iptables-ruby 0.2.4

data/Rakefile

@@ -0,0 +1,44 @@
+require "rubygems"
+require "rubygems/package_task"
+require "rdoc/task"
+
+# This builds the actual gem. For details of what all these options
+# mean, and other ones you can add, check the documentation here:
+#
+#   http://rubygems.org/read/chapter/20
+#
+
+# This task actually builds the gem. We also regenerate a static
+# .gemspec file, which is useful if something (i.e. GitHub) will
+# be automatically building a gem for this project. If you're not
+# using GitHub, edit as appropriate.
+#
+# To publish your gem online, install the 'gemcutter' gem; Read more 
+# about that here: http://gemcutter.org/pages/gem_docs
+Gem::PackageTask.new(spec) do |pkg|
+  pkg.gem_spec = spec
+end
+
+desc "Build the gemspec file #{spec.name}.gemspec"
+task :gemspec do
+  file = File.dirname(__FILE__) + "/#{spec.name}.gemspec"
+  File.open(file, "w") {|f| f << spec.to_ruby }
+end
+
+# If you don't want to generate the .gemspec file, just remove this line. Reasons
+# why you might want to generate a gemspec:
+#  - using bundler with a git source
+#  - building the gem without rake (i.e. gem build blah.gemspec)
+#  - maybe others?
+task :package => :gemspec
+
+# Generate documentation
+RDoc::Task.new do |rd|
+  rd.rdoc_files.include("lib/**/*.rb")
+  rd.rdoc_dir = "rdoc"
+end
+
+desc 'Clear out RDoc and generated packages'
+task :clean => [:clobber_rdoc, :clobber_package] do
+  rm "#{spec.name}.gemspec"
+end

data/bin/check_firewall.rb

@@ -0,0 +1,220 @@
+#!/usr/bin/env ruby
+# Check whether the active firewall matches the merged/policy firewall
+
+config_path = '/var/lib/iptables'
+json_configs = %w/policy6 policy services macros rules primitives/
+@verbosity = 0
+compare_comments = true
+iptables_save_path = nil
+
+def exit_status(status = 0)
+  if @verbosity > 0
+    case status
+    when 0
+      colored = "0 (OK)".green
+    when 1
+      colored = "1 (Warning)".yellow
+    when 2
+      colored = '2 (Critical)'.red
+    when 3
+      colored = '3 (Unknown)'.red
+    else
+      colored = "#{status} (Not a Nagios status)".yellow
+    end
+    puts "exiting with status ".green + colored
+  end
+  exit status
+end
+
+# handle command-line args
+ARGV.each{ |arg|
+  case arg
+  when /^-c/
+    raise "specify configuration path using format '-c=/the/path'" unless arg.match(/^-c=(.+)/)
+    config_path = $1
+
+  when /^\-*h/, /^help/
+    # inspired by https://github.com/cespare/ruby-dedent
+    class String
+      def dedent
+        lines = split "\n"
+        return self if lines.empty?
+        # first indented line determines indent level
+        indentation = nil
+        lines.each{ |line|
+          next unless line =~ /^(\s+)/
+          indentation = $1
+          break
+        }
+        return self if indentation.nil?
+        lines.map { |line| line.sub(/^#{indentation}/, "") }.join "\n"
+      end
+    end
+
+    puts "
+    ### #{$0} ###
+    check whether firewall is applied
+    path to configurations for generated firewall:
+      #{config_path}
+    configuration json files:
+      #{json_configs.join(' ')}
+    options:
+      -c=/path/to/configuration:
+         path for configurations for generated firewall
+         leave blank for default
+      -h: this help
+      -ignore-comments:
+         when comparing firewalls, ignore comment differences
+      -l=/path/to/library:
+         path to iptables library, for testing
+         leave blank for default
+      -s=/path/to/iptables-save/output:
+         path to saved text output from `iptables-save`
+         if you specify this, it will be used instead of running `iptables-save`
+      -v: run verbosely
+         add more Vs for increased verbosity
+    ".dedent
+    exit
+
+  when /^-ignore-comments/
+    compare_comments = false
+
+  when /^-l/
+    # to test with a custom iptables lib:
+    raise "specify library path using format '-l=/the/path'" unless arg.match(/^-l=(.+)/)
+    raise "library path not found" unless File.directory? $1
+    require 'rubygems'
+    $:.unshift $1
+
+  when /^-s/
+    raise "specify `iptables-save` output path using format '-s=/the/path'" unless arg.match(/^-s=(.+)/)
+    iptables_save_path = $1
+
+  when /^-(v+)/
+    @verbosity = $1.length
+
+    # since we're verbose, make some colors
+    class String
+      def colorize(color_code)
+        "\e[#{color_code}m#{self}\e[0m"
+      end
+
+      def green
+        colorize(32)
+      end
+
+      def red
+        colorize(31)
+      end
+
+      def yellow
+        colorize(33)
+      end
+    end
+
+  else
+    raise "unknown argument: #{arg}"
+  end
+}
+
+%w/rubygems iptables/.each{ |module_name|
+  begin
+    require "#{module_name}"
+  rescue LoadError
+    puts "UNKNOWN: unable to load module '#{module_name}'"
+    exit_status 3
+  end
+}
+
+if @verbosity > 2
+  require 'logger'
+  $log = Logger.new(STDOUT)
+  $log.level = Logger::DEBUG
+end
+
+config = IPTables::Configuration.new
+puts "reading configs".green if @verbosity > 0
+json_configs.each{ |config_type|
+  config_file_path = "#{config_path}/#{config_type}.json"
+  puts " - #{config_file_path}".green if @verbosity > 1
+  unless File.readable? config_file_path
+    puts "UNKNOWN: could not read config_file_path #{config_file_path}"
+    exit_status 3
+  end
+  begin
+    config.parse_files(config_file_path)
+  rescue Exception => e
+    raise e if @verbosity > 0
+    puts "UNKNOWN: parsing #{config_file_path} failed: #{e.message}"
+    exit_status 3
+  end
+}
+
+puts "converging firewall".green if @verbosity > 0
+begin
+  policy_fw = config.converge_firewall
+  puts '--- CONVERGED FIREWALL BEGIN ---'.yellow if @verbosity > 1
+  puts policy_fw.as_array if @verbosity > 1
+  puts '--- CONVERGED FIREWALL END ---'.yellow if @verbosity > 1
+rescue Exception => e
+  raise e if @verbosity > 0
+  puts "UNKNOWN: firewall converge failed: #{e.message}"
+  exit_status 3
+end
+
+if iptables_save_path.nil?
+  puts "retrieving active firewall".green if @verbosity > 0
+  iptables_save = %x/iptables-save/
+else
+  puts "retrieving saved firewall".green if @verbosity > 0
+  puts " - #{iptables_save_path}".green if @verbosity > 1
+  unless File.readable? iptables_save_path
+    puts "UNKNOWN: could not read iptables_save_path #{iptables_save_path}"
+    exit_status 3
+  end
+  iptables_save = File.readlines(iptables_save_path).join()
+end
+puts '--- RETRIEVED FIREWALL BEGIN ---'.yellow if @verbosity > 1
+puts iptables_save if @verbosity > 1
+puts '--- RETRIEVED FIREWALL END ---'.yellow if @verbosity > 1
+if iptables_save.empty?
+  puts "UNKNOWN: iptables-save output is empty; do you have root permissions?"
+  exit_status 3
+end
+
+puts "parsing active firewall".green if @verbosity > 0
+begin
+  active_firewall = IPTables::Tables.new(iptables_save)
+  puts '--- PARSED FIREWALL BEGIN ---'.yellow if @verbosity > 1
+  puts active_firewall.as_array if @verbosity > 1
+  puts '--- PARSED FIREWALL END ---'.yellow if @verbosity > 1
+rescue Exception => e
+  raise e if @verbosity > 0
+  puts "UNKNOWN: unable to parse active firewall: #{e.message}"
+  exit_status 3
+end
+
+puts "comparing active firewall to converged firewall".green if @verbosity > 0
+puts "differences in comments are ".green + (compare_comments ? 'compared'.green : 'ignored'.red) if @verbosity > 0
+comparison = IPTables::TablesComparison.new(active_firewall, policy_fw)
+comparison.ignore_comments unless compare_comments
+unless comparison.equal?
+  if @verbosity > 2
+    require 'pp'
+    puts "--- BEGIN ACTIVE_FIREWALL AS ARRAY ---".yellow
+    pp active_firewall.as_array(comments = compare_comments)
+    puts "--- END ACTIVE_FIREWALL AS ARRAY ---".yellow
+    puts "--- BEGIN POLICY_FIREWALL AS ARRAY ---".yellow
+    pp policy_fw.as_array(comments = compare_comments)
+    puts "--- END POLICY_FIREWALL AS ARRAY ---".yellow
+  end
+  puts "--- BEGIN NAGIOS MESSAGE ---".yellow if @verbosity > 0
+  puts "WARNING: firewall needs to be applied"
+  puts comparison.as_array.join("\n")
+  puts "--- END NAGIOS MESSAGE ---".yellow if @verbosity > 0
+  exit_status 1
+end
+
+puts "Nagios message:" if @verbosity > 0
+puts "OK: active firewall matches policy firewall"
+exit_status

data/examples/policy/macros.json

@@ -0,0 +1,92 @@
+{
+  "macros": {
+    "accept-established": "-m state --state ESTABLISHED -j ACCEPT",
+    "accept-new_established": "-m state --state NEW,ESTABLISHED -j ACCEPT",
+    "accept-in_storage": [
+      {
+        "comment": "_ My storage ip address from storage addresses"
+      },
+      {
+        "interpolated": "-s <% storage.subnet %> -d <% storage.address %> -i <% storage.device %> -j ACCEPT",
+        "requires_primitive": "storage.address"
+      }
+    ],
+    "accept-related": "-m state --state RELATED -j ACCEPT",
+    "filter-attacks_and_probes": [
+      {
+        "comment": "_ Protect against attacks and probes"
+      },
+      "-m state --state INVALID -j DROP",
+      "-f -j strict_fragments",
+      "-p tcp -m state --state NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j strict_nosyn",
+      "-p icmp -m icmp --icmp-type 8 -j strict_icmpflood",
+      "-p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j strict_synflood",
+      "-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j strict_malxmas",
+      "-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j strict_malnull",
+      "-p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j strict_malbad",
+      "-p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j strict_malbad",
+      "-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j strict_malbad",
+      "-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j strict_malbad"
+    ],
+    "jump-in_peers": [
+      {
+        "comment": "_ My internet ip address on internet-facing network"
+      },
+      {
+        "interpolated": "-s <% internet.subnet.vpn %> -d <% internet.address %> -i <% internet.device %> -j in_peers"
+      },
+      {
+        "interpolated": "-s <% internet.subnet.internet %> -d <% internet.address %> -i <% internet.device %> -j in_peers"
+      }
+    ],
+    "jump-in_public": [
+      {
+        "comment": "_ Everything else"
+      },
+      {
+        "interpolated": "-d <% internet.address %> -i <% internet.device %> -j in_public"
+      }
+    ],
+    "log-drop": [
+      {
+        "comment": "_ Log and drop"
+      },
+      {
+        "ulog": ""
+      },
+      "-j DROP"
+    ],
+    "log-reject": [
+      {
+        "comment": "_ Log and reject"
+      },
+      {
+        "ulog": "-p tcp"
+      },
+      "-p tcp -j REJECT --reject-with tcp-reset"
+    ],
+    "return-iana": [
+      {
+        "comment": "_ IANA-reserved address spaces"
+      },
+      {
+        "interpolated": "-s <% iana_reserved %> -j RETURN"
+      }
+    ],
+    "return-martians": [
+      {
+        "comment": "Requests from networks that should never appear here"
+      },
+      {
+        "interpolated": "-s <% internet.subnet.vpn %> -j RETURN"
+      },
+      {
+        "interpolated": "-s <% internet.subnet.internet %> -j RETURN"
+      },
+      {
+        "interpolated": "-s <% storage.subnet %> -j RETURN",
+        "requires_primitive": "storage.address"
+      }
+    ]
+  }
+}

data/examples/policy/policy.json

@@ -0,0 +1,208 @@
+{
+  "policy": {
+    "filter": {
+      "INPUT": {
+        "policy": "DROP",
+        "rules": [
+          {
+            "comment": "BEGIN: in-bound traffic"
+          },
+          "-i lo -j ACCEPT",
+          {
+            "node_addition_points": [
+              "INPUT"
+            ]
+          },
+          {
+            "macro": "accept-in_storage",
+            "requires_primitive": "storage.address"
+          },
+          {
+            "macro": "jump-in_peers"
+          },
+          {
+            "macro": "jump-in_public"
+          },
+          {
+            "macro": "accept-related"
+          },
+          {
+            "macro": "log-drop"
+          }
+        ]
+      },
+      "FORWARD": {
+        "policy": "DROP",
+        "rules": [
+          {
+            "comment": "BEGIN: forwarded traffic"
+          },
+          {
+            "node_addition_points": [
+              "FORWARD"
+            ]
+          },
+          {
+            "macro": "accept-related"
+          },
+          {
+            "macro": "log-drop"
+          }
+        ]
+      },
+      "OUTPUT": {
+        "policy": "ACCEPT"
+      },
+      "in_peers": {
+        "policy": "-",
+        "rules": [
+          {
+            "comment": "BEGIN: chain for my internet ip address on internet-facing network card from peer hosts"
+          },
+          {
+            "macro": "accept-established"
+          },
+          {
+            "service": "icmp"
+          },
+          {
+            "service": "ssh"
+          },
+          {
+            "node_addition_points": [
+              "in_peers",
+              "in_*"
+            ]
+          },
+          {
+            "macro": "accept-related"
+          },
+          {
+            "macro": "log-reject"
+          }
+        ]
+      },
+      "in_public": {
+        "policy": "-",
+        "rules": [
+          {
+            "comment": "BEGIN: chain for my internet ip address on internet-facing network card from internet hosts"
+          },
+          {
+            "macro": "return-iana"
+          },
+          {
+            "macro": "return-martians"
+          },
+          {
+            "macro": "accept-established"
+          },
+          {
+            "macro": "filter-attacks_and_probes"
+          },
+          {
+            "node_addition_points": [
+              "in_public",
+              "in_*"
+            ]
+          },
+          {
+            "macro": "accept-related"
+          },
+          {
+            "macro": "log-drop"
+          }
+        ]
+      },
+      "strict_fragments": {
+        "policy": "-",
+        "rules": [
+          {
+            "comment": "BEGIN: chain for handling packet fragments"
+          },
+          {
+            "ulog": ""
+          },
+          "-j DROP"
+        ]
+      },
+      "strict_icmpflood": {
+        "policy": "-",
+        "rules": [
+          {
+            "comment": "BEGIN: chain for handling icmp floods"
+          },
+          "-m limit --limit 100/sec --limit-burst 50 -j RETURN",
+          {
+            "ulog": ""
+          },
+          "-j DROP"
+        ]
+      },
+      "strict_malbad": {
+        "policy": "-",
+        "rules": [
+          {
+            "comment": "BEGIN: chain for handling malformed/bad packets"
+          },
+          {
+            "ulog": ""
+          },
+          "-j DROP"
+        ]
+      },
+      "strict_malnull": {
+        "policy": "-",
+        "rules": [
+          {
+            "comment": "BEGIN: chain for handling malformed/null packets"
+          },
+          {
+            "ulog": ""
+          },
+          "-j DROP"
+        ]
+      },
+      "strict_malxmas": {
+        "policy": "-",
+        "rules": [
+          {
+            "comment": "BEGIN: chain for handling malformed/xmas packets"
+          },
+          {
+            "ulog": ""
+          },
+          "-j DROP"
+        ]
+      },
+      "strict_nosyn": {
+        "policy": "-",
+        "rules": [
+          {
+            "comment": "BEGIN: chain for handling new TCP packets without SYN"
+          },
+          {
+            "ulog": ""
+          },
+          "-j DROP"
+        ]
+      },
+      "strict_synflood": {
+        "policy": "-",
+        "rules": [
+          {
+            "comment": "BEGIN: chain for handling Syn floods"
+          },
+          "-m limit --limit 100/sec --limit-burst 50 -j RETURN",
+          {
+            "ulog": ""
+          },
+          "-j DROP"
+        ]
+      }
+    },
+    "mangle": null,
+    "nat": null,
+    "raw": null
+  }
+}