Hellfire: A Linux Toy Firewall based on Netfilter

Hellfire is a lightweight Linux firewall built upon the Netfilter framework, designed to filter TCP, SCTP, UDP, and ICMP packets in accordance with user-defined rules.

Overview

Comprising a user-space command-line tool named hellfire and a corresponding kernel-space module hellfire_core, Hellfire enables the creation of rules to control packet flow. Communication between these spaces is facilitated through the /dev/hellfire device file, employing ioctl and write syscalls.

Features

With Hellfire, users can craft filtering rules specifying various attributes:

• Direction: Inbound or Outbound
• Interface: Inbound or Outbound
• Source: IP address, IP address range, MAC address, port number
• Destination: IP address, IP address range, port number
• Protocol: TCP, UDP, SCTP, ICMP

Each rule generated is dispatched to the hellfire_core module. This kernel module then inserts a fresh entry into the policy table, enabling the comparison of incoming packets against user-defined rules. In cases where packet attributes correspond to a defined rule, the packet is subsequently discarded.

Prerequisites

• CMake (>= 3.20)
• g++ (>=7.5.0)

Building

cd build
./builder.sh

Usage

• Install Hellfire and the necessary kernel module.
• Use the hellfire CLI tool to create filtering rules, specifying the attributes as needed.
• The hellfire_core module enforces these rules by inserting entries into the policy table.

Start

➜ sudo ./hellfire start

Stop

➜ sudo ./hellfire stop

Example

ADD rules

➜ sudo ./hellfire -A INPUT -i enp0s8 -s 192.168.56.17 -p icmp -t DROP
➜ sudo ./hellfire -A INPUT -s 192.168.56.17 -p tcp --dst-port 80 -t DROP
➜ sudo ./hellfire -A INPUT --src-mac 08:00:27:27:ee:33 -t DROP
➜ sudo ./hellfire -A INPUT --src-ip-range 192.168.56.17:192.168.56.18 -t DROP
➜ sudo ./hellfire -A OUTPUT -d 192.168.56.17 -p icmp -t DROP

LIST rules

➜ sudo ./hellfire -L INPUT -p icmp
ID:1 DEST:INPUT IFN:(null) SRC:192.168.56.17 DPT:0 PRO:icmp TGT:DROP

DELETE rules

➜ sudo ./hellfire -D INPUT -n 1

FLUSH policy table

➜ sudo ./hellfire -F all
Flushed the policy table

Help

➜ sudo ./hellfire -h
Usage:  hellfire [val | -<flag> [<val>] | --<name> [<val>] ]...

   start                       Start firewall
   stop                        Stop firewall
   -A, --append                Append policy[INPUT/OUTPUT]
   -D, --delete                Delete policy[INPUT/OUTPUT]
   -L, --list                  List policies[INPUT/OUTPUT]
   -F, --flush                 Delete all policies[all]
   -n, --num                   Policy id(only with -L and -D option)
   -i, --in-interface          Name of an interface via which a packet was received (only for packets entering the INPUT)
   -o, --out-interface         Name of an interface via which a packet is going to be sent (only for packets entering OUTPUT)
       --src-mac               Source mac address(only for packets entering the INPUT)
   -p, --protocol              The protocol of the rule or of the packet to check
   -s, --src-ip                Source ip address(only for packets entering the INPUT)
       --src-ip-range          Source ip address range[ip:ip](only for packets entering the INPUT)
       --src-port              Source port address(only with -p option)
   -d  --dst-ip                Destination ip address(only for packets entering OUTPUT)
       --dst-ip-range          Destination ip address range[ip:ip](only for packets entering the OUTPUT)
       --dst-port              Destination port address(only with -p option)
   -t, --target                A firewall rule specifies criteria for a packet[ACCEPT/DROP]
   -h, --help                  Display usage information and exit
   -v, --version               Display version information and exit

Contribution

Contributions are welcome! Feel free to fork this repository, make improvements, and submit pull requests.

License

Hellfire is licensed under the MIT License.