.h>
  16. #include <time.h>
  17. #include <pcap.h>
  18. #include <sys/socket.h>
  19. #include <arpa/inet.h>
  20. #include <net/ethernet.h>
  21. #include <netinet/udp.h>
  22. #include <netinet/ip.h>
  23. #include <pthread.h>
  24.  
  25. /* ==================================== [ DEFINES ] ==================================== */
  /* Build-time switch: uncomment to print one line per classified packet. */
  //#define FLAG_DEBUG
  #define FIREWALL_VERSION "0.1 BETA"
  #define SLEEP_SECONDS (1)   /* length of one counting window, in seconds */
  #define MAX_QUERIES (60)    /* query packets tolerated per host per window */
  #define MAX_COOKIES (5)     /* cookie packets tolerated per host per window */
  #define STRUCT_NUMBER (700) /* number of slots in the per-host table below */

  typedef unsigned int uint;

  /* Capture path: pcap callback, UDP parser, and the two payload classifiers. */
  void ProcessPackets(u_char*, const struct pcap_pkthdr*, const u_char*);
  void ProcessUDPPacket(const u_char*, int);
  void ProcessSAMPPacket(char* host, u_short port, u_short dst_port, uint query);
  void ProcessCookiePacket(char* host, u_short port, u_short dst_port);

  /* Counter maintenance: background thread body and the reset it performs. */
  void* threadCheck(void* ptr);
  void threadReload();

  /* Enforcement and table lookup. */
  void Ban(char* host, u_short port, u_short dst_port, int type);
  int CheckIfExists(char* host);

  /*
   * One tracked source address and its packet counts for the current window.
   * A slot whose host is the string "127.0.0.1" is treated as free by the
   * classifiers (threadReload() writes that value into every slot).
   */
  struct userPackets
  {
      char host[30];
      long int CookiePackets;
      long int QueryPackets;
  };

  /*
   * Fixed-size tracking table. It is written by the capture callbacks and
   * reset by the threadCheck() thread; no lock is taken around either access
   * in this file, so the two threads can race on the same slot.
   */
  struct userPackets ddosInfo[STRUCT_NUMBER];

  /* Scratch addresses filled in by ProcessUDPPacket() for each packet. */
  struct sockaddr_in source, dest;

  /* State used by Ban() when it writes a timestamped line to the log file. */
  FILE* logfile;
  time_t _rw;
  struct tm *tm;
  57. /* ==================================== [ FUNCTIONS ] ==================================== */
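  /*
   * Entry point: resets the per-host counters, starts the thread that resets
   * them every SLEEP_SECONDS, picks a capture interface (argv[1], or the
   * interface of the default route listed in /proc/net/route), and then runs
   * the pcap capture loop on inbound traffic.
   *
   * Returns 0 when the capture loop ends normally, 1 when it ends with an
   * error; start-up failures terminate the process with exit(1).
   *
   * NOTE(review): packet capture and the iptables call made by Ban() normally
   * require elevated privileges, so every parser reached from here handles
   * untrusted network input in a privileged process.
   */
  int main(int argc, char* argv[])
  {
      pcap_if_t *alldevsp = NULL;
      pcap_t* handle;
      char errbuf[PCAP_ERRBUF_SIZE];
      /* Function-scope storage: the interface name has to stay valid until
         pcap_open_live() is called, so it cannot live inside the read loop. */
      char default_iface[100];
      char* iface = NULL;
      const char* prog = (argc > 0 && argv[0] != NULL) ? argv[0] : "nfwall";
      const int have_arg = (argc >= 2 && argv[1] != NULL);
      pthread_t thread1;

      threadReload();
      if (pthread_create(&thread1, NULL, threadCheck, NULL) != 0)
      {
          /* Without the reset thread the counters only grow, and every host
             would eventually cross the ban threshold. */
          printf("[!] Error: unable to start the counter reset thread.\n");
          exit(1);
      }

      // get interface
      if (have_arg)
      {
          iface = argv[1];
      }
      else
      {
          FILE* f = fopen("/proc/net/route", "r");
          if (f == NULL)
          {
              printf("[!] Error: unable to read /proc/net/route.\n");
              exit(1);
          }

          char line[100];
          while (fgets(line, sizeof(line), f))
          {
              char* p = strtok(line, " \t");
              char* c = strtok(NULL, " \t");
              /* Destination 00000000 marks the default route. */
              if (p != NULL && c != NULL && strcmp(c, "00000000") == 0)
              {
                  snprintf(default_iface, sizeof(default_iface), "%s", p);
                  iface = default_iface;
                  break;
              }
          }
          fclose(f);

          if (iface == NULL)
          {
              printf("[!] Error: no default interface found.\n");
              printf("[!] Usage: %s <iface>\n", prog);
              exit(1);
          }
      }

      system("clear");
      printf("######################################################\n");
      printf("# Nobody Firewall v"FIREWALL_VERSION" started. #\n");
      printf("######################################################\n");
      if (argc < 2) printf("[!] Usage: %s <iface>\n", prog);
  #ifdef FLAG_DEBUG
      printf("[!] Information: Debug flag is enabled.\n");
  #endif
      if (!have_arg)
          printf("[!] Warning: Using default interface: \"%s\".\n\n", iface);

      printf("[!] Finding available devices, please wait...");
      if (pcap_findalldevs(&alldevsp, errbuf))
      {
          printf("\n[!] Error finding devices: %s\n", errbuf);
          exit(1);
      }
      /* The list is only used as an availability check; release it. */
      pcap_freealldevs(alldevsp);
      printf(" Done.\n");

      printf("[!] Opening device \"%s\" for sniffing...", iface);
      handle = pcap_open_live(iface, 65536, 1, 0, errbuf);

      if (handle == NULL)
      {
          printf("\n[!] Couldn't open device \"%s\": %s\n", iface, errbuf);
          exit(1);
      }
      printf(" Done.\n");

      /* Fail closed: if the capture cannot be limited to inbound packets,
         this host's own outbound traffic would be counted as well and its
         own address could end up in a DROP rule. */
      if (pcap_setdirection(handle, PCAP_D_IN) < 0)
      {
          printf("[!] Couldn't restrict capture to inbound packets: %s\n", pcap_geterr(handle));
          pcap_close(handle);
          exit(1);
      }

      int rc = pcap_loop(handle, -1, ProcessPackets, NULL);
      if (rc < 0)
          printf("[!] Capture loop stopped: %s\n", pcap_geterr(handle));
      pcap_close(handle);
      return rc < 0 ? 1 : 0;
  }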
  119.  
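  /*
   * pcap_loop() callback: hands IPv4/UDP frames to ProcessUDPPacket() and
   * ignores everything else.
   *
   * args   - user pointer from pcap_loop(); unused.
   * header - capture metadata; caplen is the number of bytes present in buffer.
   * buffer - captured frame.
   *
   * NOTE(review): the fixed sizeof(struct ethhdr) offset assumes an Ethernet
   * link layer; confirm the datalink type of the capture device.
   */
  void ProcessPackets(u_char* args, const struct pcap_pkthdr* header, const u_char* buffer)
  {
      (void)args;

      /* Never read an IP header that was not fully captured: the frame
         content and length are chosen by the remote sender. */
      if (header == NULL || buffer == NULL)
          return;
      if (header->caplen < sizeof(struct ethhdr) + sizeof(struct iphdr))
          return;

      const struct iphdr* iph = (const struct iphdr*)(buffer + sizeof(struct ethhdr));

      /* Non-IPv4 frames (ARP, IPv6, ...) must not be read through an IPv4
         header layout. */
      if (iph->version != 4)
          return;

      if (iph->protocol == IPPROTO_UDP)
      {
          /* Pass the captured length, which is what bounds the buffer. */
          ProcessUDPPacket(buffer, (int)header->caplen);
      }
      //printf("Logging packets...\r");
  }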
  133.  
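  /*
   * Parses one Ethernet/IPv4/UDP frame and classifies its payload.
   *
   * buffer - start of the captured frame (Ethernet header first).
   * size   - number of bytes available in buffer.
   *
   * Payloads starting with the bytes "SAMP" are counted as query packets,
   * with payload byte 10 passed on as the query type; payloads matching
   * 0x08 0x1e ?? 0xda are counted as cookie packets. Both checks are applied
   * independently. The globals `source` and `dest` are overwritten with the
   * packet's addresses.
   *
   * Every offset is checked against `size` before it is read, because header
   * lengths and payload size are controlled by the sender.
   */
  void ProcessUDPPacket(const u_char* buffer, int size)
  {
      const size_t eth_len = sizeof(struct ethhdr);

      if (buffer == NULL || size < 0)
          return;
      const size_t avail = (size_t)size;
      if (avail < eth_len + sizeof(struct iphdr))
          return;

      const struct iphdr* iph = (const struct iphdr*)(buffer + eth_len);
      const size_t iphdrlen = (size_t)iph->ihl * 4;
      /* An IHL below 5 words is not a valid IPv4 header. */
      if (iphdrlen < sizeof(struct iphdr))
          return;

      /* The original used sizeof of the udphdr *pointer* here, which only
         matches the 8-byte UDP header on platforms with 8-byte pointers. */
      const size_t header_size = eth_len + iphdrlen + sizeof(struct udphdr);
      if (avail < header_size)
          return;

      memset(&source, 0, sizeof(source));
      source.sin_addr.s_addr = iph->saddr;

      memset(&dest, 0, sizeof(dest));
      dest.sin_addr.s_addr = iph->daddr;

      const struct udphdr* udph = (const struct udphdr*)(buffer + eth_len + iphdrlen);
      const u_char* packet = buffer + header_size;
      const size_t payload_len = avail - header_size;

      /* Query packet: needs bytes 0..3 for the tag and byte 10 for the type. */
      if (payload_len >= 11 &&
          packet[0] == 0x53 && packet[1] == 0x41 && packet[2] == 0x4d && packet[3] == 0x50)
          ProcessSAMPPacket(inet_ntoa(source.sin_addr), ntohs(udph->source), ntohs(udph->dest), (uint)packet[10]);

      /* Cookie packet: byte 2 is deliberately not compared. */
      if (payload_len >= 4 &&
          packet[0] == 0x08 && packet[1] == 0x1e /* && packet[2] == 0x?? */ && packet[3] == 0xda)
          ProcessCookiePacket(inet_ntoa(source.sin_addr), ntohs(udph->source), ntohs(udph->dest));

      /*#ifdef FLAG_DEBUG
      if ((uint)packet[0] == 0x28 && ntohs(udph->len) == 12) // incoming connection
      printf("[!] Incoming connection packet from %s.\n", inet_ntoa(source.sin_addr));
      #endif*/
  }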
  163.  
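  /*
   * Counts one query packet for `host` and bans the host when it exceeds
   * MAX_QUERIES within the current counting window.
   *
   * host     - dotted-quad source address of the packet.
   * port     - UDP source port (host byte order).
   * dst_port - UDP destination port (host byte order).
   * query    - query type byte from the payload; only used for debug output.
   *
   * If the host is not tracked yet it takes the first free slot. When all
   * STRUCT_NUMBER slots are taken the packet is not counted at all, so a
   * flood spread over many source addresses can escape the per-host limit.
   */
  void ProcessSAMPPacket(char* host, u_short port, u_short dst_port, uint query)
  {
  #ifdef FLAG_DEBUG
      printf("[!] Incoming query:%c packet from %s:%d to port %d.\n", query, host, port, dst_port);
  #endif
      int check = CheckIfExists(host);
      if (check != -1)
      {
          ddosInfo[check].QueryPackets++;
          /* Ban exactly once per window, on the packet that crosses the
             limit. Banning on every later packet would spawn one iptables
             process and append one duplicate rule per packet, since the
             capture presumably still sees the traffic after the DROP rule. */
          if (ddosInfo[check].QueryPackets == MAX_QUERIES + 1)
          {
              /* Argument order is (host, port, dst_port, type); type 1 is
                 reported as "Query Flood". The original passed the type in
                 the port position. */
              Ban(ddosInfo[check].host, port, dst_port, 1);
          }
          return;
      }

      /* Not tracked yet: claim the first slot still holding the free marker. */
      for (int i = 0; i < STRUCT_NUMBER; i++)
      {
          if (strcmp(ddosInfo[i].host, "127.0.0.1") == 0)
          {
              snprintf(ddosInfo[i].host, sizeof(ddosInfo[i].host), "%s", host);
              ddosInfo[i].QueryPackets += 1;
              break;
          }
      }
  }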
  190.  
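  /*
   * Counts one cookie packet for `host` and bans the host when it exceeds
   * MAX_COOKIES within the current counting window.
   *
   * host     - dotted-quad source address of the packet.
   * port     - UDP source port (host byte order).
   * dst_port - UDP destination port (host byte order).
   *
   * If the host is not tracked yet it takes the first free slot. When all
   * STRUCT_NUMBER slots are taken the packet is not counted at all, so a
   * flood spread over many source addresses can escape the per-host limit.
   */
  void ProcessCookiePacket(char* host, u_short port, u_short dst_port)
  {
  #ifdef FLAG_DEBUG
      printf("[!] Incoming cookie packet from %s:%d to port %d.\n", host, port, dst_port);
  #endif
      int check = CheckIfExists(host);
      if (check != -1)
      {
          ddosInfo[check].CookiePackets++;
          /* Ban exactly once per window, on the packet that crosses the
             limit. Banning on every later packet would spawn one iptables
             process and append one duplicate rule per packet, since the
             capture presumably still sees the traffic after the DROP rule. */
          if (ddosInfo[check].CookiePackets == MAX_COOKIES + 1)
          {
              /* Argument order is (host, port, dst_port, type); any type
                 other than 1 is reported as "Cookie Flood". The original
                 passed the type in the port position. */
              Ban(ddosInfo[check].host, port, dst_port, 0);
          }
          return;
      }

      /* Not tracked yet: claim the first slot still holding the free marker. */
      for (int i = 0; i < STRUCT_NUMBER; i++)
      {
          if (strcmp(ddosInfo[i].host, "127.0.0.1") == 0)
          {
              snprintf(ddosInfo[i].host, sizeof(ddosInfo[i].host), "%s", host);
              ddosInfo[i].CookiePackets += 1;
              break;
          }
      }
  }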
  217.  
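  /*
   * Reports an attack on stdout, appends a timestamped line to nfwall.txt and
   * adds an iptables DROP rule for the source address.
   *
   * host     - dotted-quad IPv4 address to block; anything else is rejected.
   * port     - UDP source port of the offending packet.
   * dst_port - UDP destination port of the offending packet.
   * type     - 1 is reported as "Query Flood", any other value as "Cookie Flood".
   *
   * Security notes for operators:
   *  - The address comes from the IP header of a UDP packet, which the sender
   *    can forge. A source-address ban can therefore be turned against a
   *    legitimate host; an allowlist and rule expiry are worth considering.
   *  - `host` is interpolated into a shell command, so it is parsed with
   *    inet_pton() first; only a literal IPv4 address reaches system().
   *  - system() resolves "iptables" through PATH. NOTE(review): in a
   *    privileged process an absolute path or exec with an explicit argv is
   *    the safer choice.
   *  - The rule is appended without checking for an existing one, so a host
   *    banned in several windows ends up with several identical rules.
   */
  void Ban(char* host, u_short port, u_short dst_port, int type)
  {
      /* Worst case (15-character address, 5-digit ports) is 98 characters
         plus the terminator; the original 85-byte buffer could overflow. */
      char buffer[128];
      char cmd[64];
      struct in_addr parsed;

      if (host == NULL || inet_pton(AF_INET, host, &parsed) != 1)
      {
          printf("[!] Refusing to block a malformed address.\n");
          return;
      }

      snprintf(buffer, sizeof(buffer), "Incoming attack from %s:%d to port %d. Attack type: %s. Blocking it.\n", host, port, dst_port, (type == 1 ? "Query Flood" : "Cookie Flood"));
      printf("[!] %s", buffer);

      time(&_rw);
      tm = localtime(&_rw);
      logfile = fopen("nfwall.txt", "a");
      if (logfile == NULL)
      {
          /* Logging is best effort; the block below still goes ahead. */
          printf("[!] Unable to open log file.\n");
      }
      else
      {
          if (tm != NULL)
              fprintf(logfile, "[%02d/%02d/%02d - %02d:%02d:%02d] %s", tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday, tm->tm_hour, tm->tm_min, tm->tm_sec, buffer);
          else
              fprintf(logfile, "%s", buffer);
          fclose(logfile);
          logfile = NULL; /* do not leave a closed stream in the global */
      }

      int written = snprintf(cmd, sizeof(cmd), "iptables -A INPUT -s %s -j DROP", host);
      if (written < 0 || (size_t)written >= sizeof(cmd))
      {
          printf("[!] Unable to build the iptables command.\n");
          return;
      }
      if (system(cmd) != 0)
          printf("[!] iptables did not accept the rule for %s.\n", host);
  }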
  234.  
  /*
   * Looks up `host` in the tracking table.
   *
   * Returns the index of the first slot whose host string equals `host`, or
   * -1 when no slot matches. Free slots hold the string "127.0.0.1", so a
   * lookup for that literal address returns the first free slot.
   */
  int CheckIfExists(char* host)
  {
      int found = -1;
      int slot = 0;

      while (found == -1 && slot < STRUCT_NUMBER)
      {
          if (!strcmp(ddosInfo[slot].host, host))
              found = slot;
          slot++;
      }
      return found;
  }
  245.  
  /*
   * Clears the tracking table: every slot gets the free marker "127.0.0.1"
   * as its host and both packet counters set to zero.
   *
   * Called once from main() before capture starts and then from the
   * threadCheck() thread; no lock is taken here.
   */
  void threadReload()
  {
      struct userPackets* entry = ddosInfo;
      struct userPackets* const last = ddosInfo + STRUCT_NUMBER;

      while (entry != last)
      {
          strcpy(entry->host, "127.0.0.1");
          entry->CookiePackets = 0;
          entry->QueryPackets = 0;
          ++entry;
      }
  }
  256.  
  /*
   * Thread body: once every SLEEP_SECONDS, resets all per-host counters by
   * calling threadReload(). Never returns.
   *
   * ptr - pthread start argument; unused.
   */
  void* threadCheck(void* ptr)
  {
      (void)ptr;

      for (;;)
      {
          sleep(SLEEP_SECONDS);
          threadReload();
      }
  }