netfilter-ruby 4.2
- checksums.yaml +7 -0
- data/.gitignore +17 -0
- data/.rspec +2 -0
- data/Gemfile +4 -0
- data/LICENSE.txt +22 -0
- data/README.md +63 -0
- data/Rakefile +5 -0
- data/lib/netfilter.rb +107 -0
- data/lib/netfilter/chain.rb +61 -0
- data/lib/netfilter/eb_tables.rb +18 -0
- data/lib/netfilter/filter.rb +52 -0
- data/lib/netfilter/ip6_tables.rb +5 -0
- data/lib/netfilter/ip_tables.rb +23 -0
- data/lib/netfilter/table.rb +62 -0
- data/lib/netfilter/tool.rb +132 -0
- data/lib/netfilter/version.rb +3 -0
- data/netfilter.gemspec +26 -0
- data/spec/netfilter/eb_tables_spec.rb +209 -0
- data/spec/netfilter/ip_tables_spec.rb +133 -0
- data/spec/netfilter/table_spec.rb +15 -0
- data/spec/netfilter/tool_spec.rb +123 -0
- data/spec/netfilter_spec.rb +82 -0
- data/spec/spec_helper.rb +18 -0
- metadata +143 -0
@@ -0,0 +1,132 @@
|
|
1
|
+
class Netfilter
|
2
|
+
class Tool
|
3
|
+
attr_accessor :tables, :namespace
|
4
|
+
|
5
|
+
def self.import(data)
|
6
|
+
data = data.symbolize_keys
|
7
|
+
new(data[:namespace]).tap do |tool|
|
8
|
+
data[:tables].each do |data|
|
9
|
+
table = Table.import(tool, data)
|
10
|
+
tool.tables[table.name.to_s.downcase] = table
|
11
|
+
end
|
12
|
+
end
|
13
|
+
end
|
14
|
+
|
15
|
+
def self.executable
|
16
|
+
name.demodulize.downcase
|
17
|
+
end
|
18
|
+
|
19
|
+
def self.execute(command)
|
20
|
+
# puts "Executing: #{command}"
|
21
|
+
stdout = `#{command} 2>&1`.strip
|
22
|
+
status = $?
|
23
|
+
if status.exitstatus == 0
|
24
|
+
stdout
|
25
|
+
else
|
26
|
+
raise SystemError, :command => command, :error => stdout
|
27
|
+
end
|
28
|
+
end
|
29
|
+
|
30
|
+
def self.delete_chain(name)
|
31
|
+
commands = []
|
32
|
+
parse.each do |table, chains|
|
33
|
+
chains.each do |chain, rules|
|
34
|
+
rules.each do |rule|
|
35
|
+
if rule.match("-j #{name}")
|
36
|
+
commands << "--table #{table} --delete #{chain} #{rule}"
|
37
|
+
end
|
38
|
+
end
|
39
|
+
end
|
40
|
+
|
41
|
+
chains.each do |chain, rules|
|
42
|
+
if chain.match(name)
|
43
|
+
commands << "--table #{table} --delete-chain #{chain}"
|
44
|
+
end
|
45
|
+
end
|
46
|
+
end
|
47
|
+
commands.each{ |command| execute("#{executable} #{command}") }
|
48
|
+
end
|
49
|
+
|
50
|
+
def initialize(namespace = nil)
|
51
|
+
self.namespace = namespace
|
52
|
+
self.tables = {}
|
53
|
+
yield(self) if block_given?
|
54
|
+
end
|
55
|
+
|
56
|
+
def table(name, &block)
|
57
|
+
key = name.to_s.downcase
|
58
|
+
(tables[key] || Table.new(self, name)).tap do |table|
|
59
|
+
tables[key] = table
|
60
|
+
block.call(table) if block
|
61
|
+
end
|
62
|
+
end
|
63
|
+
|
64
|
+
def pp
|
65
|
+
tables.values.sort_by(&:name).each do |table|
|
66
|
+
puts [table.name]*"\t"
|
67
|
+
table.chains.values.sort_by(&:name).each do |chain|
|
68
|
+
puts ["", chain.name_as_argument]*"\t"
|
69
|
+
chain.filters.each do |filter|
|
70
|
+
puts ["", "", filter]*"\t"
|
71
|
+
end
|
72
|
+
end
|
73
|
+
end
|
74
|
+
end
|
75
|
+
|
76
|
+
def commands
|
77
|
+
[].tap do |commands|
|
78
|
+
tables.values.each do |table|
|
79
|
+
table.commands.each do |command|
|
80
|
+
commands << command.unshift(executable)*" "
|
81
|
+
end
|
82
|
+
end
|
83
|
+
end
|
84
|
+
end
|
85
|
+
|
86
|
+
def up
|
87
|
+
@executed_commands = []
|
88
|
+
commands.each do |command|
|
89
|
+
execute(command)
|
90
|
+
@executed_commands << command
|
91
|
+
end
|
92
|
+
rescue SystemError => e
|
93
|
+
rollback
|
94
|
+
raise e
|
95
|
+
end
|
96
|
+
|
97
|
+
def down
|
98
|
+
@executed_commands = commands
|
99
|
+
rollback
|
100
|
+
end
|
101
|
+
|
102
|
+
def export
|
103
|
+
{
|
104
|
+
:namespace => namespace,
|
105
|
+
:tables => tables.values.map{ |table| table.export },
|
106
|
+
}
|
107
|
+
end
|
108
|
+
|
109
|
+
def executable
|
110
|
+
self.class.executable
|
111
|
+
end
|
112
|
+
|
113
|
+
private
|
114
|
+
|
115
|
+
def rollback
|
116
|
+
@executed_commands.reverse.each do |command|
|
117
|
+
command = argument_rename(command, "new-chain", "delete-chain")
|
118
|
+
command = argument_rename(command, "append", "delete")
|
119
|
+
command = argument_rename(command, "insert", "delete")
|
120
|
+
execute(command)
|
121
|
+
end
|
122
|
+
end
|
123
|
+
|
124
|
+
def argument_rename(command, old_name, new_name)
|
125
|
+
command.gsub(/--#{Regexp.escape(old_name)}(\s|$)/, "--#{new_name}\\1")
|
126
|
+
end
|
127
|
+
|
128
|
+
def execute(command)
|
129
|
+
self.class.execute(command)
|
130
|
+
end
|
131
|
+
end
|
132
|
+
end
|
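Review bot: `delete_chain` picks its targets by regex/substring match — `chain.match(name)` and `rule.match("-j #{name}")` — so deleting `guest1` would also remove `guest15865-1-i` and every rule jumping to it, and a name containing `.` or `+` is silently treated as a pattern; compare chain names with `==`/`chains.key?(name)` and anchor the jump match with `Regexp.escape`. `execute` then passes the assembled string to a shell through backticks, so any metacharacter in a chain name or rule spec is interpreted by `/bin/sh`; if those names are ever derived from external input (the fixtures suggest per-guest names) that is command injection, and running argv-style with `Open3.capture2e(*Shellwords.split(command))` removes the shell from the path. For iptables `--delete-chain` also refuses a non-empty chain, so a `--table #{table} --flush #{name}` before it is presumably needed unless callers guarantee the chain is already empty. The rewrite below needs `require 'open3'` and `require 'shellwords'` at the top of the file, whose header sits above this chunk.
```ruby
# … unchanged: attr_accessor, import, executable …

def self.execute(command)
  # Run argv-style, without a shell, so chain names and rule text are
  # never re-parsed by /bin/sh; capture2e merges stderr like the old 2>&1.
  stdout, status = Open3.capture2e(*Shellwords.split(command))
  stdout = stdout.strip
  return stdout if status.success?
  raise SystemError, :command => command, :error => stdout
end

def self.delete_chain(name)
  # Anchor the jump target: "-j guest1" must not match "-j guest15865-1-i".
  jump = /(?:\A|\s)-j #{Regexp.escape(name)}(?:\s|\z)/
  commands = []
  parse.each do |table, chains|
    chains.each do |chain, rules|
      rules.each do |rule|
        commands << "--table #{table} --delete #{chain} #{rule}" if rule =~ jump
      end
    end
    # Exact-name comparison instead of a regex/substring match.
    commands << "--table #{table} --delete-chain #{name}" if chains.key?(name)
  end
  commands.each { |command| execute("#{executable} #{command}") }
end

# … unchanged: initialize, table, pp, commands, up, down, export, rollback, argument_rename …
```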
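--- a/data/netfilter.gemspec
+++ b/data/netfilter.gemspec
@@ -0,0 +1,26 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'netfilter/version'
+
+Gem::Specification.new do |gem|
+gem.name = "netfilter-ruby"
+gem.version = Netfilter::VERSION
+gem.authors = ["Netskin GmbH", "Corin Langosch"]
+gem.email = ["info@netskin.com", "info@corinlangosch.com"]
+gem.description = %q{Awesome Netfilter management}
+gem.summary = %q{Awesome Netfilter (iptables & ebtables) management using ruby}
+gem.homepage = "http://github.com/netskin/netfilter-ruby"
+
+gem.files = `git ls-files`.split($/)
+gem.executables = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
+gem.require_paths = ["lib"]
+
+gem.add_dependency "activesupport", ">= 3.0.0"
+
+gem.add_development_dependency "rspec", "~> 2.12"
+gem.add_development_dependency "awesome_print"
+gem.add_development_dependency "json"
+gem.add_development_dependency "rake"
+end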
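Review bot: `gem.add_dependency "activesupport", ">= 3.0.0"` on line 20 has no upper bound, so a fresh install pulls whatever ActiveSupport major is current, while the core-extension helpers the library relies on (`symbolize_keys`, `demodulize`) are only known to work on the versions the author tested; for code that rewrites firewall rules, a bounded constraint such as `gem.add_dependency "activesupport", ">= 3.0.0", "< 5.0"` (with the bound raised as majors are verified) is the safer default. Line 15's `gem.files = \`git ls-files\`.split($/)` additionally means the gem can only be built from a git checkout and any tracked-but-uncommitted change is packaged as-is, which deserves a one-line comment such as `# file list comes from git; build only from a clean, committed tree`.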
@@ -0,0 +1,209 @@
|
|
1
|
+
#encoding: utf-8
|
2
|
+
require 'spec_helper'
|
3
|
+
describe Netfilter::EbTables do
|
4
|
+
describe "Class Methods" do
|
5
|
+
describe "parse" do
|
6
|
+
it "should not crash when there are no rules" do
|
7
|
+
Netfilter::EbTables.stub(:execute).and_return <<EOT
|
8
|
+
Bridge table: filter
|
9
|
+
|
10
|
+
Bridge chain: INPUT, entries: 0, policy: ACCEPT
|
11
|
+
|
12
|
+
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
|
13
|
+
|
14
|
+
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
|
15
|
+
EOT
|
16
|
+
|
17
|
+
Netfilter::EbTables.parse.should eq(
|
18
|
+
"filter" => {
|
19
|
+
"INPUT" => [
|
20
|
+
],
|
21
|
+
"FORWARD" => [
|
22
|
+
],
|
23
|
+
"OUTPUT" => [
|
24
|
+
],
|
25
|
+
},
|
26
|
+
)
|
27
|
+
end
|
28
|
+
|
29
|
+
it "should properly parse the current system's iptables" do
|
30
|
+
Netfilter::EbTables.stub(:execute).and_return <<EOT
|
31
|
+
Bridge table: filter
|
32
|
+
|
33
|
+
Bridge chain: INPUT, entries: 3, policy: ACCEPT
|
34
|
+
-i tap15866 -j guest15865-1-o
|
35
|
+
-i tap19266 -j guest19265-1-o
|
36
|
+
-i tap592992 -j guest592991-1-o
|
37
|
+
|
38
|
+
Bridge chain: FORWARD, entries: 6, policy: ACCEPT
|
39
|
+
-i tap15866 -j guest15865-1-o
|
40
|
+
-o tap15866 -j guest15865-1-i
|
41
|
+
-i tap19266 -j guest19265-1-o
|
42
|
+
-o tap19266 -j guest19265-1-i
|
43
|
+
-i tap592992 -j guest592991-1-o
|
44
|
+
-o tap592992 -j guest592991-1-i
|
45
|
+
|
46
|
+
Bridge chain: OUTPUT, entries: 3, policy: ACCEPT
|
47
|
+
-o tap15866 -j guest15865-1-i
|
48
|
+
-o tap19266 -j guest19265-1-i
|
49
|
+
-o tap592992 -j guest592991-1-i
|
50
|
+
|
51
|
+
Bridge chain: guest15865-1-o, entries: 14, policy: ACCEPT
|
52
|
+
-s ! 2:1a:83:13:5d:26 -j DROP
|
53
|
+
-p IPv4 --ip-dst 10.0.0.0/8 -j DROP
|
54
|
+
-p IPv4 --ip-dst 169.254.0.0/16 -j DROP
|
55
|
+
-p IPv4 --ip-dst 172.16.0.0/12 -j DROP
|
56
|
+
-p IPv4 --ip-dst 192.168.0.0/16 -j DROP
|
57
|
+
-p IPv4 --ip-src 185.14.157.11 -j RETURN
|
58
|
+
-p ARP --arp-ip-src 185.14.157.11 --arp-mac-src 2:1a:83:13:5d:26 -j RETURN
|
59
|
+
-p IPv4 --ip-src 185.14.157.12 -j RETURN
|
60
|
+
-p ARP --arp-ip-src 185.14.157.12 --arp-mac-src 2:1a:83:13:5d:26 -j RETURN
|
61
|
+
-p IPv4 --ip-src 185.14.157.13 -j RETURN
|
62
|
+
-p ARP --arp-ip-src 185.14.157.13 --arp-mac-src 2:1a:83:13:5d:26 -j RETURN
|
63
|
+
-p IPv6 --ip6-src 2a03:b240:101:4f::/ffff:ffff:ffff:ffff:: -j RETURN
|
64
|
+
-p IPv4 --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j RETURN
|
65
|
+
-j DROP
|
66
|
+
|
67
|
+
Bridge chain: guest15865-1-i, entries: 8, policy: ACCEPT
|
68
|
+
-p ARP --arp-op Request --arp-ip-dst 185.14.157.11 -j RETURN
|
69
|
+
-p ARP --arp-op Request --arp-ip-dst 185.14.157.12 -j RETURN
|
70
|
+
-p ARP --arp-op Request --arp-ip-dst 185.14.157.13 -j RETURN
|
71
|
+
-p ARP --arp-op Request -j DROP
|
72
|
+
-d 2:1a:83:13:5d:26 -j RETURN
|
73
|
+
-d 33:33:0:0:0:0/ff:ff:0:0:0:0 -j RETURN
|
74
|
+
-p IPv4 -s 0:16:3e:d6:1:4 -d Broadcast --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 67 --ip-dport 68 -j RETURN
|
75
|
+
-j DROP
|
76
|
+
|
77
|
+
Bridge chain: guest19265-1-o, entries: 10, policy: ACCEPT
|
78
|
+
-s ! 2:bd:7f:46:96:e -j DROP
|
79
|
+
-p IPv4 --ip-dst 10.0.0.0/8 -j DROP
|
80
|
+
-p IPv4 --ip-dst 169.254.0.0/16 -j DROP
|
81
|
+
-p IPv4 --ip-dst 172.16.0.0/12 -j DROP
|
82
|
+
-p IPv4 --ip-dst 192.168.0.0/16 -j DROP
|
83
|
+
-p IPv4 --ip-src 185.14.157.109 -j RETURN
|
84
|
+
-p ARP --arp-ip-src 185.14.157.109 --arp-mac-src 2:bd:7f:46:96:e -j RETURN
|
85
|
+
-p IPv6 --ip6-src 2a03:b240:101:16::/ffff:ffff:ffff:ffff:: -j RETURN
|
86
|
+
-p IPv4 --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j RETURN
|
87
|
+
-j DROP
|
88
|
+
|
89
|
+
Bridge chain: guest19265-1-i, entries: 6, policy: ACCEPT
|
90
|
+
-p ARP --arp-op Request --arp-ip-dst 185.14.157.109 -j RETURN
|
91
|
+
-p ARP --arp-op Request -j DROP
|
92
|
+
-d 2:bd:7f:46:96:e -j RETURN
|
93
|
+
-d 33:33:0:0:0:0/ff:ff:0:0:0:0 -j RETURN
|
94
|
+
-p IPv4 -s 0:16:3e:d6:1:4 -d Broadcast --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 67 --ip-dport 68 -j RETURN
|
95
|
+
-j DROP
|
96
|
+
|
97
|
+
Bridge chain: guest592991-1-o, entries: 10, policy: ACCEPT
|
98
|
+
-s ! 2:23:6c:ab:41:c5 -j DROP
|
99
|
+
-p IPv4 --ip-dst 10.0.0.0/8 -j DROP
|
100
|
+
-p IPv4 --ip-dst 169.254.0.0/16 -j DROP
|
101
|
+
-p IPv4 --ip-dst 172.16.0.0/12 -j DROP
|
102
|
+
-p IPv4 --ip-dst 192.168.0.0/16 -j DROP
|
103
|
+
-p IPv4 --ip-src 185.14.157.123 -j RETURN
|
104
|
+
-p ARP --arp-ip-src 185.14.157.123 --arp-mac-src 2:23:6c:ab:41:c5 -j RETURN
|
105
|
+
-p IPv6 --ip6-src 2a03:b240:101:14::/ffff:ffff:ffff:ffff:: -j RETURN
|
106
|
+
-p IPv4 --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j RETURN
|
107
|
+
-j DROP
|
108
|
+
|
109
|
+
Bridge chain: guest592991-1-i, entries: 6, policy: ACCEPT
|
110
|
+
-p ARP --arp-op Request --arp-ip-dst 185.14.157.123 -j RETURN
|
111
|
+
-p ARP --arp-op Request -j DROP
|
112
|
+
-d 2:23:6c:ab:41:c5 -j RETURN
|
113
|
+
-d 33:33:0:0:0:0/ff:ff:0:0:0:0 -j RETURN
|
114
|
+
-p IPv4 -s 0:16:3e:d6:1:4 -d Broadcast --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 67 --ip-dport 68 -j RETURN
|
115
|
+
-j DROP
|
116
|
+
EOT
|
117
|
+
|
118
|
+
Netfilter::EbTables.parse.should eq(
|
119
|
+
"filter" => {
|
120
|
+
"INPUT" => [
|
121
|
+
"-i tap15866 -j guest15865-1-o",
|
122
|
+
"-i tap19266 -j guest19265-1-o",
|
123
|
+
"-i tap592992 -j guest592991-1-o"
|
124
|
+
],
|
125
|
+
"FORWARD" => [
|
126
|
+
"-i tap15866 -j guest15865-1-o",
|
127
|
+
"-o tap15866 -j guest15865-1-i",
|
128
|
+
"-i tap19266 -j guest19265-1-o",
|
129
|
+
"-o tap19266 -j guest19265-1-i",
|
130
|
+
"-i tap592992 -j guest592991-1-o",
|
131
|
+
"-o tap592992 -j guest592991-1-i"
|
132
|
+
],
|
133
|
+
"OUTPUT" => [
|
134
|
+
"-o tap15866 -j guest15865-1-i",
|
135
|
+
"-o tap19266 -j guest19265-1-i",
|
136
|
+
"-o tap592992 -j guest592991-1-i"
|
137
|
+
],
|
138
|
+
"guest15865-1-o" => [
|
139
|
+
"-s ! 2:1a:83:13:5d:26 -j DROP",
|
140
|
+
"-p IPv4 --ip-dst 10.0.0.0/8 -j DROP",
|
141
|
+
"-p IPv4 --ip-dst 169.254.0.0/16 -j DROP",
|
142
|
+
"-p IPv4 --ip-dst 172.16.0.0/12 -j DROP",
|
143
|
+
"-p IPv4 --ip-dst 192.168.0.0/16 -j DROP",
|
144
|
+
"-p IPv4 --ip-src 185.14.157.11 -j RETURN",
|
145
|
+
"-p ARP --arp-ip-src 185.14.157.11 --arp-mac-src 2:1a:83:13:5d:26 -j RETURN",
|
146
|
+
"-p IPv4 --ip-src 185.14.157.12 -j RETURN",
|
147
|
+
"-p ARP --arp-ip-src 185.14.157.12 --arp-mac-src 2:1a:83:13:5d:26 -j RETURN",
|
148
|
+
"-p IPv4 --ip-src 185.14.157.13 -j RETURN",
|
149
|
+
"-p ARP --arp-ip-src 185.14.157.13 --arp-mac-src 2:1a:83:13:5d:26 -j RETURN",
|
150
|
+
"-p IPv6 --ip6-src 2a03:b240:101:4f::/ffff:ffff:ffff:ffff:: -j RETURN",
|
151
|
+
"-p IPv4 --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j RETURN",
|
152
|
+
"-j DROP"
|
153
|
+
],
|
154
|
+
"guest15865-1-i" => [
|
155
|
+
"-p ARP --arp-op Request --arp-ip-dst 185.14.157.11 -j RETURN",
|
156
|
+
"-p ARP --arp-op Request --arp-ip-dst 185.14.157.12 -j RETURN",
|
157
|
+
"-p ARP --arp-op Request --arp-ip-dst 185.14.157.13 -j RETURN",
|
158
|
+
"-p ARP --arp-op Request -j DROP",
|
159
|
+
"-d 2:1a:83:13:5d:26 -j RETURN",
|
160
|
+
"-d 33:33:0:0:0:0/ff:ff:0:0:0:0 -j RETURN",
|
161
|
+
"-p IPv4 -s 0:16:3e:d6:1:4 -d Broadcast --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 67 --ip-dport 68 -j RETURN",
|
162
|
+
"-j DROP"
|
163
|
+
],
|
164
|
+
"guest19265-1-o" => [
|
165
|
+
"-s ! 2:bd:7f:46:96:e -j DROP",
|
166
|
+
"-p IPv4 --ip-dst 10.0.0.0/8 -j DROP",
|
167
|
+
"-p IPv4 --ip-dst 169.254.0.0/16 -j DROP",
|
168
|
+
"-p IPv4 --ip-dst 172.16.0.0/12 -j DROP",
|
169
|
+
"-p IPv4 --ip-dst 192.168.0.0/16 -j DROP",
|
170
|
+
"-p IPv4 --ip-src 185.14.157.109 -j RETURN",
|
171
|
+
"-p ARP --arp-ip-src 185.14.157.109 --arp-mac-src 2:bd:7f:46:96:e -j RETURN",
|
172
|
+
"-p IPv6 --ip6-src 2a03:b240:101:16::/ffff:ffff:ffff:ffff:: -j RETURN",
|
173
|
+
"-p IPv4 --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j RETURN",
|
174
|
+
"-j DROP"
|
175
|
+
],
|
176
|
+
"guest19265-1-i" => [
|
177
|
+
"-p ARP --arp-op Request --arp-ip-dst 185.14.157.109 -j RETURN",
|
178
|
+
"-p ARP --arp-op Request -j DROP",
|
179
|
+
"-d 2:bd:7f:46:96:e -j RETURN",
|
180
|
+
"-d 33:33:0:0:0:0/ff:ff:0:0:0:0 -j RETURN",
|
181
|
+
"-p IPv4 -s 0:16:3e:d6:1:4 -d Broadcast --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 67 --ip-dport 68 -j RETURN",
|
182
|
+
"-j DROP"
|
183
|
+
],
|
184
|
+
"guest592991-1-o" => [
|
185
|
+
"-s ! 2:23:6c:ab:41:c5 -j DROP",
|
186
|
+
"-p IPv4 --ip-dst 10.0.0.0/8 -j DROP",
|
187
|
+
"-p IPv4 --ip-dst 169.254.0.0/16 -j DROP",
|
188
|
+
"-p IPv4 --ip-dst 172.16.0.0/12 -j DROP",
|
189
|
+
"-p IPv4 --ip-dst 192.168.0.0/16 -j DROP",
|
190
|
+
"-p IPv4 --ip-src 185.14.157.123 -j RETURN",
|
191
|
+
"-p ARP --arp-ip-src 185.14.157.123 --arp-mac-src 2:23:6c:ab:41:c5 -j RETURN",
|
192
|
+
"-p IPv6 --ip6-src 2a03:b240:101:14::/ffff:ffff:ffff:ffff:: -j RETURN",
|
193
|
+
"-p IPv4 --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j RETURN",
|
194
|
+
"-j DROP"
|
195
|
+
],
|
196
|
+
"guest592991-1-i" => [
|
197
|
+
"-p ARP --arp-op Request --arp-ip-dst 185.14.157.123 -j RETURN",
|
198
|
+
"-p ARP --arp-op Request -j DROP",
|
199
|
+
"-d 2:23:6c:ab:41:c5 -j RETURN",
|
200
|
+
"-d 33:33:0:0:0:0/ff:ff:0:0:0:0 -j RETURN",
|
201
|
+
"-p IPv4 -s 0:16:3e:d6:1:4 -d Broadcast --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 67 --ip-dport 68 -j RETURN",
|
202
|
+
"-j DROP"
|
203
|
+
],
|
204
|
+
},
|
205
|
+
)
|
206
|
+
end
|
207
|
+
end
|
208
|
+
end
|
209
|
+
end
|
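Review bot: The fixture at lines 31–116 looks like a dump of a live host — per-guest MAC addresses, public IPv4 addresses in 185.14.157.0/24 and IPv6 prefixes under 2a03:b240:101::/48 — committed to a public gem, which discloses a provider's per-guest bridge filtering layout with no benefit to the parser test. Replace them with documentation ranges (`192.0.2.0/24`, `2001:db8::/32`) and locally administered MACs before release; since `parse` output is compared verbatim, the same substitution goes into the expected hash on lines 118–205. The second example's title also says `iptables` (`"should properly parse the current system's iptables"`) although it exercises ebtables output and `execute` is stubbed, so `"should properly parse a full ebtables listing"` would describe it accurately.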
@@ -0,0 +1,133 @@
|
|
1
|
+
#encoding: utf-8
|
2
|
+
require 'spec_helper'
|
3
|
+
describe Netfilter::IpTables do
|
4
|
+
describe "Class Methods" do
|
5
|
+
describe "parse" do
|
6
|
+
it "should not crash when there are no rules" do
|
7
|
+
Netfilter::IpTables.stub(:execute).and_return <<EOT
|
8
|
+
# Generated by iptables-save v1.4.12 on Wed Sep 18 22:10:46 2013
|
9
|
+
*filter
|
10
|
+
:INPUT ACCEPT [482594:85187003]
|
11
|
+
:FORWARD ACCEPT [0:0]
|
12
|
+
:OUTPUT ACCEPT [481491:61131132]
|
13
|
+
COMMIT
|
14
|
+
# Completed on Wed Sep 18 22:10:46 2013
|
15
|
+
EOT
|
16
|
+
|
17
|
+
Netfilter::IpTables.parse.should eq(
|
18
|
+
"filter" => {
|
19
|
+
"INPUT" => [
|
20
|
+
],
|
21
|
+
"FORWARD" => [
|
22
|
+
],
|
23
|
+
"OUTPUT" => [
|
24
|
+
],
|
25
|
+
},
|
26
|
+
)
|
27
|
+
end
|
28
|
+
|
29
|
+
|
30
|
+
it "should properly parse the current system's iptables" do
|
31
|
+
Netfilter::IpTables.stub(:execute).and_return <<EOT
|
32
|
+
# Generated by iptables-save v1.4.12 on Wed Sep 18 14:15:43 2013
|
33
|
+
*nat
|
34
|
+
:PREROUTING ACCEPT [920364:135062514]
|
35
|
+
:INPUT ACCEPT [62393:3917616]
|
36
|
+
:OUTPUT ACCEPT [59623:4116943]
|
37
|
+
:POSTROUTING ACCEPT [640454:41456220]
|
38
|
+
-A PREROUTING -d 185.14.157.109/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.8:5921
|
39
|
+
-A PREROUTING -d 185.14.157.123/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.8:5923
|
40
|
+
COMMIT
|
41
|
+
# Completed on Wed Sep 18 14:15:43 2013
|
42
|
+
# Generated by iptables-save v1.4.12 on Wed Sep 18 14:15:43 2013
|
43
|
+
*filter
|
44
|
+
:INPUT DROP [5647:1842222]
|
45
|
+
:FORWARD ACCEPT [267259:341060431]
|
46
|
+
:OUTPUT ACCEPT [3936250:18401515934]
|
47
|
+
:guest15865-1-i - [0:0]
|
48
|
+
:guest19265-1-i - [0:0]
|
49
|
+
:guest592991-1-i - [0:0]
|
50
|
+
-A INPUT -d 10.0.0.8/32 -p tcp -m tcp --dport 5920 -j DROP
|
51
|
+
-A INPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
|
52
|
+
-A INPUT -d 127.0.0.0/8 -i lo -j ACCEPT
|
53
|
+
-A INPUT -s 212.224.87.102/32 -p tcp -m tcp --dport 4949 -j ACCEPT
|
54
|
+
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
|
55
|
+
-A INPUT -p icmp -j ACCEPT
|
56
|
+
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
57
|
+
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
58
|
+
-A INPUT -d 10.0.0.8/32 -p tcp -m tcp --dport 5921 -j ACCEPT
|
59
|
+
-A INPUT -d 10.0.0.8/32 -p tcp -m tcp --dport 5923 -j ACCEPT
|
60
|
+
-A FORWARD -m physdev --physdev-out tap15866 --physdev-is-bridged -j guest15865-1-i
|
61
|
+
-A FORWARD -m physdev --physdev-out tap19266 --physdev-is-bridged -j guest19265-1-i
|
62
|
+
-A FORWARD -m physdev --physdev-out tap592992 --physdev-is-bridged -j guest592991-1-i
|
63
|
+
-A guest15865-1-i -j RETURN
|
64
|
+
-A guest19265-1-i -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
|
65
|
+
-A guest19265-1-i -p tcp -m tcp --dport 80 -j RETURN
|
66
|
+
-A guest19265-1-i -p tcp -m tcp --dport 22 -j RETURN
|
67
|
+
-A guest19265-1-i -p tcp -m tcp --dport 443 -j RETURN
|
68
|
+
-A guest19265-1-i -s 185.14.157.0/24 -p udp -m udp --dport 67 -j RETURN
|
69
|
+
-A guest19265-1-i -s 185.14.157.0/24 -p udp -m udp --dport 68 -j RETURN
|
70
|
+
-A guest19265-1-i -p tcp -j DROP
|
71
|
+
-A guest19265-1-i -p udp -j DROP
|
72
|
+
-A guest19265-1-i -j RETURN
|
73
|
+
-A guest592991-1-i -j RETURN
|
74
|
+
COMMIT
|
75
|
+
# Completed on Wed Sep 18 14:15:43 2013
|
76
|
+
EOT
|
77
|
+
|
78
|
+
Netfilter::IpTables.parse.should eq(
|
79
|
+
"nat" => {
|
80
|
+
"PREROUTING" => [
|
81
|
+
"-d 185.14.157.109/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.8:5921",
|
82
|
+
"-d 185.14.157.123/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.8:5923"
|
83
|
+
],
|
84
|
+
"INPUT" => [
|
85
|
+
],
|
86
|
+
"OUTPUT" => [
|
87
|
+
],
|
88
|
+
"POSTROUTING" => [
|
89
|
+
],
|
90
|
+
},
|
91
|
+
"filter" => {
|
92
|
+
"INPUT" => [
|
93
|
+
"-d 10.0.0.8/32 -p tcp -m tcp --dport 5920 -j DROP",
|
94
|
+
"-s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT",
|
95
|
+
"-d 127.0.0.0/8 -i lo -j ACCEPT",
|
96
|
+
"-s 212.224.87.102/32 -p tcp -m tcp --dport 4949 -j ACCEPT",
|
97
|
+
"-p tcp -m tcp --dport 22 -j ACCEPT",
|
98
|
+
"-p icmp -j ACCEPT",
|
99
|
+
"-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
|
100
|
+
"-m conntrack --ctstate INVALID -j DROP",
|
101
|
+
"-d 10.0.0.8/32 -p tcp -m tcp --dport 5921 -j ACCEPT",
|
102
|
+
"-d 10.0.0.8/32 -p tcp -m tcp --dport 5923 -j ACCEPT"
|
103
|
+
],
|
104
|
+
"FORWARD" => [
|
105
|
+
"-m physdev --physdev-out tap15866 --physdev-is-bridged -j guest15865-1-i",
|
106
|
+
"-m physdev --physdev-out tap19266 --physdev-is-bridged -j guest19265-1-i",
|
107
|
+
"-m physdev --physdev-out tap592992 --physdev-is-bridged -j guest592991-1-i"
|
108
|
+
],
|
109
|
+
"OUTPUT" => [
|
110
|
+
],
|
111
|
+
"guest15865-1-i" => [
|
112
|
+
"-j RETURN"
|
113
|
+
],
|
114
|
+
"guest19265-1-i" => [
|
115
|
+
"-m conntrack --ctstate RELATED,ESTABLISHED -j RETURN",
|
116
|
+
"-p tcp -m tcp --dport 80 -j RETURN",
|
117
|
+
"-p tcp -m tcp --dport 22 -j RETURN",
|
118
|
+
"-p tcp -m tcp --dport 443 -j RETURN",
|
119
|
+
"-s 185.14.157.0/24 -p udp -m udp --dport 67 -j RETURN",
|
120
|
+
"-s 185.14.157.0/24 -p udp -m udp --dport 68 -j RETURN",
|
121
|
+
"-p tcp -j DROP",
|
122
|
+
"-p udp -j DROP",
|
123
|
+
"-j RETURN"
|
124
|
+
],
|
125
|
+
"guest592991-1-i" => [
|
126
|
+
"-j RETURN"
|
127
|
+
],
|
128
|
+
},
|
129
|
+
)
|
130
|
+
end
|
131
|
+
end
|
132
|
+
end
|
133
|
+
end
|
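Review bot: The fixture at lines 32–75 appears to be a real `iptables-save` of a production hypervisor: it exposes the DNAT of public addresses to VNC consoles (`-d 185.14.157.109/32 ... --dport 5900 -j DNAT --to-destination 10.0.0.8:5921`), an INPUT chain that accepts SSH from anywhere, and a monitoring host `212.224.87.102` allowed on port 4949, none of which the parser needs. Swap these for RFC 5737 addresses (`192.0.2.0/24`, `198.51.100.0/24`) and neutral ports in both the heredoc and the expected hash on lines 78–129 so the test documents parsing, not the author's network. Because `execute` is stubbed the example never reads the system, so the title `"should properly parse the current system's iptables"` is misleading; `"should parse a multi-table iptables-save dump"` states what it checks.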