sqredirect

Redirection and filtering Source Engine game traffic in a bundle with sqproxy

How it Works?

sqredirect attach eBPF filter(s) to network interface and manipulate with traffic targeting to game ports

eBPF is more efficient way to check/accept/drop packets in Linux

More in Wikipedia

BPF Performance Tools (book)

Firewall

As redirection and filtering processed before any firewall rules applied, you also need ensure target (redirect) ports are accessable from external network. If your server placed behind NAT and all rules live in router, you do not need do anything.

Requirements

• Linux
• Kernel version >= 4.4, check your by command: uname -r
• python2 or python3

Installation

TODO: Split into Ubuntu/Debian/Others like in bcc-tools README

Step 1: Install bcc-tools

• bcc-tools >= 0.10.0 (depends on Kernel version, see https://github.com/iovisor/bcc/releases)
  • Install instruction (non-Debian 10)
  • Install instruction (Debian 10)
  • You can check the current version via python -c 'import bcc; print(bcc.__version__);'

Step 2: Install sqredirect

python -m pip install sqredirect

https://pypi.org/project/sqredirect/

Usage

Automatically

Only by SQProxy

Non-root running

bcc-tools can't be used w/o root, see iovisor/bcc#1166

But you can use this snippet to restrict usage only to specified user/group:

TL;DR: move python redirect.py $@ to command and add permissions in /etc/sudoers

---

1. Copy content of this folder to /usr/src/sqredirect

2. Create file in /usr/local/bin/sqredirect with content:

   #!/bin/bash
   
   cd /usr/src/sqredirect
   exec python2 /usr/src/sqredirect/redirect.py $@

3. chmod +x /usr/local/bin/sqredirect

4. Create group network and add user to group

   addgroup network
   usermod -aG network <user-which-should-it-run>

5. Allow run sqredirect command w/o root privileges

   echo "%network ALL=(root) NOPASSWD: /usr/local/bin/sqredirect" > /etc/sudoers.d/network

More about sudoers: https://www.digitalocean.com/community/tutorials/how-to-edit-the-sudoers-file

Troubleshooting

Problem: I can't reach my server through network

Solution: Rollback any changes at network level, run in console (if you have access):

tc qdisc del dev eth0 root

replace eth0 with your interface name

Dive into Traffic Control

eBPF provide simple way to control traffic. But it's based on great Linux architecture of Traffic Control (TC).

More about TC you can learn in this document: https://people.netfilter.org/pablo/netdev0.1/papers/Linux-Traffic-Control-Classifier-Action-Subsystem-Architecture.pdf