log bad rcon requests at info level

include client ip in log

CHANGELOG.md

@@ -11,12 +11,47 @@ Before any major/minor/patch bump all unit tests will be run to verify they pass
 
 -   [x]
 
+## [0.6.0] - 2024-03-21
+
+### Added
+
+-   new environment variable `Q3RCON_DEBUG` for enabling debug logging. Defaults to 0.
+-   rcon responses are now logged at debug level
+-   invalid responses (rcon and query) now logged
+
+### Changed
+
+-   All packet header checking methods moved into Session struct.
+
+### Fixed
+
+-   a bug causing the proxy not to send back query responses
+
+## [0.3.0] - 2024-03-08
+
+### Added
+
+-   outgoing rcon requests now logged at info level
+-   new environment variable `Q3RCON_HOST` for specifying which ip to bind the proxy to. Defaults to `0.0.0.0`.
+
+### Changed
+
+-   now using [logrus][logrus] package for logging.
+
+### Fixed
+
+-   a `slice bounds out of range` error due to query packets being logged.
+
 ## [0.1.0] - 2024-01-27
 
--   ignore any packets whose header does match a q3 rcon/query packet.
+### Added
+
+-   only forward packets if the header matches q3 rcon/query.
 
 ## [0.0.1] - 2024-01-27
 
 ### Added
 
 -   All source files for lilproxy including full commit history.
+
+[logrus]: https://github.com/sirupsen/logrus

Dockerfile

@@ -1,12 +1,14 @@
-FROM golang:alpine
+FROM golang:1.21
 
-WORKDIR /dist
+WORKDIR /usr/src/app
 
-COPY . .
-
-# build binary and place into /usr/local/bin
+# pre-copy/cache go.mod for pre-downloading dependencies and only redownloading them in subsequent builds if they change
+COPY go.mod go.sum ./
 RUN go mod download && go mod verify
-RUN go build -v -o /usr/local/bin/q3rcon-proxy ./cmd/q3rcon-proxy
+
+# build binary and place into /usr/local/bin/
+COPY . .
+RUN go build -v -o /usr/local/bin/q3rcon-proxy ./cmd/q3rcon-proxy/
 
 # Command to run when starting the container
 ENTRYPOINT [ "q3rcon-proxy" ]

README.md

@@ -12,17 +12,17 @@ for example:
 export Q3RCON_PROXY="20000:28960;20001:28961;20002:28962"
 ```
 
-This would run 3 proxy servers listening on ports `20000`, `20001` and `20002` that redirect rcon requests to game servers on ports `28960`, `28961` and `28962` respectively.
+This would configure q3rcon-proxy to run 3 proxy servers listening on ports `20000`, `20001` and `20002` that redirect rcon requests to game servers on ports `28960`, `28961` and `28962` respectively.
+
+Then just run the binary which you can compile yourself, download from `Releases` or use the included Dockerfile.
 
 ### Why
 
-Avoid sending plaintext rcon requests (that include the password) to public ports. Instead send them to whitelisted ports.
-
-Gives you the option to disable remote rcon entirely and have the server accept requests only from localhost.
+Avoid sending plaintext rcon commands to the public game server port. In general I would advise anyone using rcon remotely to use a secured connection but perhaps you've passed rcon to a clan friend who doesn't know about secured connections. Now you can instruct them to use rcon only through a whitelisted port.
 
 ### Special Thanks
 
-[Dylan][user_link] For writing this proxy.
+[Dylan][user_link] For writing [lilproxy][lilproxy_url].
 
 [lilproxy_url]: https://github.com/dgparker/lilproxy
 [user_link]: https://github.com/dgparker

cmd/q3rcon-proxy/main.go

@@ -2,10 +2,12 @@ package main
 
 import (
 	"fmt"
-	"log"
 	"os"
+	"strconv"
 	"strings"
 
+	log "github.com/sirupsen/logrus"
+
 	"github.com/onyx-and-iris/q3rcon-proxy/pkg/udpproxy"
 )
 
@@ -15,22 +17,57 @@ func start(proxy string) {
 		return x[0], x[1]
 	}()
 
-	c, err := udpproxy.New(fmt.Sprintf("0.0.0.0:%s", port), fmt.Sprintf("127.0.0.1:%s", target))
+	c, err := udpproxy.New(fmt.Sprintf("%s:%s", host, port), fmt.Sprintf("127.0.0.1:%s", target))
 	if err != nil {
 		log.Fatal(err)
 	}
 
-	log.Printf("q3rcon-proxy initialized: [proxy] (0.0.0.0:%s) [target] (127.0.0.1:%s)", port, target)
+	log.Printf("q3rcon-proxy initialized: [proxy] (%s:%s) [target] (127.0.0.1:%s)", host, port, target)
 
 	log.Fatal(c.ListenAndServe())
 }
 
-func main() {
-	proxies := os.Getenv("Q3RCON_PROXY")
+var (
+	proxies, host string
+)
+
+func getenvInt(key string) (int, error) {
+	s := os.Getenv(key)
+	if s == "" {
+		return 0, nil
+	}
+	v, err := strconv.Atoi(s)
+	if err != nil {
+		return 0, err
+	}
+	return v, nil
+}
+
+func init() {
+	proxies = os.Getenv("Q3RCON_PROXY")
 	if proxies == "" {
 		log.Fatal("env Q3RCON_PROXY required")
 	}
 
+	host = os.Getenv("Q3RCON_HOST")
+	if host == "" {
+		host = "0.0.0.0"
+	}
+
+	debug, err := getenvInt("Q3RCON_DEBUG")
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	if debug == 1 {
+		log.SetLevel(log.DebugLevel)
+	} else {
+		log.SetLevel(log.InfoLevel)
+	}
+
+}
+
+func main() {
 	for _, proxy := range strings.Split(proxies, ";") {
 		go start(proxy)
 	}

debian/q3rcon-proxy.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=Q3Rcon Proxy Service
+Wants=network.target
+After=network.target
+
+[Service]
+Type=simple
+User=gameservers
+Environment="Q3RCON_PROXY=20000:28960;20001:28961;20002:28962"
+Environment="Q3RCON_HOST=0.0.0.0"
+Environment="Q3RCON_DEBUG=0"
+
+ExecStart=/usr/local/bin/q3rcon-proxy
+Restart=always
+RestartSec=3
+
+[Install]
+WantedBy=multi-user.target

go.mod

@@ -1,3 +1,7 @@
 module github.com/onyx-and-iris/q3rcon-proxy
 
 go 1.18
+
+require github.com/sirupsen/logrus v1.9.3
+
+require golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect

go.sum

@@ -0,0 +1,15 @@
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 h1:0A+M6Uqn+Eje4kHMK80dtF3JCXC4ykBgQG4Fe06QRhQ=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

pkg/udpproxy/session.go

@@ -1,25 +1,30 @@
 package udpproxy
 
 import (
-	"log"
+	"errors"
 	"net"
+	"strings"
 	"time"
+
+	log "github.com/sirupsen/logrus"
 )
 
-type Session struct {
+type session struct {
 	serverConn *net.UDPConn
 	proxyConn  *net.UDPConn
 	caddr      *net.UDPAddr
 	updateTime time.Time
+
+	validator
 }
 
-func createSession(caddr *net.UDPAddr, raddr *net.UDPAddr, proxyConn *net.UDPConn) (*Session, error) {
+func newSession(caddr *net.UDPAddr, raddr *net.UDPAddr, proxyConn *net.UDPConn) (*session, error) {
 	serverConn, err := net.DialUDP("udp", nil, raddr)
 	if err != nil {
 		return nil, err
 	}
 
-	session := &Session{
+	session := &session{
 		serverConn: serverConn,
 		proxyConn:  proxyConn,
 		caddr:      caddr,
@@ -31,12 +36,12 @@ func createSession(caddr *net.UDPAddr, raddr *net.UDPAddr, proxyConn *net.UDPCon
 	return session, nil
 }
 
-func (s *Session) listen() error {
+func (s *session) listen() error {
 	for {
 		buf := make([]byte, 2048)
 		n, err := s.serverConn.Read(buf)
 		if err != nil {
-			log.Println(err)
+			log.Error(err)
 			continue
 		}
 
@@ -44,24 +49,49 @@ func (s *Session) listen() error {
 	}
 }
 
-func (s *Session) proxyFrom(buf []byte) error {
+func (s *session) proxyFrom(buf []byte) error {
+	if !s.isValidResponsePacket(buf) {
+		err := errors.New("not a rcon or query response packet")
+		log.Error(err.Error())
+		return err
+	}
+
 	s.updateTime = time.Now()
 	_, err := s.proxyConn.WriteToUDP(buf, s.caddr)
 	if err != nil {
-		log.Println(err)
+		log.Error(err)
 		return err
 	}
 
+	if s.isRconResponsePacket(buf) {
+		if s.isBadRconRequest(buf) {
+			log.Infof("Response: Bad rcon from %s", s.caddr.IP)
+		} else {
+			log.Debugf("Response: %s", string(buf[10:]))
+		}
+	}
+
 	return nil
 }
 
-func (s *Session) proxyTo(buf []byte) error {
+func (s *session) proxyTo(buf []byte) error {
+	if !s.isValidRequestPacket(buf) {
+		err := errors.New("not a rcon or query request packet")
+		log.Error(err.Error())
+		return err
+	}
+
 	s.updateTime = time.Now()
 	_, err := s.serverConn.Write(buf)
 	if err != nil {
-		log.Println(err)
+		log.Error(err)
 		return err
 	}
 
+	if s.isRconRequestPacket(buf) {
+		parts := strings.Split(string(buf), " ")
+		log.Infof("From [%s] To [%s] Command: %s", s.caddr.IP, s.serverConn.RemoteAddr(), strings.Join(parts[2:], " "))
+	}
+
 	return nil
 }

pkg/udpproxy/udpproxy.go

@@ -1,10 +1,11 @@
 package udpproxy
 
 import (
-	"log"
 	"net"
 	"sync"
 	"time"
+
+	log "github.com/sirupsen/logrus"
 )
 
 type Client struct {
@@ -14,7 +15,7 @@ type Client struct {
 	proxyConn *net.UDPConn
 
 	mutex    sync.RWMutex
-	sessions map[string]*Session
+	sessions map[string]*session
 }
 
 func New(port, target string) (*Client, error) {
@@ -32,14 +33,10 @@ func New(port, target string) (*Client, error) {
 		laddr:    laddr,
 		raddr:    raddr,
 		mutex:    sync.RWMutex{},
-		sessions: map[string]*Session{},
+		sessions: map[string]*session{},
 	}, nil
 }
 
-func (c *Client) isValidPacket(header []byte) bool {
-	return string(header[:8]) == "\xff\xff\xff\xffrcon" || string(header[:13]) == "\xff\xff\xff\xffgetstatus" || string(header[:11]) == "\xff\xff\xff\xffgetinfo"
-}
-
 func (c *Client) ListenAndServe() error {
 	var err error
 	c.proxyConn, err = net.ListenUDP("udp", c.laddr)
@@ -53,18 +50,14 @@ func (c *Client) ListenAndServe() error {
 		buf := make([]byte, 2048)
 		n, caddr, err := c.proxyConn.ReadFromUDP(buf)
 		if err != nil {
-			log.Println(err)
-		}
-
-		if !c.isValidPacket(buf[:16]) {
-			continue
+			log.Error(err)
 		}
 
 		session, found := c.sessions[caddr.String()]
 		if !found {
-			session, err = createSession(caddr, c.raddr, c.proxyConn)
+			session, err = newSession(caddr, c.raddr, c.proxyConn)
 			if err != nil {
-				log.Println(err)
+				log.Error(err)
 				continue
 			}
 

pkg/udpproxy/udpproxy_test.go

@@ -1,83 +0,0 @@
-package udpproxy
-
-import (
-	"log"
-	"net"
-	"testing"
-	"time"
-)
-
-func TestSendAndReceive(t *testing.T) {
-	go runLilProxy()
-	go runUDPServer()
-
-	paddr, err := net.ResolveUDPAddr("udp", "localhost:9000")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	conn, err := net.DialUDP("udp", nil, paddr)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	go func() {
-		for {
-			buf := make([]byte, 2048)
-			_, _, err = conn.ReadFromUDP(buf)
-			if err != nil {
-				log.Fatal(err)
-			}
-
-			log.Printf("response received: %s", string(buf))
-		}
-	}()
-
-	for {
-		time.Sleep(1 * time.Second)
-		_, err = conn.Write([]byte("hi\n"))
-		if err != nil {
-			log.Fatal(err)
-		}
-	}
-}
-
-func runLilProxy() {
-	port := ":9000"
-	target := "localhost:9001"
-
-	c, err := New(port, target)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	log.Fatal(c.ListenAndServe())
-}
-
-func runUDPServer() {
-	taddr, err := net.ResolveUDPAddr("udp", ":9001")
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	conn, err := net.ListenUDP("udp", taddr)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	for {
-		buf := make([]byte, 2048)
-		_, caddr, err := conn.ReadFromUDP(buf)
-		if err != nil {
-			log.Fatal(err)
-		}
-
-		log.Printf("request received: %s", string(buf))
-
-		_, err = conn.WriteToUDP([]byte("bye\n"), caddr)
-		if err != nil {
-			log.Fatal(err)
-		}
-
-	}
-}

pkg/udpproxy/validator.go

@@ -0,0 +1,32 @@
+package udpproxy
+
+type validator struct {
+}
+
+func (v *validator) isRconRequestPacket(buf []byte) bool {
+	return string(buf[:8]) == "\xff\xff\xff\xffrcon"
+}
+
+func (v *validator) isQueryRequestPacket(buf []byte) bool {
+	return string(buf[:13]) == "\xff\xff\xff\xffgetstatus" || string(buf[:11]) == "\xff\xff\xff\xffgetinfo"
+}
+
+func (v *validator) isValidRequestPacket(buf []byte) bool {
+	return v.isRconRequestPacket(buf) || v.isQueryRequestPacket(buf)
+}
+
+func (v *validator) isRconResponsePacket(buf []byte) bool {
+	return string(buf[:9]) == "\xff\xff\xff\xffprint"
+}
+
+func (v *validator) isQueryResponsePacket(buf []byte) bool {
+	return string(buf[:18]) == "\xff\xff\xff\xffstatusResponse" || string(buf[:16]) == "\xff\xff\xff\xffinfoResponse"
+}
+
+func (v *validator) isValidResponsePacket(buf []byte) bool {
+	return v.isRconResponsePacket(buf) || v.isQueryResponsePacket(buf)
+}
+
+func (v *validator) isBadRconRequest(buf []byte) bool {
+	return string(buf[10:18]) == "Bad rcon"
+}