log iptables rules

NordSecurity · Dec 12, 2024 · 12cf441 · 12cf441
1 parent bdcbc29
commit 12cf441
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/daemon/firewall/iptables/iptables.go b/daemon/firewall/iptables/iptables.go
@@ -106,6 +106,16 @@ func (ipt *IPTables) applyRule(rule firewall.Rule, add bool) error {
 			continue
 		}
 		for _, ipTableRule := range ipTablesRules {
+			if !rule.Allow {
+				prefix := fmt.Sprintf("-j LOG --log-prefix \"LOG-pre-%s\" --log-level 4", rule.Name)
+				log.Println(internal.DebugPrefix, "[iptables-debug], add rule: ", prefix)
+				logRule := strings.Replace(ipTableRule, "-j DROP", prefix, -1)
+				args := fmt.Sprintf("%s %s -w"+internal.SecondsToWaitForIptablesLock, flag, logRule)
+				out, err := exec.Command(iptableVersion, strings.Split(args, " ")...).CombinedOutput()
+				if err != nil {
+					log.Printf(internal.ErrorPrefix+" [iptables-debug]"+" failed to add rule: %ss: %s", err, string(out))
+				}
+			}
 			// -w does not accept arguments on older iptables versions
 			args := fmt.Sprintf("%s %s -w "+internal.SecondsToWaitForIptablesLock, flag, ipTableRule)
 			// #nosec G204 -- input is properly sanitized
@@ -116,6 +126,17 @@ func (ipt *IPTables) applyRule(rule firewall.Rule, add bool) error {
 				}
 				return fmt.Errorf("%s %s rule '%s': %w: %s", errStr, iptableVersion, ipTableRule, err, string(out))
 			}
+
+			if !rule.Allow {
+				prefix := fmt.Sprintf("-j LOG --log-prefix \"LOG-post-%s\" --log-level 4", rule.Name)
+				log.Println(internal.DebugPrefix, "[iptables-debug], add rule: ", prefix)
+				logRule := strings.Replace(ipTableRule, "-j DROP", prefix, -1)
+				args := fmt.Sprintf("%s %s -w"+internal.SecondsToWaitForIptablesLock, flag, logRule)
+				out, err := exec.Command(iptableVersion, strings.Split(args, " ")...).CombinedOutput()
+				if err != nil {
+					log.Printf(internal.ErrorPrefix+"[iptables-debug]"+" failed to add rule: %s: %s", err, string(out))
+				}
+			}
 		}
 	}
 	return nil

diff --git a/test/qa/test_connect.py b/test/qa/test_connect.py
@@ -23,6 +23,12 @@ def teardown_function(function):  # noqa: ARG001
     logging.log(data=info.collect())
     logging.log()
 
+    kernel_logs = sh.sudo.dmesg()
+    # Write the logs to the output file
+    with open("/opt/dist/logs/dmesg.log", "w") as file:
+        file.write("dmesg logs")
+        file.write(str(kernel_logs))
+
     sh.nordvpn.logout("--persist-token")
     sh.nordvpn.set.defaults()
     daemon.stop()