le1t0-deprec 2.1.6.057 → 2.1.6.058

data/lib/deprec/templates/iptables/firewall-init.erb

@@ -2,185 +2,151 @@
 # Copyright 2009-2010 by le1t0@github. All rights reserved.
 
 PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
-DRYRUN="NO" # Set to exactly YES to enable dry runs
-IPTABLES="/sbin/iptables"
-IPTABLES_SAVE="/sbin/iptables-save"
-ENABLED=1
+IPTABLES="<%= iptables_binary || "/sbin/iptables" %>"
+IPTABLES_SAVE="<%= iptables_save_binary || "/sbin/iptables-save" %>"
 
 test -x $IPTABLES || exit 0
 
-if [ -e /etc/default/firewall ]; then
-	. /etc/default/firewall
-fi
+### SET /PROC VARIABLES
+# Kernel monitoring support
+# More information:
+# /usr/src/linux-`uname -r`/Documentation/networking/ip-sysctl.txt
+# http://www.linuxgazette.com/book/view/1645
+# http://www.spirit.com/Network/net0300.html
+# http://www.symantec.com/connect/articles/linux-firewall-related-proc-entries
+
+# Drop ICMP echo-request messages sent to broadcast or multicast addresses (Prevent Smurf attack)
+echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+
+# Drop source routed packets (Prevent abuse of trust relationships/TCP Wrapper acls)
+echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
+
+# Enable TCP SYN cookie protection from SYN floods
+echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+
+# Ignore invalid ICMP answers
+echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
+
+# Don't accept ICMP redirect messages (Prevent Man-In-The-Middle attacks)
+echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
 
-test "$ENABLED" != "0" || exit 0
+# Don't send ICMP redirect messages
+echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects<% if iptables_ipfrag_high_thresh || iptables_ipfrag_low_thresh || iptables_ipfrag_time %>
+
+# Prevent attack of many fragmented packets<% if iptables_ipfrag_high_thresh %>
+echo <%= iptables_ipfrag_high_thresh %> > /proc/sys/net/ipv4/ipfrag_high_thresh # memory usage in bytes<% end %><% if iptables_ipfrag_low_thresh %>
+echo <%= iptables_ipfrag_low_thresh %> > /proc/sys/net/ipv4/ipfrag_low_thresh # memory usage in bytes<% end %><% if iptables_ipfrag_time %>
+echo <%= iptables_ipfrag_time %> > /proc/sys/net/ipv4/ipfrag_time<% end %><% end %>
+
+# Enable source address spoofing protection
+echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
+
+# Log packets with impossible source addresses
+echo 1 > /proc/sys/net/ipv4/conf/all/log_martians	
+
+### FLUSH RULES
+if [ -x $IPTABLES_SAVE ]; then
+	tmpfile="/tmp/.firewall.save.$(date +"%Y%m%d%H%M%S").tmp"
+	# save current firewall FORWARD rules with physdev-in, these are necessary for the functioning of xen
+	$IPTABLES_SAVE -t filter | perl -ne "m/^-A FORWARD/ && m/physdev-in/ && print \"${IPTABLES} \" . \$_" > $tmpfile
+fi
+# flush default chains
+$IPTABLES -F -t nat
+$IPTABLES -F
+# delete all custom chains
+$IPTABLES -X
+# source, re-apply and remove saved rules of above
+if [ -x $IPTABLES_SAVE ]; then
+	. $tmpfile
+	rm -f $tmpfile
+fi
 
-if [ "$DRYRUN" = "YES" ] ; then
-	IPTABLES="echo ${IPTABLES}"
+### SET DEFAULT POLICIES
+if [ "$1" = "stop" ] ; then
+	$IPTABLES --policy INPUT ACCEPT
+	$IPTABLES --policy OUTPUT ACCEPT
+	$IPTABLES --policy FORWARD ACCEPT
+	exit 0
+else
+	$IPTABLES --policy INPUT DROP
+	$IPTABLES --policy OUTPUT ACCEPT
+	$IPTABLES --policy FORWARD ACCEPT
 fi
 
-[ -f /etc/default/rcS ] && . /etc/default/rcS
-. /lib/lsb/init-functions
-
-function flush_rules () {
-	if [ -x $IPTABLES_SAVE ]; then
-		tmpfile="/tmp/.firewall.save.$(date +"%Y%m%d%H%M%S").tmp"
-		# save current firewall FORWARD rules with physdev-in, these are necessary for the functioning of xen
-		$IPTABLES_SAVE -t filter | perl -ne "m/^-A FORWARD/ && m/physdev-in/ && print \"${IPTABLES} \" . \$_" > $tmpfile
-	fi
-	# flush default chains
-	$IPTABLES -F -t nat
-	$IPTABLES -F
-	# delete all custom chains
-	$IPTABLES -X
-	# source, re-apply and remove saved rules of above
-	if [ -x $IPTABLES_SAVE ]; then
-		. $tmpfile
-		rm -f $tmpfile
-	fi
-}
-
-function define_forwards () {
-  for forward in $forwards ; do {
-    proto="$(echo $forward | cut -d ';' -f 2)"
-	localip="$(echo $forward | cut -d '>' -f 1 | cut -d ':' -f 1)"
-    srcport="$(echo $forward | cut -d '>' -f 1 | cut -d ':' -f 2)"
-    destip="$(echo $forward | cut -d ';' -f 1 | cut -d '>' -f '2' | cut -d ':' -f 1)"
-    destport="$(echo $forward | cut -d ';' -f 1 | cut -d '>' -f '2' | cut -d ':' -f 2)"
-	# define forward in the nat chain, redirect to the destination IP and port
-    $IPTABLES -t nat -A PREROUTING -p $proto -d $localip --dport $srcport -j DNAT --to $destip:$destport
-	# allow access to the destination IP and port in the FORWARD chain
-	$IPTABLES -A FORWARD -p $proto -d $destip --dport $destport -j ACCEPT
-  } ; done
-}
-
-function set_default_policies () {
-	$IPTABLES --policy INPUT $1
-	$IPTABLES --policy OUTPUT $2
-	$IPTABLES --policy FORWARD $3
-}
-
-function set_default_rules () {
-	# Allow unlimited traffic on the loopback interface
-	$IPTABLES -A INPUT -i lo -j ACCEPT
-	$IPTABLES -A OUTPUT -o lo -j ACCEPT
-
-	# Previously initiated and accepted exchanges bypass rule checking
-	$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-	# Allow unlimited outbound traffic
-	$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-}
-
-# don't call parse_sources directly! It's called by set_allowed_rules
-function parse_sources () {
-	# parse all sources
-	for sourcedef in $1 ; do {
-		# define targets for each source
-		parse_targets "$2" "-s ${sourcedef}"
-	} ; done
-}
-
-# don't call parse_targets directly! It's called by set_allowed_rules
-function parse_targets () {
-	sourcedef="$2"
-	# parse all targets
-	for targetdef in $1 ; do {
-		# targets should be define as:
-		# protocol[,protocol[,...]][:port[,port[,...]]]
-		protocols="$(echo $targetdef | awk -F ":" '{ print $1; }' | sed 's/,/ /g')"
-		ports="$(echo $targetdef | awk -F ":" '{ print $2; }' | sed 's/,/ /g')"
-		for protocol in ${protocols} ; do {
-			# if no ports are defined, just allow access to the entire protocol (i.e. pptp, vrrp, etc)
-			if [ -z "${ports}" ] ; then
-				$IPTABLES -A INPUT -p ${protocol} ${sourcedef} -m state --state NEW -j ACCEPT ;
-			else
-				# for each defined port, allow access to the defined source or the world (if empty)
-				for port in ${ports} ; do {
-					OPT="--dport"
-					[ "$protocol" = "icmp" ] && OPT="--icmp-type"
-					$IPTABLES -A INPUT -p ${protocol} ${sourcedef} -m state --state NEW $OPT ${port} -j ACCEPT ;
-				} ; done
-			fi
-		} ; done
-	} ; done
-}
-
-function set_allowed_rules () {
-	# all rules should be defined in one space separated variable called allowed
-	for ruledef in ${allowed} ; do {
-		# everything before the @ sign defines the target specification (i.e. IP + port or protocol to allow access to)
-		# targets should be semi colon (;) separated (which are changed to spaces for easy parsing)
-		target="$(echo $ruledef | awk -F "@" '{ print $1; }' | sed 's/;/ /g')"
-		# everything after the @ sign defines the source specification (i.e. IP, etc from where the request is coming)
-		# sources should be comma (,) separated (which are changed to spaces for easy parsing)
-		source="$(echo $ruledef | awk -F "@" '{ print $2; }' | sed 's/,/ /g')"
-		# if there is no source specification (allow entire world), then only define the target
-		if [ -z "${source}" ] ; then
-			parse_targets "$target"
-		else # else define the source first
-			parse_sources "$source" "$target"
-		fi
-	} ; done	
-}
-
-function set_proc_variables () {
-	# Kernel monitoring support
-	# More information:
-	# /usr/src/linux-`uname -r`/Documentation/networking/ip-sysctl.txt
-	# http://www.linuxgazette.com/book/view/1645
-	# http://www.spirit.com/Network/net0300.html
-
-	# Drop ICMP echo-request messages sent to broadcast or multicast addresses
-	echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
-
-	# Drop source routed packets
-	echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
-
-	# Enable TCP SYN cookie protection from SYN floods
-	echo 1 > /proc/sys/net/ipv4/tcp_syncookies
-
-	# Don't accept ICMP redirect messages
-	echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
-
-	# Don't send ICMP redirect messages
-	echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
-
-	# Enable source address spoofing protection
-	echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
-
-	# Log packets with impossible source addresses
-	echo 1 > /proc/sys/net/ipv4/conf/all/log_martians	
-}
-
-function firewall_start () {
-	set_proc_variables
-	flush_rules
-	set_default_policies DROP ACCEPT ACCEPT
-	define_forwards
-	set_default_rules
-	set_allowed_rules	
-}
-
-function firewall_stop () {
-	flush_rules
-	set_default_policies ACCEPT ACCEPT ACCEPT	
-}
-
-case "$1" in
-start)
-	firewall_start
-	;;
-stop)
-	firewall_stop
-	;;
-reload|force-reload)
-	firewall_start
-	;;
-restart)
-	firewall_start
-	;;
-*)
-	echo "Usage: /etc/init.d/firewall {start|stop|reload|restart}"
-	exit 3
-	;;
-esac
+### SET DEFAULT RULES
+# Allow unlimited traffic on the loopback interface
+$IPTABLES -A INPUT -i lo -j ACCEPT
+$IPTABLES -A OUTPUT -o lo -j ACCEPT
+
+# Previously initiated and accepted exchanges bypass rule checking
+$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# Allow unlimited outbound traffic
+$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+
+# DROP/REJECT any traffic from known bad IPs
+$IPTABLES -A INPUT -m recent --name droplist --update -j DROP
+$IPTABLES -A INPUT -m recent --name rejectlist --update -j REJECT
+
+### SET RATE LIMITS
+<% iptables_rate_limits.split(/ /).each do |rate_limit|
+	net, rate, action = rate_limit.split(/[@;]/).collect { |x| x.empty? ? nil : x }
+	action ||= "DROP"
+	dest, intfs = net.split(/[\#]/).collect { |x| x.empty? ? nil : x }
+	intfs_array = intfs ? intfs.split(/,/).map { |x| x.gsub(/^/, '-i ') } : [ "" ]
+	protos, ports, states = dest.split(/[:\[]/).collect { |x| x.empty? ? nil : x.gsub(/\]$/, '') }
+	states_opt = states ? "-m state --state #{states}" : ""
+	protos_array = protos.split(/,/)
+	ports_array = ports.split(/,/)
+	hitcount, seconds = rate.gsub(/^\</, '').split(/\//).collect { |x| x.empty? ? nil : x }
+	recent_action = rate =~ /^\</ ? "rcheck" : "update"
+	intfs_array.each do |intf| protos_array.each do |proto| ports_array.each do |port| list_name="#{proto}_#{port}#{intf.gsub(/^ -i/, '')}"
+	%>$IPTABLES -A INPUT <%= intf %> -p <%= proto %> --dport <%= port %> <%= states_opt %> -m recent --name <%= list_name %> --set
+$IPTABLES -A INPUT <%= intf %> -p <%= proto %> --dport <%= port %> <%= states_opt %> -m recent --name <%= list_name %> --<%= recent_action %> --seconds <%= seconds %> --hitcount <%= hitcount %> -j <%= action %>
+<% end ; end ; end ; end %>
+
+### DEFINE FORWARDS
+<% iptables_forwards.split(/ /).each do |forward|
+	dest, fullsrc, protos = forward.split(/[\>;]/).collect { |x| x.empty? ? nil : x }
+	src, intf = fullsrc.split(/[\#]/).collect { |x| x.empty? ? nil : x }
+	opt_intf = intf ? "-i #{intf}" : ""
+	srcip, srcport = src.split(/:/).collect { |x| x.empty? ? nil : x }
+	opt_srcip = srcip ? "-d #{srcip}" : ""
+	opt_srcport = srcport ? "--dport #{srcport}" : ""
+	destip, destport = dest.split(/:/).collect { |x| x.empty? ? nil : x }
+	opt_destip = destip ? "-d #{destip}" : ""
+	opt_destport = destport ? "--dport #{destport}" : ""
+	protos_array = protos.split(/,/).collect { |x| x.empty? ? nil : x }
+	protos_array.each do |proto|
+	%>
+# define forward in the nat chain, redirect to the destination IP and port
+$IPTABLES -t nat -A PREROUTING -p <%= proto %> <%= opt_intf %> <%= opt_srcip %> <%= opt_srcport %> -j DNAT --to <%= destip %>:<%= destport %>
+# allow access to the destination IP and port in the FORWARD chain
+$IPTABLES -A FORWARD -p <%= proto %> <%= opt_intf %> <%= opt_destip %> <%= opt_destport %> -j ACCEPT
+<% end ; end %>
+
+### SET_ALLOWED_RULES / SET_DROP_RULES / SET_REJECT_RULES
+<% {
+	"-j ACCEPT" => iptables_allowed,
+	"-m recent --name droplist --set -j DROP" => iptables_drop,
+	"-m recent --name rejectlist --set -j REJECT" => iptables_reject
+}.each do |action, rulesdef| rulesdef.each do |ruledef|
+	targetdef, sourcedef = ruledef.split(/@/).collect { |x| x.empty? ? nil : x }
+	sourcedefs = sourcedef ?
+		sourcedef.split(/,/).map do |x|
+			src, intf = x.split(/\#/).collect { |x| x.empty? ? nil : x }
+			opt_intf = intf ? "-i #{intf}" : nil
+			["-s #{src}", opt_intf].compact.join(' ')
+		end : [ "" ]
+
+	targetdefs = targetdef ? targetdef.split(/;/).collect { |x| x.empty? ? nil : x }.compact : [ "" ]
+	sourcedefs.each do |src|
+		targetdefs.each do |target|
+			dest, intf = target.split(/[\#]/).collect { |x| x.empty? ? nil : x }
+			opt_intf = intf ? "-i #{intf}" : nil
+			protos = dest.split(/:/)[0].split(/,/)
+			ports = dest.split(/:/)[1]
+			ports_args = ports ? ports.split(/,/) : [ "" ]
+			protos.each do |proto| ports_opt = ports ? (proto == "icmp" ? "--icmp-type" : "--dport") : ""
+				ports.each do |port|
+	%>$IPTABLES -A INPUT -p <%= proto %> <%= opt_intf %> <%= src %> -m state --state NEW <%= ports_opt %> <%= port %> <%= action %>
+<% end ; end ; end ; end ; end ; end %>

data/lib/deprec/templates/passenger/passenger.conf.erb

@@ -5,7 +5,7 @@
 
 	PassengerRoot <%= passenger_install_dir %>
 	PassengerLogLevel <%= passenger_log_level %>
-	PassengerRuby /usr/local/bin/ruby
+	PassengerRuby <%= passenger_ruby %>
 	PassengerUserSwitching <%= passenger_user_switching %>
 	PassengerDefaultUser <%= passenger_default_user %>
 	PassengerMaxPoolSize <%= passenger_max_pool_size %>