iptables-ruby 0.2.4

data/examples/policy/policy6.json

@@ -0,0 +1,8 @@
+{
+  "policy6": {
+    "filter": "DROP",
+    "mangle": "DROP",
+    "nat": "DROP",
+    "raw": "DROP"
+  }
+}

data/examples/policy/primitives.json

@@ -0,0 +1,40 @@
+{
+  "primitives": {
+    "iana_reserved": [
+      "0.0.0.0/8", 
+      "5.0.0.0/8", 
+      "10.0.0.0/8", 
+      "36.0.0.0/7", 
+      "39.0.0.0/8", 
+      "42.0.0.0/8", 
+      "49.0.0.0/8", 
+      "100.0.0.0/6", 
+      "104.0.0.0/7", 
+      "106.0.0.0/8", 
+      "127.0.0.0/8", 
+      "179.0.0.0/8", 
+      "185.0.0.0/8", 
+      "240.0.0.0/4", 
+      "169.254.0.0/16", 
+      "172.16.0.0/12", 
+      "192.0.2.0/24", 
+      "192.88.99.0/24", 
+      "192.168.0.0/16"
+    ], 
+    "internet": {
+      "address": "198.51.100.10/32", 
+      "broadcast": "198.51.100.255/32", 
+      "device": "eth0", 
+      "subnet": {
+        "internet": "198.51.100.0/24", 
+        "vpn": "203.0.113.0/24"
+      }
+    }, 
+    "storage": {
+      "address": "192.0.2.100/32", 
+      "device": "eth1", 
+      "subnet": "192.0.2.0/24"
+    }
+  }
+}
+

data/examples/policy/rules.json

@@ -0,0 +1,30 @@
+{
+  "rules": {
+    "nat": {
+      "INPUT": {
+        "policy": "ACCEPT"
+      },
+      "OUTPUT": {
+        "policy": "ACCEPT"
+      },
+      "POSTROUTING": {
+        "policy": "ACCEPT"
+      },
+      "PREROUTING": {
+        "policy": "ACCEPT"
+      }
+    },
+    "filter": {
+      "in_*": {
+        "additions": []
+      }, 
+      "in_peers": {
+        "additions": []
+      }, 
+      "in_public": {
+        "additions": []
+      }
+    }
+  }
+}
+

data/examples/policy/services.json

@@ -0,0 +1,81 @@
+{
+  "services": {
+    "dhcp": "-p udp -m udp --sport 67:68 --dport 67:68 -m state --state NEW,ESTABLISHED -j ACCEPT",
+    "domain": [
+      "-p udp -m udp --sport 53 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT",
+      {
+        "service_udp": "53"
+      },
+      "-p tcp -m tcp --sport 53 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT",
+      {
+        "service_tcp": "53"
+      }
+    ],
+    "http": 80,
+    "https": 443,
+    "icmp": "-p icmp -m state --state NEW,ESTABLISHED -j ACCEPT",
+    "ipp": 631,
+    "jabber": [
+      {
+        "service_tcp": "5222"
+      },
+      {
+        "service_tcp": "5223"
+      }
+    ],
+    "ldap": 389,
+    "ldaps": 636,
+    "mysql": 3306,
+    "nfs": [
+      {
+        "service_tcp": "2049"
+      },
+      {
+        "service_udp": "2049"
+      }
+    ],
+    "ntp": [
+      "-p udp -m udp --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT",
+      {
+        "service_udp": "123"
+      },
+      "-p tcp -m tcp --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT",
+      {
+        "service_tcp": "123"
+      }
+    ],
+    "portmap": [
+      {
+        "service_tcp": "111"
+      },
+      {
+        "service_udp": "111"
+      }
+    ],
+    "postgres": 5432,
+    "rabbitmq": [
+      {
+        "service_tcp": "5670:5680"
+      },
+      {
+        "service_udp": "5670:5680"
+      }
+    ],
+    "smtp": 25,
+    "snmp": 161,
+    "ssh": 22,
+    "syslog": [
+      "-p udp -m udp --sport 514 --dport 514 -m state --state NEW,ESTABLISHED -j ACCEPT",
+      {
+        "service_udp": "514"
+      },
+      "-p tcp -m tcp --sport 514 --dport 514 -m state --state NEW,ESTABLISHED -j ACCEPT",
+      {
+        "service_tcp": "514"
+      }
+    ],
+    "tftp": {
+      "service_udp": "69"
+    }
+  }
+}

data/lib/iptables.rb

@@ -0,0 +1,5 @@
+require 'iptables/logger'
+require 'iptables/tables'
+require 'iptables/expansions'
+require 'iptables/primitives'
+require 'iptables/configuration'

data/lib/iptables/configuration.rb

@@ -0,0 +1,116 @@
+require 'json'
+
+module IPTables
+  class Configuration
+    @@json_pattern = /\.js(on)?$/
+
+    def initialize(*args)
+      @parsed_hash = {}
+      self.parse_files(*args)
+    end
+
+    def parse_files(*args)
+      args.each{ |arg|
+        $log.debug("reading arg #{arg}")
+        case arg
+        when @@json_pattern
+          handle_json(arg)
+        else
+          raise "don't know how to handle #{arg.inspect}"
+        end
+      }
+    end
+
+    def policy(in_policy = nil)
+      @policy ||= nil
+      return @policy unless @policy.nil?
+      unless in_policy.nil?
+        @policy = in_policy
+        return @policy
+      end
+      raise 'missing policy' unless @parsed_hash.has_key? 'policy'
+      @policy = IPTables::Tables.new(@parsed_hash['policy'], self)
+    end
+
+    def policy6(in_policy = nil)
+      @policy6 ||= nil
+      return @policy6 unless @policy6.nil?
+      unless in_policy.nil?
+        @policy6 = in_policy
+        return @policy6
+      end
+      raise 'missing policy6' unless @parsed_hash.has_key? 'policy6'
+      @policy6 = IPTables::Tables.new(@parsed_hash['policy6'], self)
+    end
+
+    def interpolations(in_interpolations = nil)
+      @interpolations ||= nil
+      return @interpolations unless @interpolations.nil?
+      unless in_interpolations.nil?
+        @interpolations = in_interpolations
+        return @interpolations
+      end
+      @interpolations = IPTables::Interpolations.new(self.primitives)
+    end
+
+    def primitives(in_primitives = nil)
+      @primitives ||= nil
+      return @primitives unless @primitives.nil?
+      unless in_primitives.nil?
+        @primitives = in_primitives
+        return @primitives
+      end
+      raise 'missing primitives' unless @parsed_hash.has_key? 'primitives'
+      @primitives = IPTables::Primitives.new(@parsed_hash['primitives'])
+    end
+
+    def rules(in_rules = nil)
+      @rules ||= nil
+      return @rules unless @rules.nil?
+      unless in_rules.nil?
+        @rules = in_rules
+        return @rules
+      end
+      raise 'missing rules' unless @parsed_hash.has_key? 'rules'
+      @rules = IPTables::Tables.new(@parsed_hash['rules'], self)
+    end
+
+    def services(in_services = nil)
+      @services ||= nil
+      return @services unless @services.nil?
+      unless in_services.nil?
+        @services = in_services
+        return @services
+      end
+      raise 'missing services' unless @parsed_hash.has_key? 'services'
+      @services = IPTables::Services.new(@parsed_hash['services'])
+    end
+
+    def macros(in_macros = nil)
+      @macros ||= nil
+      return @macros unless @macros.nil?
+      unless in_macros.nil?
+        @macros = in_macros
+        return @macros
+      end
+      raise 'missing macros' unless @parsed_hash.has_key? 'macros'
+      @macros = IPTables::Macros.new(@parsed_hash['macros'])
+    end
+
+    def handle_json(file_name)
+      json = File.read(file_name)
+      JSON.parse(json).each{ |key, value|
+        $log.debug("reading #{key} from file #{file_name}")
+        raise "duplicate key: #{key}" if @parsed_hash.has_key? key
+        @parsed_hash[key] = value
+      }
+    end
+
+    def converge_firewall()
+      policy_fw = self.policy
+      rules_fw = self.rules
+      policy_fw.merge(rules_fw)
+      return policy_fw
+    end
+  end
+end

data/lib/iptables/expansions.rb

@@ -0,0 +1,189 @@
+require 'iptables/logger'
+
+module IPTables
+  class Macros
+    attr_reader :named
+    def initialize(expansion_hash)
+      @expansion_hash = expansion_hash
+      @named = {}
+      @expansion_hash.each{ |name, info|
+        @named[name] = Macro.new(name, info)
+      }
+    end
+  end
+
+  class Macro
+    attr_reader :name, :children
+    def initialize(name, info)
+      @name = name
+      @info = info
+      @children = []
+
+      case info
+      when Array
+        self.handle_array()
+      when Hash
+        self.handle_hash()
+      when String
+        self.handle_string()
+      else
+        raise "don't know how to handle info: #{info.inspect}"
+      end
+    end
+
+    def add_child(rule_hash)
+      @children.push(rule_hash)
+    end
+
+    def handle_array()
+      @info.each{ |macro_hash|
+        self.add_child(macro_hash)
+      }
+    end
+
+    def handle_hash()
+      self.add_child( @info )
+    end
+
+    def handle_string()
+      self.add_child( {'raw' => @info} )
+    end
+  end
+
+  class Services
+    attr_reader :named
+    def initialize(expansion_hash)
+      @expansion_hash = expansion_hash
+      @named = {}
+      @expansion_hash.each{ |name, info|
+        @named[name] = Service.new(name, info)
+      }
+    end
+  end
+
+  class Service
+    attr_reader :name, :children
+    def initialize(name, info)
+      @name = name
+      @info = info
+      @children = []
+
+      case info
+      when Array
+        self.handle_array()
+      when Hash
+        self.handle_hash()
+      when Integer
+        self.handle_integer()
+      when String
+        self.handle_string()
+      else
+        raise "don't know how to handle info: #{info.inspect}"
+      end
+    end
+
+    def add_child(rule_hash)
+      @children.push(rule_hash)
+    end
+
+    def handle_array()
+      self.add_child( { 'comment' => "_ #{@name}" } )
+      raise 'empty @info' if @info.empty?
+      @info.each{ |service_info_hash|
+        self.add_child(service_info_hash)
+      }
+    end
+
+    def handle_hash()
+      raise 'empty @info' if @info.empty?
+      @info['service_name'] = @name
+      self.add_child( @info )
+    end
+
+    def handle_integer()
+      self.add_child( { 'comment' => "_ Port #{@info} - #{@name}" } )
+      self.add_child({ 
+        'raw' =>
+        "-p tcp -m tcp --sport 1024:65535 --dport #{@info} -m state --state NEW,ESTABLISHED -j ACCEPT"
+      })
+    end
+
+    def handle_string()
+      self.add_child( { 'comment' => "_ #{@name}" } )
+      self.add_child( {'raw' => @info} )
+    end
+  end
+
+  class Interpolations
+    # interpret strings such as "<% foo.bar %>" into equivalent primitives
+    attr_reader :primitives, :named
+    def initialize(primitives)
+      @primitives = primitives
+      $log.debug("interpolations primitives: #{@primitives}")
+      @named = {}
+    end
+
+    def add(interpolation_string)
+      @named[interpolation_string] = Interpolation.new(self, interpolation_string)
+    end
+
+    def children(interpolation_string)
+      self.add(interpolation_string) unless @named.has_key? interpolation_string
+      strings = @named[interpolation_string].children()
+      returned_array = []
+      case strings
+      when Array
+        strings.each{ |result|
+          returned_array.push({'raw' => result})
+        }
+      else
+        returned_array.push({'raw' => strings})
+      end
+      return returned_array
+    end
+  end
+
+  class Interpolation
+    @@interpolation_regex = /(.*?)<%\s*(\S+)\s*%>(.*)/
+
+    def initialize(interpolations, initial_string)
+      @interpolations = interpolations
+      @initial_string = initial_string
+      @child = nil
+      if @initial_string =~ @@interpolation_regex
+        self.add_child($1, $2, $3)
+      else
+        $log.debug("completed substitution: #{@initial_string}")
+      end
+    end
+
+    def add_child(first, identifier, last)
+      interpolated = @interpolations.primitives.substitute(identifier)
+      case interpolated
+      when Array
+        @child = []
+        interpolated.each{ |value|
+          @child.push(Interpolation.new(@interpolations, "#{first}#{value}#{last}"))
+        }
+      else
+        @child = Interpolation.new(@interpolations, "#{first}#{interpolated}#{last}")
+      end
+    end
+
+    def children()
+      return_value = nil
+      case @child
+      when nil
+        return_value = @initial_string
+      when Array
+        return_value = []
+        @child.each{ |value|
+          return_value.push(value.children())
+        }
+      else
+        return_value = @child.children()
+      end
+      return return_value
+    end
+  end
+end