First ability to block an IP that connects to a landmine port. Next looking at firewall_toolkit.

cmd/dentata/main.go

@@ -5,20 +5,55 @@ import (
 	"net"
 	"log"
 	"bufio"
+	"flag"
+	"os/exec"
 )
 
+type Options struct {
+	Addr string
+}
+
+func ParseOptions() Options {
+	var opts Options
+
+	flag.StringVar(&opts.Addr, "addr", "127.0.0.1:9001", "address to bind to recv blocks")
+	flag.Parse()
+
+	return opts
+}
+
 func handleConnection(conn net.Conn) {
 	defer conn.Close()
 
 	scan := bufio.NewScanner(conn)
 
 	for scan.Scan() {
-		addr := scan.Text()
+		addr, _, err := net.SplitHostPort(scan.Text())
+		if err != nil {
+			fmt.Println("Invalid host:port")
+			continue
+		}
+
+		if addr == "127.0.0.1" {
+			fmt.Println("IGNORE", addr)
+			continue
+		}
+
 		fmt.Println("BLOCK: ", addr)
+
+		cmd := exec.Command("nft",
+			"add", "rule", "inet",
+			"dentata", "input",
+			"ip", "saddr",
+			addr, "drop")
+
+		err = cmd.Run()
+		if err != nil {
+			panic(err)
+		}
 	}
 }
 
-
 func listener(addr string) {
 	server, err := net.Listen("tcp", addr)
 
@@ -36,5 +71,7 @@ func listener(addr string) {
 }
 
 func main() {
-	listener("127.0.0.1:9001")
+	opts := ParseOptions()
+
+	listener(opts.Addr)
 }

cmd/landmine/main.go

@@ -6,8 +6,26 @@ import (
 	"log"
 	"sync"
 	"syscall"
+	"flag"
 )
 
+type Options struct {
+	ConfigPath string
+	Jail bool
+}
+
+func ParseOptions() Options {
+	var opts Options
+
+	flag.StringVar(&opts.ConfigPath, "config", "dentata.json", "config.json to load")
+	flag.BoolVar(&opts.Jail, "jail", false, "drop to low priv jail")
+
+	flag.Parse()
+
+	return opts
+}
+
+
 func handleConnection(conn net.Conn) {
 	defer conn.Close()
 	addr := conn.RemoteAddr()
@@ -53,6 +71,8 @@ func ChrootJailLOL() {
 }
 
 func main() {
+	opts := ParseOptions()
+
 	var wg sync.WaitGroup
 
 	for i := 0; i < 10; i++ {
@@ -61,8 +81,9 @@ func main() {
 		})
 	}
 
-	//BUG: ain't no way this works, learn to do it right
-	ChrootJailLOL()
+	if opts.Jail {
+		ChrootJailLOL()
+	}
 
 	wg.Wait()
 }