import { exec, execSync } from 'child_process';
import { promisify } from 'util';
const execAsync = promisify(exec);
/**
* Represents a port range for forwarding
*/
export interface IPortRange {
from: number;
to: number;
}
/**
* Settings for IPTablesProxy.
*/
export interface IIpTableProxySettings {
// Basic settings
fromPort: number | IPortRange | Array<number | IPortRange>; // Support single port, port range, or multiple ports/ranges
toPort: number | IPortRange | Array<number | IPortRange>;
toHost?: string; // Target host for proxying; defaults to 'localhost'
// Advanced settings
preserveSourceIP?: boolean; // If true, the original source IP is preserved
deleteOnExit?: boolean; // If true, clean up marked iptables rules before process exit
protocol?: 'tcp' | 'udp' | 'all'; // Protocol to forward, defaults to 'tcp'
enableLogging?: boolean; // Enable detailed logging
ipv6Support?: boolean; // Enable IPv6 support (ip6tables)
// Source filtering
allowedSourceIPs?: string[]; // If provided, only these IPs are allowed
bannedSourceIPs?: string[]; // If provided, these IPs are blocked
// Rule management
forceCleanSlate?: boolean; // Clear all IPTablesProxy rules before starting
addJumpRule?: boolean; // Add a custom chain for cleaner rule management
checkExistingRules?: boolean; // Check if rules already exist before adding
// Integration with PortProxy/NetworkProxy
netProxyIntegration?: {
enabled: boolean;
redirectLocalhost?: boolean; // Redirect localhost traffic to NetworkProxy
sslTerminationPort?: number; // Port where NetworkProxy handles SSL termination
};
}
/**
* Represents a rule added to iptables
*/
interface IpTablesRule {
table: string;
chain: string;
command: string;
tag: string;
added: boolean;
}
/**
* IPTablesProxy sets up iptables NAT rules to forward TCP traffic.
* Enhanced with multi-port support, IPv6, and integration with PortProxy/NetworkProxy.
*/
export class IPTablesProxy {
public settings: IIpTableProxySettings;
private rules: IpTablesRule[] = [];
private ruleTag: string;
private customChain: string | null = null;
constructor(settings: IIpTableProxySettings) {
// Validate inputs to prevent command injection
this.validateSettings(settings);
// Set default settings
this.settings = {
...settings,
toHost: settings.toHost || 'localhost',
protocol: settings.protocol || 'tcp',
enableLogging: settings.enableLogging !== undefined ? settings.enableLogging : false,
ipv6Support: settings.ipv6Support !== undefined ? settings.ipv6Support : false,
checkExistingRules: settings.checkExistingRules !== undefined ? settings.checkExistingRules : true,
netProxyIntegration: settings.netProxyIntegration || { enabled: false }
};
// Generate a unique identifier for the rules added by this instance
this.ruleTag = `IPTablesProxy:${Date.now()}:${Math.random().toString(36).substr(2, 5)}`;
if (this.settings.addJumpRule) {
this.customChain = `IPTablesProxy_${Math.random().toString(36).substr(2, 5)}`;
}
// Register cleanup handlers if deleteOnExit is true
if (this.settings.deleteOnExit) {
const cleanup = () => {
try {
this.stopSync();
} catch (err) {
console.error('Error cleaning iptables rules on exit:', err);
}
};
process.on('exit', cleanup);
process.on('SIGINT', () => {
cleanup();
process.exit();
});
process.on('SIGTERM', () => {
cleanup();
process.exit();
});
}
}
/**
* Validates settings to prevent command injection and ensure valid values
*/
private validateSettings(settings: IIpTableProxySettings): void {
// Validate port numbers
const validatePorts = (port: number | IPortRange | Array<number | IPortRange>) => {
if (Array.isArray(port)) {
port.forEach(p => validatePorts(p));
return;
}
if (typeof port === 'number') {
if (port < 1 || port > 65535) {
throw new Error(`Invalid port number: ${port}`);
}
} else if (typeof port === 'object') {
if (port.from < 1 || port.from > 65535 || port.to < 1 || port.to > 65535 || port.from > port.to) {
throw new Error(`Invalid port range: ${port.from}-${port.to}`);
}
}
};
validatePorts(settings.fromPort);
validatePorts(settings.toPort);
// Define regex patterns at the method level so they're available throughout
const ipRegex = /^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$/;
const ipv6Regex = /^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$/;
// Validate IP addresses
const validateIPs = (ips?: string[]) => {
if (!ips) return;
for (const ip of ips) {
if (!ipRegex.test(ip) && !ipv6Regex.test(ip)) {
throw new Error(`Invalid IP address format: ${ip}`);
}
}
};
validateIPs(settings.allowedSourceIPs);
validateIPs(settings.bannedSourceIPs);
// Validate toHost - only allow hostnames or IPs
if (settings.toHost) {
const hostRegex = /^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$/;
if (!hostRegex.test(settings.toHost) && !ipRegex.test(settings.toHost) && !ipv6Regex.test(settings.toHost)) {
throw new Error(`Invalid host format: ${settings.toHost}`);
}
}
}
/**
* Normalizes port specifications into an array of port ranges
*/
private normalizePortSpec(portSpec: number | IPortRange | Array<number | IPortRange>): IPortRange[] {
const result: IPortRange[] = [];
if (Array.isArray(portSpec)) {
// If it's an array, process each element
for (const spec of portSpec) {
result.push(...this.normalizePortSpec(spec));
}
} else if (typeof portSpec === 'number') {
// Single port becomes a range with the same start and end
result.push({ from: portSpec, to: portSpec });
} else {
// Already a range
result.push(portSpec);
}
return result;
}
/**
* Gets the appropriate iptables command based on settings
*/
private getIptablesCommand(isIpv6: boolean = false): string {
return isIpv6 ? 'ip6tables' : 'iptables';
}
/**
* Checks if a rule already exists in iptables
*/
private async ruleExists(table: string, command: string, isIpv6: boolean = false): Promise<boolean> {
try {
const iptablesCmd = this.getIptablesCommand(isIpv6);
const { stdout } = await execAsync(`${iptablesCmd}-save -t ${table}`);
// Convert the command to the format found in iptables-save output
// (This is a simplification - in reality, you'd need more parsing)
const rulePattern = command.replace(`${iptablesCmd} -t ${table} -A `, '-A ');
return stdout.split('\n').some(line => line.trim() === rulePattern);
} catch (err) {
this.log('error', `Failed to check if rule exists: ${err}`);
return false;
}
}
/**
* Sets up a custom chain for better rule management
*/
private async setupCustomChain(isIpv6: boolean = false): Promise<boolean> {
if (!this.customChain) return true;
const iptablesCmd = this.getIptablesCommand(isIpv6);
const table = 'nat';
try {
// Create the chain
await execAsync(`${iptablesCmd} -t ${table} -N ${this.customChain}`);
this.log('info', `Created custom chain: ${this.customChain}`);
// Add jump rule to PREROUTING chain
const jumpCommand = `${iptablesCmd} -t ${table} -A PREROUTING -j ${this.customChain} -m comment --comment "${this.ruleTag}:JUMP"`;
await execAsync(jumpCommand);
this.log('info', `Added jump rule to ${this.customChain}`);
// Store the jump rule
this.rules.push({
table,
chain: 'PREROUTING',
command: jumpCommand,
tag: `${this.ruleTag}:JUMP`,
added: true
});
return true;
} catch (err) {
this.log('error', `Failed to set up custom chain: ${err}`);
return false;
}
}
/**
* Add a source IP filter rule
*/
private async addSourceIPFilter(isIpv6: boolean = false): Promise<boolean> {
if (!this.settings.allowedSourceIPs && !this.settings.bannedSourceIPs) {
return true;
}
const iptablesCmd = this.getIptablesCommand(isIpv6);
const table = 'nat';
const chain = this.customChain || 'PREROUTING';
try {
// Add banned IPs first (explicit deny)
if (this.settings.bannedSourceIPs && this.settings.bannedSourceIPs.length > 0) {
for (const ip of this.settings.bannedSourceIPs) {
const command = `${iptablesCmd} -t ${table} -A ${chain} -s ${ip} -j DROP -m comment --comment "${this.ruleTag}:BANNED"`;
// Check if rule already exists
if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
this.log('info', `Rule already exists, skipping: ${command}`);
continue;
}
await execAsync(command);
this.log('info', `Added banned IP rule: ${command}`);
this.rules.push({
table,
chain,
command,
tag: `${this.ruleTag}:BANNED`,
added: true
});
}
}
// Add allowed IPs (explicit allow)
if (this.settings.allowedSourceIPs && this.settings.allowedSourceIPs.length > 0) {
// First add a default deny for all
const denyAllCommand = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} -j DROP -m comment --comment "${this.ruleTag}:DENY_ALL"`;
// Add allow rules for specific IPs
for (const ip of this.settings.allowedSourceIPs) {
const command = `${iptablesCmd} -t ${table} -A ${chain} -s ${ip} -p ${this.settings.protocol} -j ACCEPT -m comment --comment "${this.ruleTag}:ALLOWED"`;
// Check if rule already exists
if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
this.log('info', `Rule already exists, skipping: ${command}`);
continue;
}
await execAsync(command);
this.log('info', `Added allowed IP rule: ${command}`);
this.rules.push({
table,
chain,
command,
tag: `${this.ruleTag}:ALLOWED`,
added: true
});
}
// Now add the default deny after all allows
if (this.settings.checkExistingRules && await this.ruleExists(table, denyAllCommand, isIpv6)) {
this.log('info', `Rule already exists, skipping: ${denyAllCommand}`);
} else {
await execAsync(denyAllCommand);
this.log('info', `Added default deny rule: ${denyAllCommand}`);
this.rules.push({
table,
chain,
command: denyAllCommand,
tag: `${this.ruleTag}:DENY_ALL`,
added: true
});
}
}
return true;
} catch (err) {
this.log('error', `Failed to add source IP filter rules: ${err}`);
return false;
}
}
/**
* Adds a port forwarding rule
*/
private async addPortForwardingRule(
fromPortRange: IPortRange,
toPortRange: IPortRange,
isIpv6: boolean = false
): Promise<boolean> {
const iptablesCmd = this.getIptablesCommand(isIpv6);
const table = 'nat';
const chain = this.customChain || 'PREROUTING';
try {
// Handle single port case
if (fromPortRange.from === fromPortRange.to && toPortRange.from === toPortRange.to) {
// Single port forward
const command = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} --dport ${fromPortRange.from} ` +
`-j DNAT --to-destination ${this.settings.toHost}:${toPortRange.from} ` +
`-m comment --comment "${this.ruleTag}:DNAT"`;
// Check if rule already exists
if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
this.log('info', `Rule already exists, skipping: ${command}`);
} else {
await execAsync(command);
this.log('info', `Added port forwarding rule: ${command}`);
this.rules.push({
table,
chain,
command,
tag: `${this.ruleTag}:DNAT`,
added: true
});
}
} else if (fromPortRange.to - fromPortRange.from === toPortRange.to - toPortRange.from) {
// Port range forward with equal ranges
const command = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} --dport ${fromPortRange.from}:${fromPortRange.to} ` +
`-j DNAT --to-destination ${this.settings.toHost}:${toPortRange.from}-${toPortRange.to} ` +
`-m comment --comment "${this.ruleTag}:DNAT_RANGE"`;
// Check if rule already exists
if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
this.log('info', `Rule already exists, skipping: ${command}`);
} else {
await execAsync(command);
this.log('info', `Added port range forwarding rule: ${command}`);
this.rules.push({
table,
chain,
command,
tag: `${this.ruleTag}:DNAT_RANGE`,
added: true
});
}
} else {
// Unequal port ranges need individual rules
for (let i = 0; i <= fromPortRange.to - fromPortRange.from; i++) {
const fromPort = fromPortRange.from + i;
const toPort = toPortRange.from + i % (toPortRange.to - toPortRange.from + 1);
const command = `${iptablesCmd} -t ${table} -A ${chain} -p ${this.settings.protocol} --dport ${fromPort} ` +
`-j DNAT --to-destination ${this.settings.toHost}:${toPort} ` +
`-m comment --comment "${this.ruleTag}:DNAT_INDIVIDUAL"`;
// Check if rule already exists
if (this.settings.checkExistingRules && await this.ruleExists(table, command, isIpv6)) {
this.log('info', `Rule already exists, skipping: ${command}`);
continue;
}
await execAsync(command);
this.log('info', `Added individual port forwarding rule: ${command}`);
this.rules.push({
table,
chain,
command,
tag: `${this.ruleTag}:DNAT_INDIVIDUAL`,
added: true
});
}
}
// If preserveSourceIP is false, add a MASQUERADE rule
if (!this.settings.preserveSourceIP) {
// For port range
const masqCommand = `${iptablesCmd} -t nat -A POSTROUTING -p ${this.settings.protocol} -d ${this.settings.toHost} ` +
`--dport ${toPortRange.from}:${toPortRange.to} -j MASQUERADE ` +
`-m comment --comment "${this.ruleTag}:MASQ"`;
// Check if rule already exists
if (this.settings.checkExistingRules && await this.ruleExists('nat', masqCommand, isIpv6)) {
this.log('info', `Rule already exists, skipping: ${masqCommand}`);
} else {
await execAsync(masqCommand);
this.log('info', `Added MASQUERADE rule: ${masqCommand}`);
this.rules.push({
table: 'nat',
chain: 'POSTROUTING',
command: masqCommand,
tag: `${this.ruleTag}:MASQ`,
added: true
});
}
}
return true;
} catch (err) {
this.log('error', `Failed to add port forwarding rule: ${err}`);
// Try to roll back any rules that were already added
await this.rollbackRules();
return false;
}
}
/**
* Special handling for NetworkProxy integration
*/
private async setupNetworkProxyIntegration(isIpv6: boolean = false): Promise<boolean> {
if (!this.settings.netProxyIntegration?.enabled) {
return true;
}
const netProxyConfig = this.settings.netProxyIntegration;
const iptablesCmd = this.getIptablesCommand(isIpv6);
const table = 'nat';
const chain = this.customChain || 'PREROUTING';
try {
// If redirectLocalhost is true, set up special rule to redirect localhost traffic to NetworkProxy
if (netProxyConfig.redirectLocalhost && netProxyConfig.sslTerminationPort) {
const redirectCommand = `${iptablesCmd} -t ${table} -A OUTPUT -p tcp -d 127.0.0.1 -j REDIRECT ` +
`--to-port ${netProxyConfig.sslTerminationPort} ` +
`-m comment --comment "${this.ruleTag}:NETPROXY_REDIRECT"`;
// Check if rule already exists
if (this.settings.checkExistingRules && await this.ruleExists(table, redirectCommand, isIpv6)) {
this.log('info', `Rule already exists, skipping: ${redirectCommand}`);
} else {
await execAsync(redirectCommand);
this.log('info', `Added NetworkProxy redirection rule: ${redirectCommand}`);
this.rules.push({
table,
chain: 'OUTPUT',
command: redirectCommand,
tag: `${this.ruleTag}:NETPROXY_REDIRECT`,
added: true
});
}
}
return true;
} catch (err) {
this.log('error', `Failed to set up NetworkProxy integration: ${err}`);
return false;
}
}
/**
* Rolls back rules that were added in case of error
*/
private async rollbackRules(): Promise<void> {
// Process rules in reverse order (LIFO)
for (let i = this.rules.length - 1; i >= 0; i--) {
const rule = this.rules[i];
if (rule.added) {
try {
// Convert -A (add) to -D (delete)
const deleteCommand = rule.command.replace('-A', '-D');
await execAsync(deleteCommand);
this.log('info', `Rolled back rule: ${deleteCommand}`);
rule.added = false;
} catch (err) {
this.log('error', `Failed to roll back rule: ${err}`);
}
}
}
}
/**
* Sets up iptables rules for port forwarding with enhanced features
*/
public async start(): Promise<void> {
// Optionally clean the slate first
if (this.settings.forceCleanSlate) {
await IPTablesProxy.cleanSlate();
}
// First set up any custom chains
if (this.settings.addJumpRule) {
const chainSetupSuccess = await this.setupCustomChain();
if (!chainSetupSuccess) {
throw new Error('Failed to set up custom chain');
}
// For IPv6 if enabled
if (this.settings.ipv6Support) {
const chainSetupSuccessIpv6 = await this.setupCustomChain(true);
if (!chainSetupSuccessIpv6) {
this.log('warn', 'Failed to set up IPv6 custom chain, continuing with IPv4 only');
}
}
}
// Add source IP filters
await this.addSourceIPFilter();
if (this.settings.ipv6Support) {
await this.addSourceIPFilter(true);
}
// Set up NetworkProxy integration if enabled
if (this.settings.netProxyIntegration?.enabled) {
const netProxySetupSuccess = await this.setupNetworkProxyIntegration();
if (!netProxySetupSuccess) {
this.log('warn', 'Failed to set up NetworkProxy integration');
}
if (this.settings.ipv6Support) {
await this.setupNetworkProxyIntegration(true);
}
}
// Normalize port specifications
const fromPortRanges = this.normalizePortSpec(this.settings.fromPort);
const toPortRanges = this.normalizePortSpec(this.settings.toPort);
// Handle the case where fromPort and toPort counts don't match
if (fromPortRanges.length !== toPortRanges.length) {
if (toPortRanges.length === 1) {
// If there's only one toPort, use it for all fromPorts
for (const fromRange of fromPortRanges) {
await this.addPortForwardingRule(fromRange, toPortRanges[0]);
if (this.settings.ipv6Support) {
await this.addPortForwardingRule(fromRange, toPortRanges[0], true);
}
}
} else {
throw new Error('Mismatched port counts: fromPort and toPort arrays must have equal length or toPort must be a single value');
}
} else {
// Add port forwarding rules for each port specification
for (let i = 0; i < fromPortRanges.length; i++) {
await this.addPortForwardingRule(fromPortRanges[i], toPortRanges[i]);
if (this.settings.ipv6Support) {
await this.addPortForwardingRule(fromPortRanges[i], toPortRanges[i], true);
}
}
}
// Final check - ensure we have at least one rule added
if (this.rules.filter(r => r.added).length === 0) {
throw new Error('No rules were added');
}
}
/**
* Removes all added iptables rules
*/
public async stop(): Promise<void> {
// Process rules in reverse order (LIFO)
for (let i = this.rules.length - 1; i >= 0; i--) {
const rule = this.rules[i];
if (rule.added) {
try {
// Convert -A (add) to -D (delete)
const deleteCommand = rule.command.replace('-A', '-D');
await execAsync(deleteCommand);
this.log('info', `Removed rule: ${deleteCommand}`);
rule.added = false;
} catch (err) {
this.log('error', `Failed to remove rule: ${err}`);
}
}
}
// If we created a custom chain, we need to clean it up
if (this.customChain) {
try {
// First flush the chain
await execAsync(`iptables -t nat -F ${this.customChain}`);
this.log('info', `Flushed custom chain: ${this.customChain}`);
// Then delete it
await execAsync(`iptables -t nat -X ${this.customChain}`);
this.log('info', `Deleted custom chain: ${this.customChain}`);
// Same for IPv6 if enabled
if (this.settings.ipv6Support) {
try {
await execAsync(`ip6tables -t nat -F ${this.customChain}`);
await execAsync(`ip6tables -t nat -X ${this.customChain}`);
this.log('info', `Deleted IPv6 custom chain: ${this.customChain}`);
} catch (err) {
this.log('error', `Failed to delete IPv6 custom chain: ${err}`);
}
}
} catch (err) {
this.log('error', `Failed to delete custom chain: ${err}`);
}
}
// Clear rules array
this.rules = [];
}
/**
* Synchronous version of stop, for use in exit handlers
*/
public stopSync(): void {
// Process rules in reverse order (LIFO)
for (let i = this.rules.length - 1; i >= 0; i--) {
const rule = this.rules[i];
if (rule.added) {
try {
// Convert -A (add) to -D (delete)
const deleteCommand = rule.command.replace('-A', '-D');
execSync(deleteCommand);
this.log('info', `Removed rule: ${deleteCommand}`);
rule.added = false;
} catch (err) {
this.log('error', `Failed to remove rule: ${err}`);
}
}
}
// If we created a custom chain, we need to clean it up
if (this.customChain) {
try {
// First flush the chain
execSync(`iptables -t nat -F ${this.customChain}`);
// Then delete it
execSync(`iptables -t nat -X ${this.customChain}`);
this.log('info', `Deleted custom chain: ${this.customChain}`);
// Same for IPv6 if enabled
if (this.settings.ipv6Support) {
try {
execSync(`ip6tables -t nat -F ${this.customChain}`);
execSync(`ip6tables -t nat -X ${this.customChain}`);
} catch (err) {
// IPv6 failures are non-critical
}
}
} catch (err) {
this.log('error', `Failed to delete custom chain: ${err}`);
}
}
// Clear rules array
this.rules = [];
}
/**
* Asynchronously cleans up any iptables rules in the nat table that were added by this module.
* It looks for rules with comments containing "IPTablesProxy:".
*/
public static async cleanSlate(): Promise<void> {
await IPTablesProxy.cleanSlateInternal();
// Also clean IPv6 rules
await IPTablesProxy.cleanSlateInternal(true);
}
/**
* Internal implementation of cleanSlate with IPv6 support
*/
private static async cleanSlateInternal(isIpv6: boolean = false): Promise<void> {
const iptablesCmd = isIpv6 ? 'ip6tables' : 'iptables';
try {
const { stdout } = await execAsync(`${iptablesCmd}-save -t nat`);
const lines = stdout.split('\n');
const proxyLines = lines.filter(line => line.includes('IPTablesProxy:'));
// First, find and remove any custom chains
const customChains = new Set<string>();
const jumpRules: string[] = [];
for (const line of proxyLines) {
if (line.includes('IPTablesProxy:JUMP')) {
// Extract chain name from jump rule
const match = line.match(/\s+-j\s+(\S+)\s+/);
if (match && match[1].startsWith('IPTablesProxy_')) {
customChains.add(match[1]);
jumpRules.push(line);
}
}
}
// Remove jump rules first
for (const line of jumpRules) {
const trimmedLine = line.trim();
if (trimmedLine.startsWith('-A')) {
// Replace the "-A" with "-D" to form a deletion command
const deleteRule = trimmedLine.replace('-A', '-D');
const cmd = `${iptablesCmd} -t nat ${deleteRule}`;
try {
await execAsync(cmd);
console.log(`Cleaned up iptables jump rule: ${cmd}`);
} catch (err) {
console.error(`Failed to remove iptables jump rule: ${cmd}`, err);
}
}
}
// Then remove all other rules
for (const line of proxyLines) {
if (!line.includes('IPTablesProxy:JUMP')) { // Skip jump rules we already handled
const trimmedLine = line.trim();
if (trimmedLine.startsWith('-A')) {
// Replace the "-A" with "-D" to form a deletion command
const deleteRule = trimmedLine.replace('-A', '-D');
const cmd = `${iptablesCmd} -t nat ${deleteRule}`;
try {
await execAsync(cmd);
console.log(`Cleaned up iptables rule: ${cmd}`);
} catch (err) {
console.error(`Failed to remove iptables rule: ${cmd}`, err);
}
}
}
}
// Finally clean up custom chains
for (const chain of customChains) {
try {
// Flush the chain
await execAsync(`${iptablesCmd} -t nat -F ${chain}`);
console.log(`Flushed custom chain: ${chain}`);
// Delete the chain
await execAsync(`${iptablesCmd} -t nat -X ${chain}`);
console.log(`Deleted custom chain: ${chain}`);
} catch (err) {
console.error(`Failed to delete custom chain ${chain}:`, err);
}
}
} catch (err) {
console.error(`Failed to run ${iptablesCmd}-save: ${err}`);
}
}
/**
* Synchronously cleans up any iptables rules in the nat table that were added by this module.
* It looks for rules with comments containing "IPTablesProxy:".
* This method is intended for use in process exit handlers.
*/
public static cleanSlateSync(): void {
IPTablesProxy.cleanSlateSyncInternal();
// Also clean IPv6 rules
IPTablesProxy.cleanSlateSyncInternal(true);
}
/**
* Internal implementation of cleanSlateSync with IPv6 support
*/
private static cleanSlateSyncInternal(isIpv6: boolean = false): void {
const iptablesCmd = isIpv6 ? 'ip6tables' : 'iptables';
try {
const stdout = execSync(`${iptablesCmd}-save -t nat`).toString();
const lines = stdout.split('\n');
const proxyLines = lines.filter(line => line.includes('IPTablesProxy:'));
// First, find and remove any custom chains
const customChains = new Set<string>();
const jumpRules: string[] = [];
for (const line of proxyLines) {
if (line.includes('IPTablesProxy:JUMP')) {
// Extract chain name from jump rule
const match = line.match(/\s+-j\s+(\S+)\s+/);
if (match && match[1].startsWith('IPTablesProxy_')) {
customChains.add(match[1]);
jumpRules.push(line);
}
}
}
// Remove jump rules first
for (const line of jumpRules) {
const trimmedLine = line.trim();
if (trimmedLine.startsWith('-A')) {
// Replace the "-A" with "-D" to form a deletion command
const deleteRule = trimmedLine.replace('-A', '-D');
const cmd = `${iptablesCmd} -t nat ${deleteRule}`;
try {
execSync(cmd);
console.log(`Cleaned up iptables jump rule: ${cmd}`);
} catch (err) {
console.error(`Failed to remove iptables jump rule: ${cmd}`, err);
}
}
}
// Then remove all other rules
for (const line of proxyLines) {
if (!line.includes('IPTablesProxy:JUMP')) { // Skip jump rules we already handled
const trimmedLine = line.trim();
if (trimmedLine.startsWith('-A')) {
const deleteRule = trimmedLine.replace('-A', '-D');
const cmd = `${iptablesCmd} -t nat ${deleteRule}`;
try {
execSync(cmd);
console.log(`Cleaned up iptables rule: ${cmd}`);
} catch (err) {
console.error(`Failed to remove iptables rule: ${cmd}`, err);
}
}
}
}
// Finally clean up custom chains
for (const chain of customChains) {
try {
// Flush the chain
execSync(`${iptablesCmd} -t nat -F ${chain}`);
// Delete the chain
execSync(`${iptablesCmd} -t nat -X ${chain}`);
console.log(`Deleted custom chain: ${chain}`);
} catch (err) {
console.error(`Failed to delete custom chain ${chain}:`, err);
}
}
} catch (err) {
console.error(`Failed to run ${iptablesCmd}-save: ${err}`);
}
}
/**
* Logging utility that respects the enableLogging setting
*/
private log(level: 'info' | 'warn' | 'error', message: string): void {
if (!this.settings.enableLogging && level === 'info') {
return;
}
const timestamp = new Date().toISOString();
switch (level) {
case 'info':
console.log(`[${timestamp}] [INFO] ${message}`);
break;
case 'warn':
console.warn(`[${timestamp}] [WARN] ${message}`);
break;
case 'error':
console.error(`[${timestamp}] [ERROR] ${message}`);
break;
}
}
}