catflap 0.0.1.pre

data/bin/catflap

@@ -0,0 +1,70 @@
+#!/usr/bin/env ruby
+
+require 'optparse'
+require 'catflap'
+
+options = {}
+optparse = OptionParser.new do|opts|
+  opts.separator ""
+  opts.separator "Install/Configure/Service options:"
+  opts.on('-i', '--install', 'Install and initialize the catflap chain') do
+    options['install'] = true
+  end
+  opts.on('-u', '--uninstall', 'Uninstall catflap from iptables') do
+    options['uninstall'] = true
+  end
+  opts.on('-f', '--config-file <filepath>', String, 'Use config file to override default values') do |filepath|
+    options['config_file'] = true
+  end
+  opts.on('-s', '--start-server', 'Start the web api server daemon') do
+    options['start_server'] = true
+  end
+  opts.separator ""
+  opts.separator "Access rule control options:"
+  opts.on('-c', '--check <ipaddr>', String, 'Check if an IP address has access alreqdy') do |ip|
+    options['check'] = ip
+  end
+  opts.on('-a', '--add <ipaddr>', String, 'IP address to which access should be granted') do |ip|
+    options['add'] = ip
+  end
+  opts.on('-d', '--delete <ipaddr>', String, 'IP address or range to remove access previously granted') do |ip|
+    options['del'] = ip
+  end
+  opts.on('-F', '--file <filepath>', String, 'Input file of whitelisted IP addresses') do |filepath|
+    options['filepath'] = filepath
+  end
+  opts.on('-x', '--purge', 'Purge all catflap rules from iptables') do
+    options['purge'] = true
+  end
+  opts.on('-l', '--list', 'List catflap access rules') do
+    options['list'] = true
+  end
+  opts.separator ""
+  opts.separator "Output and process options:"
+  opts.on('-n', '--noop', 'Do not run the operation on iptables - no operation') do
+    cf.noop = true
+  end
+  opts.on('-p', '--print', 'Print the iptables generated to screen') do
+    cf.print = true
+  end
+  opts.on('-h', '--help', 'Print this help page.') do 
+    puts opts
+    exit 0
+  end
+end.parse! ARGV
+
+unless options['start_server']
+  cf = Catflap.new(options['config_file'])
+  cf.purge_rules! if options['purge']
+  cf.install_rules! if options['install']
+  cf.uninstall_rules! if options['uninstall']
+  cf.add_address!(options['add']) if options['add']
+  cf.delete_address!(options['del']) if options['del']
+  cf.add_addresses_from_file!(options['filepath']) if options['filepath']
+  cf.check_address(options['check']) if options['check']
+  cf.list_rules if options['list']
+else
+  require 'catflap-http'
+  CatflapWebserver::start_server(options['config_file'])
+end
+

data/lib/catflap-http.rb

@@ -0,0 +1,108 @@
+#!/usr/bin/env ruby
+
+require 'catflap'
+require 'webrick'
+include WEBrick
+
+module CatflapWebserver
+
+  def self.generate_server(port)
+    config = {:Port => port}
+    server = HTTPServer.new(config)
+    yield server if block_given?
+    ['INT', 'TERM'].each {|signal| 
+      trap(signal) {server.shutdown}
+    }
+    server.start
+  end
+
+  def self.start_server(port = 4777)
+    generate_server(port) do |server|
+      server.mount('/', Servlet)
+    end
+  end
+
+  class Servlet < HTTPServlet::AbstractServlet
+    def do_GET(req,resp)
+      # Split the path into piece
+      path = req.path[1..-1].split('/')
+      raise HTTPStatus::OK if path[0] == 'favicon.ico'
+      response_class = CatflapRestService.const_get("Service")
+       
+      if response_class and response_class.is_a?(Class)
+        # There was a method given
+        if path[0]
+          response_method = path[0].to_sym
+          # Make sure the method exists in the class
+          raise HTTPStatus::NotFound if !response_class.respond_to?(response_method)
+
+          if path[0] == "enter"
+            url = response_class.send(response_method, req, resp)
+            resp.set_redirect(HTTPStatus::Redirect, url)
+          end
+
+          # Remaining path segments get passed in as arguments to the method
+          if path.length > 1
+            resp.body = response_class.send(response_method, req, resp, path[1..-1])
+          else
+            resp.body = response_class.send(response_method, req, resp)
+          end
+          raise HTTPStatus::OK
+
+        # No method was given, so check for an "index" method instead
+        else
+          raise HTTPStatus::NotFound if !response_class.respond_to?(:index)
+          resp.body = response_class.send(:index)
+          raise HTTPStatus::OK
+        end
+      else
+        raise HTTPStatus::NotFound
+      end
+    end
+  end
+end
+
+module CatflapRestService
+  class Service
+
+    @@cf = Catflap.new
+    @@cf.dports = '80,8080,443'
+
+    def self.index()
+      return "hello world"
+    end
+ 
+    def self.enter(req, resp)
+      ip = req.peeraddr.pop
+      host = req.addr[2]
+      @@cf.add_address!(ip) unless @@cf.check_address(ip)
+      return "http://" << host << ":80"
+    end
+
+    def self.add(req, resp, args)
+      ip = args[0]
+      unless @@cf.check_address(ip)
+        @@cf.add_address!(ip)
+        return "#{ip} has been granted access"
+      else
+        return "#{ip} already has access"
+      end
+    end
+
+    def self.remove(req, resp, args)
+      ip = args[0]
+      @@cf.delete_address!(ip)
+      return "Access granted to #{ip} has been removed"
+    end
+
+    def self.check(req, resp, args)
+      ip = args[0]
+      
+      if @@cf.check_address(ip)
+        return "#{ip} has access to ports: #{@@cf.dports}"
+      else
+        return "#{ip} does not have access to ports: #{@@cf.dports}"
+      end
+    end
+  end
+end

data/lib/catflap.rb

@@ -0,0 +1,75 @@
+require 'yaml'
+
+class Catflap
+
+  attr_accessor :chain, :dports, :print, :noop, :log_rejected
+
+  def initialize(config_file = nil)
+    @config = YAML.load_file(config_file) if config_file and File.exists?(config_file)
+    @chain = (@config['rules']['chain']) ? @config['rules']['chain'] : "catflap-accept"
+    @dports = (@config['rules']['dports']) ? @config['rules']['dports'] : "80,443"
+    @print = false
+    @noop = false
+    @log_rejected = true
+  end
+
+  def install_rules!
+    output  = "iptables -N #{@chain}\n" # Create a new user-defined chain as a container for our catflap netfilter rules
+    output << "iptables -A #{@chain} -s 127.0.0.1 -p tcp -m multiport --dports #{@dports} -j ACCEPT\n" # Accept packets to localhost
+    output << "iptables -A INPUT -p tcp -m multiport --dports #{@dports} -j #{@chain}\n" # Jump from INPUT chain to the catflap chain
+    output << "iptables -A INPUT -p tcp -m multiport --dports #{@dports} -j LOG\n" if @log_rejected # Log any rejected packets to /var/log/messages
+    output << "iptables -A INPUT -p tcp -m multiport --dports #{@dports} -j DROP\n" # Drop any other packets to the ports on the INPUT chain
+    execute!(output)
+  end
+
+  def uninstall_rules!
+    output  = "iptables -D INPUT -p tcp -m multiport --dports #{@dports} -j #{@chain}\n" # Remove user-defined chain from INPUT chain
+    output << "iptables -F #{@chain}\n" # Flush the catflap user-defined chain
+    output << "iptables -X #{@chain}\n" # Remove the catflap chain
+    output << "iptables -D INPUT -p tcp -m multiport --dports #{@dports} -j LOG\n" # Remove the logging rule
+    output << "iptables -D INPUT -p tcp -m multiport --dports #{@dports} -j DROP\n" # Remove the packet dropping rule
+    execute!(output)
+  end
+
+  def purge_rules!
+    output = "iptables -F #{@chain}"
+    execute!(output)
+  end
+
+  def list_rules
+    system "iptables -S #{@chain}"
+  end
+
+  def check_address(ip)
+    return system "iptables -C #{@chain} -s #{ip} -p tcp -m multiport --dports #{@dports} -j ACCEPT\n"
+  end
+
+  def add_address!(ip)
+    output = "iptables -I #{@chain} 1 -s #{ip} -p tcp -m multiport --dports #{@dports} -j ACCEPT\n"
+    execute!(output)
+  end
+
+  def delete_address!(ip)
+    output = "iptables -D #{@chain} -s #{ip} -p tcp -m multiport --dports #{@dports} -j ACCEPT\n"
+    execute!(output)
+  end 
+
+  def add_addresses_from_file!(filepath)
+    if File.readable?(filepath)
+      output = ""
+      File.open(filepath, "r").each_line do |ip|
+        output << "iptables -I #{@chain} 1 -s #{ip.chomp} -p tcp -m multiport --dports #{@dports} -j ACCEPT\n"
+      end
+      execute!(output)
+    else
+      puts "The file #{filepath} is not readable!"
+      exit 1
+    end
+  end
+
+  def execute!(output)
+    if @print then puts output end
+    system output unless @noop
+  end 
+
+end

metadata

@@ -0,0 +1,52 @@
+--- !ruby/object:Gem::Specification
+name: catflap
+version: !ruby/object:Gem::Version
+  version: 0.0.1.pre
+  prerelease: 6
+platform: ruby
+authors:
+- Nyk Cowham
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-12-01 00:00:00.000000000 Z
+dependencies: []
+description: A simple solution for service access (e.g. port 80 on webserver) where
+  a more robust and secure VPN solution is not available
+email: nyk@demotix.com
+executables:
+- catflap
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/catflap.rb
+- lib/catflap-http.rb
+- bin/catflap
+homepage: http://rubygems.org/gems/catflap
+licenses:
+- MIT
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>'
+    - !ruby/object:Gem::Version
+      version: 1.3.1
+requirements:
+- NetFilters (iptables) installed and working
+rubyforge_project: 
+rubygems_version: 1.8.11
+signing_key: 
+specification_version: 3
+summary: Manage NetFilter-based rules to grant port access on demand via commandline
+  or REST API requests
+test_files: []