riptables 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 6163673be40ac8debc91fbbb58b934d622a0551b
+  data.tar.gz: 834420f08005d80abf266219d82445f9187b42cb
+SHA512:
+  metadata.gz: ffcca219d8afdab19f25844fa2e6352cd49f5149e7254fc70c691864db89c7698a4d7950639b9a93900165544cfe5bfb0b65901903352f1b3fa7d19eaaa71153
+  data.tar.gz: 97b4c44f8ec3b26978c6cf7e3bca149a7dfa79277f4f77db1e627beacf47f84b25e123444b427653e94bd8e1d087e6264a6a60ce26f48942e739ad7007b4c5e0

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2014 Adam Cooke.
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,130 @@
+# Riptables
+
+Riptables (pronounced ri-pee-tables) is a Ruby DSL for generating configuration
+for IP tables. The following design goals were employed for development:
+
+* Must support IPv4 and IPv6 rules
+* Must allow a single file to contain configuration for multiple environments
+  based on a given `role` and `zone`.
+* Must support any type of table or chain.
+* Must support any rule or action without limitation.
+* Must include a command line tool for exporting configuration.
+* Should be simple to understand the configuration syntax.
+* Should be well documentated.
+
+## `FirewallFile` Syntax
+
+Riptables works with `FirewallFile` which contains the complete configuration for
+all servers where this configuration will be distributed. In this example, we're
+just going to configure a single rule to drop everything except SSH.
+
+```ruby
+# Using the `table` method we define a new table. In this case, we'll be
+# configuring a simple firewall.
+table :filter do
+
+  # Set some default actions for the three main chains in the filter table.
+  # The action you enter will simply be passed to iptables. If it is a symbol
+  # it will be uppercased otherwise it will be passed through un-touched.
+  default_action :input,    :drop
+  default_action :forward,  :accept
+  default_action :output,   :accept
+
+  # In it's most basic form, you can add rules by simply calling the name of the
+  # chain and a description.
+  input "Allow SSH" do
+    # Set the conditions for the rule you want to apply. This is passed unfettered
+    # to iptables so you can write anything you would normally before the -j flag.
+    rule "-p tcp --dport 22"
+    # Set the action to take if the rule is matched. If this is a symbol it will
+    # be uppercased automatically. If it's a string, it will be passed stright
+    # through after a -j flag.
+    action :accept
+  end
+
+end
+```
+
+### Permutations
+
+If you have rules which are always similar to other rules (for example a set of
+IP ranges which must all be permitted) you can use permutations.
+
+```ruby
+input "Allow web access" do
+  rule "-p tcp --dport {{port}}"
+  action :accept
+  permutation "Insecure", :port => "80"
+  permutation "Secure",   :port => "443"
+end
+```
+
+Each permutation will be applied as its own rule using the base rule as a template.
+Using the variable interpolation, you can insert any variable you wish in each
+permutation. The final `:v => 4` option sets that this should only apply to the
+IPv4 firewall - it can be set to 6 to only apply them to IPv6 firewalls.
+
+### Zones & Roles
+
+If you have different types of servers and want to apply different rules based
+on what and where a machine is, you can do so. You can either limit whole rules
+or just permutations within a rule.
+
+```ruby
+# Any rules which are defined within this role block will only be included when
+# you generate an iptables config for the `vpn` role.
+role :vpn do
+
+  input "Allow management access" do
+    rule "-s {{ip}}"
+    action :accept
+    permutation "Allow Internal",   :ip => '10.0.0.0/16',           :v => 4
+    permutation "Allow IPv6",       :ip => '2a00:67a0:a:123::/64',  :v => 6
+
+    # Any permutations within this block will only be included when you generate
+    # an iptavles config for any `eu-east` zone or 'us-west-4'.
+    zone /eu\-east\-(\d+)/, "us-west-4" do
+      permutation "aTech Media",    :ip => "185.22.208.0/25",     :v => 4
+    end
+  end
+
+end
+```
+
+### IPv4 vs. IPv6
+
+By default, any rule you configure will apply to both your IPv4 firewall and your
+IPv6 firewall. However, you can define rule or permutations to only use one or
+the other.
+
+```ruby
+input "Block nasty IPv6 person" do
+  rule "-s 2a00:67a0:abc::1234/128"
+  action :drop
+  # Add the `version` option to restrict this rule to the IPv6 firewall only.
+  # You can also use `4` for the IPv4 firewall.
+  version 6
+end
+```
+
+You'll see in the previous example, you can pass the `:v` option to permutations
+to restrict which firewall they belong to. Default rules will always apply to
+both and cannot currently be different depending on IP version.
+
+## Command Line
+
+The `riptables` command is used to generate your iptables-save files. These can
+then be used with `iptables-restore`.
+
+```text
+$ riptables
+```
+
+The following options are supported and can be used interchagably:
+
+* `-4` - return the IPv4 configuration (default)
+* `-6` - return the IPv6 configuration (defaults to v4)
+* `-f [PATH]` - path to your FirewallFile (defaults to ./FirewallFile)
+* `--zone [ZONE]` - set the zone to export configuration for
+* `--role [ROLE]` - set the role to export configuration for
+* `--color` - return a [colorized output](http://s.adamcooke.io/14/Vmzd2.png) (useful for debugging)

data/bin/riptables

@@ -0,0 +1,34 @@
+#!/usr/bin/env ruby
+$:.unshift(File.expand_path('../../lib', __FILE__))
+require 'riptables'
+require 'optparse'
+
+options = {}
+options[:conditions] = {}
+options[:color] = false
+ipv = 4
+load_path = File.expand_path('./FirewallFile')
+
+OptionParser.new do |opts|
+  opts.banner = "Usage: riptables [options]"
+  opts.on("-4", "Return IPv6 records")  { ipv = 4 }
+  opts.on("-6", "Return IPv6 records")  { ipv = 6 }
+  opts.on("-r", "--role [ROLE]", "The role to generate for")  { |v| options[:conditions][:role] = v }
+  opts.on("-z", "--zone [ZONE]", "The zone to generate for")  { |v| options[:conditions][:zone] = v }
+  opts.on("--color", "Colorize the output")                   { |v| options[:color] = true }
+  opts.on("--color", "Colorize the output")                   { |v| options[:color] = true }
+  opts.on("-f", "--file [PATH]", "The Riptables configuration file") { |v| load_path = v }
+end.parse!
+
+begin
+  Riptables.load_from_file(load_path)
+  Riptables.tables.each do |table|
+    puts table.export(options).to_savefile(ipv)
+  end
+rescue Riptables::Error => e
+  $stderr.puts "\e[31m#{e}\e[0m"
+  exit 1
+rescue => e
+  $stderr.puts "\e[31m#{e.class}: #{e.message}\e[0m"
+  exit 1
+end

data/lib/riptables.rb

@@ -0,0 +1,26 @@
+require 'riptables/dsl/root'
+require 'riptables/error'
+
+module Riptables
+
+  # 
+  # Store all tables configured
+  #
+  def self.tables
+    @tables ||= []
+  end
+
+  #
+  # Parse a given file
+  #
+  def self.load_from_file(file)
+    if File.file?(file)
+      dsl = DSL::Root.new
+      dsl.instance_eval(File.read(file), file)
+      true
+    else
+      raise Error, "File not found at `#{file}`"
+    end
+  end
+
+end

data/lib/riptables/chain.rb

@@ -0,0 +1,17 @@
+module Riptables
+  class Chain
+
+    def initialize(table, name)
+      @table = table
+      @name = name
+      @default_action = :accept
+      @rules = []
+    end
+
+    attr_accessor :default_action
+    attr_reader :table
+    attr_reader :name
+    attr_reader :rules
+
+  end
+end

data/lib/riptables/condition.rb

@@ -0,0 +1,25 @@
+require 'riptables/condition'
+
+module Riptables
+  class Condition
+
+    def self.conditions
+      @conditions ||= []
+    end
+
+    def initialize(condition, &block)
+      @condition = [condition].flatten
+      @block = block
+      self.call
+    end
+
+    attr_reader :condition
+
+    def call
+      Condition.conditions << self
+      @block.call
+      Condition.conditions.delete(self)
+    end
+
+  end
+end

data/lib/riptables/dsl/global.rb

@@ -0,0 +1,30 @@
+require 'riptables/zone_condition'
+require 'riptables/role_condition'
+
+module Riptables
+  module DSL
+    class Global
+
+      #
+      # Any rules which are defined while inside this block should only apply
+      # to the associated zones.
+      #
+      def zone(*zones, &block)
+        ZoneCondition.new(zones) do
+          block.call
+        end
+      end
+
+      #
+      # Any rules which are defined while inside this block should only apply
+      # to the associated roles.
+      #
+      def role(*roles, &block)
+        RoleCondition.new(roles) do
+          block.call
+        end
+      end
+
+    end
+  end
+end

data/lib/riptables/dsl/root.rb

@@ -0,0 +1,19 @@
+require 'riptables/dsl/global'
+require 'riptables/table'
+
+module Riptables
+  module DSL
+    class Root < Global
+
+      #
+      # Rules within a given table
+      #
+      def table(name, &block)
+        table = Riptables::Table.new(name)
+        table.dsl.instance_eval(&block)
+        Riptables.tables << table
+      end
+
+    end
+  end
+end

data/lib/riptables/dsl/rule.rb

@@ -0,0 +1,30 @@
+require 'riptables/dsl/global'
+require 'riptables/rule_permutation'
+
+module Riptables
+  module DSL
+    class Rule < Global
+
+      def initialize(rule)
+        @rule = rule
+      end
+
+      def rule(rule)
+        @rule.rule = rule
+      end
+
+      def action(action)
+        @rule.action = action
+      end
+
+      def permutation(description, options = {})
+        @rule.permutations << RulePermutation.new(@rule, description, options)
+      end
+
+      def version(number)
+        @rule.versions = [number]
+      end
+
+    end
+  end
+end

data/lib/riptables/dsl/table.rb

@@ -0,0 +1,43 @@
+require 'riptables/dsl/global'
+require 'riptables/rule'
+
+module Riptables
+  module DSL
+    class Table < Global
+
+      def initialize(table)
+        @table = table
+      end
+
+      #
+      # Defines a default rule for a chain on this table
+      #
+      def default_action(chain, action)
+        @table.chain(chain).default_action = action
+      end
+
+      #
+      # Add a new rule in this table
+      #
+      def rule(chain, description = nil, &block)
+        rule = Riptables::Rule.new(@table.chain(chain))
+        rule.description = description
+        rule.dsl.instance_eval(&block)
+        @table.chain(chain).rules << rule
+      end
+
+      #
+      # Any method which do not exist are most likely just new rules when inside
+      # this block.
+      #
+      def method_missing(chain, *args, &block)
+        if block_given?
+          self.rule(chain, *args, &block)
+        else
+          super
+        end
+      end
+
+    end
+  end
+end

data/lib/riptables/error.rb

@@ -0,0 +1,4 @@
+module Riptables
+  class Error < StandardError
+  end
+end

data/lib/riptables/role_condition.rb

@@ -0,0 +1,16 @@
+require 'riptables/condition'
+
+module Riptables
+  class RoleCondition < Condition
+
+    def matches?(conditions)
+      return false unless conditions[:role]
+      roles = conditions[:role].split(/\s?\,\s?/)
+      roles.each do |role|
+        return true if condition.any? { |c|  c.is_a?(Regexp) ? c.match(role) : role.to_s == c.to_s }
+      end
+      return false
+    end
+
+  end
+end

data/lib/riptables/rule.rb

@@ -0,0 +1,39 @@
+require 'riptables/dsl/rule'
+
+module Riptables
+  class Rule
+
+    def initialize(chain)
+      @chain = chain
+      @permutations = []
+      @conditions = Condition.conditions.dup
+      @versions = [4, 6]
+    end
+
+    attr_accessor :description
+    attr_accessor :rule
+    attr_accessor :action
+    attr_accessor :conditions
+    attr_accessor :versions
+    attr_reader :chain
+    attr_reader :permutations
+    attr_reader :conditions
+
+    def dsl
+      @dsl ||= DSL::Rule.new(self)
+    end
+
+    def include?(conditions)
+      @conditions.all? { |c| c.matches?(conditions) }
+    end
+
+    def permuted_rules
+      if permutations.empty?
+        [self]
+      else
+        permutations.map(&:to_rule)
+      end
+    end
+
+  end
+end

data/lib/riptables/rule_permutation.rb

@@ -0,0 +1,41 @@
+require 'riptables/condition'
+require 'riptables/rule'
+
+module Riptables
+  class RulePermutation
+
+    def initialize(rule, description, options = {})
+      @rule = rule
+      @description = description
+      @options = options
+      @conditions = Condition.conditions.dup - @rule.conditions
+    end
+
+    attr_reader :rule
+    attr_reader :description
+    attr_reader :options
+    attr_reader :conditions
+
+    #
+    # Convert this permutation into a full rule in its own right
+    #
+    def to_rule
+      new_rule = Rule.new(rule.chain)
+      new_rule.description = "#{rule.description} (#{self.description})"
+      new_rule.rule = rule.rule.gsub(/\{\{(\w+)\}\}/) do
+        if value = self.options[$1.to_sym]
+          value
+        else
+          "{{#{$1}}}"
+        end
+      end
+      new_rule.action = rule.action
+      new_rule.conditions = rule.conditions | self.conditions
+      if v = (self.options[:v] || self.options[:version])
+        new_rule.versions = [v.to_i]
+      end
+      new_rule
+    end
+
+  end
+end

data/lib/riptables/table.rb

@@ -0,0 +1,29 @@
+require 'riptables/dsl/table'
+require 'riptables/chain'
+require 'riptables/table_export'
+
+module Riptables
+  class Table
+
+    attr_reader :name
+    attr_reader :chains
+
+    def initialize(name)
+      @name = name
+      @chains = {}
+    end
+
+    def dsl
+      @dsl ||= DSL::Table.new(self)
+    end
+
+    def chain(name)
+      @chains[name] ||= Chain.new(self, name)
+    end
+
+    def export(options = {})
+      TableExport.new(self, options)
+    end
+
+  end
+end

data/lib/riptables/table_export.rb

@@ -0,0 +1,40 @@
+module Riptables
+  class TableExport
+
+    def initialize(table, options = {})
+      @table = table
+      @options = options
+    end
+
+    def to_savefile(version = 4)
+      Array.new.tap do |s|
+        s << "*#{col 31, @table.name}"
+        @table.chains.each do |_, chain|
+          s << ":#{col 32, chain.name.to_s.upcase} #{col 35, chain.default_action.to_s.upcase} [0:0]"
+        end
+
+        @table.chains.each do |_, chain|
+          chain.rules.map(&:permuted_rules).flatten.each do |rule|
+            next unless rule.include?(@options[:conditions] || {})
+            next unless rule.versions.include?(version)
+            action = rule.action ? "-j #{rule.action.is_a?(Symbol) ? rule.action.upcase : rule.action}" : ''
+            comment = "-m comment --comment=\"#{rule.description.gsub('"', '\'')}\""
+            s << "-A #{col 32, chain.name.to_s.upcase} #{col 33, rule.rule} #{col 35, action} #{col 36, comment}"
+          end
+        end
+
+        s << "COMMIT"
+        s << "# Compiled by riptables on #{Time.now.strftime("%a %b %e %H:%M:%S %Y")}"
+      end.join("\n")
+    end
+
+    def col(number, text)
+      if @options[:color] == false
+        text
+      else
+        "\e[#{number}m#{text}\e[0m"
+      end
+    end
+
+  end
+end

data/lib/riptables/version.rb

@@ -0,0 +1,3 @@
+module Riptables
+  VERSION = '1.0.0'
+end

data/lib/riptables/zone_condition.rb

@@ -0,0 +1,14 @@
+require 'riptables/condition'
+
+module Riptables
+  class ZoneCondition < Condition
+
+    def matches?(conditions)
+      conditions[:zone] &&
+      condition.any? do |c|
+        c.is_a?(Regexp) ? c.match(conditions[:zone]) : conditions[:zone].to_s == c.to_s
+      end
+    end
+
+  end
+end

metadata

@@ -0,0 +1,67 @@
+--- !ruby/object:Gem::Specification
+name: riptables
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Adam Cooke
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-11-21 00:00:00.000000000 Z
+dependencies: []
+description: 'An Ruby DSL for generating iptables configuration. '
+email:
+- me@adamcooke.io
+executables:
+- riptables
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- bin/riptables
+- lib/riptables.rb
+- lib/riptables/chain.rb
+- lib/riptables/condition.rb
+- lib/riptables/dsl/global.rb
+- lib/riptables/dsl/root.rb
+- lib/riptables/dsl/rule.rb
+- lib/riptables/dsl/table.rb
+- lib/riptables/error.rb
+- lib/riptables/role_condition.rb
+- lib/riptables/rule.rb
+- lib/riptables/rule_permutation.rb
+- lib/riptables/table.rb
+- lib/riptables/table_export.rb
+- lib/riptables/version.rb
+- lib/riptables/zone_condition.rb
+homepage: http://adamcooke.io
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.0'
+  - - "<"
+    - !ruby/object:Gem::Version
+      version: '3'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: An Ruby DSL for generating iptables configuration.
+test_files: []
+has_rdoc: