dust-deploy 0.1.8 → 0.2.0

data/changelog.md

@@ -1,7 +1,27 @@
 Changelog
 =============
 
-9.1.8
+0.2.0
+------------
+
+heavily refactors iptables recipe. you HAVE to adapt your iptables settings. new usage:
+
+recipe:
+  iptables:
+    input:
+    - input:
+      ssh: { dport: 22, match: state, state: NEW }
+    - output:
+      drop: { jump: DROP }
+
+every iptables long option is allowed, it tries to automatically detect whether to use iptables, ip6tables or both.
+known issues: --to-destination is not checked for ipv4/ipv6, because it might include port numbers.
+default jump target ist ACCEPT
+
+basic rules are added automatically, see iptables.rb for more information.
+
+
+0.1.8
 ------------
 
 adds recipe for making sure packages are _uninstalled_

data/dust.gemspec

@@ -25,4 +25,5 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency 'net-scp'
   s.add_runtime_dependency 'net-sftp'
   s.add_runtime_dependency 'thor'
+  s.add_runtime_dependency 'ipaddress'
 end

data/lib/dust/recipes/iptables.rb

@@ -1,3 +1,5 @@
+require 'ipaddress'
+
 class Iptables < Thor
   desc 'iptables:deploy', 'configures iptables firewall'
   def deploy node, rules, options
@@ -15,226 +17,114 @@ class Iptables < Thor
       return 
     end
 
-    # configure attributes (using empty arrays as default)
-    rules['ports'] ||= []
-    rules['ipv4-custom-input-rules'] ||= []
-    rules['ipv6-custom-input-rules'] ||= []
-    rules['ipv4-custom-output-rules'] ||= []
-    rules['ipv6-custom-output-rules'] ||= []
-    rules['ipv4-custom-forward-rules'] ||= []
-    rules['ipv6-custom-forward-rules'] ||= []
-    rules['ipv4-custom-prerouting-rules'] ||= []
-    rules['ipv6-custom-prerouting-rules'] ||= []
-    rules['ipv4-custom-postrouting-rules'] ||= []
-    rules['ipv6-custom-postrouting-rules'] ||= []
-
-    # convert ports: int to array if its just a single int so .each won't get hickups
-    rules['ports'] = [ rules['ports'] ] if rules['ports'].class == Fixnum
 
     [ 'iptables', 'ip6tables' ].each do |iptables|
-      ipv4 = iptables == 'iptables'
-      ipv6 = iptables == 'ip6tables'
+      if iptables == 'iptables'
+        ipv = 4
+        ipv4 = true
+        ipv6 = false
+      elsif iptables == 'ip6tables'
+        ipv = 6
+        ipv4 = false
+        ipv6 = true
+      end
 
       ::Dust.print_msg "configuring and deploying ipv4 rules\n" if ipv4
       ::Dust.print_msg "configuring and deploying ipv6 rules\n" if ipv6
 
-      rule_file = '' 
+      iptables_script = '' 
 
       # default policy for chains
       if node.uses_apt? true or node.uses_emerge? true
-        rule_file += "-P INPUT DROP\n" +
+        iptables_script += "-P INPUT DROP\n" +
                      "-P OUTPUT DROP\n" +
                      "-P FORWARD DROP\n" +
                      "-F\n"
-        rule_file += "-F -t nat\n" if ipv4
-        rule_file += "-X\n"
+        iptables_script += "-F -t nat\n" if ipv4
+        iptables_script += "-X\n"
 
       elsif node.uses_rpm? true
-        rule_file += "*filter\n" +
+        iptables_script += "*filter\n" +
                      ":INPUT DROP [0:0]\n" +
                      ":FORWARD DROP [0:0]\n" +
                      ":OUTPUT DROP [0:0]\n"
       end
 
       # allow localhost
-      rule_file += "-A INPUT -i lo -j ACCEPT\n"
+      iptables_script += "-A INPUT -i lo -j ACCEPT\n"
 
       # drop invalid packets
-      rule_file += "-A INPUT -m state --state INVALID -j DROP\n"
+      iptables_script += "-A INPUT -m state --state INVALID -j DROP\n"
 
       # allow related packets
-      rule_file += "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
+      iptables_script += "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
 
       # drop tcp packets with the syn bit set if the tcp connection is already established
-      rule_file += "-A INPUT -p tcp --tcp-flags SYN SYN -m state --state ESTABLISHED -j DROP\n" # if ipv4
+      iptables_script += "-A INPUT -p tcp --tcp-flags SYN SYN -m state --state ESTABLISHED -j DROP\n" # if ipv4
 
       # drop icmp timestamps
-      rule_file += "-A INPUT -p icmp --icmp-type timestamp-request -j DROP\n" if ipv4
-      rule_file += "-A INPUT -p icmp --icmp-type timestamp-reply -j DROP\n" if ipv4
+      iptables_script += "-A INPUT -p icmp --icmp-type timestamp-request -j DROP\n" if ipv4
+      iptables_script += "-A INPUT -p icmp --icmp-type timestamp-reply -j DROP\n" if ipv4
 
       # allow other icmp packets
-      rule_file += "-A INPUT -p icmpv6 -j ACCEPT\n" if ipv6
-      rule_file += "-A INPUT -p icmp -j ACCEPT\n"
-
-      # open ports
-      rules['ports'].each do |rule|
-        # if config is something like
-        #   ports: 22
-        # or 
-        #   ports: [ 22, 443, 1000:2000 ]
-        # generate a new hash, and set rule['port']
-        unless rule.class == Hash
-          port = rule
-          rule = {}
-          rule['port'] = port
-        end
+      iptables_script += "-A INPUT -p icmpv6 -j ACCEPT\n" if ipv6
+      iptables_script += "-A INPUT -p icmp -j ACCEPT\n"
 
-        # skip rule for other ipversion than specified
-        rule['ip-version'] ||= 0 # default to 0, means both protocols
-        next if rule['ip-version'].to_i == 4 and ipv6
-        next if rule['ip-version'].to_i == 6 and ipv4
 
-        # convert to string if port is a int
-        rule['port'] = rule['port'].to_s if rule['port'].class == Fixnum
+      # drop invalid outgoing packets
+      iptables_script += "-A OUTPUT -m state --state INVALID -j DROP\n"
 
-        # skip this port if no portnumber is specified
-        unless rule['port']
-          ::Dust.print_failed "no port specified: #{rule.inspect}", 2
-          next
-        end
+      # allow related outgoing packets
+      iptables_script += "-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
 
-        # tcp is the default protocol
-        rule['protocol'] ||= 'tcp'
+      # map rules to iptables strings
+      rules.each do |chain, chain_rules|
+        ::Dust.print_msg "#{::Dust.pink}#{chain.upcase}#{::Dust.none}\n", 2
+        chain_rules.each do |name, rule|
+          # set default variables
+          rule['jump'] ||= ['ACCEPT']
 
-        # apply one rule for each port(range)
-        rule['port'].each do |port| 
-          ::Dust.print_msg "allowing port #{port}:#{rule['protocol']}", 2
-          rule_file += "-A INPUT -p #{rule['protocol']} --dport #{port} "
-          if rule['interface']
-            print " [dev: #{rule['interface']}]"
-            rule_file += "-i #{rule['interface']} " 
-          end
-          if rule['source']
-            print " [source: #{rule['source']}]"
-            rule_file += "--source #{rule['source']} "
-          end
-          rule_file += "-m state --state NEW "
-          rule_file += "-j ACCEPT\n"
-          ::Dust.print_ok
-        end
-      end
+          # if we want to use ports, we're going to need a protocol. defaulting to tcp
+          rule['protocol'] ||= ['tcp'] if rule['dport'] or rule['sport']
 
-      # add custom ipv4 iput rules
-      rules['ipv4-custom-input-rules'].each do |rule|
-        ::Dust.print_msg "adding custom ipv4 input rule: #{rule}", 2
-        rule_file += "-A INPUT #{rule}\n"
-        ::Dust.print_ok
-      end if ipv4
-
-      # add custom ipv6 iput rules
-      rules['ipv6-custom-input-rules'].each do |rule|
-        ::Dust.print_msg "adding custom ipv6 input rule: #{rule}", 2
-        rule_file += "-A INPUT #{rule}\n"
-        ::Dust.print_ok
-      end if ipv6
-
-      # deny the rest
-      rule_file += "-A INPUT -p tcp -j REJECT --reject-with tcp-reset\n"
-      rule_file += "-A INPUT -j REJECT --reject-with icmp-port-unreachable\n" if ipv4
-
-      # add custom ipv4 prerouting rules
-      rules['ipv4-custom-prerouting-rules'].each do |rule|
-        ::Dust.print_msg "adding custom ipv4 prerouting rule: #{rule}", 2
-        rule_file += "-A PREROUTING #{rule}\n"
-        ::Dust.print_ok
-      end if ipv4
-
-      # add custom ipv6 prerouting rules
-      rules['ipv6-custom-prerouting-rules'].each do |rule|
-        ::Dust.print_msg "adding custom ipv6 prerouting rule: #{rule}", 2
-        rule_file += "-A PREROUTING #{rule}\n"
-        ::Dust.print_ok
-      end if ipv6
-
-      # add custom ipv4 postrouting rules
-      rules['ipv4-custom-postrouting-rules'].each do |rule|
-        ::Dust.print_msg "adding custom ipv4 postrouting rule: #{rule}", 2
-        rule_file += "-A POSTROUTING #{rule}\n"
-        ::Dust.print_ok
-      end if ipv4
-
-      # add custom ipv6 postrouting rules
-      rules['ipv6-custom-postrouting-rules'].each do |rule|
-        ::Dust.print_msg "adding custom ipv6 postrouting rule: #{rule}", 2
-        rule_file += "-A POSTROUTING #{rule}\n"
-        ::Dust.print_ok
-      end if ipv6
+          # convert non-array variables to array, so we won't get hickups when using .each and .combine
+          rule.each { |k, v| rule[k] = [ rule[k] ] if rule[k].class != Array }
 
+          next unless check_ipversion rule, ipv
 
-      # drop invalid outgoing packets
-      rule_file += "-A OUTPUT -m state --state INVALID -j DROP\n"
+          parse_rule(rule).each do |r|
+            # TODO: parse nicer output
+            ::Dust.print_msg "#{name}:#{::Dust.grey 0} '#{r.join ' ' }'#{::Dust.none}\n", 3
+            iptables_script += "-A #{chain.upcase} #{r.join ' '}\n"
+          end
+        end
+      end
 
-      # allow related outgoing packets
-      rule_file += "-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
-
-      # add custom ipv4 output rules
-      rules['ipv4-custom-output-rules'].each do |rule|
-        ::Dust.print_msg "adding custom ipv4 outgoing rule: #{rule}", 2
-        rule_file += "-A OUTPUT #{rule}\n"
-        ::Dust.print_ok
-      end if ipv4
-
-      # add custom ipv6 output rules
-      rules['ipv6-custom-output-rules'].each do |rule|
-        ::Dust.print_msg "adding custom ipv6 outgoing rule: #{rule}", 2
-        rule_file += "-A OUTPUT #{rule}\n"
-        ::Dust.print_ok
-      end if ipv6
+      # deny the rest incoming
+      iptables_script += "-A INPUT -p tcp -j REJECT --reject-with tcp-reset\n"
+      iptables_script += "-A INPUT -j REJECT --reject-with icmp-port-unreachable\n" if ipv4
 
       # allow everything out
-      rule_file += "-A OUTPUT -j ACCEPT\n"
-
-
-      # enable packet forwarding
-      if rules['forward']
-        ::Dust.print_msg 'enabling ipv4 forwarding', 2
-        rule_file += "-A FORWARD -m state --state INVALID -j DROP\n"
-        rule_file += "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
-        rule_file += "-A FORWARD -j ACCEPT\n"
-        ::Dust.print_ok
-      end if ipv4
-
-      # add custom ipv4 forward rules
-      rules['ipv4-custom-forward-rules'].each do |rule|
-        ::Dust.print_msg "adding custom ipv4 forward rule: #{rule}", 2
-        rule_file += "-A FORWARD #{rule}\n"
-        ::Dust.print_ok
-      end if ipv4
-
-      # add custom ipv6 forward rules
-      rules['ipv6-custom-forward-rules'].each do |rule|
-        ::Dust.print_msg "adding custom ipv6 forward rule: #{rule}", 2
-        rule_file += "-A FORWARD #{rule}\n"
-        ::Dust.print_ok
-      end if ipv6
-
-      rule_file += "COMMIT\n" if node.uses_rpm? true
+      iptables_script += "-A OUTPUT -j ACCEPT\n"
+
+      # put commit statement for rpm machines
+      iptables_script += "COMMIT\n" if node.uses_rpm? true
 
       # prepend iptables command on non-centos-like machines
-      rule_file = rule_file.map { |s| "#{iptables} #{s}" }.to_s if node.uses_apt? true or node.uses_emerge? true
+      iptables_script = iptables_script.map { |s| "#{iptables} #{s}" }.to_s if node.uses_apt? true or node.uses_emerge? true
 
       # set header
       header  = ''
       header  = "#!/bin/sh\n" if node.uses_apt? true or node.uses_emerge? true
       header += "# automatically generated by dust\n\n"
-      rule_file = header + rule_file
+      iptables_script = header + iptables_script
 
       # set the target file depending on distribution
       target = "/etc/network/if-pre-up.d/#{iptables}" if node.uses_apt? true
       target = "/etc/#{iptables}" if node.uses_emerge? true
       target = "/etc/sysconfig/#{iptables}" if node.uses_rpm? true
 
-      node.write target, rule_file, true
+      node.write target, iptables_script, true
 
       node.chmod '700', target if node.uses_apt? true or node.uses_emerge? true
       node.chmod '600', target if node.uses_rpm? true
@@ -263,5 +153,46 @@ class Iptables < Thor
       puts
     end
   end
+
+
+  private 
+
+  # check if source and destination ip (if given)
+  # are valid ips for this ip version
+  def check_ipversion rule, ipv
+    ['source', 'destination', 'to-source'].each do |attr|
+      if rule[attr]
+        rule[attr].each do |addr|
+          return false unless IPAddress(addr).send "ipv#{ipv}?"
+        end
+      end
+      # return false if this ip version was manually disabled
+      return false unless rule['ip-version'].include? ipv if rule['ip-version']
+    end
+    true
+  end
+
+  # map iptables options
+  def parse_rule r
+    with_dashes = {}
+    result = []
+
+    r.each do |k, v|
+      # skip ip-version, since its not iptables option
+      with_dashes[k] = r[k].map { |value| "--#{k} #{value}" } unless k == 'ip-version'
+    end
+    with_dashes.values.each { |a| result = result.combine a }
+
+    # make sure the options are sorted in a way that works.
+    # protocol and match first, jump last
+    sorted = []
+    result.each do |r|
+      r = r.sort_by { |x| if x.include? '--match' then -1 else 1 end }
+      r = r.sort_by { |x| if x.include? '--protocol' then -1 else 1 end }
+      sorted.push(r.sort_by { |x| if x.include? '--jump' then 1 else -1 end })
+    end
+
+    sorted
+  end
 end
 

data/lib/dust/version.rb

@@ -1,3 +1,3 @@
 module Dust
-  VERSION = "0.1.8"
+  VERSION = "0.2.0"
 end

metadata

@@ -4,9 +4,9 @@ version: !ruby/object:Gem::Version
   prerelease: false
   segments: 
   - 0
-  - 1
-  - 8
-  version: 0.1.8
+  - 2
+  - 0
+  version: 0.2.0
 platform: ruby
 authors: 
 - kris kechagia
@@ -65,6 +65,18 @@ dependencies:
         version: "0"
   type: :runtime
   version_requirements: *id004
+- !ruby/object:Gem::Dependency 
+  name: ipaddress
+  prerelease: false
+  requirement: &id005 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id005
 description: when puppet and chef suck because you want to be in control and sprinkle just cannot do enough for you
 email: 
 - kk@rndsec.net