shutter 0.0.7 → 0.1.0

data/lib/shutter/files.rb

@@ -0,0 +1,31 @@
+module Shutter
+  class Files
+    include Shutter::Content
+    
+    class << self
+      include Shutter::Content
+      def create(dir, overwrite=false, except=[])
+        CONFIG_FILES.each do |name|
+          file = "#{dir}/#{name}"
+          if !File.exists?(file) || overwrite || except.include?(name)
+            File.open(file, 'w') do |f| 
+              f.write(const_get(name.upcase.gsub(/\./, "_")))
+            end
+          end
+        end
+      end
+
+      def create_config_dir(config_path)
+        # Check to see if the path to the config files exist
+        unless File.directory?(config_path)
+          begin
+            Dir.mkdir(config_path)
+          rescue Errno::ENOENT
+            raise "Could not create the configuration directory.  Check to see if the parent directory exists."
+          end
+        end
+      end
+    end
+
+  end
+end

data/lib/shutter/iptables.rb

@@ -1,13 +1,218 @@
-require 'shutter/iptables/base'
-require 'shutter/iptables/eyepee'
-require 'shutter/iptables/iface'
-require 'shutter/iptables/jail'
-require 'shutter/iptables/port'
-require 'shutter/iptables/forward'
-require 'shutter/os'
-
 module Shutter
-  module IPTables
-    IPTABLES_RESTORE="/sbin/iptables-restore"
+  module Firewall
+    class IPTables
+      RULES_DMZ_BLOCK         = "# [RULES:DMZ]"
+      RULES_FORWARD_BLOCK     = "# [RULES:FORWARD]"
+      RULES_POSTROUTING_BLOCK = "# [RULES:POSTROUTING]"
+      RULES_BASTARDS_BLOCK    = "# [RULES:BASTARDS]"
+      RULES_PUBLIC_BLOCK      = "# [RULES:PUBLIC]"
+      RULES_ALLOWIP_BLOCK     = "# [RULES:ALLOWIP]"
+      RULES_PRIVATE_BLOCK     = "# [RULES:PRIVATE]"
+      RULES_FAIL2BAN_BLOCK    = "# [RULES:FAIL2BAN]"
+      RULES_JAIL_BLOCK        = "# [RULES:JAIL]"
+      CHAIN_FAIL2BAN_BLOCK    = "# [CHAIN:FAIL2BAN]"
+
+      def initialize(path)
+        @path = path
+        @base = read("base.ipt",false).join("\n")
+        @iface_forward = read("iface.forward")
+        @ports_private = read("ports.private")
+        @ports_public = read("ports.public")
+        @ip_allow = read("ip.allow")
+        @ip_deny = read("ip.deny")
+        @dmz_device = read("iface.dmz")
+        @os = Shutter::OS.new
+      end
+
+      def base_sub(block,content)
+        @base = @base.gsub(/#{Regexp.quote(block)}/, content)
+      end
+
+      def generate
+        base_sub(RULES_DMZ_BLOCK,          dmz_device_block)
+        base_sub(RULES_FORWARD_BLOCK,      forward_block)
+        base_sub(RULES_POSTROUTING_BLOCK,  postrouting_block)
+        base_sub(RULES_BASTARDS_BLOCK,     deny_ip_block)
+        base_sub(RULES_PUBLIC_BLOCK,       allow_public_port_block)
+        base_sub(RULES_ALLOWIP_BLOCK,      allow_ip_block)
+        base_sub(RULES_PRIVATE_BLOCK,      allow_private_port_block)
+        base_sub(RULES_FAIL2BAN_BLOCK,     fail2ban_rules_block)
+        base_sub(RULES_JAIL_BLOCK,         jail_rules_block)
+        base_sub(CHAIN_FAIL2BAN_BLOCK,     fail2ban_chains_block)
+        clean
+      end
+
+      def to_s
+        @base
+      end
+
+      def clean
+        @base = @base.gsub(/^#.*$/, "")
+        @base = @base.gsub(/^$\n/, "") 
+      end
+
+      def read(file, filter=true)
+        #puts "Reading: #{@path}/#{file}"
+        lines = File.read("#{@path}/#{file}").split("\n")
+        # Doesn't work with 1.8.x
+        # lines.keep_if{ |line| line =~ /^[a-z0-9].+$/ } if filter
+        # so since we are iterating through this, well handle the stripping as well
+        # lines.map { |line| line.strip }
+        newlines = []
+        lines.each do |line|
+          if filter
+            newlines << line.strip if line =~ /^[a-z0-9].+$/
+          else
+            newlines << line.strip
+          end
+        end
+        newlines
+      end
+
+      def save
+        puts self.generate
+      end
+
+      def restore
+        IO.popen("#{iptables_restore}", "r+") do |iptr|
+          iptr.puts self.generate ; iptr.close_write
+        end
+      end
+
+      def persist(pfile)
+        File.open(pfile, "w") do |f|
+          f.write(@base)
+        end
+      end
+
+      ###
+      ### IPTables Commands
+      ###
+      def iptables_save
+        @iptable_save ||= `"#{@os.iptables_save}"`
+      end
+
+      def iptables_restore
+        "#{@os.iptables_restore}"
+      end
+
+      ###
+      ### Block Generation
+      ###
+      def forward_block
+        content = ""
+        @iface_forward.each do |line|
+          src, dst = line.split(' ')
+          content += self.forward_content(src,dst)
+        end
+        content
+      end
+
+      def postrouting_block
+        masq_ifaces = []
+        content = ""
+        @iface_forward.each do |line|
+          src, dst = line.split(' ')
+          content += self.postrouting_content(dst) unless masq_ifaces.include?(dst)
+          masq_ifaces << dst
+        end
+        content
+      end
+
+      def allow_private_port_block
+        content = ""
+        @ports_private.each do |line|
+          port,proto = line.split
+          content += self.allow_private_port_content(port, proto)
+        end
+        content
+      end
+
+      def allow_public_port_block
+        content = ""
+        @ports_public.each do |line|
+          port,proto = line.split
+          raise "Invalid port in port.allow" unless port =~ /^[0-9].*$/
+          raise "Invalid protocol in port.allow" unless proto =~ /^(tcp|udp)$/
+          content += self.allow_public_port_content(port, proto)
+        end
+        content
+      end
+
+      def allow_ip_block
+        content = ""
+        @ip_allow.each do |line|
+          raise "Invalid IP address in ip.allow" unless line =~ /^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}(\/[0-9]{0,2})*$/
+          content += self.allow_ip_content(line)
+        end
+        content
+      end
+
+      def deny_ip_block
+        content = ""
+        @ip_deny.each do |line|
+          raise "Invalid IP address in ip.deny" unless line =~ /^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}(\/[0-9]{0,2})*$/
+          content += self.deny_ip_content(line)
+        end
+        content
+      end
+
+      def dmz_device_block
+        content = ""
+        @dmz_device.each do |line|
+          raise "Invalid device in iface.dmz" unless line =~ /^[a-z][a-z0-9].*$/
+          content += self.dmz_device_content(line)
+        end
+        content
+      end
+
+      def fail2ban_chains_block
+        iptables_save.scan(/^:fail2ban.*$/).join("\n")
+      end
+
+      def fail2ban_rules_block
+        iptables_save.scan(/^-A fail2ban.*$/).join("\n")
+      end
+
+      def jail_rules_block
+        lines = iptables_save.scan(/^-A Jail.*$/)
+        lines << "-A Jail -j RETURN\n" unless lines.last =~ /-A Jail -j RETURN/
+        lines.join("\n")
+      end   
+
+      ###
+      ### Block Content
+      ###
+      def forward_content(src,dst)
+        rule =  "-A FORWARD -i #{src} -o #{dst} -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n"
+        rule += "-A FORWARD -i #{dst} -o #{src} -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
+        rule
+      end
+
+      def postrouting_content(iface)
+        "-A POSTROUTING -o #{iface} -j MASQUERADE\n"
+      end
+
+      def allow_private_port_content(port, proto)
+        "-A Private -m state --state NEW -p #{proto} -m #{proto} --dport #{port} -j RETURN\n"
+      end
+
+      def allow_public_port_content(port, proto)
+        "-A Public -m state --state NEW -p #{proto} -m #{proto} --dport #{port} -j ACCEPT\n"
+      end
+
+      def allow_ip_content(ip)
+        "-A AllowIP -m state --state NEW -s #{ip} -j Allowed\n"
+      end
+
+      def deny_ip_content(ip)
+        "-A Bastards -s #{ip} -j DropBastards\n"
+      end
+
+      def dmz_device_content(iface)
+        "-A Dmz -i #{iface} -j ACCEPT\n"
+      end
+
+    end
   end
 end

data/lib/shutter/os.rb

@@ -6,6 +6,12 @@ module Shutter
       end
     end
 
+    def validate!
+      if unknown?
+        raise "ERROR: Unsupported operating system"
+      end
+    end
+
     def family
       @family ||= ENV['OS'] ? ENV['OS'] : RUBY_PLATFORM.split('-').last
     end
@@ -15,7 +21,28 @@ module Shutter
     end
 
     def linux?
-      return family == "linux"
+      family == "linux"
+    end
+
+    def iptables_save
+      "/sbin/iptables-save"
+    end
+
+    def iptables_restore
+      "/sbin/iptables-restore"
+    end
+
+    def persist_file
+      case version
+      when /Red Hat/
+        "/etc/sysconfig/iptables"
+      when /Debian/
+        "/etc/iptables/rules"
+      when /Ubuntu/
+        "/etc/iptables/rules"
+      else
+        "/tmp/iptables.rules"
+      end
     end
 
     def dist
@@ -35,6 +62,18 @@ module Shutter
       dist == "RedHat"
     end
 
+    def ubuntu?
+      dist == "Ubuntu"
+    end
+
+    def debian?
+      dist == "Debian"
+    end
+
+    def unknown?
+      dist == "Unknown"
+    end
+
     alias :centos? :redhat? 
     alias :fedora? :redhat?
   end

data/lib/shutter/version.rb

@@ -1,3 +1,3 @@
 module Shutter
-  VERSION = "0.0.7"
+  VERSION = "0.1.0"
 end

data/shutter.gemspec

@@ -6,9 +6,9 @@ Gem::Specification.new do |gem|
   gem.email         = ["nosignsoflifehere@gmail.com"]
   gem.description   = %q{Shutter is a tool that gives system administrators the ability 
                          to manage iptables firewall settings through simple lists instead 
-                         of complex iptables rules. Please note: This application currently 
-                         only works with Red Hat based distributions, as the need arrises 
-                         more distributions will be added.
+                         of complex iptables rules. Please note:  This application is currently 
+                         only tested with Red Hat based distributions.  Ubuntu and Debian should 
+                         work but are not supported..
                         }
   gem.summary       = %q{Shutter helps manage iptables firewalls}
   gem.homepage      = ""
@@ -21,4 +21,5 @@ Gem::Specification.new do |gem|
   gem.version       = Shutter::VERSION
   gem.add_development_dependency('rspec')
   gem.add_development_dependency('mocha')
+  gem.add_development_dependency('simplecov')
 end

data/spec/command_line_spec.rb

@@ -1,16 +1,82 @@
 require File.dirname(__FILE__) + '/spec_helper'
-require 'fileutils'
 
 describe "Shutter::CommandLine" do
-  it "should create the configuration directory if it does not exist" do
-    cmd = Shutter::CommandLine.new('./tmp/configs')
-    cmd.init
-    File.directory?('./tmp/configs').should == true
-    FileUtils.rm_rf('./tmp/configs')
+  before(:each) do
+    @cmd = Shutter::CommandLine.new("./tmp")
   end
 
-  it "should not recursively create the configuration directory if the parent does not exist" do
-    cmd = Shutter::CommandLine.new('./tmp/configs/this')
-    expect { cmd.init }.to raise_error
+  it "should not raise exception when firewall is called" do
+    expect { @cmd.firewall }.to_not raise_error
   end
+
+  it "should set default value of persist to false" do
+    @cmd.persist.should == false
+  end
+
+  it "should set default value of debug to false" do
+    @cmd.debug.should == false
+  end
+
+  it "should have set config_path to ./tmp" do
+    @cmd.config_path.should == "./tmp"
+  end
+
+  it "should set the command to :save" do
+    @cmd.execute(["--save"],true)
+    @cmd.command.should == :save
+    @cmd.execute(["-s"],true)
+    @cmd.command.should == :save
+  end
+
+  it "should set the command to :restore" do
+    @cmd.execute(["--restore"],true)
+    @cmd.command.should == :restore
+    @cmd.execute(["--restore", "--persist"],true)
+    @cmd.command.should == :restore
+    @cmd.persist.should == true
+  end
+
+  it "should set the command to :init" do
+    @cmd.execute(["--init"],true)
+    @cmd.command.should == :init
+  end
+
+  it "should set the command to :reinit" do
+    @cmd.execute(["--reinit"],true)
+    @cmd.command.should == :reinit
+  end
+
+  it "should set the command to :upgrade" do
+    @cmd.execute(["--upgrade"],true)
+    @cmd.command.should == :upgrade
+  end
+
+  it "should set the config path and persist" do
+    Shutter::OS.stubs(:version).returns("Unknown")
+    @cmd.execute(["--dir", "/tmp", "--restore", "--persist"],true)
+    @cmd.command.should == :restore
+    @cmd.persist.should == true
+    @cmd.persist_file.should == "/tmp/iptables.rules"
+    @cmd.config_path.should == "/tmp"
+    @cmd.execute(["-d", "/tmp", "--restore", "--persist"],true)
+    @cmd.command.should == :restore
+    @cmd.persist.should == true
+    @cmd.persist_file.should == "/tmp/iptables.rules"
+    @cmd.config_path.should == "/tmp"
+  end
+
+  it "should set the config path and persist with file" do
+    Shutter::OS.stubs(:version).returns("Unknown")
+    @cmd.execute(["--dir", "/tmp", "--restore", "--persist", "/tmp/persistance.file"],true)
+    @cmd.command.should == :restore
+    @cmd.persist.should == true
+    @cmd.persist_file.should == "/tmp/persistance.file"
+    @cmd.config_path.should == "/tmp"
+    @cmd.execute(["-d", "/tmp", "--restore", "--persist", "/tmp/persistance.file"],true)
+    @cmd.command.should == :restore
+    @cmd.persist.should == true
+    @cmd.persist_file.should == "/tmp/persistance.file"
+    @cmd.config_path.should == "/tmp"
+  end
+
 end

data/spec/content_spec.rb

@@ -2,8 +2,8 @@ require File.dirname(__FILE__) + '/spec_helper'
 
 describe "Shutter" do
   it "should have templates for all files" do
-    Shutter::CONFIG_FILES.each do |name|
-      Shutter.constants.include?(:"#{name.upcase.gsub(/\./, "_")}").should == true
+    Shutter::Content::CONFIG_FILES.each do |name|
+      Shutter::Content.constants.include?(:"#{name.upcase.gsub(/\./, "_")}").should == true
     end
   end
 end