netfilter-ruby 4.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/.gitignore +17 -0
- data/.rspec +2 -0
- data/Gemfile +4 -0
- data/LICENSE.txt +22 -0
- data/README.md +63 -0
- data/Rakefile +5 -0
- data/lib/netfilter.rb +107 -0
- data/lib/netfilter/chain.rb +61 -0
- data/lib/netfilter/eb_tables.rb +18 -0
- data/lib/netfilter/filter.rb +52 -0
- data/lib/netfilter/ip6_tables.rb +5 -0
- data/lib/netfilter/ip_tables.rb +23 -0
- data/lib/netfilter/table.rb +62 -0
- data/lib/netfilter/tool.rb +132 -0
- data/lib/netfilter/version.rb +3 -0
- data/netfilter.gemspec +26 -0
- data/spec/netfilter/eb_tables_spec.rb +209 -0
- data/spec/netfilter/ip_tables_spec.rb +133 -0
- data/spec/netfilter/table_spec.rb +15 -0
- data/spec/netfilter/tool_spec.rb +123 -0
- data/spec/netfilter_spec.rb +82 -0
- data/spec/spec_helper.rb +18 -0
- metadata +143 -0
|
@@ -0,0 +1,132 @@
|
|
|
1
|
+
class Netfilter
|
|
2
|
+
class Tool
|
|
3
|
+
attr_accessor :tables, :namespace
|
|
4
|
+
|
|
5
|
+
def self.import(data)
|
|
6
|
+
data = data.symbolize_keys
|
|
7
|
+
new(data[:namespace]).tap do |tool|
|
|
8
|
+
data[:tables].each do |data|
|
|
9
|
+
table = Table.import(tool, data)
|
|
10
|
+
tool.tables[table.name.to_s.downcase] = table
|
|
11
|
+
end
|
|
12
|
+
end
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def self.executable
|
|
16
|
+
name.demodulize.downcase
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def self.execute(command)
|
|
20
|
+
# puts "Executing: #{command}"
|
|
21
|
+
stdout = `#{command} 2>&1`.strip
|
|
22
|
+
status = $?
|
|
23
|
+
if status.exitstatus == 0
|
|
24
|
+
stdout
|
|
25
|
+
else
|
|
26
|
+
raise SystemError, :command => command, :error => stdout
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
def self.delete_chain(name)
|
|
31
|
+
commands = []
|
|
32
|
+
parse.each do |table, chains|
|
|
33
|
+
chains.each do |chain, rules|
|
|
34
|
+
rules.each do |rule|
|
|
35
|
+
if rule.match("-j #{name}")
|
|
36
|
+
commands << "--table #{table} --delete #{chain} #{rule}"
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
chains.each do |chain, rules|
|
|
42
|
+
if chain.match(name)
|
|
43
|
+
commands << "--table #{table} --delete-chain #{chain}"
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
end
|
|
47
|
+
commands.each{ |command| execute("#{executable} #{command}") }
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
def initialize(namespace = nil)
|
|
51
|
+
self.namespace = namespace
|
|
52
|
+
self.tables = {}
|
|
53
|
+
yield(self) if block_given?
|
|
54
|
+
end
|
|
55
|
+
|
|
56
|
+
def table(name, &block)
|
|
57
|
+
key = name.to_s.downcase
|
|
58
|
+
(tables[key] || Table.new(self, name)).tap do |table|
|
|
59
|
+
tables[key] = table
|
|
60
|
+
block.call(table) if block
|
|
61
|
+
end
|
|
62
|
+
end
|
|
63
|
+
|
|
64
|
+
def pp
|
|
65
|
+
tables.values.sort_by(&:name).each do |table|
|
|
66
|
+
puts [table.name]*"\t"
|
|
67
|
+
table.chains.values.sort_by(&:name).each do |chain|
|
|
68
|
+
puts ["", chain.name_as_argument]*"\t"
|
|
69
|
+
chain.filters.each do |filter|
|
|
70
|
+
puts ["", "", filter]*"\t"
|
|
71
|
+
end
|
|
72
|
+
end
|
|
73
|
+
end
|
|
74
|
+
end
|
|
75
|
+
|
|
76
|
+
def commands
|
|
77
|
+
[].tap do |commands|
|
|
78
|
+
tables.values.each do |table|
|
|
79
|
+
table.commands.each do |command|
|
|
80
|
+
commands << command.unshift(executable)*" "
|
|
81
|
+
end
|
|
82
|
+
end
|
|
83
|
+
end
|
|
84
|
+
end
|
|
85
|
+
|
|
86
|
+
def up
|
|
87
|
+
@executed_commands = []
|
|
88
|
+
commands.each do |command|
|
|
89
|
+
execute(command)
|
|
90
|
+
@executed_commands << command
|
|
91
|
+
end
|
|
92
|
+
rescue SystemError => e
|
|
93
|
+
rollback
|
|
94
|
+
raise e
|
|
95
|
+
end
|
|
96
|
+
|
|
97
|
+
def down
|
|
98
|
+
@executed_commands = commands
|
|
99
|
+
rollback
|
|
100
|
+
end
|
|
101
|
+
|
|
102
|
+
def export
|
|
103
|
+
{
|
|
104
|
+
:namespace => namespace,
|
|
105
|
+
:tables => tables.values.map{ |table| table.export },
|
|
106
|
+
}
|
|
107
|
+
end
|
|
108
|
+
|
|
109
|
+
def executable
|
|
110
|
+
self.class.executable
|
|
111
|
+
end
|
|
112
|
+
|
|
113
|
+
private
|
|
114
|
+
|
|
115
|
+
def rollback
|
|
116
|
+
@executed_commands.reverse.each do |command|
|
|
117
|
+
command = argument_rename(command, "new-chain", "delete-chain")
|
|
118
|
+
command = argument_rename(command, "append", "delete")
|
|
119
|
+
command = argument_rename(command, "insert", "delete")
|
|
120
|
+
execute(command)
|
|
121
|
+
end
|
|
122
|
+
end
|
|
123
|
+
|
|
124
|
+
def argument_rename(command, old_name, new_name)
|
|
125
|
+
command.gsub(/--#{Regexp.escape(old_name)}(\s|$)/, "--#{new_name}\\1")
|
|
126
|
+
end
|
|
127
|
+
|
|
128
|
+
def execute(command)
|
|
129
|
+
self.class.execute(command)
|
|
130
|
+
end
|
|
131
|
+
end
|
|
132
|
+
end
|
data/netfilter.gemspec
ADDED
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
# -*- encoding: utf-8 -*-
|
|
2
|
+
lib = File.expand_path('../lib', __FILE__)
|
|
3
|
+
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
|
4
|
+
require 'netfilter/version'
|
|
5
|
+
|
|
6
|
+
Gem::Specification.new do |gem|
|
|
7
|
+
gem.name = "netfilter-ruby"
|
|
8
|
+
gem.version = Netfilter::VERSION
|
|
9
|
+
gem.authors = ["Netskin GmbH", "Corin Langosch"]
|
|
10
|
+
gem.email = ["info@netskin.com", "info@corinlangosch.com"]
|
|
11
|
+
gem.description = %q{Awesome Netfilter management}
|
|
12
|
+
gem.summary = %q{Awesome Netfilter (iptables & ebtables) management using ruby}
|
|
13
|
+
gem.homepage = "http://github.com/netskin/netfilter-ruby"
|
|
14
|
+
|
|
15
|
+
gem.files = `git ls-files`.split($/)
|
|
16
|
+
gem.executables = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
|
|
17
|
+
gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
|
|
18
|
+
gem.require_paths = ["lib"]
|
|
19
|
+
|
|
20
|
+
gem.add_dependency "activesupport", ">= 3.0.0"
|
|
21
|
+
|
|
22
|
+
gem.add_development_dependency "rspec", "~> 2.12"
|
|
23
|
+
gem.add_development_dependency "awesome_print"
|
|
24
|
+
gem.add_development_dependency "json"
|
|
25
|
+
gem.add_development_dependency "rake"
|
|
26
|
+
end
|
|
@@ -0,0 +1,209 @@
|
|
|
1
|
+
#encoding: utf-8
|
|
2
|
+
require 'spec_helper'
|
|
3
|
+
describe Netfilter::EbTables do
|
|
4
|
+
describe "Class Methods" do
|
|
5
|
+
describe "parse" do
|
|
6
|
+
it "should not crash when there are no rules" do
|
|
7
|
+
Netfilter::EbTables.stub(:execute).and_return <<EOT
|
|
8
|
+
Bridge table: filter
|
|
9
|
+
|
|
10
|
+
Bridge chain: INPUT, entries: 0, policy: ACCEPT
|
|
11
|
+
|
|
12
|
+
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
|
|
13
|
+
|
|
14
|
+
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
|
|
15
|
+
EOT
|
|
16
|
+
|
|
17
|
+
Netfilter::EbTables.parse.should eq(
|
|
18
|
+
"filter" => {
|
|
19
|
+
"INPUT" => [
|
|
20
|
+
],
|
|
21
|
+
"FORWARD" => [
|
|
22
|
+
],
|
|
23
|
+
"OUTPUT" => [
|
|
24
|
+
],
|
|
25
|
+
},
|
|
26
|
+
)
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
it "should properly parse the current system's iptables" do
|
|
30
|
+
Netfilter::EbTables.stub(:execute).and_return <<EOT
|
|
31
|
+
Bridge table: filter
|
|
32
|
+
|
|
33
|
+
Bridge chain: INPUT, entries: 3, policy: ACCEPT
|
|
34
|
+
-i tap15866 -j guest15865-1-o
|
|
35
|
+
-i tap19266 -j guest19265-1-o
|
|
36
|
+
-i tap592992 -j guest592991-1-o
|
|
37
|
+
|
|
38
|
+
Bridge chain: FORWARD, entries: 6, policy: ACCEPT
|
|
39
|
+
-i tap15866 -j guest15865-1-o
|
|
40
|
+
-o tap15866 -j guest15865-1-i
|
|
41
|
+
-i tap19266 -j guest19265-1-o
|
|
42
|
+
-o tap19266 -j guest19265-1-i
|
|
43
|
+
-i tap592992 -j guest592991-1-o
|
|
44
|
+
-o tap592992 -j guest592991-1-i
|
|
45
|
+
|
|
46
|
+
Bridge chain: OUTPUT, entries: 3, policy: ACCEPT
|
|
47
|
+
-o tap15866 -j guest15865-1-i
|
|
48
|
+
-o tap19266 -j guest19265-1-i
|
|
49
|
+
-o tap592992 -j guest592991-1-i
|
|
50
|
+
|
|
51
|
+
Bridge chain: guest15865-1-o, entries: 14, policy: ACCEPT
|
|
52
|
+
-s ! 2:1a:83:13:5d:26 -j DROP
|
|
53
|
+
-p IPv4 --ip-dst 10.0.0.0/8 -j DROP
|
|
54
|
+
-p IPv4 --ip-dst 169.254.0.0/16 -j DROP
|
|
55
|
+
-p IPv4 --ip-dst 172.16.0.0/12 -j DROP
|
|
56
|
+
-p IPv4 --ip-dst 192.168.0.0/16 -j DROP
|
|
57
|
+
-p IPv4 --ip-src 185.14.157.11 -j RETURN
|
|
58
|
+
-p ARP --arp-ip-src 185.14.157.11 --arp-mac-src 2:1a:83:13:5d:26 -j RETURN
|
|
59
|
+
-p IPv4 --ip-src 185.14.157.12 -j RETURN
|
|
60
|
+
-p ARP --arp-ip-src 185.14.157.12 --arp-mac-src 2:1a:83:13:5d:26 -j RETURN
|
|
61
|
+
-p IPv4 --ip-src 185.14.157.13 -j RETURN
|
|
62
|
+
-p ARP --arp-ip-src 185.14.157.13 --arp-mac-src 2:1a:83:13:5d:26 -j RETURN
|
|
63
|
+
-p IPv6 --ip6-src 2a03:b240:101:4f::/ffff:ffff:ffff:ffff:: -j RETURN
|
|
64
|
+
-p IPv4 --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j RETURN
|
|
65
|
+
-j DROP
|
|
66
|
+
|
|
67
|
+
Bridge chain: guest15865-1-i, entries: 8, policy: ACCEPT
|
|
68
|
+
-p ARP --arp-op Request --arp-ip-dst 185.14.157.11 -j RETURN
|
|
69
|
+
-p ARP --arp-op Request --arp-ip-dst 185.14.157.12 -j RETURN
|
|
70
|
+
-p ARP --arp-op Request --arp-ip-dst 185.14.157.13 -j RETURN
|
|
71
|
+
-p ARP --arp-op Request -j DROP
|
|
72
|
+
-d 2:1a:83:13:5d:26 -j RETURN
|
|
73
|
+
-d 33:33:0:0:0:0/ff:ff:0:0:0:0 -j RETURN
|
|
74
|
+
-p IPv4 -s 0:16:3e:d6:1:4 -d Broadcast --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 67 --ip-dport 68 -j RETURN
|
|
75
|
+
-j DROP
|
|
76
|
+
|
|
77
|
+
Bridge chain: guest19265-1-o, entries: 10, policy: ACCEPT
|
|
78
|
+
-s ! 2:bd:7f:46:96:e -j DROP
|
|
79
|
+
-p IPv4 --ip-dst 10.0.0.0/8 -j DROP
|
|
80
|
+
-p IPv4 --ip-dst 169.254.0.0/16 -j DROP
|
|
81
|
+
-p IPv4 --ip-dst 172.16.0.0/12 -j DROP
|
|
82
|
+
-p IPv4 --ip-dst 192.168.0.0/16 -j DROP
|
|
83
|
+
-p IPv4 --ip-src 185.14.157.109 -j RETURN
|
|
84
|
+
-p ARP --arp-ip-src 185.14.157.109 --arp-mac-src 2:bd:7f:46:96:e -j RETURN
|
|
85
|
+
-p IPv6 --ip6-src 2a03:b240:101:16::/ffff:ffff:ffff:ffff:: -j RETURN
|
|
86
|
+
-p IPv4 --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j RETURN
|
|
87
|
+
-j DROP
|
|
88
|
+
|
|
89
|
+
Bridge chain: guest19265-1-i, entries: 6, policy: ACCEPT
|
|
90
|
+
-p ARP --arp-op Request --arp-ip-dst 185.14.157.109 -j RETURN
|
|
91
|
+
-p ARP --arp-op Request -j DROP
|
|
92
|
+
-d 2:bd:7f:46:96:e -j RETURN
|
|
93
|
+
-d 33:33:0:0:0:0/ff:ff:0:0:0:0 -j RETURN
|
|
94
|
+
-p IPv4 -s 0:16:3e:d6:1:4 -d Broadcast --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 67 --ip-dport 68 -j RETURN
|
|
95
|
+
-j DROP
|
|
96
|
+
|
|
97
|
+
Bridge chain: guest592991-1-o, entries: 10, policy: ACCEPT
|
|
98
|
+
-s ! 2:23:6c:ab:41:c5 -j DROP
|
|
99
|
+
-p IPv4 --ip-dst 10.0.0.0/8 -j DROP
|
|
100
|
+
-p IPv4 --ip-dst 169.254.0.0/16 -j DROP
|
|
101
|
+
-p IPv4 --ip-dst 172.16.0.0/12 -j DROP
|
|
102
|
+
-p IPv4 --ip-dst 192.168.0.0/16 -j DROP
|
|
103
|
+
-p IPv4 --ip-src 185.14.157.123 -j RETURN
|
|
104
|
+
-p ARP --arp-ip-src 185.14.157.123 --arp-mac-src 2:23:6c:ab:41:c5 -j RETURN
|
|
105
|
+
-p IPv6 --ip6-src 2a03:b240:101:14::/ffff:ffff:ffff:ffff:: -j RETURN
|
|
106
|
+
-p IPv4 --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j RETURN
|
|
107
|
+
-j DROP
|
|
108
|
+
|
|
109
|
+
Bridge chain: guest592991-1-i, entries: 6, policy: ACCEPT
|
|
110
|
+
-p ARP --arp-op Request --arp-ip-dst 185.14.157.123 -j RETURN
|
|
111
|
+
-p ARP --arp-op Request -j DROP
|
|
112
|
+
-d 2:23:6c:ab:41:c5 -j RETURN
|
|
113
|
+
-d 33:33:0:0:0:0/ff:ff:0:0:0:0 -j RETURN
|
|
114
|
+
-p IPv4 -s 0:16:3e:d6:1:4 -d Broadcast --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 67 --ip-dport 68 -j RETURN
|
|
115
|
+
-j DROP
|
|
116
|
+
EOT
|
|
117
|
+
|
|
118
|
+
Netfilter::EbTables.parse.should eq(
|
|
119
|
+
"filter" => {
|
|
120
|
+
"INPUT" => [
|
|
121
|
+
"-i tap15866 -j guest15865-1-o",
|
|
122
|
+
"-i tap19266 -j guest19265-1-o",
|
|
123
|
+
"-i tap592992 -j guest592991-1-o"
|
|
124
|
+
],
|
|
125
|
+
"FORWARD" => [
|
|
126
|
+
"-i tap15866 -j guest15865-1-o",
|
|
127
|
+
"-o tap15866 -j guest15865-1-i",
|
|
128
|
+
"-i tap19266 -j guest19265-1-o",
|
|
129
|
+
"-o tap19266 -j guest19265-1-i",
|
|
130
|
+
"-i tap592992 -j guest592991-1-o",
|
|
131
|
+
"-o tap592992 -j guest592991-1-i"
|
|
132
|
+
],
|
|
133
|
+
"OUTPUT" => [
|
|
134
|
+
"-o tap15866 -j guest15865-1-i",
|
|
135
|
+
"-o tap19266 -j guest19265-1-i",
|
|
136
|
+
"-o tap592992 -j guest592991-1-i"
|
|
137
|
+
],
|
|
138
|
+
"guest15865-1-o" => [
|
|
139
|
+
"-s ! 2:1a:83:13:5d:26 -j DROP",
|
|
140
|
+
"-p IPv4 --ip-dst 10.0.0.0/8 -j DROP",
|
|
141
|
+
"-p IPv4 --ip-dst 169.254.0.0/16 -j DROP",
|
|
142
|
+
"-p IPv4 --ip-dst 172.16.0.0/12 -j DROP",
|
|
143
|
+
"-p IPv4 --ip-dst 192.168.0.0/16 -j DROP",
|
|
144
|
+
"-p IPv4 --ip-src 185.14.157.11 -j RETURN",
|
|
145
|
+
"-p ARP --arp-ip-src 185.14.157.11 --arp-mac-src 2:1a:83:13:5d:26 -j RETURN",
|
|
146
|
+
"-p IPv4 --ip-src 185.14.157.12 -j RETURN",
|
|
147
|
+
"-p ARP --arp-ip-src 185.14.157.12 --arp-mac-src 2:1a:83:13:5d:26 -j RETURN",
|
|
148
|
+
"-p IPv4 --ip-src 185.14.157.13 -j RETURN",
|
|
149
|
+
"-p ARP --arp-ip-src 185.14.157.13 --arp-mac-src 2:1a:83:13:5d:26 -j RETURN",
|
|
150
|
+
"-p IPv6 --ip6-src 2a03:b240:101:4f::/ffff:ffff:ffff:ffff:: -j RETURN",
|
|
151
|
+
"-p IPv4 --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j RETURN",
|
|
152
|
+
"-j DROP"
|
|
153
|
+
],
|
|
154
|
+
"guest15865-1-i" => [
|
|
155
|
+
"-p ARP --arp-op Request --arp-ip-dst 185.14.157.11 -j RETURN",
|
|
156
|
+
"-p ARP --arp-op Request --arp-ip-dst 185.14.157.12 -j RETURN",
|
|
157
|
+
"-p ARP --arp-op Request --arp-ip-dst 185.14.157.13 -j RETURN",
|
|
158
|
+
"-p ARP --arp-op Request -j DROP",
|
|
159
|
+
"-d 2:1a:83:13:5d:26 -j RETURN",
|
|
160
|
+
"-d 33:33:0:0:0:0/ff:ff:0:0:0:0 -j RETURN",
|
|
161
|
+
"-p IPv4 -s 0:16:3e:d6:1:4 -d Broadcast --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 67 --ip-dport 68 -j RETURN",
|
|
162
|
+
"-j DROP"
|
|
163
|
+
],
|
|
164
|
+
"guest19265-1-o" => [
|
|
165
|
+
"-s ! 2:bd:7f:46:96:e -j DROP",
|
|
166
|
+
"-p IPv4 --ip-dst 10.0.0.0/8 -j DROP",
|
|
167
|
+
"-p IPv4 --ip-dst 169.254.0.0/16 -j DROP",
|
|
168
|
+
"-p IPv4 --ip-dst 172.16.0.0/12 -j DROP",
|
|
169
|
+
"-p IPv4 --ip-dst 192.168.0.0/16 -j DROP",
|
|
170
|
+
"-p IPv4 --ip-src 185.14.157.109 -j RETURN",
|
|
171
|
+
"-p ARP --arp-ip-src 185.14.157.109 --arp-mac-src 2:bd:7f:46:96:e -j RETURN",
|
|
172
|
+
"-p IPv6 --ip6-src 2a03:b240:101:16::/ffff:ffff:ffff:ffff:: -j RETURN",
|
|
173
|
+
"-p IPv4 --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j RETURN",
|
|
174
|
+
"-j DROP"
|
|
175
|
+
],
|
|
176
|
+
"guest19265-1-i" => [
|
|
177
|
+
"-p ARP --arp-op Request --arp-ip-dst 185.14.157.109 -j RETURN",
|
|
178
|
+
"-p ARP --arp-op Request -j DROP",
|
|
179
|
+
"-d 2:bd:7f:46:96:e -j RETURN",
|
|
180
|
+
"-d 33:33:0:0:0:0/ff:ff:0:0:0:0 -j RETURN",
|
|
181
|
+
"-p IPv4 -s 0:16:3e:d6:1:4 -d Broadcast --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 67 --ip-dport 68 -j RETURN",
|
|
182
|
+
"-j DROP"
|
|
183
|
+
],
|
|
184
|
+
"guest592991-1-o" => [
|
|
185
|
+
"-s ! 2:23:6c:ab:41:c5 -j DROP",
|
|
186
|
+
"-p IPv4 --ip-dst 10.0.0.0/8 -j DROP",
|
|
187
|
+
"-p IPv4 --ip-dst 169.254.0.0/16 -j DROP",
|
|
188
|
+
"-p IPv4 --ip-dst 172.16.0.0/12 -j DROP",
|
|
189
|
+
"-p IPv4 --ip-dst 192.168.0.0/16 -j DROP",
|
|
190
|
+
"-p IPv4 --ip-src 185.14.157.123 -j RETURN",
|
|
191
|
+
"-p ARP --arp-ip-src 185.14.157.123 --arp-mac-src 2:23:6c:ab:41:c5 -j RETURN",
|
|
192
|
+
"-p IPv6 --ip6-src 2a03:b240:101:14::/ffff:ffff:ffff:ffff:: -j RETURN",
|
|
193
|
+
"-p IPv4 --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j RETURN",
|
|
194
|
+
"-j DROP"
|
|
195
|
+
],
|
|
196
|
+
"guest592991-1-i" => [
|
|
197
|
+
"-p ARP --arp-op Request --arp-ip-dst 185.14.157.123 -j RETURN",
|
|
198
|
+
"-p ARP --arp-op Request -j DROP",
|
|
199
|
+
"-d 2:23:6c:ab:41:c5 -j RETURN",
|
|
200
|
+
"-d 33:33:0:0:0:0/ff:ff:0:0:0:0 -j RETURN",
|
|
201
|
+
"-p IPv4 -s 0:16:3e:d6:1:4 -d Broadcast --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 67 --ip-dport 68 -j RETURN",
|
|
202
|
+
"-j DROP"
|
|
203
|
+
],
|
|
204
|
+
},
|
|
205
|
+
)
|
|
206
|
+
end
|
|
207
|
+
end
|
|
208
|
+
end
|
|
209
|
+
end
|
|
@@ -0,0 +1,133 @@
|
|
|
1
|
+
#encoding: utf-8
|
|
2
|
+
require 'spec_helper'
|
|
3
|
+
describe Netfilter::IpTables do
|
|
4
|
+
describe "Class Methods" do
|
|
5
|
+
describe "parse" do
|
|
6
|
+
it "should not crash when there are no rules" do
|
|
7
|
+
Netfilter::IpTables.stub(:execute).and_return <<EOT
|
|
8
|
+
# Generated by iptables-save v1.4.12 on Wed Sep 18 22:10:46 2013
|
|
9
|
+
*filter
|
|
10
|
+
:INPUT ACCEPT [482594:85187003]
|
|
11
|
+
:FORWARD ACCEPT [0:0]
|
|
12
|
+
:OUTPUT ACCEPT [481491:61131132]
|
|
13
|
+
COMMIT
|
|
14
|
+
# Completed on Wed Sep 18 22:10:46 2013
|
|
15
|
+
EOT
|
|
16
|
+
|
|
17
|
+
Netfilter::IpTables.parse.should eq(
|
|
18
|
+
"filter" => {
|
|
19
|
+
"INPUT" => [
|
|
20
|
+
],
|
|
21
|
+
"FORWARD" => [
|
|
22
|
+
],
|
|
23
|
+
"OUTPUT" => [
|
|
24
|
+
],
|
|
25
|
+
},
|
|
26
|
+
)
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
|
|
30
|
+
it "should properly parse the current system's iptables" do
|
|
31
|
+
Netfilter::IpTables.stub(:execute).and_return <<EOT
|
|
32
|
+
# Generated by iptables-save v1.4.12 on Wed Sep 18 14:15:43 2013
|
|
33
|
+
*nat
|
|
34
|
+
:PREROUTING ACCEPT [920364:135062514]
|
|
35
|
+
:INPUT ACCEPT [62393:3917616]
|
|
36
|
+
:OUTPUT ACCEPT [59623:4116943]
|
|
37
|
+
:POSTROUTING ACCEPT [640454:41456220]
|
|
38
|
+
-A PREROUTING -d 185.14.157.109/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.8:5921
|
|
39
|
+
-A PREROUTING -d 185.14.157.123/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.8:5923
|
|
40
|
+
COMMIT
|
|
41
|
+
# Completed on Wed Sep 18 14:15:43 2013
|
|
42
|
+
# Generated by iptables-save v1.4.12 on Wed Sep 18 14:15:43 2013
|
|
43
|
+
*filter
|
|
44
|
+
:INPUT DROP [5647:1842222]
|
|
45
|
+
:FORWARD ACCEPT [267259:341060431]
|
|
46
|
+
:OUTPUT ACCEPT [3936250:18401515934]
|
|
47
|
+
:guest15865-1-i - [0:0]
|
|
48
|
+
:guest19265-1-i - [0:0]
|
|
49
|
+
:guest592991-1-i - [0:0]
|
|
50
|
+
-A INPUT -d 10.0.0.8/32 -p tcp -m tcp --dport 5920 -j DROP
|
|
51
|
+
-A INPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
|
|
52
|
+
-A INPUT -d 127.0.0.0/8 -i lo -j ACCEPT
|
|
53
|
+
-A INPUT -s 212.224.87.102/32 -p tcp -m tcp --dport 4949 -j ACCEPT
|
|
54
|
+
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
|
|
55
|
+
-A INPUT -p icmp -j ACCEPT
|
|
56
|
+
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
57
|
+
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
|
58
|
+
-A INPUT -d 10.0.0.8/32 -p tcp -m tcp --dport 5921 -j ACCEPT
|
|
59
|
+
-A INPUT -d 10.0.0.8/32 -p tcp -m tcp --dport 5923 -j ACCEPT
|
|
60
|
+
-A FORWARD -m physdev --physdev-out tap15866 --physdev-is-bridged -j guest15865-1-i
|
|
61
|
+
-A FORWARD -m physdev --physdev-out tap19266 --physdev-is-bridged -j guest19265-1-i
|
|
62
|
+
-A FORWARD -m physdev --physdev-out tap592992 --physdev-is-bridged -j guest592991-1-i
|
|
63
|
+
-A guest15865-1-i -j RETURN
|
|
64
|
+
-A guest19265-1-i -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
|
|
65
|
+
-A guest19265-1-i -p tcp -m tcp --dport 80 -j RETURN
|
|
66
|
+
-A guest19265-1-i -p tcp -m tcp --dport 22 -j RETURN
|
|
67
|
+
-A guest19265-1-i -p tcp -m tcp --dport 443 -j RETURN
|
|
68
|
+
-A guest19265-1-i -s 185.14.157.0/24 -p udp -m udp --dport 67 -j RETURN
|
|
69
|
+
-A guest19265-1-i -s 185.14.157.0/24 -p udp -m udp --dport 68 -j RETURN
|
|
70
|
+
-A guest19265-1-i -p tcp -j DROP
|
|
71
|
+
-A guest19265-1-i -p udp -j DROP
|
|
72
|
+
-A guest19265-1-i -j RETURN
|
|
73
|
+
-A guest592991-1-i -j RETURN
|
|
74
|
+
COMMIT
|
|
75
|
+
# Completed on Wed Sep 18 14:15:43 2013
|
|
76
|
+
EOT
|
|
77
|
+
|
|
78
|
+
Netfilter::IpTables.parse.should eq(
|
|
79
|
+
"nat" => {
|
|
80
|
+
"PREROUTING" => [
|
|
81
|
+
"-d 185.14.157.109/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.8:5921",
|
|
82
|
+
"-d 185.14.157.123/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.8:5923"
|
|
83
|
+
],
|
|
84
|
+
"INPUT" => [
|
|
85
|
+
],
|
|
86
|
+
"OUTPUT" => [
|
|
87
|
+
],
|
|
88
|
+
"POSTROUTING" => [
|
|
89
|
+
],
|
|
90
|
+
},
|
|
91
|
+
"filter" => {
|
|
92
|
+
"INPUT" => [
|
|
93
|
+
"-d 10.0.0.8/32 -p tcp -m tcp --dport 5920 -j DROP",
|
|
94
|
+
"-s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT",
|
|
95
|
+
"-d 127.0.0.0/8 -i lo -j ACCEPT",
|
|
96
|
+
"-s 212.224.87.102/32 -p tcp -m tcp --dport 4949 -j ACCEPT",
|
|
97
|
+
"-p tcp -m tcp --dport 22 -j ACCEPT",
|
|
98
|
+
"-p icmp -j ACCEPT",
|
|
99
|
+
"-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
|
|
100
|
+
"-m conntrack --ctstate INVALID -j DROP",
|
|
101
|
+
"-d 10.0.0.8/32 -p tcp -m tcp --dport 5921 -j ACCEPT",
|
|
102
|
+
"-d 10.0.0.8/32 -p tcp -m tcp --dport 5923 -j ACCEPT"
|
|
103
|
+
],
|
|
104
|
+
"FORWARD" => [
|
|
105
|
+
"-m physdev --physdev-out tap15866 --physdev-is-bridged -j guest15865-1-i",
|
|
106
|
+
"-m physdev --physdev-out tap19266 --physdev-is-bridged -j guest19265-1-i",
|
|
107
|
+
"-m physdev --physdev-out tap592992 --physdev-is-bridged -j guest592991-1-i"
|
|
108
|
+
],
|
|
109
|
+
"OUTPUT" => [
|
|
110
|
+
],
|
|
111
|
+
"guest15865-1-i" => [
|
|
112
|
+
"-j RETURN"
|
|
113
|
+
],
|
|
114
|
+
"guest19265-1-i" => [
|
|
115
|
+
"-m conntrack --ctstate RELATED,ESTABLISHED -j RETURN",
|
|
116
|
+
"-p tcp -m tcp --dport 80 -j RETURN",
|
|
117
|
+
"-p tcp -m tcp --dport 22 -j RETURN",
|
|
118
|
+
"-p tcp -m tcp --dport 443 -j RETURN",
|
|
119
|
+
"-s 185.14.157.0/24 -p udp -m udp --dport 67 -j RETURN",
|
|
120
|
+
"-s 185.14.157.0/24 -p udp -m udp --dport 68 -j RETURN",
|
|
121
|
+
"-p tcp -j DROP",
|
|
122
|
+
"-p udp -j DROP",
|
|
123
|
+
"-j RETURN"
|
|
124
|
+
],
|
|
125
|
+
"guest592991-1-i" => [
|
|
126
|
+
"-j RETURN"
|
|
127
|
+
],
|
|
128
|
+
},
|
|
129
|
+
)
|
|
130
|
+
end
|
|
131
|
+
end
|
|
132
|
+
end
|
|
133
|
+
end
|