ip-wrangler 0.1.0

data/bin/ip-wrangler-stop

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+
+name = 'ip-wrangler'
+gem = Gem::Specification.find_by_name(name)
+command = File.join(gem.full_gem_path, 'bin/ip-wrangler-stop.sh')
+system(command, *ARGV)

data/bin/ip-wrangler-stop.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+export __dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+export __dir=$( dirname ${__dir} )
+
+function usage() {
+    echo "Usage: $(basename $0) -P <pid_file|maybe:ip-wrangler.pid> -h (help and exit)"
+}
+
+while getopts 'P:h' __flag; do
+  case "${__flag}" in
+    P)
+        export __pid_file="$(realpath ${OPTARG})"
+        ;;
+    h)
+        usage
+        exit 0
+        ;;
+    *)
+        error "Unexpected option: ${__flag}"
+        usage
+        exit 1
+        ;;
+  esac
+done
+
+if [ -z "${__pid_file}" ]
+then
+    echo "No PID file defined."
+    usage
+    exit 1
+fi
+
+pushd ${__dir}/lib/ 2>&1 >> /dev/null
+    thin -P ${__pid_file} stop
+popd 2>&1 >> /dev/null

data/bin/ip-wrangler-test

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+
+name = 'ip-wrangler'
+gem = Gem::Specification.find_by_name(name)
+command = File.join(gem.full_gem_path, 'bin/ip-wrangler-test.sh')
+system(command, *ARGV)

data/bin/ip-wrangler-test.sh

@@ -0,0 +1,166 @@
+#!/bin/bash
+
+#set -x
+
+export __IP="127.0.0.1"
+export __PORT=8400
+
+export __USER=username
+export __PASS=password
+
+if (( "$#" >= "1" )); then
+    export __IP=$1
+fi
+
+if (( "$#" >= "2" )); then
+    export __PORT=$2
+fi
+
+if (( "$#" >= "3" )); then
+    export __USER=$3
+fi
+
+if (( "$#" >= "4" )); then
+    export __PASS=$4
+fi
+
+echo "${__IP} ${__PORT} ${__USER} ${__PASS}"
+
+read
+
+for __ip in `seq 1 3`; do
+    for __port in `seq 1000 1010`; do
+        curl -u ${__USER}:${__PASS} -X POST --data "" http://${__IP}:${__PORT}/nat/port/127.0.0.${__ip}/${__ip}${__port}/tcp
+        echo ""
+        curl -u ${__USER}:${__PASS} -X POST --data "" http://${__IP}:${__PORT}/nat/port/127.0.0.${__ip}/${__ip}${__port}/udp
+        echo ""
+    done
+done
+
+read
+
+for __ip in `seq 1 3`; do
+    for __port in `seq 1005 1015`; do
+        curl -u ${__USER}:${__PASS} -X POST --data "" http://${__IP}:${__PORT}/nat/port/127.0.0.${__ip}/${__ip}${__port}
+        echo ""
+    done
+done
+
+read
+
+for __ip in `seq 1 3`; do
+    curl -u ${__USER}:${__PASS} -X POST --data "" http://${__IP}:${__PORT}/nat/ip/127.0.1.${__ip}
+    echo ""
+done
+
+read
+
+curl -u ${__USER}:${__PASS} http://${__IP}:${__PORT}/nat/port
+echo ""
+
+for __ip in `seq 1 3`; do
+    curl -u ${__USER}:${__PASS} http://${__IP}:${__PORT}/nat/port/127.0.0.${__ip}
+    echo ""
+done
+
+curl -u ${__USER}:${__PASS} http://${__IP}:${__PORT}/nat/ip
+echo ""
+
+read
+
+for __ip in `seq 1 3`; do
+    for __port in `seq 1000 1010`; do
+        curl -u ${__USER}:${__PASS} -X DELETE --data "" http://${__IP}:${__PORT}/nat/port/127.0.0.${__ip}/${__ip}${__port}/tcp
+        echo ""
+        curl -u ${__USER}:${__PASS} -X DELETE --data "" http://${__IP}:${__PORT}/nat/port/127.0.0.${__ip}/${__ip}${__port}/udp
+        echo ""
+    done
+done
+
+read
+
+for __ip in `seq 1 3`; do
+    for __port in `seq 1005 1015`; do
+        curl -u ${__USER}:${__PASS} -X DELETE --data "" http://${__IP}:${__PORT}/nat/port/127.0.0.${__ip}/${__ip}${__port}
+        echo ""
+    done
+done
+
+read
+
+for __ip in `seq 1 3`; do
+    curl -u ${__USER}:${__PASS} -X DELETE --data "" http://${__IP}:${__PORT}/nat/port/127.0.0.${__ip}
+    echo ""
+done
+
+for __id in `seq 1 2`; do
+    curl -u ${__USER}:${__PASS} -X DELETE --data "" http://${__IP}:${__PORT}/nat/ip/127.0.1.${__id}
+    echo ""
+done
+
+read
+
+curl -u ${__USER}:${__PASS} -X DELETE --data "" http://${__IP}:${__PORT}/nat/ip/127.0.1.3
+echo ""
+
+read
+
+curl -u ${__USER}:${__PASS} http://${__IP}:${__PORT}/
+echo ""
+
+read
+
+for __ip in `seq 1 3`; do
+    for __port in `seq 1000 1010`; do
+        curl -u ${__USER}:${__PASS} -X POST --data "[{\"port\": ${__ip}${__port}, \"proto\": \"tcp\"}]" http://${__IP}:${__PORT}/dnat/127.0.0.${__ip}
+        echo ""
+        curl -u ${__USER}:${__PASS} -X POST --data "[{\"port\": ${__ip}${__port}, \"proto\": \"udp\"}]" http://${__IP}:${__PORT}/dnat/127.0.0.${__ip}
+        echo ""
+    done
+done
+
+read
+
+for __ip in `seq 1 3`; do
+    for __port in `seq 1005 1015`; do
+        curl -u ${__USER}:${__PASS} -X POST --data "[{\"port\": ${__ip}${__port}, \"proto\": \"tcp\"}, {\"port\": ${__ip}${__port}, \"proto\": \"udp\"}]" http://${__IP}:${__PORT}/dnat/127.0.0.${__ip}
+        echo ""
+    done
+done
+
+read
+
+curl -u ${__USER}:${__PASS} http://${__IP}:${__PORT}/dnat
+echo ""
+
+for __ip in `seq 1 3`; do
+    curl -u ${__USER}:${__PASS} http://${__IP}:${__PORT}/dnat/127.0.0.${__ip}
+    echo ""
+done
+
+read
+
+for __ip in `seq 1 3`; do
+    for __port in `seq 1000 1010`; do
+        curl -u ${__USER}:${__PASS} -X DELETE --data "" http://${__IP}:${__PORT}/dnat/127.0.0.${__ip}/${__ip}${__port}/tcp
+        echo ""
+        curl -u ${__USER}:${__PASS} -X DELETE --data "" http://${__IP}:${__PORT}/dnat/127.0.0.${__ip}/${__ip}${__port}/udp
+        echo ""
+    done
+done
+
+read
+
+for __ip in `seq 1 3`; do
+    for __port in `seq 1005 1015`; do
+        curl -u ${__USER}:${__PASS} -X DELETE --data "" http://${__IP}:${__PORT}/dnat/127.0.0.${__ip}/${__ip}${__port}
+        echo ""
+    done
+done
+
+read
+
+for __ip in `seq 1 3`; do
+    curl -u ${__USER}:${__PASS} -X DELETE --data "" http://${__IP}:${__PORT}/nat/port/127.0.0.${__ip}
+    echo ""
+done

data/ip-wrangler.gemspec

@@ -0,0 +1,31 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'ip_wrangler/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'ip-wrangler'
+  spec.version       = IpWrangler::VERSION
+  spec.authors       = ['Paweł Suder', 'Jan Meizner', 'Bartosz Wilk']
+  spec.email         = ['pawel@suder.info', 'j.meizner@cyfronet.pl', 'b.wilk@cyfronet.pl']
+  spec.description   = %q{Iptables DNAT manager}
+  spec.summary       = %q{Service is responsible for managing DNAT rules in iptables nat table}
+  spec.homepage      = 'https://github.com/dice-cyfronet/ip-wrangler'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'sinatra', '~> 1.4'
+  spec.add_dependency 'thin', '~> 1.6'
+
+  spec.add_dependency 'sequel', '~> 4.19'
+  spec.add_dependency 'sqlite3', '~> 1.3'
+
+  spec.add_dependency 'json', '~> 1.8'
+
+  spec.add_development_dependency 'bundler', '~> 1.6'
+  spec.add_development_dependency 'rake', '~> 10.4'
+end

data/lib/config.ru

@@ -0,0 +1,127 @@
+require 'bundler'
+require 'eventmachine'
+require 'fileutils'
+require 'json'
+require 'logger'
+require 'rubygems'
+require 'sequel'
+require 'sinatra'
+require 'thin'
+require 'yaml'
+
+require './ip_wrangler/db'
+require './ip_wrangler/ip'
+require './ip_wrangler/iptables'
+require './ip_wrangler/nat'
+require './ip_wrangler/exec'
+
+unless ENV.has_key?('__config_file')
+  puts 'No config file. Exiting.'
+  exit(1)
+end
+
+config_file = ENV['__config_file']
+
+unless File.file?(config_file)
+  puts "#{config_file} not found. Exiting."
+  exit(2)
+end
+
+config = YAML.load_file(config_file)
+
+unless ENV.has_key?('__no_log')
+  console_logger = File.new("#{config['log_dir']}/thin_output.log", 'a')
+
+  STDOUT.reopen(console_logger)
+  STDERR.reopen(console_logger)
+end
+
+puts "Checking if #{config['db_path']} is existing..."
+
+unless File.file?(config['db_path'])
+  puts "Create #{config['db_path']}"
+  FileUtils.touch(config['db_path'])
+end
+
+puts 'Checking database...'
+
+db = Sequel.connect("sqlite://#{config['db_path']}")
+
+unless db.table_exists?(:nat_ports)
+  puts 'No nat_ports table. Creating it...'
+
+  db.create_table?(:nat_ports) do
+    primary_key :id
+    String :public_ip
+    Int :public_port
+    String :private_ip
+    Int :private_port
+    String :protocol
+  end
+
+  db.add_index(:nat_ports, [:public_ip, :public_port])
+
+  %w(tcp udp).each do |protocol|
+    ports = (config['port_start']..config['port_stop']).map { |port| [config['port_ip'], port, nil, nil, protocol] }.to_a
+    db[:nat_ports].import([:public_ip, :public_port, :private_ip, :private_port, :protocol], ports)
+  end
+
+end
+
+unless db.table_exists?(:nat_ips)
+  puts 'No nat_ips table. Creating it...'
+
+  db.create_table?(:nat_ips) do
+    primary_key :id
+    String :public_ip
+    String :private_ip
+  end
+
+  db.add_index(:nat_ips, :public_ip)
+
+  if config['ip'] != nil
+    config['ip'].each do |public_ip|
+      db[:nat_ips].insert(public_ip: public_ip, private_ip: nil)
+      puts "Add ip:#{public_ip}"
+    end
+  end
+end
+
+db.disconnect
+
+puts "Creating chain #{config['iptables_chain_name']}_PRE in nat table..."
+command_new_pre_nat_chain = IpWrangler::Command.new_chain("#{config['iptables_chain_name']}_PRE", 'nat')
+IpWrangler::Exec.execute_iptables_command(command_new_pre_nat_chain)
+
+puts "Creating chain #{config['iptables_chain_name']}_POST in nat table..."
+command_new_post_nat_chain = IpWrangler::Command.new_chain("#{config['iptables_chain_name']}_POST", 'nat')
+IpWrangler::Exec.execute_iptables_command(command_new_post_nat_chain)
+
+puts 'Appending rule, if not exists, to PREROUTING chain...'
+command_check_pre_nat_jump_rule = IpWrangler::Command.check_rule('PREROUTING', 'nat', [IpWrangler::Parameter.jump("#{config['iptables_chain_name']}_PRE")])
+IpWrangler::Exec.execute_iptables_command(command_check_pre_nat_jump_rule)
+if $?.exitstatus == 1
+  command_append_pre_nat_jump_rule = IpWrangler::Command.append_rule('PREROUTING', 'nat', [IpWrangler::Parameter.jump("#{config['iptables_chain_name']}_PRE")])
+  IpWrangler::Exec.execute_iptables_command(command_append_pre_nat_jump_rule)
+end
+
+puts 'Appending rule, if not exists, to POSTROUTING chain...'
+command_check_post_nat_jump_rule = IpWrangler::Command.check_rule('POSTROUTING', 'nat', [IpWrangler::Parameter.jump("#{config['iptables_chain_name']}_POST")])
+IpWrangler::Exec.execute_iptables_command(command_check_post_nat_jump_rule)
+if $?.exitstatus == 1
+  command_append_post_nat_jump_rule = IpWrangler::Command.append_rule('POSTROUTING', 'nat', [IpWrangler::Parameter.jump("#{config['iptables_chain_name']}_POST")])
+  IpWrangler::Exec.execute_iptables_command(command_append_post_nat_jump_rule)
+end
+
+Bundler.require
+
+require File.dirname(__FILE__) + '/ip_wrangler/main.rb'
+
+set :environment, ENV['RACK_ENV'].to_sym
+set :app_file, 'ip_wrangler/main.rb'
+set :raise_errors, true
+
+use Rack::MethodOverride
+disable :run, :reload
+
+run Sinatra::Application

data/lib/config.yml.example

@@ -0,0 +1,20 @@
+log_dir: /tmp
+db_path: /tmp/ipt.db
+
+username: username
+password: password
+
+iptables_chain_name: IPT_WR
+
+ext_ip: 10.0.0.1
+port_ip: 10.0.0.1
+port_start: 1024
+port_stop: 2048
+
+# Example of IP list
+#ip:
+#  - 10.0.0.2
+#  - 10.0.0.3
+#  - 10.0.0.4
+
+ip:

data/lib/ip_wrangler/db.rb

@@ -0,0 +1,99 @@
+module IpWrangler
+  class DB
+    def initialize(db_name, logger)
+      @db = Sequel.connect('sqlite://' + db_name)
+      @logger = logger
+    end
+
+    def select_nat_port(private_ip = nil, private_port = nil, protocol = nil)
+      params = { private_ip: private_ip, private_port: private_port,
+                 protocol: protocol }.select do |_, value|
+        !value.nil?
+      end
+      nat_ports = []
+      @db[:nat_ports].where(params).each do |nat_port|
+        if nat_port[:private_port] && nat_port[:private_port]
+          nat_ports.push(nat_port)
+        end
+      end
+      nat_ports
+    end
+
+    def select_nat_ip(private_ip = nil, public_ip = nil)
+      params = { private_ip: private_ip, public_ip: public_ip }.select do |_, value|
+        !value.nil?
+      end
+      nat_ips = []
+      @db[:nat_ips].where(params).each do |nat_ip|
+        if nat_ip[:private_ip]
+          nat_ips.push(nat_ip)
+        end
+      end
+      nat_ips
+    end
+
+    def insert_nat_port(public_ip, public_port, private_ip, private_port, protocol)
+      params = { public_ip: public_ip, public_port: public_port,
+                 protocol: protocol }
+      data = { private_ip: private_ip, private_port: private_port }
+      @db[:nat_ports].where(params).update(data)
+      @logger.info("Insert nat ip port entry: #{public_ip}/#{public_port} -> "\
+          "#{private_ip}/#{private_port} (#{protocol})")
+    end
+
+    def insert_nat_ip(public_ip, private_ip)
+      params = { public_ip: public_ip }
+      data = { private_ip: private_ip }
+      @db[:nat_ips].where(params).update(data)
+      @logger.info("Insert nat ip entry: #{public_ip} -> #{private_ip}")
+    end
+
+    def delete_nat_port(private_ip, private_port = nil, protocol = nil)
+      params = { private_ip: private_ip, private_port: private_port,
+                 protocol: protocol }.select do |_, value|
+        !value.nil?
+      end
+      data = { private_ip: nil, private_port: nil }
+      @db[:nat_ports].where(params).update(data)
+      @logger.info("Delete nat ip port entry: #{private_ip}/#{private_port} (#{protocol})")
+    end
+
+    def delete_nat_ip(private_ip, public_ip = nil)
+      params = { private_ip: private_ip,
+                 public_ip: public_ip }.select do |_, value|
+        !value.nil?
+      end
+      data = { private_ip: nil }
+      @db[:nat_ips].where(params).update(data)
+      @logger.info("Delete nat ip entry: #{public_ip}")
+    end
+
+    def get_first_empty_nat_port(protocol)
+      params = { private_ip: nil, private_port: nil,
+                 protocol: protocol }
+      empty_nat_ports = @db[:nat_ports].where(params)
+      unless empty_nat_ports.empty?
+        return empty_nat_ports.to_a[0]
+      end
+      nil
+    end
+
+    def get_first_empty_nat_ip
+      params = { private_ip: nil }
+      empty_nat_ips = @db[:nat_ips].where(params)
+      unless empty_nat_ips.empty?
+        return empty_nat_ips.to_a[0]
+      end
+      nil
+    end
+
+    def not_exists_nat_port?(public_ip, public_port, protocol, private_ip, private_port)
+      @db[:nat_ports].where(public_ip: public_ip, public_port: public_port,
+        private_ip: private_ip, private_port: private_port, protocol: protocol).empty?
+    end
+
+    def not_exists_nat_ip?(public_ip, private_ip)
+      @db[:nat_ips].where(public_ip: public_ip, private_ip: private_ip).empty?
+    end
+  end
+end