cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

rooter iptables rules should be cleaned up properly upon unexpected stop #1505

Open azza39925 opened 7 years ago

azza39925 commented 7 years ago

When I try to use rooter with the internet routing I seem to not get any communication from the agent. Then after a while, the rooter will crash. Everything was working before I used rooter. Everything like the agent having admin rights and the network settings is correct. All "#" have been removed and changed to "//" for readability.

rooter error

```
Traceback (most recent call last):
  File "/usr/local/bin/cuckoo", line 11, in <module>
    load_entry_point('Cuckoo==2.0.2', 'console_scripts', 'cuckoo')()
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 716, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 696, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 1060, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 889, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 534, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/decorators.py", line 17, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/main.py", line 360, in rooter
    cuckoo_rooter(socket, group, ifconfig, service, iptables, ip)
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/apps/rooter.py", line 351, in cuckoo_rooter
    command, addr = server.recvfrom(4096)
socket.error: [Errno 4] Interrupted system call
```

routing.conf

```
[routing]
route = internet
internet = wlp2s0
rt_table = main
```

/etc/iproute2/rt_tables

```
// reserved values
255 local
254 main
253 default
0 unspec

// local
//1 inr.ruhep
400 wlp2s0
```

azza39925 commented 7 years ago

I was able to fix this by changing the iptables manually, and adding the rule to accept connections back to the default gateway. Also I noticed that when rooter closes it doesn't clean up the iptables rules. Then, if it doesn't flush the rules, they will double up and cause issues.

jbremer commented 7 years ago

Yeah, that's kind of the task of the Cuckoo daemon rather than the Cuckoo Rooter. The Rooter is, currently, a simple stateless API for a set of root commands. Ideas on improving this in Cuckoo would be great, perhaps we should implement some additional cleanup methods or so.

rholloway commented 7 years ago

I think some better cleanup methods throughout are probably needed for iptables. I just got into a strange situation where every other analysis job would fail because the agent couldn't reach the result server. I managed to fix it by restoring the initial iptables and restarting the cuckoo services, and it seems to be gone for now, but I imagine the state will get messed up again if I restart the cuckoo services more.

For me, it seems as though the rules to accept from guest destined for resultserver were not created for some jobs and everything was simply being dropped.

This is also using internet mode fwiw.

jbremer commented 7 years ago

The rooter crash has now been addressed, see also the commit above. With regards to the iptables rules not being cleaned up correctly, I hope to address that properly in Cuckoo sometime. Will keep this issue alive, but change the title accordingly.

Idea: clean up all of the iptables rules on Cuckoo startup - or at least those rules that are known for the VMs that have been configured. In the end there's not much we can do in Cuckoo if somebody decides to killall / kill -9 our processes. Doing cleanup at startup would still work in that case.
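The startup-cleanup idea above, and the doubled-up rules azza39925 describes, can be illustrated with a small added example (not Cuckoo's or rooter's own code). It parses a constructed `iptables-save` dump, counts every rule that references a configured VM IP, and emits one `iptables -D` per occurrence; the interface names, VM address and rule shapes are assumptions for the sample, not rooter's actual rules.

```python
import re
from collections import Counter

# Constructed sample of iptables-save output (not from a real host): the rules
# for VM 192.168.56.101 were appended twice by an earlier run and never flushed.
# The 10.0.0.5 rule is unrelated and must survive the cleanup.
SAMPLE_IPTABLES_SAVE = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 192.168.56.101/32 -i vboxnet0 -o wlp2s0 -j ACCEPT
-A FORWARD -s 192.168.56.101/32 -i vboxnet0 -o wlp2s0 -j ACCEPT
-A FORWARD -d 192.168.56.101/32 -i wlp2s0 -o vboxnet0 -j ACCEPT
-A FORWARD -s 10.0.0.5/32 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.56.101/32 -o wlp2s0 -j MASQUERADE
COMMIT
"""

# Matches the address of a -s/-d (or long form) match in an iptables rule spec.
IP_RE = re.compile(r"(?:-s|-d|--source|--destination)\s+(\d+\.\d+\.\d+\.\d+)")

def parse_rules(save_text):
    """Yield (table, rule_spec) for every -A line in iptables-save output."""
    table = None
    for line in save_text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A ") and table:
            yield table, line[3:]

def stale_rule_counts(save_text, vm_ips):
    """Count each distinct rule that references one of the configured VM IPs."""
    wanted = set(vm_ips)
    counts = Counter()
    for table, spec in parse_rules(save_text):
        if any(ip in wanted for ip in IP_RE.findall(spec)):
            counts[(table, spec)] += 1
    return counts

def cleanup_commands(save_text, vm_ips):
    """Return the iptables -D commands that remove every rule for the VMs."""
    cmds = []
    # iptables -D removes only the first matching rule, so a rule that was
    # appended N times needs N deletes; a single delete leaves a duplicate.
    for (table, spec), n in sorted(stale_rule_counts(save_text, vm_ips).items()):
        cmds.extend(["iptables -t %s -D %s" % (table, spec)] * n)
    return cmds
```

Run `cleanup_commands(SAMPLE_IPTABLES_SAVE, ["192.168.56.101"])` to get the four delete commands; on a real host the input would come from `iptables-save` and the VM IPs from the machinery configuration.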