catflap 0.0.2 → 1.0.1

data/lib/catflap/plugins/firewall/iptables.rb

@@ -0,0 +1,104 @@
+require 'catflap/plugins/firewall/plugin'
+require 'netfilter/writer'
+include NetfilterWriter
+
+##
+# A firewall plugin driver to implement rules on the NetFilter filter table.
+#
+# This driver passes rules to the filter table via the iptables user-space
+# client.Two new chains are installed in the filter table, named by default:
+# CATFLAP-DENY and CATFLAP-ALLOW. These are installed in the INPUT chain. You
+# can configure the driver to install a LOG to log rejected packets, and also
+# whether to REJECT or DROP denied packets.
+#
+# If you want to redirect to the Catflap server login port instead, then you
+# should use the 'netfilter' driver instead, which is the default.
+#
+# @example firewall: plugin: 'iptables'
+#
+# @author Nyk Cowham <nykcowham@gmail.com>
+class IptablesDriver < FirewallPlugin
+  # Initialize the driver class.
+  # @param [Hash<String, Hash>] config built by Catflap::initialize_config()
+  # @param [Boolean] noop set true to not send commands to firewall client.
+  # @param [Boolean] verbose set true to print command output to stdout stream.
+  # @return void
+  def initialize(config, noop, verbose)
+    super
+    @chain = config['firewall']['options']['chain'] || 'CATFLAP'
+    @log_rejected = config['firewall']['options']['log_rejected'] || false
+    @accept_local = config['firewall']['options']['accept_local'] || false
+    @policy = config['firewall']['options']['reject_policy'].to_sym || :drop
+    @allow = @chain + '-ALLOW'
+    @deny = @chain + '-DENY'
+    @r = Rules.new(:filter, @dports)
+    @r.match('multiport')
+    @r.noop = noop
+    @r.verbose = verbose
+  end
+
+  # Method to install the driver rules into iptables.
+  # @return void
+  # @raise StandardError when iptables reports an error.
+  def install_rules
+    target = (@policy == :reject) ? 'REJECT' : 'DROP'
+    log = @log_rejected
+    local = @accept_local
+    @r.chain(:new, @allow)
+      .chain(:new, @deny)
+      .rule(:add, chain: 'INPUT', jump: @allow)
+      .rule(:add, chain: 'INPUT', jump: @deny)
+      .rule(:add, chain: @deny, jump: 'LOG') { log }
+      .rule(:add, chain: @deny, jump: target)
+      .rule(:add, chain: @allow, jump: 'ACCEPT',
+                  src: 'localhost') { local }
+      .do
+  end
+
+  # Method to uninstall the driver rules from iptables.
+  # @return void
+  # @raise StandardError when iptables reports an error.
+  def uninstall_rules
+    @r.rule(:delete, chain: 'INPUT', jump: @allow)
+      .rule(:delete, chain: 'INPUT', jump: @deny)
+      .chain(:flush, @allow)
+      .chain(:delete, @allow)
+      .chain(:flush, @deny)
+      .chain(:delete, @deny)
+      .do
+  end
+
+  # Method to purge all rules from CATFLAP-ALLOW chain.
+  # @return void
+  # @raise StandardError when iptables reports an error.
+  def purge_rules
+    @r.chain(:flush, @allow).do
+  end
+
+  # Method to list rules in CATFLAP-ALLOW chain.
+  # @return void
+  # @raise StandardError when iptables reports an error.
+  def list_rules
+    @r.chain(:list, @allow).do
+  end
+
+  # Method to check the CATFLAP-ALLOW chain for an allowed IP.
+  # @return [Boolean] true indicates that IP address already has access.
+  def check_address(ip)
+    @r.rule(:check, src: ip, chain: @allow, jump: 'ACCEPT').do?
+  end
+
+  # Method to add/grant an IP access in the CATFLAP-ALLOW chain.
+  # @return void
+  # @raise StandardError when iptables reports an error.
+  def add_address(ip)
+    @r.rule(:insert, src: ip, chain: @allow, jump: 'ACCEPT').do
+  end
+
+  # Method to delete/revoke access for an IP in the CATFLAP-ALLOW chain.
+  # @return void
+  # @raise StandardError when iptables reports an error.
+  def delete_address(ip)
+    @r.rule(:delete, src: ip, chain: @allow, jump: 'ACCEPT').do
+  end
+end

data/lib/catflap/plugins/firewall/netfilter.rb

@@ -0,0 +1,114 @@
+require 'catflap/plugins/firewall/plugin'
+require 'netfilter/writer'
+include NetfilterWriter
+
+##
+# A firewall plugin driver to implement rules on the NetFilter NAT table.
+#
+# This driver passes rules to the NAT table via the iptables user-space client.
+# Two new chains are installed in the NAT table, named by default:
+# CATFLAP-DENY and CATFLAP-ALLOW. These are installed in the PREROUTING chain.
+# You can configure the driver to install a LOG to log denied packets.
+#
+# This is the default and recommended driver for Linux systems running iptables.
+#
+# @example firewall: plugin: 'netfilter'
+#
+# @author Nyk Cowham <nykcowham@gmail.com>
+class NetfilterDriver < FirewallPlugin
+  # Initialize the driver class.
+  # @param [Hash<String, Hash>] config hash: Catflap::initialize_config()
+  # @param [Boolean] noop send the commands to the firewall client.
+  # @param [Boolean] verbose print the command output to stdout stream.
+  # @return void
+  def initialize(config, noop = false, verbose = false)
+    super
+    @chain = config['firewall']['options']['chain'] || 'CATFLAP'
+    @forward = config['firewall']['options']['forward']
+    @log_rejected = config['firewall']['options']['log_rejected'] || false
+    @accept_local = config['firewall']['options']['accept_local'] || false
+    @allow = @chain + '-ALLOW'
+    @deny = @chain + '-DENY'
+    @r = Rules.new(:nat, @dports)
+    @r.match('multiport')
+    @r.noop = noop
+    @r.verbose = verbose
+  end
+
+  # Method to install the driver rules into iptables.
+  # @return void
+  # @raise StandardError when iptables reports an error.
+  def install_rules
+    # We must make these local variables, so they are exposed to the blocks.
+    log = @log_rejected
+    deny_local = !@accept_local
+
+    # Create a new chain on the NAT table for our catflap netfilter allow rules.
+    @r.chain(:new, @allow)
+      .chain(:new, @deny)
+      .rule(:add, chain: 'PREROUTING', jump: @allow)
+      .rule(:add, chain: 'PREROUTING', jump: @deny)
+      .rule(:add, chain: @deny, jump: 'LOG') { log }
+      .rule(:add, chain: 'OUTPUT', out: 'lo', jump: @allow) { deny_local }
+      .rule(:add, chain: 'OUTPUT', out: 'lo', jump: @deny) { deny_local }
+
+    @forward.each do |src, dest|
+      src = src.to_s
+      @r.rule(:add, chain: @deny, jump: 'REDIRECT', dports: src, to_port: dest)
+    end
+    @r.do
+  end
+
+  # Method to uninstall the driver rules from iptables.
+  # @return void
+  # @raise StandardError when iptables reports an error.
+  def uninstall_rules
+    deny_local = !@accept_local
+
+    @r.rule(:delete, chain: 'PREROUTING', jump: @allow)
+      .rule(:delete, chain: 'PREROUTING', jump: @deny)
+      .rule(:delete, chain: 'OUTPUT', out: 'lo',
+                     jump: @allow) { deny_local }
+      .rule(:delete, chain: 'OUTPUT', out: 'lo',
+                     jump: @deny) { deny_local }
+      .chain(:flush, @allow)
+      .chain(:flush, @deny)
+      .chain(:delete, @allow)
+      .chain(:delete, @deny)
+      .do
+  end
+
+  # Method to purge all rules from CATFLAP-ALLOW chain.
+  # @return void
+  # @raise StandardError when iptables reports an error.
+  def purge_rules
+    @r.chain(:flush, @allow).do
+  end
+
+  # Method to list rules in CATFLAP-ALLOW chain.
+  # @return void
+  # @raise StandardError when iptables reports an error.
+  def list_rules
+    @r.chain(:list, @allow).do
+  end
+
+  # Method to check the CATFLAP-ALLOW chain for an allowed IP.
+  # @return [Boolean] true indicates that IP address already has access.
+  def check_address(ip)
+    @r.rule(:check, src: ip, chain: @allow, jump: 'ACCEPT').do?
+  end
+
+  # Method to add/grant an IP access in the CATFLAP-ALLOW chain.
+  # @return void
+  # @raise StandardError when iptables reports an error.
+  def add_address(ip)
+    @r.rule(:insert, src: ip, chain: @allow, jump: 'ACCEPT').do
+  end
+
+  # Method to delete/revoke access for an IP in the CATFLAP-ALLOW chain.
+  # @return void
+  # @raise StandardError when iptables reports an error.
+  def delete_address(ip)
+    @r.rule(:delete, src: ip, chain: @allow, jump: 'ACCEPT').do
+  end
+end

data/lib/catflap/plugins/firewall/plugin.rb

@@ -0,0 +1,67 @@
+# Abstract class plugin driver to implement rules on the NetFilter filter table.
+#
+# Firewall drivers should inherit from this abstract class and implement each
+# method. This serves as a contract for firewalls to follow to ensure that the
+# driver can respond to firewall calls.
+#
+# @example firewall: plugin: 'iptables'
+#
+# @author Nyk Cowham <nykcowham@gmail.com>
+class FirewallPlugin
+  attr_reader :dports, :catflap_port
+
+  def initialize(config, noop = false, verbose = false)
+    @noop = noop
+    @verbose = verbose
+    @catflap_port = config['server']['port']
+    @dports = config['firewall']['dports']
+  end
+
+  # Implement method to install the driver rules into iptables.
+  # @return void
+  # @raise StandardError when iptables reports an error.
+  def install_rules
+    raise NotImplementedError
+  end
+
+  # Implement method to uninstall the driver rules from iptables.
+  # @return void
+  # @raise StandardError when iptables reports an error.
+  def uninstall_rules
+    raise NotImplementedError
+  end
+
+  # Implement method to purge all rules from CATFLAP-ALLOW chain.
+  # @return void
+  # @raise StandardError when iptables reports an error.
+  def purge_rules
+    raise NotImplementedError
+  end
+
+  # Implement method to list rules in CATFLAP-ALLOW chain.
+  # @return void
+  # @raise StandardError when iptables reports an error.
+  def list_rules
+    raise NotImplementedError
+  end
+
+  # Implement method to check the CATFLAP-ALLOW chain for an allowed IP.
+  # @return [Boolean] true indicates that IP address already has access.
+  def check_address(_)
+    raise NotImplementedError
+  end
+
+  # Implement method to add/grant an IP access in the CATFLAP-ALLOW chain.
+  # @return void
+  # @raise StandardError when iptables reports an error.
+  def add_address(_)
+    raise NotImplementedError
+  end
+
+  # Implement method to delete/revoke access in the CATFLAP-ALLOW chain.
+  # @return void
+  # @raise StandardError when iptables reports an error.
+  def delete_address(_)
+    raise NotImplementedError
+  end
+end

data/lib/catflap/version.rb

@@ -0,0 +1,5 @@
+# This is the version bumper.
+class Catflap
+  # Current version of Catflap gem.
+  VERSION = '1.0.1'
+end

data/lib/netfilter/writer.rb

@@ -0,0 +1,125 @@
+require 'catflap/firewall'
+include Firewall
+
+# Mixin module to add rule handling functions to netfilter-based drivers.
+#
+# @author Nyk Cowham <nykcowham@gmail.com>
+module NetfilterWriter
+  # Class providing a DSL for defining netfilter rules
+  # @author Nyk Cowham <nykcowham@gmail.com>
+  class Rules
+    attr_accessor :noop, :verbose
+
+    def initialize(table, ports = nil)
+      @table = table
+      @ports = ports
+      @buffer = ''
+    end
+
+    def table(table)
+      @table = table
+      self
+    end
+
+    def ports(ports)
+      @ports = ports
+      self
+    end
+
+    def match(match)
+      @match = match
+      self
+    end
+
+    # Create, flush and delete chains
+    # @param [String] cmd the operation to perform (add, delete, flush)
+    # @param [String] chain name of the chain (e.g. INPUT, CATFLAP-DENY, etc.)
+    # @return self
+    def chain(cmd, chain, a = {})
+      cmds = {
+        new: '-N', rename: '-E', delete: '-X', flush: '-F',
+        list_rules: '-S', list: '-L', zero: '-Z', policy: '-P'
+      }
+      table = build_option('-t', @table)
+      numeric = build_option('-n', a[:numeric])
+      rulenum = build_option(true, a[:rulenum])
+      to = build_option(true, a[:to])
+      @buffer << [
+        'iptables', table, numeric, cmds[cmd], chain, rulenum, to
+      ].compact.join(' ') << "\n"
+      self
+    end
+
+    # Create, flush and delete chains
+    # @param [String] cmd the operation to perform (add, delete, insert, etc.)
+    # @param [String] chain name of the chain (e.g. INPUT, CATFLAP-DENY, etc.)
+    # @return self
+    def rule(cmd, a, &block)
+      # Evaluate a block expression and return early if it evaluates to false.
+      # If no block is passed it is equivalent to the block: { true }.
+      return self if block_given? && !instance_eval(&block)
+
+      raise ArgumentError, 'chain is a required argument' unless a[:chain]
+      assert_valid_ipaddr(a[:src]) if a[:src]
+      assert_valid_ipaddr(a[:dst]) if a[:dst]
+
+      # Map of commands for rules
+      cmds = {
+        add: '-A', delete: '-D', insert: '-I', replace: '-R',
+        check: '-C'
+      }
+
+      a[:proto] ||= 'tcp'
+      table = build_option('-t', @table)
+      jump = build_option('-j', a[:jump])
+      goto = build_option('-g', a[:goto])
+      proto = build_option('-p', a[:proto])
+      inface = build_option('-i', a[:in])
+      outface = build_option('-o', a[:out])
+      src = build_option('-s', a[:src])
+      dst = build_option('-d', a[:dst])
+      match = build_option('-m', a[:match] || @match)
+      ports = build_option('--dport', @ports)
+      to_port = build_option('--to-port', a[:to_port])
+      @buffer << [
+        'iptables', table, cmds[cmd], a[:chain], src, dst, outface,
+        inface, proto, match, ports, jump || goto, to_port
+      ].compact.join(' ') << "\n"
+      self
+    end
+  end
+
+  def build_option(flag, value)
+    return flag if value.is_a?(TrueClass)
+    return value if flag.is_a?(TrueClass)
+    return flag << ' ' << value.to_s if flag && value
+  end
+
+  # Add a raw text rule, (e.g.: iptables -t nat CATFLAP-ALLOW ...)
+  # @param [String] raw_rule custom raw iptables command.
+  # @return self
+  def raw(raw_rule)
+    @buffer = raw_rule
+    self
+  end
+
+  # Flush the rule buffer and output the resulting iptables commands.
+  # @return [String] rule text that can be sent iptables user-space client.
+  def flush
+    out = @buffer
+    @buffer = ''
+    out
+  end
+
+  # Flush the rule and execute in iptables user-space client.
+  # @return void
+  def do
+    execute flush
+  end
+
+  # Flush the rule and execute commands and return success/fail value.
+  # @return [Boolean] true if the execution was successful.
+  def do?
+    execute_true? flush
+  end
+end

data/ui/css/catflap.css

@@ -0,0 +1,44 @@
+
+.centered {
+  margin: 0px auto;
+  display: block;
+}
+
+.hidden {
+  display: none;
+}
+
+input[type="text"]:focus.failed {
+  background-color: pink;
+  border-color: red;
+  color: black;
+}
+
+input[type="text"] {
+  display: block;
+  margin: 0px auto;
+  margin-top: 1em;
+  padding-left: 0.4em;
+  height: 1.7em;
+  width: 50%;
+  color: #999;
+  font-family: sans-serif;
+  font-size: 2.2em;
+  border: solid 2px #dcdcdc;
+  transition: box-shadow 0.3s, border 0.3s;
+  box-shadow: inset 1px 1px 2px 0 #707070;
+  appearance: none;
+  border-radius: 2px;
+}
+
+input[type="text"]:focus {
+  border: solid 2px #707070;
+  box-shadow: inset 1px 1px 2px 0 #c9c9c9;
+}
+
+.message {
+  width: 50%;
+  font-size: 2em;
+  margin-top: 1.5em;
+  color: #860000;
+}