ip-wrangler 0.1.0

data/lib/ip_wrangler/exec.rb

@@ -0,0 +1,17 @@
+module IpWrangler
+  module Exec
+    $iptables_bin_path = '/usr/bin/sudo /sbin/iptables'
+
+    extend self
+
+    def execute_command(command)
+      output = `#{command}`
+      puts "Execute: #{command} => output: #{output}, result: #{$?.exitstatus}"
+      output
+    end
+
+    def execute_iptables_command(command)
+      execute_command("#{$iptables_bin_path} #{command}")
+    end
+  end
+end

data/lib/ip_wrangler/ip.rb

@@ -0,0 +1,37 @@
+module IpWrangler
+  module Ip
+    def parse_ip(ip)
+      ip.split(/\./).map { |octet| octet.to_i }
+    end
+
+    def str_ip(ip)
+      "#{ip[0]}.#{ip[1]}.#{ip[2]}.#{ip[3]}"
+    end
+
+    def validate_ip(ip)
+      ip.select { |octet| octet < 0 || octet > 255 }.length == 0
+    end
+
+    def range_ips(start, stop)
+      if validate_ip(start) && validate_ip(stop)
+        start = start.inject { |sum, octet| sum * 256 + octet }
+        stop = stop.inject { |sum, octet| sum * 256 + octet }
+
+        (start..stop).map do |ip|
+          IP.new([(ip / 16777216) % 256,
+                  (ip / 65536) % 256,
+                  (ip / 256) % 256,
+                  ip % 256])
+        end
+      end
+    end
+
+    def validate_port(port)
+      port > 0 && port < 65536
+    end
+
+    def range_ports(start, stop, ip, protocol)
+      (start..stop).map { |port| Port.new(ip, port, protocol) }
+    end
+  end
+end

data/lib/ip_wrangler/iptables.rb

@@ -0,0 +1,222 @@
+module IpWrangler
+  class Iptables
+    $iptables_bin_path = '/usr/bin/sudo /sbin/iptables'
+    $awk_bin_path = '/usr/bin/awk'
+    $tail_bin_path = '/usr/bin/tail'
+    $grep_bin_path = '/bin/grep'
+
+    def initialize(chain_name, logger)
+      @chain_name = chain_name
+      @logger = logger
+    end
+
+    def rule_nat_port(public_ip, public_port, private_ip, private_port, protocol)
+      [Parameter.destination(public_ip),
+       Parameter.protocol(protocol),
+       Parameter.destination_port(public_port),
+       Parameter.jump('DNAT'),
+       Parameter.to_destination("#{private_ip}:#{private_port}")]
+    end
+
+    def rule_nat_ip(public_ip, private_ip)
+      rule_dnat = [Parameter.destination(public_ip),
+                   Parameter.jump('DNAT'),
+                   Parameter.to_destination(private_ip)]
+      rule_snat = [Parameter.source(private_ip),
+                   Parameter.jump('SNAT'),
+                   Parameter.to(public_ip)]
+      return rule_dnat, rule_snat
+    end
+
+    def append_nat_port(public_ip, public_port, private_ip, private_port, protocol)
+      rule = rule_nat_port(public_ip, public_port, private_ip, private_port, protocol)
+
+      execute(Command.check_rule("#{@chain_name}_PRE", 'nat', rule))
+      if $?.exitstatus == 1
+        execute(Command.append_rule("#{@chain_name}_PRE", 'nat', rule))
+      end
+    end
+
+    def append_nat_ip(public_ip, private_ip)
+      rule_dnat, rule_snat = rule_nat_ip(public_ip, private_ip)
+
+      execute(Command.check_rule("#{@chain_name}_PRE", 'nat', rule_dnat))
+      if $?.exitstatus == 1
+        execute(Command.append_rule("#{@chain_name}_PRE", 'nat', rule_dnat))
+      end
+      execute(Command.check_rule("#{@chain_name}_POST", 'nat', rule_snat))
+      if $?.exitstatus == 1
+        execute(Command.append_rule("#{@chain_name}_POST", 'nat', rule_snat))
+      end
+    end
+
+    def delete_nat_port(public_ip, public_port, private_ip, private_port, protocol)
+      rule = rule_nat_port(public_ip, public_port, private_ip, private_port, protocol)
+
+      execute(Command.delete_rule_spec("#{@chain_name}_PRE", rule, 'nat'))
+    end
+
+    def delete_nat_ip(public_ip, private_ip)
+      rule_dnat, rule_snat = rule_nat_ip(public_ip, private_ip)
+
+      command_dnat = Command.delete_rule_spec("#{@chain_name}_PRE", rule_dnat, 'nat')
+      command_snat = Command.delete_rule_spec("#{@chain_name}_POST", rule_snat, 'nat')
+      execute(command_dnat, command_snat)
+    end
+
+    def not_exists_nat_port?(public_ip, public_port, protocol, _, _)
+      command = "#{$iptables_bin_path} -t nat -n -v -L #{@chain_name}_PRE | "\
+        "#{$awk_bin_path} '{print $9, $10, $11, $12}' | "\
+        "#{$grep_bin_path} -i '^#{public_ip} #{protocol} dpt:#{public_port}'"
+      output = IpWrangler::Exec.execute_command(command)
+      output.empty?
+    end
+
+    def not_exists_nat_ip?(public_ip, _)
+      command = "#{$iptables_bin_path} -t nat -n -v -L #{@chain_name}_PRE | "\
+        "#{$awk_bin_path} '{print $9, $10}' | "\
+        "#{$grep_bin_path} -i '^#{public_ip}'"
+      output = IpWrangler::Exec.execute_command(command)
+      output.empty?
+    end
+
+    def execute(*commands)
+      commands.each do |command|
+        IpWrangler::Exec.execute_iptables_command("#{command}")
+      end
+    end
+  end
+
+  class Command
+    @@commands = {
+      append_rule: '--append',
+      insert_rule: '--insert',
+      replace_rule: '--replace',
+      check_rule: '--check',
+      delete_rule: '--delete',
+      new_chain: '--new-chain',
+      rename_chain: '--rename-chain',
+      policy_chain: '--policy',
+      zero_chain: '--zero',
+      flush_chain: '--flush',
+      delete_chain: '--delete-chain'
+    }
+
+    def self.parameters_to_s(parameters)
+      __parameters = ''
+      parameters.each { |parameter| __parameters = "#{__parameters} #{parameter} " }
+      "#{__parameters}".gsub(/\s+/, ' ')
+    end
+
+    def self.append_rule(chain, table, parameters)
+      "-t #{table} #{@@commands[:append_rule]} #{chain} #{parameters_to_s(parameters)}"
+    end
+
+    def self.insert_rule(chain, num, table, parameters)
+      "-t #{table} #{@@commands[:insert_rule]} #{chain} #{num} #{parameters_to_s(parameters)}"
+    end
+
+    def self.replace_rule(chain, num, table, parameters)
+      "-t #{table} #{@@commands[:replace_rule]} #{chain} #{num} #{parameters_to_s(parameters)}"
+    end
+
+    def self.check_rule(chain, table, parameters)
+      "-t #{table} #{@@commands[:check_rule]} #{chain} #{parameters_to_s(parameters)}"
+    end
+
+    def self.delete_rule(chain, num, table)
+      "-t #{table} #{@@commands[:delete_rule]} #{chain} #{num}"
+    end
+
+    def self.delete_rule_spec(chain, parameters, table)
+      "-t #{table} #{@@commands[:delete_rule]} #{chain} #{parameters_to_s(parameters)}"
+    end
+
+    def self.new_chain(chain, table)
+      "-t #{table} #{@@commands[:new_chain]} #{chain}"
+    end
+
+    def self.rename_chain(old_chain, new_chain, table)
+      "-t #{table} #{@@commands[:rename_chain]} #{old_chain} #{new_chain}"
+    end
+
+    def self.policy_chain(chain, target, table)
+      "-t #{table} #{@@commands[:policy_chain]} #{chain} #{target}"
+    end
+
+    def self.zero_chain(chain, num, table)
+      "-t #{table} #{@@commands[:zero_chain]} #{chain} #{num}"
+    end
+
+    def self.flush_chain(chain, table)
+      "-t #{table} #{@@commands[:flush_chain]} #{chain}"
+    end
+
+    def self.delete_chain(chain, table)
+      "-t #{table} #{@@commands[:delete_chain]} #{chain}"
+    end
+  end
+
+  class Parameter
+    @@parameters = {
+      protocol: '--protocol',
+      source: '--source',
+      destination: '--destination',
+      source_port: '--source-port',
+      destination_port: '--destination-port',
+      in_interface: '--in-interface',
+      out_interface: '--out-interface',
+      to_destination: '--to-destination',
+      to: '--to',
+      jump: '--jump'
+    }
+
+    def initialize(name, value = nil)
+      @name, @value = name, value
+    end
+
+    def to_s
+      "#{@name} #{@value}"
+    end
+
+    def self.protocol(protocol)
+      new(@@parameters[:protocol], protocol)
+    end
+
+    def self.source(source)
+      new(@@parameters[:source], source)
+    end
+
+    def self.destination(destination)
+      new(@@parameters[:destination], destination)
+    end
+
+    def self.source_port(source_port)
+      new(@@parameters[:source_port], source_port)
+    end
+
+    def self.destination_port(destination_port)
+      new(@@parameters[:destination_port], destination_port)
+    end
+
+    def self.in_interface(in_interface)
+      new(@@parameters[:in_interface], in_interface)
+    end
+
+    def self.out_interface(out_interface)
+      new(@@parameters[:out_interface], out_interface)
+    end
+
+    def self.to_destination(destination)
+      new(@@parameters[:to_destination], destination)
+    end
+
+    def self.to(destination)
+      new(@@parameters[:to], destination)
+    end
+
+    def self.jump(target)
+      new(@@parameters[:jump], target)
+    end
+  end
+end

data/lib/ip_wrangler/main.rb

@@ -0,0 +1,324 @@
+config_file = ENV['__config_file']
+$config = YAML.load_file(config_file)
+
+use Rack::Auth::Basic, 'Restricted Area' do |username, password|
+  [username, password] == [$config['username'], $config['password']]
+end
+
+$logger = Logger.new("#{$config['log_dir']}/app_output.log")
+
+$nat = IpWrangler::NAT.new($config, $logger)
+
+def sandbox(&block)
+  begin
+    content_type('application/json')
+    yield
+  rescue RuntimeError => e
+    $logger.error("Runtime error: #{e}:#{e.backtrace}")
+    400
+  rescue Exception => e
+    $logger.error("Unresolved exception: #{e}:#{e.backtrace}")
+    500
+  end
+end
+
+def valid_ip?(ip)
+  (ip =~ /^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/) ? true : false
+end
+
+def valid_port?(port)
+  (1..65535).include?(port)
+end
+
+def valid_protocol?(protocol)
+  protocol =~ /^(tcp|udp)$/i ? true : false
+end
+
+def release_ip_and_check(private_ip, public_ip = nil)
+  released_ip = $nat.release_ip(private_ip, public_ip)
+  check_released_resource(released_ip)
+end
+
+def release_port_and_check(private_ip, private_port = nil, protocol = nil)
+  released_port = $nat.release_port(private_ip, private_port, protocol)
+  check_released_resource(released_port)
+end
+
+def check_released_resource(released_resource)
+  if released_resource.length > 0
+    [200, released_resource.to_json]
+  else
+    204
+  end
+end
+
+# List any NAT port(s)
+get '/nat/port' do
+  sandbox do
+    $nat.get_nat_ports.map { |nat_port|
+      puts nat_port[:public_ip]
+      nat_port[:public_ip] = $config['ext_ip']
+      nat_port
+    }.to_json
+  end
+end
+
+# List NAT port(s) for specified private IP
+get '/nat/port/*' do |private_ip|
+  sandbox do
+    if valid_ip?(private_ip)
+      $nat.get_nat_ports(private_ip).map { |nat_port|
+        puts nat_port[:public_ip]
+        nat_port[:public_ip] = $config['ext_ip']
+        nat_port
+      }.to_json
+    else
+      500
+    end
+  end
+end
+
+# List any NAT IP(s)
+get '/nat/ip' do
+  sandbox do
+    $nat.get_nat_ips.map { |nat_ip| nat_ip }.to_json
+  end
+end
+
+# List NAT IP(s) for specified private IP
+get '/nat/ip/*' do |private_ip|
+  sandbox do
+    if valid_ip?(private_ip)
+      $nat.get_nat_ips(private_ip).map { |nat_ip| nat_ip }.to_json
+    else
+      500
+    end
+  end
+end
+
+# Create NAT port(s) for specified IP
+post '/nat/port/*/*/*' do |private_ip, private_port, protocol|
+  sandbox do
+    private_port = private_port.to_i
+    if valid_ip?(private_ip) && valid_port?(private_port) && valid_protocol?(protocol)
+      public_ip_port = $nat.lock_port(private_ip, private_port, protocol)
+
+      if public_ip_port
+        public_ip_port[:public_ip] = $config['ext_ip']
+        public_ip_port.to_json
+      else
+        404
+      end
+    else
+      500
+    end
+  end
+end
+
+# Create NAT port(s) for specified IP
+post '/nat/port/*/*' do |private_ip, private_port|
+  sandbox do
+    private_port = private_port.to_i
+    if valid_ip?(private_ip) && valid_port?(private_port)
+      public_ip_port_tcp = $nat.lock_port(private_ip, private_port, 'tcp')
+      public_ip_port_udp = $nat.lock_port(private_ip, private_port, 'udp')
+
+      out = nil
+
+      if public_ip_port_tcp
+        public_ip_port_tcp[:public_ip] = $config['ext_ip']
+        out = "#{public_ip_port_tcp.to_json}"
+      end
+
+      if public_ip_port_udp
+        public_ip_port_udp[:public_ip] = $config['ext_ip']
+        if out
+          out += ",#{public_ip_port_udp.to_json}"
+        else
+          out = "#{public_ip_port_udp.to_json}"
+        end
+      end
+
+      if out
+        out = "[#{out}]"
+        out
+      else
+        404
+      end
+    else
+      500
+    end
+  end
+end
+
+# Create NAT IP for specified private IP
+post '/nat/ip/*' do |private_ip|
+  sandbox do
+    if valid_ip?(private_ip)
+      public_ip = $nat.lock_ip(private_ip)
+
+      if public_ip
+        public_ip.to_json
+      else
+        404
+      end
+    else
+      500
+    end
+  end
+end
+
+# Delete NAT port with specified protocol for specified IP
+delete '/nat/port/*/*/*' do |private_ip, private_port, protocol|
+  sandbox do
+    private_port = private_port.to_i
+    if valid_ip?(private_ip) && valid_port?(private_port) && valid_protocol?(protocol)
+      release_port_and_check(private_ip, private_port, protocol)
+    else
+      500
+    end
+  end
+end
+
+# Delete NAT port with any protocol (TCP and UDP) for specified IP
+delete '/nat/port/*/*' do |private_ip, private_port|
+  sandbox do
+    private_port = private_port.to_i
+    if valid_ip?(private_ip) && valid_port?(private_port)
+      release_port_and_check(private_ip, private_port)
+    else
+      500
+    end
+  end
+end
+
+# Delete any NAT ports for specified IP
+delete '/nat/port/*' do |private_ip|
+  sandbox do
+    if valid_ip?(private_ip)
+      release_port_and_check(private_ip)
+    else
+      500
+    end
+  end
+end
+
+# Delete NAT IP for specified IP
+delete '/nat/ip/*/*' do |private_ip, public_ip|
+  sandbox do
+    if valid_ip?(private_ip) && valid_ip?(public_ip)
+      release_ip_and_check(private_ip, public_ip)
+    else
+      500
+    end
+  end
+end
+
+# Delete NAT any IP(s) for specified IP
+delete '/nat/ip/*' do |private_ip|
+  sandbox do
+    if valid_ip?(private_ip)
+      release_ip_and_check(private_ip)
+    else
+      500
+    end
+  end
+end
+
+# OLD API (compatibility)
+
+get '/' do
+  'IptWr REST Endpoint!'
+end
+
+get '/dnat' do
+  sandbox do
+    $nat.get_nat_ports.map { |nat_port|
+      nat_port[:public_ip] = $config['ext_ip']
+      nat_port[:privPort] = nat_port[:private_port]
+      nat_port[:pubIp] = nat_port[:public_ip]
+      nat_port[:pubPort] = nat_port[:public_port]
+      nat_port
+    }.to_json
+  end
+end
+
+get '/dnat/*' do |ip|
+  sandbox do
+    if valid_ip?(ip)
+      $nat.get_nat_ports(ip).map { |nat_port|
+        nat_port[:public_ip] = $config['ext_ip']
+        nat_port[:privPort] = nat_port[:private_port]
+        nat_port[:pubIp] = nat_port[:public_ip]
+        nat_port[:pubPort] = nat_port[:public_port]
+        nat_port
+      }.to_json
+    else
+      500
+    end
+  end
+end
+
+post '/dnat/*' do |ip|
+  sandbox do
+    redirects = []
+
+    request.body.rewind
+    data = JSON.parse(request.body.read)
+
+    if valid_ip?(ip)
+      data.each do |dpp|
+        if valid_port?(dpp['port']) && valid_protocol?(dpp['proto'])
+          redir = $nat.lock_port(ip, dpp['port'], dpp['proto'])
+          if redir
+            redir[:public_ip] = $config['ext_ip']
+            redir[:privPort] = redir[:private_port]
+            redir[:pubIp] = redir[:public_ip]
+            redir[:pubPort] = redir[:public_port]
+            redirects.push(redir)
+          end
+        end
+      end
+
+      if redirects.length > 0
+        redirects.to_json
+      else
+        404
+      end
+    else
+      500
+    end
+  end
+end
+
+delete '/dnat/*/*/*' do |ip, port, proto|
+  sandbox do
+    port = port.to_i
+    if valid_ip?(ip) && valid_port?(port) && valid_protocol?(proto)
+      release_port_and_check(ip, port, proto)
+    else
+      500
+    end
+  end
+end
+
+delete '/dnat/*/*' do |ip, port|
+  sandbox do
+    port = port.to_i
+    if valid_ip?(ip) && valid_port?(port)
+      release_port_and_check(ip, port)
+    else
+      500
+    end
+  end
+end
+
+delete '/dnat/*' do |ip|
+  sandbox do
+    if valid_ip?(ip)
+      release_port_and_check(ip)
+    else
+      500
+    end
+  end
+end