
Commit fe4222b

refactor
1 parent 7087e02 commit fe4222b


1 file changed

+32
-42
lines changed


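--- a/jail/linux.go
+++ b/jail/linux.go
@@ -136,48 +136,38 @@ func (l *LinuxJail) Close() error {
 
 // setupIptables configures iptables rules for comprehensive TCP traffic interception
 func (l *LinuxJail) configureIptables() error {
-// Enable IP forwarding
-cmd := exec.Command("sysctl", "-w", "net.ipv4.ip_forward=1")
-_ = cmd.Run() // Ignore error
-
-// NAT rules for outgoing traffic (MASQUERADE for return traffic)
-cmd = exec.Command("iptables", "-t", "nat", "-A", "POSTROUTING", "-s", "192.168.100.0/24", "-j", "MASQUERADE")
-cmd.SysProcAttr = &syscall.SysProcAttr{
-AmbientCaps: []uintptr{uintptr(unix.CAP_NET_ADMIN)},
-}
-err := cmd.Run()
-if err != nil {
-return fmt.Errorf("failed to add NAT rule: %v", err)
-}
-
-// COMPREHENSIVE APPROACH: Route ALL TCP traffic to HTTP proxy
-// The HTTP proxy will intelligently handle both HTTP and TLS traffic
-cmd = exec.Command("iptables", "-t", "nat", "-A", "PREROUTING", "-i", l.vethHostName, "-p", "tcp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", l.httpProxyPort))
-cmd.SysProcAttr = &syscall.SysProcAttr{
-AmbientCaps: []uintptr{uintptr(unix.CAP_NET_ADMIN)},
-}
-err = cmd.Run()
-if err != nil {
-return fmt.Errorf("failed to add comprehensive TCP redirect rule: %v", err)
-}
-
-// TODO: clean up this rules
-cmd = exec.Command("iptables", "-A", "FORWARD", "-s", "192.168.100.0/24", "-j", "ACCEPT")
-cmd.SysProcAttr = &syscall.SysProcAttr{
-AmbientCaps: []uintptr{uintptr(unix.CAP_NET_ADMIN)},
-}
-err = cmd.Run()
-if err != nil {
-return fmt.Errorf("forward -s error: %v", err)
-}
-
-cmd = exec.Command("iptables", "-A", "FORWARD", "-d", "192.168.100.0/24", "-j", "ACCEPT")
-cmd.SysProcAttr = &syscall.SysProcAttr{
-AmbientCaps: []uintptr{uintptr(unix.CAP_NET_ADMIN)},
-}
-err = cmd.Run()
-if err != nil {
-return fmt.Errorf("forward -r error: %v", err)
+runner := newCommandRunner([]*command{
+{
+"enable IP forwarding",
+exec.Command("sysctl", "-w", "net.ipv4.ip_forward=1"),
+[]uintptr{},
+},
+{
+"NAT rules for outgoing traffic (MASQUERADE for return traffic)",
+exec.Command("iptables", "-t", "nat", "-A", "POSTROUTING", "-s", "192.168.100.0/24", "-j", "MASQUERADE"),
+[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+},
+{
+// COMPREHENSIVE APPROACH: Route ALL TCP traffic to HTTP proxy
+// The HTTP proxy will intelligently handle both HTTP and TLS traffic
+"Route ALL TCP traffic to HTTP proxy",
+exec.Command("iptables", "-t", "nat", "-A", "PREROUTING", "-i", l.vethHostName, "-p", "tcp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", l.httpProxyPort)),
+[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+},
+// TODO: clean up this rules
+{
+"iptables FORWARD -s",
+exec.Command("iptables", "-A", "FORWARD", "-s", "192.168.100.0/24", "-j", "ACCEPT"),
+[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+},
+{
+"iptables FORWARD -d",
+exec.Command("iptables", "-A", "FORWARD", "-d", "192.168.100.0/24", "-j", "ACCEPT"),
+[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+},
+})
+if err := runner.run(); err != nil {
+return err
 }
 
 l.logger.Debug("Comprehensive TCP boundarying enabled", "interface", l.vethHostName, "proxy_port", l.httpProxyPort)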
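Review bot: The first runner entry (the sysctl call) silently changes error handling in a commit labelled "refactor": the old code deliberately discarded its exit status (`_ = cmd.Run() // Ignore error`), but it now goes through the same runner as the iptables rules, so if `runner.run()` stops at the first failure (newCommandRunner is defined outside this hunk, so that is inferred) a sysctl failure will abort configureIptables where it previously continued, and if the runner does not stop, an iptables failure is no longer guaranteed to be reported. Either keep the best-effort call ahead of the runner, `_ = exec.Command("sysctl", "-w", "net.ipv4.ip_forward=1").Run() // best effort, as before`, or state on newCommandRunner that the first failing command aborts the sequence and its description is included in the returned error. The bare `return err` at the end also loses the per-rule context the old messages carried unless the runner wraps the error with the command description; a doc comment on the `command` struct naming its three fields and that contract would settle both points. As a matter of style, the three copies of `192.168.100.0/24` would read better as one named constant, and the positional `command` literals as keyed fields. configureIptables's body continues past the hunk.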
