Prioritize allow rules on Linux

DigitalRuby · Aug 17, 2020 · 2a83e40 · 2a83e40
1 parent 223448f
commit 2a83e40
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/IPBanCore/Linux/IPBanLinuxBaseFirewall.cs b/IPBanCore/Linux/IPBanLinuxBaseFirewall.cs
@@ -198,12 +198,15 @@ protected bool CreateOrUpdateRule(string ruleName, string action, string hashTyp
             RunProcess(IpTablesProcess, true, out IReadOnlyList<string> lines, "-L --line-numbers");
             string portString = " ";
             bool replaced = false;
+            bool block = (action == "DROP");
+
             if (allowedPortsArray != null && allowedPortsArray.Length != 0)
             {
-                string portList = (action == "DROP" ? IPBanFirewallUtility.GetBlockPortRangeString(allowedPorts) :
+                string portList = (block ? IPBanFirewallUtility.GetBlockPortRangeString(allowedPorts) :
                      IPBanFirewallUtility.GetPortRangeStringAllow(allowedPorts));
                 portString = " -m multiport -p tcp --dports " + portList.Replace('-', ':') + " "; // iptables uses ':' instead of '-' for range
             }
+
             string ruleNameWithSpaces = " " + ruleName + " ";
             foreach (string line in lines)
             {
@@ -221,8 +224,9 @@ protected bool CreateOrUpdateRule(string ruleName, string action, string hashTyp
             }
             if (!replaced)
             {
-                // add a new rule
-                RunProcess(IpTablesProcess, true, $"-A INPUT -m set{portString}--match-set \"{ruleName}\" src -j {action}");
+                // add a new rule, for block add to end of list (lower priority) for allow add to begin of list (higher priority)
+                string addCommand = (block ? "-A" : "-I");
+                RunProcess(IpTablesProcess, true, $"{addCommand} INPUT -m set{portString}--match-set \"{ruleName}\" src -j {action}");
             }
 
             if (cancelToken.IsCancellationRequested)