ript 0.8.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/.gitignore +6 -0
- data/.rbenv-version +1 -0
- data/AUTHORS.md +16 -0
- data/CHANGELOG.md +93 -0
- data/Gemfile +4 -0
- data/Gemfile.lock +62 -0
- data/LICENCE +19 -0
- data/README.md +564 -0
- data/Rakefile +136 -0
- data/bin/rbenv-sudo +18 -0
- data/bin/ript +207 -0
- data/dist/init.d +48 -0
- data/examples/accept-multiple-from-and-to.rb +16 -0
- data/examples/accept-with-a-list-of-ports.rb +13 -0
- data/examples/accept-with-specific-port-and-interface.rb +14 -0
- data/examples/accept-without-specific-from.rb +11 -0
- data/examples/accept.rb +12 -0
- data/examples/basic.rb +4 -0
- data/examples/dash-in-partition-name.rb +2 -0
- data/examples/drop.rb +11 -0
- data/examples/duplicate-partition-names/foobar1.rb +2 -0
- data/examples/duplicate-partition-names/foobar2.rb +2 -0
- data/examples/errors-undefined-method-with-no-match.rb +12 -0
- data/examples/errors-undefined-method.rb +12 -0
- data/examples/forward-dnat-with-different-destination-port.rb +16 -0
- data/examples/forward-dnat-with-explicit-from-and-port-mappings.rb +11 -0
- data/examples/forward-dnat-with-explicit-from-and-ports.rb +11 -0
- data/examples/forward-dnat-with-explicit-from.rb +11 -0
- data/examples/forward-dnat-with-explicit-protocols.rb +15 -0
- data/examples/forward-dnat-with-multiple-froms.rb +13 -0
- data/examples/forward-dnat-with-multiple-ports.rb +10 -0
- data/examples/forward-dnat-with-multiple-sources.rb +15 -0
- data/examples/forward-dnat.rb +16 -0
- data/examples/forward-snat-with-explicit-from.rb +16 -0
- data/examples/forward-snat-with-multiple-sources.rb +13 -0
- data/examples/forward-snat.rb +9 -0
- data/examples/log-and-accept.rb +12 -0
- data/examples/log-and-drop.rb +11 -0
- data/examples/log-dnat.rb +10 -0
- data/examples/log-snat.rb +13 -0
- data/examples/log.rb +11 -0
- data/examples/missing-address-definition-in-destination.rb +15 -0
- data/examples/missing-address-definition-in-from.rb +15 -0
- data/examples/multiple-partitions-in-this-file.rb +14 -0
- data/examples/multiple-partitions/bar.rb +11 -0
- data/examples/multiple-partitions/foo.rb +17 -0
- data/examples/partition-name-exactly-20-characters.rb +2 -0
- data/examples/partition-name-longer-than-20-characters.rb +2 -0
- data/examples/postclean.rb +10 -0
- data/examples/preclean.rb +10 -0
- data/examples/raw-with-chain-deletion.rb +9 -0
- data/examples/raw-with-flush.rb +9 -0
- data/examples/raw.rb +50 -0
- data/examples/reject.rb +11 -0
- data/examples/space-in-partition-name.rb +2 -0
- data/features/cli.feature +115 -0
- data/features/dsl/errors.feature +107 -0
- data/features/dsl/filter.feature +187 -0
- data/features/dsl/logging.feature +114 -0
- data/features/dsl/nat.feature +271 -0
- data/features/dsl/raw.feature +28 -0
- data/features/setup.feature +58 -0
- data/features/step_definitions/cli_steps.rb +15 -0
- data/features/step_definitions/example_steps.rb +44 -0
- data/features/support/env.rb +25 -0
- data/lib/ript/bootstrap.rb +20 -0
- data/lib/ript/dsl.rb +14 -0
- data/lib/ript/dsl/primitives.rb +7 -0
- data/lib/ript/dsl/primitives/common.rb +78 -0
- data/lib/ript/dsl/primitives/filter.rb +145 -0
- data/lib/ript/dsl/primitives/nat.rb +206 -0
- data/lib/ript/dsl/primitives/raw.rb +45 -0
- data/lib/ript/exceptions.rb +2 -0
- data/lib/ript/partition.rb +162 -0
- data/lib/ript/patches.rb +10 -0
- data/lib/ript/rule.rb +70 -0
- data/lib/ript/version.rb +3 -0
- data/ript.gemspec +33 -0
- metadata +232 -0
|
@@ -0,0 +1,114 @@
|
|
|
1
|
+
Feature: Logging
|
|
2
|
+
When debugging complex problems
|
|
3
|
+
A user may want to know
|
|
4
|
+
If certain rules are being used
|
|
5
|
+
|
|
6
|
+
@log @filter @accept
|
|
7
|
+
Scenario: Log and accept
|
|
8
|
+
When I run `ript rules generate examples/log-and-accept.rb`
|
|
9
|
+
Then the output should match:
|
|
10
|
+
"""
|
|
11
|
+
iptables --table nat --new-chain keepalived-d\w+
|
|
12
|
+
iptables --table nat --new-chain keepalived-s\w+
|
|
13
|
+
iptables --table filter --new-chain keepalived-a\w+
|
|
14
|
+
"""
|
|
15
|
+
Then the output should match:
|
|
16
|
+
"""
|
|
17
|
+
iptables --table filter --insert partition-a --destination 224.0.0.0/8 --jump keepalived-a\w+
|
|
18
|
+
iptables --table filter --insert partition-a --destination 224.0.0.0/8 --jump LOG
|
|
19
|
+
"""
|
|
20
|
+
Then the output should match:
|
|
21
|
+
"""
|
|
22
|
+
iptables --table filter --append keepalived-a\w+ --protocol vrrp --destination 224.0.0.0/8 --source 172.16.0.216 --jump LOG
|
|
23
|
+
iptables --table filter --append keepalived-a\w+ --protocol vrrp --destination 224.0.0.0/8 --source 172.16.0.216 --jump ACCEPT
|
|
24
|
+
iptables --table filter --append keepalived-a\w+ --protocol vrrp --destination 224.0.0.0/8 --source 172.16.0.217 --jump LOG
|
|
25
|
+
iptables --table filter --append keepalived-a\w+ --protocol vrrp --destination 224.0.0.0/8 --source 172.16.0.217 --jump ACCEPT
|
|
26
|
+
"""
|
|
27
|
+
Then the created chain name in all tables should match
|
|
28
|
+
|
|
29
|
+
@log @filter @drop
|
|
30
|
+
Scenario: Log and drop
|
|
31
|
+
When I run `ript rules generate examples/log-and-drop.rb`
|
|
32
|
+
Then the output should match:
|
|
33
|
+
"""
|
|
34
|
+
iptables --table nat --new-chain bar-d\w+
|
|
35
|
+
iptables --table nat --new-chain bar-s\w+
|
|
36
|
+
iptables --table filter --new-chain bar-a\w+
|
|
37
|
+
"""
|
|
38
|
+
Then the output should match:
|
|
39
|
+
"""
|
|
40
|
+
iptables --table filter --insert partition-a --destination 172.23.0.95 --jump bar-a\w+
|
|
41
|
+
iptables --table filter --insert partition-a --destination 172.23.0.95 --jump LOG
|
|
42
|
+
"""
|
|
43
|
+
Then the output should match:
|
|
44
|
+
"""
|
|
45
|
+
iptables --table filter --append bar-a\w+ --protocol TCP --destination 172.23.0.95 --source 127.0.0.1 --jump LOG
|
|
46
|
+
iptables --table filter --append bar-a\w+ --protocol TCP --destination 172.23.0.95 --source 127.0.0.1 --jump DROP
|
|
47
|
+
"""
|
|
48
|
+
Then the created chain name in all tables should match
|
|
49
|
+
|
|
50
|
+
@log @nat @dnat
|
|
51
|
+
Scenario: Logging complex DNAT
|
|
52
|
+
When I run `ript rules generate examples/log-dnat.rb`
|
|
53
|
+
Then the output should match:
|
|
54
|
+
"""
|
|
55
|
+
iptables --table nat --new-chain bar-d\w+
|
|
56
|
+
iptables --table nat --new-chain bar-s\w+
|
|
57
|
+
iptables --table filter --new-chain bar-a\w+
|
|
58
|
+
"""
|
|
59
|
+
Then the output should match:
|
|
60
|
+
"""
|
|
61
|
+
iptables --table nat --insert partition-d --destination 172.23.0.95 --jump bar-d\w+
|
|
62
|
+
iptables --table nat --insert partition-d --destination 172.23.0.95 --jump LOG
|
|
63
|
+
"""
|
|
64
|
+
Then the output should match:
|
|
65
|
+
"""
|
|
66
|
+
iptables --table nat --append bar-d\w+ --protocol TCP --destination 172.23.0.95 --dport 80 --jump LOG --to-destination 192.168.19.2
|
|
67
|
+
iptables --table nat --append bar-d\w+ --protocol TCP --destination 172.23.0.95 --dport 80 --jump DNAT --to-destination 192.168.19.2
|
|
68
|
+
iptables --table filter --append bar-a\w+ --protocol TCP --destination 192.168.19.2 --dport 80 --jump LOG
|
|
69
|
+
iptables --table filter --append bar-a\w+ --protocol TCP --destination 192.168.19.2 --dport 80 --jump ACCEPT
|
|
70
|
+
iptables --table nat --append bar-d\w+ --protocol TCP --destination 172.23.0.95 --dport 22 --jump LOG --to-destination 192.168.19.2
|
|
71
|
+
iptables --table nat --append bar-d\w+ --protocol TCP --destination 172.23.0.95 --dport 22 --jump DNAT --to-destination 192.168.19.2
|
|
72
|
+
iptables --table filter --append bar-a\w+ --protocol TCP --destination 192.168.19.2 --dport 22 --jump LOG
|
|
73
|
+
iptables --table filter --append bar-a\w+ --protocol TCP --destination 192.168.19.2 --dport 22 --jump ACCEPT
|
|
74
|
+
"""
|
|
75
|
+
Then the created chain name in all tables should match
|
|
76
|
+
|
|
77
|
+
@log @nat @snat
|
|
78
|
+
Scenario: Logging complex SNAT
|
|
79
|
+
When I run `ript rules generate examples/log-snat.rb`
|
|
80
|
+
Then the output should match:
|
|
81
|
+
"""
|
|
82
|
+
iptables --table nat --new-chain bar-d\w+
|
|
83
|
+
iptables --table nat --new-chain bar-s\w+
|
|
84
|
+
iptables --table filter --new-chain bar-a\w+
|
|
85
|
+
"""
|
|
86
|
+
Then the output should match:
|
|
87
|
+
"""
|
|
88
|
+
iptables --table nat --append bar-s\w+ --source 10.33.0.0/24 --jump LOG --to-source 172.23.0.95
|
|
89
|
+
iptables --table nat --append bar-s\w+ --source 10.33.0.0/24 --jump SNAT --to-source 172.23.0.95
|
|
90
|
+
iptables --table filter --append bar-a\w+ --source 10.33.0.0/24 --jump LOG
|
|
91
|
+
iptables --table filter --append bar-a\w+ --source 10.33.0.0/24 --jump ACCEPT
|
|
92
|
+
iptables --table nat --append bar-s\w+ --source 10.44.0.0/24 --jump LOG --to-source 172.23.0.95
|
|
93
|
+
iptables --table nat --append bar-s\w+ --source 10.44.0.0/24 --jump SNAT --to-source 172.23.0.95
|
|
94
|
+
iptables --table filter --append bar-a\w+ --source 10.44.0.0/24 --jump LOG
|
|
95
|
+
iptables --table filter --append bar-a\w+ --source 10.44.0.0/24 --jump ACCEPT
|
|
96
|
+
iptables --table nat --append bar-s\w+ --source 10.55.0.0/24 --jump LOG --to-source 172.23.0.95
|
|
97
|
+
iptables --table nat --append bar-s\w+ --source 10.55.0.0/24 --jump SNAT --to-source 172.23.0.95
|
|
98
|
+
iptables --table filter --append bar-a\w+ --source 10.55.0.0/24 --jump LOG
|
|
99
|
+
iptables --table filter --append bar-a\w+ --source 10.55.0.0/24 --jump ACCEPT
|
|
100
|
+
iptables --table nat --insert partition-s --source 10.33.0.0/24 --jump bar-s\w+
|
|
101
|
+
iptables --table nat --insert partition-s --source 10.33.0.0/24 --jump LOG
|
|
102
|
+
iptables --table nat --insert partition-s --source 10.44.0.0/24 --jump bar-s\w+
|
|
103
|
+
iptables --table nat --insert partition-s --source 10.44.0.0/24 --jump LOG
|
|
104
|
+
iptables --table nat --insert partition-s --source 10.55.0.0/24 --jump bar-s\w+
|
|
105
|
+
iptables --table nat --insert partition-s --source 10.55.0.0/24 --jump LOG
|
|
106
|
+
iptables --table filter --insert partition-a --source 10.33.0.0/24 --jump bar-a\w+
|
|
107
|
+
iptables --table filter --insert partition-a --source 10.33.0.0/24 --jump LOG
|
|
108
|
+
iptables --table filter --insert partition-a --source 10.44.0.0/24 --jump bar-a\w+
|
|
109
|
+
iptables --table filter --insert partition-a --source 10.44.0.0/24 --jump LOG
|
|
110
|
+
iptables --table filter --insert partition-a --source 10.55.0.0/24 --jump bar-a\w+
|
|
111
|
+
iptables --table filter --insert partition-a --source 10.55.0.0/24 --jump LOG
|
|
112
|
+
"""
|
|
113
|
+
Then the created chain name in all tables should match
|
|
114
|
+
|
|
@@ -0,0 +1,271 @@
|
|
|
1
|
+
Feature: Ript DSL
|
|
2
|
+
|
|
3
|
+
Scenario: Basic partition
|
|
4
|
+
When I run `ript rules generate examples/basic.rb`
|
|
5
|
+
Then the output should match:
|
|
6
|
+
"""
|
|
7
|
+
iptables --table nat --new-chain basic-d\w+
|
|
8
|
+
iptables --table nat --new-chain basic-s\w+
|
|
9
|
+
iptables --table filter --new-chain basic-a\w+
|
|
10
|
+
"""
|
|
11
|
+
Then the created chain name in all tables should match
|
|
12
|
+
|
|
13
|
+
@nat @dnat
|
|
14
|
+
Scenario: Basic DNAT forward
|
|
15
|
+
When I run `ript rules generate examples/forward-dnat.rb`
|
|
16
|
+
Then the output should match:
|
|
17
|
+
"""
|
|
18
|
+
iptables --table nat --new-chain bar-d\w+
|
|
19
|
+
iptables --table nat --new-chain bar-s\w+
|
|
20
|
+
iptables --table filter --new-chain bar-a\w+
|
|
21
|
+
"""
|
|
22
|
+
Then the output should match:
|
|
23
|
+
"""
|
|
24
|
+
iptables --table nat --append bar-d\w+ --protocol TCP --destination 172.23.0.95 --dport 80 --jump DNAT --to-destination 192.168.19.2
|
|
25
|
+
iptables --table filter --append bar-a\w+ --protocol TCP --destination 192.168.19.2 --dport 80 --jump ACCEPT
|
|
26
|
+
"""
|
|
27
|
+
Then the output should match:
|
|
28
|
+
"""
|
|
29
|
+
iptables --table nat --insert partition-d --destination 172.23.0.95 --jump bar-d\w+
|
|
30
|
+
iptables --table filter --insert partition-a --destination 192.168.19.2 --jump bar-a\w+
|
|
31
|
+
"""
|
|
32
|
+
Then the created chain name in all tables should match
|
|
33
|
+
|
|
34
|
+
@nat @dnat
|
|
35
|
+
Scenario: DNAT forward with multiple ports
|
|
36
|
+
When I run `ript rules generate examples/forward-dnat-with-multiple-ports.rb`
|
|
37
|
+
Then the output should match:
|
|
38
|
+
"""
|
|
39
|
+
iptables --table nat --new-chain bar-d\w+
|
|
40
|
+
iptables --table nat --new-chain bar-s\w+
|
|
41
|
+
iptables --table filter --new-chain bar-a\w+
|
|
42
|
+
"""
|
|
43
|
+
Then the output should match:
|
|
44
|
+
"""
|
|
45
|
+
iptables --table nat --insert partition-d --destination 172.23.0.95 --jump bar-d\w+
|
|
46
|
+
"""
|
|
47
|
+
Then the output should match:
|
|
48
|
+
"""
|
|
49
|
+
iptables --table nat --append bar-d\w+ --protocol TCP --destination 172.23.0.95 --dport 80 --jump DNAT --to-destination 192.168.19.2
|
|
50
|
+
"""
|
|
51
|
+
Then the output should match:
|
|
52
|
+
"""
|
|
53
|
+
iptables --table nat --append bar-d\w+ --protocol TCP --destination 172.23.0.95 --dport 22 --jump DNAT --to-destination 192.168.19.2
|
|
54
|
+
"""
|
|
55
|
+
Then the created chain name in all tables should match
|
|
56
|
+
|
|
57
|
+
@nat @dnat
|
|
58
|
+
Scenario: DNAT forward with source port to different destination port
|
|
59
|
+
When I run `ript rules generate examples/forward-dnat-with-different-destination-port.rb`
|
|
60
|
+
Then the output should match:
|
|
61
|
+
"""
|
|
62
|
+
iptables --table nat --new-chain foo-d\w+
|
|
63
|
+
iptables --table nat --new-chain foo-s\w+
|
|
64
|
+
iptables --table filter --new-chain foo-a\w+
|
|
65
|
+
"""
|
|
66
|
+
Then the output should match:
|
|
67
|
+
"""
|
|
68
|
+
iptables --table nat --insert partition-d --destination 172.23.0.88 --jump foo-d\w+
|
|
69
|
+
"""
|
|
70
|
+
Then the output should match:
|
|
71
|
+
"""
|
|
72
|
+
iptables --table nat --append foo-d\w+ --protocol TCP --destination 172.23.0.88 --dport 22 --jump DNAT --to-destination 192.168.38.1:9876
|
|
73
|
+
"""
|
|
74
|
+
Then the output should match:
|
|
75
|
+
"""
|
|
76
|
+
iptables --table nat --insert partition-d --destination 172.23.0.90 --jump foo-d\w+
|
|
77
|
+
"""
|
|
78
|
+
Then the output should match:
|
|
79
|
+
"""
|
|
80
|
+
iptables --table nat --append foo-d\w+ --protocol TCP --destination 172.23.0.90 --dport 22 --jump DNAT --to-destination 192.168.38.2:9876
|
|
81
|
+
iptables --table filter --append foo-a\w+ --protocol TCP --destination 192.168.38.2 --dport 9876 --jump ACCEPT
|
|
82
|
+
iptables --table nat --append foo-d\w+ --protocol TCP --destination 172.23.0.90 --dport 443 --jump DNAT --to-destination 192.168.38.2:4443
|
|
83
|
+
iptables --table filter --append foo-a\w+ --protocol TCP --destination 192.168.38.2 --dport 4443 --jump ACCEPT
|
|
84
|
+
"""
|
|
85
|
+
Then the created chain name in all tables should match
|
|
86
|
+
|
|
87
|
+
@nat @dnat
|
|
88
|
+
Scenario: DNAT forward for multiple sources
|
|
89
|
+
When I run `ript rules generate examples/forward-dnat-with-multiple-sources.rb`
|
|
90
|
+
Then the output should match:
|
|
91
|
+
"""
|
|
92
|
+
iptables --table nat --new-chain bar-d\w+
|
|
93
|
+
iptables --table nat --new-chain bar-s\w+
|
|
94
|
+
iptables --table filter --new-chain bar-a\w+
|
|
95
|
+
"""
|
|
96
|
+
Then the output should match:
|
|
97
|
+
"""
|
|
98
|
+
iptables --table nat --append bar-d\w+ --protocol TCP --destination 172.23.0.95 --dport 80 --jump DNAT --to-destination 192.168.27.88
|
|
99
|
+
iptables --table filter --append bar-a\w+ --protocol TCP --destination 192.168.27.88 --dport 80 --jump ACCEPT
|
|
100
|
+
iptables --table nat --append bar-d\w+ --protocol TCP --destination 172.23.0.96 --dport 80 --jump DNAT --to-destination 192.168.27.88
|
|
101
|
+
iptables --table nat --append bar-d\w+ --protocol TCP --destination 172.23.0.97 --dport 80 --jump DNAT --to-destination 192.168.27.88
|
|
102
|
+
"""
|
|
103
|
+
Then the output should match:
|
|
104
|
+
"""
|
|
105
|
+
iptables --table nat --insert partition-d --destination 172.23.0.95 --jump bar-d\w+
|
|
106
|
+
iptables --table nat --insert partition-d --destination 172.23.0.96 --jump bar-d\w+
|
|
107
|
+
iptables --table nat --insert partition-d --destination 172.23.0.97 --jump bar-d\w+
|
|
108
|
+
iptables --table filter --insert partition-a --destination 192.168.27.88 --jump bar-a\w+
|
|
109
|
+
"""
|
|
110
|
+
Then the created chain name in all tables should match
|
|
111
|
+
|
|
112
|
+
@nat @dnat
|
|
113
|
+
Scenario: DNAT forward with an explicit from
|
|
114
|
+
When I run `ript rules generate examples/forward-dnat-with-explicit-from.rb`
|
|
115
|
+
Then the output should match:
|
|
116
|
+
"""
|
|
117
|
+
iptables --table nat --new-chain bar-d\w+
|
|
118
|
+
iptables --table nat --new-chain bar-s\w+
|
|
119
|
+
iptables --table filter --new-chain bar-a\w+
|
|
120
|
+
"""
|
|
121
|
+
Then the output should match:
|
|
122
|
+
"""
|
|
123
|
+
iptables --table nat --append bar-d\w+ --protocol TCP --source 192.168.23.70/27 --destination 172.23.0.95 --dport 80 --jump DNAT --to-destination 192.168.27.66
|
|
124
|
+
iptables --table filter --append bar-a\w+ --protocol TCP --destination 192.168.27.66 --dport 80 --jump ACCEPT
|
|
125
|
+
iptables --table nat --insert partition-d --destination 172.23.0.95 --jump bar-d\w+
|
|
126
|
+
iptables --table filter --insert partition-a --destination 192.168.27.66 --jump bar-a\w+
|
|
127
|
+
"""
|
|
128
|
+
Then the created chain name in all tables should match
|
|
129
|
+
|
|
130
|
+
@nat @dnat
|
|
131
|
+
Scenario: DNAT forward with multiple froms
|
|
132
|
+
When I run `ript rules generate examples/forward-dnat-with-multiple-froms.rb`
|
|
133
|
+
Then the output should match:
|
|
134
|
+
"""
|
|
135
|
+
iptables --table nat --new-chain joeblogsco-d\w+
|
|
136
|
+
iptables --table nat --new-chain joeblogsco-s\w+
|
|
137
|
+
iptables --table filter --new-chain joeblogsco-a\w+
|
|
138
|
+
"""
|
|
139
|
+
Then the output should match:
|
|
140
|
+
"""
|
|
141
|
+
iptables --table nat --append joeblogsco-d\w+ --protocol TCP --source 1.2.3.4 --destination 172.19.10.99 --dport 80 --jump DNAT --to-destination 192.168.27.66
|
|
142
|
+
iptables --table filter --append joeblogsco-a\w+ --protocol TCP --destination 192.168.27.66 --dport 80 --jump ACCEPT
|
|
143
|
+
iptables --table nat --append joeblogsco-d\w+ --protocol TCP --source 4.5.6.7 --destination 172.19.10.99 --dport 80 --jump DNAT --to-destination 192.168.27.66
|
|
144
|
+
iptables --table nat --append joeblogsco-d\w+ --protocol TCP --source 7.8.9.10 --destination 172.19.10.99 --dport 80 --jump DNAT --to-destination 192.168.27.66
|
|
145
|
+
iptables --table nat --insert partition-d --destination 172.19.10.99 --jump joeblogsco-d\w+
|
|
146
|
+
iptables --table filter --insert partition-a --destination 192.168.27.66 --jump joeblogsco-a\w+
|
|
147
|
+
"""
|
|
148
|
+
Then the created chain name in all tables should match
|
|
149
|
+
|
|
150
|
+
@nat @dnat
|
|
151
|
+
Scenario: DNAT forward with an explicit from and ports
|
|
152
|
+
When I run `ript rules generate examples/forward-dnat-with-explicit-from-and-ports.rb`
|
|
153
|
+
Then the output should match:
|
|
154
|
+
"""
|
|
155
|
+
iptables --table nat --new-chain bar-d\w+
|
|
156
|
+
iptables --table nat --new-chain bar-s\w+
|
|
157
|
+
iptables --table filter --new-chain bar-a\w+
|
|
158
|
+
"""
|
|
159
|
+
Then the output should match:
|
|
160
|
+
"""
|
|
161
|
+
iptables --table nat --append bar-d\w+ --protocol TCP --source 192.168.23.70/27 --destination 172.23.0.95 --dport 82 --jump DNAT --to-destination 192.168.27.66
|
|
162
|
+
iptables --table filter --append bar-a\w+ --protocol TCP --destination 192.168.27.66 --dport 82 --jump ACCEPT
|
|
163
|
+
iptables --table nat --insert partition-d --destination 172.23.0.95 --jump bar-d\w+
|
|
164
|
+
iptables --table filter --insert partition-a --destination 192.168.27.66 --jump bar-a\w+
|
|
165
|
+
"""
|
|
166
|
+
Then the created chain name in all tables should match
|
|
167
|
+
|
|
168
|
+
@nat @dnat
|
|
169
|
+
Scenario: DNAT forward with an explicit from and port mappings
|
|
170
|
+
When I run `ript rules generate examples/forward-dnat-with-explicit-from-and-port-mappings.rb`
|
|
171
|
+
Then the output should match:
|
|
172
|
+
"""
|
|
173
|
+
iptables --table nat --new-chain bar-d\w+
|
|
174
|
+
iptables --table nat --new-chain bar-s\w+
|
|
175
|
+
iptables --table filter --new-chain bar-a\w+
|
|
176
|
+
"""
|
|
177
|
+
Then the output should match:
|
|
178
|
+
"""
|
|
179
|
+
iptables --table nat --append bar-d\w+ --protocol TCP --source 192.168.23.70/27 --destination 172.23.0.95 --dport 139 --jump DNAT --to-destination 192.168.27.66:2011
|
|
180
|
+
iptables --table filter --append bar-a\w+ --protocol TCP --destination 192.168.27.66 --dport 2011 --jump ACCEPT
|
|
181
|
+
iptables --table nat --insert partition-d --destination 172.23.0.95 --jump bar-d\w+
|
|
182
|
+
iptables --table filter --insert partition-a --destination 192.168.27.66 --jump bar-a\w+
|
|
183
|
+
"""
|
|
184
|
+
Then the created chain name in all tables should match
|
|
185
|
+
|
|
186
|
+
@nat @dnat
|
|
187
|
+
Scenario: DNAT forward with explicit protocols
|
|
188
|
+
When I run `ript rules generate examples/forward-dnat-with-explicit-protocols.rb`
|
|
189
|
+
Then the output should match:
|
|
190
|
+
"""
|
|
191
|
+
iptables --table nat --new-chain cpm-d\w+
|
|
192
|
+
iptables --table nat --new-chain cpm-s\w+
|
|
193
|
+
iptables --table filter --new-chain cpm-a\w+
|
|
194
|
+
"""
|
|
195
|
+
Then the output should match:
|
|
196
|
+
"""
|
|
197
|
+
iptables --table nat --append cpm-d\w+ --protocol udp --source 172.19.4.55 --destination 172.18.88.33 --dport 53 --jump DNAT --to-destination 192.168.0.133
|
|
198
|
+
iptables --table filter --append cpm-a\w+ --protocol udp --destination 192.168.0.133 --dport 53 --jump ACCEPT
|
|
199
|
+
iptables --table nat --append cpm-d\w+ --protocol tcp --source 172.19.4.55 --destination 172.18.88.33 --dport 53 --jump DNAT --to-destination 192.168.0.133
|
|
200
|
+
iptables --table filter --append cpm-a\w+ --protocol tcp --destination 192.168.0.133 --dport 53 --jump ACCEPT
|
|
201
|
+
iptables --table nat --insert partition-d --destination 172.18.88.33 --jump cpm-d\w+
|
|
202
|
+
iptables --table filter --insert partition-a --destination 192.168.0.133 --jump cpm-a\w+
|
|
203
|
+
"""
|
|
204
|
+
Then the created chain name in all tables should match
|
|
205
|
+
|
|
206
|
+
|
|
207
|
+
@nat @snat
|
|
208
|
+
Scenario: Basic SNAT forward
|
|
209
|
+
When I run `ript rules generate examples/forward-snat.rb`
|
|
210
|
+
Then the output should match:
|
|
211
|
+
"""
|
|
212
|
+
iptables --table nat --new-chain bar-d\w+
|
|
213
|
+
iptables --table nat --new-chain bar-s\w+
|
|
214
|
+
iptables --table filter --new-chain bar-a\w+
|
|
215
|
+
"""
|
|
216
|
+
Then the output should match:
|
|
217
|
+
"""
|
|
218
|
+
iptables --table nat --append bar-s\w+ --source 10.30.0.0/24 --jump SNAT --to-source 172.23.0.95
|
|
219
|
+
iptables --table filter --append bar-a\w+ --source 10.30.0.0/24 --jump ACCEPT
|
|
220
|
+
iptables --table nat --insert partition-s --source 10.30.0.0/24 --jump bar-s\w+
|
|
221
|
+
iptables --table filter --insert partition-a --source 10.30.0.0/24 --jump bar-a\w+
|
|
222
|
+
"""
|
|
223
|
+
Then the created chain name in all tables should match
|
|
224
|
+
|
|
225
|
+
@nat @snat
|
|
226
|
+
Scenario: SNAT forward for multiple sources
|
|
227
|
+
When I run `ript rules generate examples/forward-snat-with-multiple-sources.rb`
|
|
228
|
+
Then the output should match:
|
|
229
|
+
"""
|
|
230
|
+
iptables --table nat --new-chain bar-d\w+
|
|
231
|
+
iptables --table nat --new-chain bar-s\w+
|
|
232
|
+
iptables --table filter --new-chain bar-a\w+
|
|
233
|
+
"""
|
|
234
|
+
Then the output should match:
|
|
235
|
+
"""
|
|
236
|
+
iptables --table nat --append bar-s\w+ --source 10.33.0.0/24 --jump SNAT --to-source 172.23.0.95
|
|
237
|
+
iptables --table filter --append bar-a\w+ --source 10.33.0.0/24 --jump ACCEPT
|
|
238
|
+
iptables --table nat --append bar-s\w+ --source 10.44.0.0/24 --jump SNAT --to-source 172.23.0.95
|
|
239
|
+
iptables --table filter --append bar-a\w+ --source 10.44.0.0/24 --jump ACCEPT
|
|
240
|
+
iptables --table nat --append bar-s\w+ --source 10.55.0.0/24 --jump SNAT --to-source 172.23.0.95
|
|
241
|
+
iptables --table filter --append bar-a\w+ --source 10.55.0.0/24 --jump ACCEPT
|
|
242
|
+
iptables --table nat --insert partition-s --source 10.33.0.0/24 --jump bar-s\w+
|
|
243
|
+
iptables --table nat --insert partition-s --source 10.44.0.0/24 --jump bar-s\w+
|
|
244
|
+
iptables --table nat --insert partition-s --source 10.55.0.0/24 --jump bar-s\w+
|
|
245
|
+
iptables --table filter --insert partition-a --source 10.33.0.0/24 --jump bar-a\w+
|
|
246
|
+
iptables --table filter --insert partition-a --source 10.44.0.0/24 --jump bar-a\w+
|
|
247
|
+
iptables --table filter --insert partition-a --source 10.55.0.0/24 --jump bar-a\w+
|
|
248
|
+
"""
|
|
249
|
+
Then the created chain name in all tables should match
|
|
250
|
+
|
|
251
|
+
@nat @snat
|
|
252
|
+
Scenario: SNAT forward with an explicit from
|
|
253
|
+
When I run `ript rules generate examples/forward-snat-with-explicit-from.rb`
|
|
254
|
+
Then the output should match:
|
|
255
|
+
"""
|
|
256
|
+
iptables --table nat --new-chain bar-d\w+
|
|
257
|
+
iptables --table nat --new-chain bar-s\w+
|
|
258
|
+
iptables --table filter --new-chain bar-a\w+
|
|
259
|
+
"""
|
|
260
|
+
Then the output should match:
|
|
261
|
+
"""
|
|
262
|
+
iptables --table nat --append bar-s\w+ --source 10.55.0.45 --jump SNAT --to-source 172.24.0.99
|
|
263
|
+
iptables --table filter --append bar-a\w+ --source 10.55.0.45 --jump ACCEPT
|
|
264
|
+
iptables --table nat --append bar-s\w+ --source 10.55.0.0/24 --jump SNAT --to-source 172.23.0.95
|
|
265
|
+
iptables --table filter --append bar-a\w+ --source 10.55.0.0/24 --jump ACCEPT
|
|
266
|
+
iptables --table nat --insert partition-s --source 10.55.0.45 --jump bar-s\w+
|
|
267
|
+
iptables --table nat --insert partition-s --source 10.55.0.0/24 --jump bar-s\w+
|
|
268
|
+
iptables --table filter --insert partition-a --source 10.55.0.45 --jump bar-a\w+
|
|
269
|
+
iptables --table filter --insert partition-a --source 10.55.0.0/24 --jump bar-a\w+
|
|
270
|
+
"""
|
|
271
|
+
Then the created chain name in all tables should match
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
Feature: Raw iptables rules
|
|
2
|
+
When implementing firewalls in complex environments
|
|
3
|
+
Sometimes an operator needs a more precise vocabulary
|
|
4
|
+
To express non-partition specific rules
|
|
5
|
+
|
|
6
|
+
@raw
|
|
7
|
+
Scenario: Raw rules
|
|
8
|
+
When I run `ript rules generate examples/raw.rb`
|
|
9
|
+
Then the output should match:
|
|
10
|
+
"""
|
|
11
|
+
# setup-\w+
|
|
12
|
+
"""
|
|
13
|
+
#Then the created chain name in all tables should match
|
|
14
|
+
|
|
15
|
+
@raw @error
|
|
16
|
+
Scenario: Raw rules validation
|
|
17
|
+
When I run `ript rules generate examples/raw-with-flush.rb`
|
|
18
|
+
Then the output should match:
|
|
19
|
+
"""
|
|
20
|
+
Error: partition boilerplate - you can't use raw rules that flush tables or chains!
|
|
21
|
+
"""
|
|
22
|
+
When I run `ript rules generate examples/raw-with-chain-deletion.rb`
|
|
23
|
+
Then the output should match:
|
|
24
|
+
"""
|
|
25
|
+
Error: partition boilerplate - you can't use raw rules that delete chains!
|
|
26
|
+
"""
|
|
27
|
+
#Then the created chain name in all tables should match
|
|
28
|
+
|
|
@@ -0,0 +1,58 @@
|
|
|
1
|
+
Feature: Ript Setup
|
|
2
|
+
|
|
3
|
+
@sudo @timeout-10
|
|
4
|
+
Scenario: Partition chain is set up
|
|
5
|
+
Given I have no iptables rules loaded
|
|
6
|
+
When I run `ript rules diff examples/basic.rb`
|
|
7
|
+
Then the output should match:
|
|
8
|
+
"""
|
|
9
|
+
iptables --table filter --new-chain partition-a
|
|
10
|
+
iptables --table filter --insert INPUT 1 --jump partition-a
|
|
11
|
+
iptables --table filter --insert OUTPUT 1 --jump partition-a
|
|
12
|
+
iptables --table filter --insert FORWARD 1 --jump partition-a
|
|
13
|
+
iptables --table nat --new-chain partition-d
|
|
14
|
+
iptables --table nat --insert PREROUTING 1 --jump partition-d
|
|
15
|
+
iptables --table nat --new-chain partition-s
|
|
16
|
+
iptables --table nat --insert POSTROUTING 1 --jump partition-s
|
|
17
|
+
|
|
18
|
+
|
|
19
|
+
# basic-\w+
|
|
20
|
+
iptables --table nat --new-chain basic-d\w+
|
|
21
|
+
iptables --table nat --new-chain basic-s\w+
|
|
22
|
+
iptables --table filter --new-chain basic-a\w+
|
|
23
|
+
"""
|
|
24
|
+
Then the created chain name in all tables should match
|
|
25
|
+
|
|
26
|
+
@sudo @timeout-10
|
|
27
|
+
Scenario: Partition chain is only added once
|
|
28
|
+
Given I have no iptables rules loaded
|
|
29
|
+
When I run `ript rules apply examples/basic.rb`
|
|
30
|
+
Then the output from "ript rules apply examples/basic.rb" should match:
|
|
31
|
+
"""
|
|
32
|
+
iptables --table filter --new-chain partition-a
|
|
33
|
+
iptables --table filter --insert INPUT 1 --jump partition-a
|
|
34
|
+
iptables --table filter --insert OUTPUT 1 --jump partition-a
|
|
35
|
+
iptables --table filter --insert FORWARD 1 --jump partition-a
|
|
36
|
+
iptables --table nat --new-chain partition-d
|
|
37
|
+
iptables --table nat --insert PREROUTING 1 --jump partition-d
|
|
38
|
+
iptables --table nat --new-chain partition-s
|
|
39
|
+
iptables --table nat --insert POSTROUTING 1 --jump partition-s
|
|
40
|
+
|
|
41
|
+
|
|
42
|
+
# basic-\w+
|
|
43
|
+
iptables --table nat --new-chain basic-d\w+
|
|
44
|
+
iptables --table nat --new-chain basic-s\w+
|
|
45
|
+
iptables --table filter --new-chain basic-a\w+
|
|
46
|
+
"""
|
|
47
|
+
When I run `ript rules apply examples/partition-name-exactly-20-characters.rb`
|
|
48
|
+
Then the output from "ript rules apply examples/partition-name-exactly-20-characters.rb" should contain exactly:
|
|
49
|
+
"""
|
|
50
|
+
# name_exactly_20_char-f9964b
|
|
51
|
+
iptables --table nat --new-chain name_exactly_20_char-df9964b
|
|
52
|
+
iptables --table nat --new-chain name_exactly_20_char-sf9964b
|
|
53
|
+
iptables --table filter --new-chain name_exactly_20_char-af9964b
|
|
54
|
+
|
|
55
|
+
|
|
56
|
+
|
|
57
|
+
"""
|
|
58
|
+
Then the created chain name in all tables should match
|