shutter 0.0.7 → 0.1.0
- data/README.md +26 -56
- data/bin/shutter +10 -4
- data/lib/shutter.rb +3 -9
- data/lib/shutter/command_line.rb +86 -104
- data/lib/shutter/content.rb +49 -2
- data/lib/shutter/files.rb +31 -0
- data/lib/shutter/iptables.rb +215 -10
- data/lib/shutter/os.rb +40 -1
- data/lib/shutter/version.rb +1 -1
- data/shutter.gemspec +4 -3
- data/spec/command_line_spec.rb +75 -9
- data/spec/content_spec.rb +2 -2
- data/spec/files/base.ipt +160 -0
- data/spec/files/iface.dmz +4 -0
- data/spec/files/iface.forward +3 -0
- data/spec/files/ip.allow +5 -0
- data/spec/files/ip.deny +5 -0
- data/spec/files/iptables_save.out +86 -0
- data/spec/files/ports.private +2 -0
- data/spec/files/ports.public +3 -0
- data/spec/files_spec.rb +76 -0
- data/spec/iptables_spec.rb +157 -0
- data/spec/os_spec.rb +54 -0
- data/spec/spec_helper.rb +10 -4
- metadata +45 -14
- data/lib/shutter/iptables/base.rb +0 -59
- data/lib/shutter/iptables/eyepee.rb +0 -34
- data/lib/shutter/iptables/forward.rb +0 -47
- data/lib/shutter/iptables/iface.rb +0 -30
- data/lib/shutter/iptables/jail.rb +0 -26
- data/lib/shutter/iptables/port.rb +0 -35
- data/spec/env_spec.rb +0 -17
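--- /dev/null
+++ b/data/spec/files/base.ipt
@@ -0,0 +1,160 @@
+# Generated by Shutter
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:Dmz - [0:0]
+:ValidCheck - [0:0]
+:Jail - [0:0]
+:Bastards - [0:0]
+:Public - [0:0]
+:AllowIP - [0:0]
+:Allowed - [0:0]
+:Private - [0:0]
+:DropJail - [0:0]
+:DropBastards - [0:0]
+:DropInvalid - [0:0]
+:DropScan - [0:0]
+:DropDDOS - [0:0]
+# [CHAIN:FAIL2BAN]
+
+-A INPUT -i lo -j ACCEPT
+-A INPUT -j Jail
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -j ValidCheck
+-A INPUT -j Dmz
+-A INPUT -j Bastards
+-A INPUT -j Public
+-A INPUT -j AllowIP
+-A INPUT ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Block:"
+-A INPUT -j DROP
+
+##################################################################
+# Jail goes here. Jail and any fail2ban chains will be
+# taken care of dynamically in locker-restore.
+##################################################################
+# [RULES:JAIL]
+
+##################################################################
+# Validity/Scanning/DDOS checking
+##################################################################
+-A ValidCheck -m state --state INVALID -j DropInvalid
+-A ValidCheck -p tcp --tcp-flags ALL FIN,URG,PSH -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL ALL -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ACK,FIN FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ACK,PSH PSH -j DropScan
+-A ValidCheck -p tcp --tcp-flags ACK,URG URG -j DropScan
+-A ValidCheck -p tcp --tcp-flags FIN,RST FIN,RST -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL SYN,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL URG,PSH,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags SYN,RST SYN,RST -j DropScan
+-A ValidCheck -p tcp --tcp-flags SYN,FIN SYN,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL NONE -j DropScan
+-A ValidCheck -p tcp --tcp-option 64 -j DropScan
+-A ValidCheck -p tcp --tcp-option 128 -j DropScan
+-A ValidCheck -p tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
+-A ValidCheck -p udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
+-A ValidCheck -j RETURN
+
+##################################################################
+# DMZ. Read from iface.dmz and added as:
+# -A INPUT -i <iface> -j ACCEPT
+##################################################################
+# [RULES:DMZ]
+-A Dmz -j RETURN
+
+##################################################################
+# All IP address ranges that are permanently banned. If
+# no IP addresses are given, then all will be assumed that no ip
+# addresses are banned and create the following rule
+# -A Bastards -j RETURN
+# otherwise a list of banned ips will be generated from ip.deny
+# and will look like this:
+# -A Bastards -s <ipaddr>/<subnet> -j DropBastards
+##################################################################
+# [RULES:BASTARDS]
+-A Bastards -j RETURN
+
+##################################################################
+# A list of authorized ports for the public access. If there are
+# entries in the ports.public file then they will be added as:
+# -A Public -m state --state NEW -p <proto> -m <proto> --dport <port> -j ACCEPT
+##################################################################
+# [RULES:PUBLIC]
+-A Public -j RETURN
+
+##################################################################
+# All IP address ranges that are allowed to access the ports. If
+# no IP addresses are given, then all will be assumed and a rule
+# to jump to the Allowed chain will be created:
+# -A AllowIP -j Allowed
+# otherwise a list of allowed ips will be generated from ip.allow
+# and will look like this:
+# -A AllowIP -s 129.101.159.128/26 -j Allowed
+##################################################################
+# [RULES:ALLOWIP]
+-A AllowIP -j RETURN
+
+##################################################################
+# Allowed. If a packet has met all the requirements it will end
+# up here. This should be a static chain.
+##################################################################
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 0 -j ACCEPT
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 3 -j ACCEPT
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 11 -j ACCEPT
+-A Allowed -j Private
+-A Allowed ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Authorized:"
+-A Allowed -j ACCEPT
+
+##################################################################
+# A list of authorized ports for the allowed IPs. If there are
+# entries in the ports.private file then they will be added as:
+# -A Private -m state --state NEW -p <proto> -m <proto> --dport <port> -j RETURN
+##################################################################
+# [RULES:PRIVATE]
+-A Private ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Unauthorized:"
+-A Private -j DROP
+
+##################################################################
+# Log and Drops
+##################################################################
+-A DropJail ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Jail:"
+-A DropJail -j DROP
+
+-A DropBastards ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bastards:"
+-A DropBastards -j DROP
+
+-A DropInvalid ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Invalid:"
+-A DropInvalid -j DROP
+
+-A DropScan ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Scan detected:"
+-A DropScan -j DROP
+
+-A DropDDOS ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: DDOS detected:"
+-A DropDDOS -j DROP
+
+##################################################################
+# NATing
+##################################################################
+# [RULES:FORWARD]
+-A FORWARD ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bad NAT:"
+-A FORWARD -j DROP
+
+##################################################################
+# Add any additional rules that fail2ban has added
+##################################################################
+# [RULES:FAIL2BAN]
+
+COMMIT
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+# [RULES:POSTROUTING]
+COMMIT
+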
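Review bot: The `[RULES:ALLOWIP]` comment block states that an empty ip.allow produces `-A AllowIP -j Allowed`, which would expose every port in ports.private to any source address — a fail-open default that the template should call out explicitly, e.g. `# WARNING: an empty ip.allow opens the private ports to every source; list at least one range.` Whether the generator really emits that rule is not visible here (the spec fixture only shows the populated case), so the warning should be confirmed against the generator. Separately, INPUT jumps to Dmz before Bastards, so any interface listed in iface.dmz bypasses the ip.deny list entirely; the DMZ comment block should say so. The comment `taken care of dynamically in locker-restore` names a tool that appears nowhere else in this gem and presumably means shutter. The two matches `--tcp-flags ALL FIN,URG,PSH` and `--tcp-flags ALL URG,PSH,FIN` are identical (iptables-save renders both as `FIN,PSH,URG`), so one of them is redundant.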
data/spec/files/ip.allow
ADDED
data/spec/files/ip.deny
ADDED
@@ -0,0 +1,86 @@
|
|
1
|
+
# Generated by iptables-save v1.4.7 on Sat Sep 29 14:34:04 2012
|
2
|
+
*filter
|
3
|
+
:INPUT DROP [0:0]
|
4
|
+
:FORWARD DROP [0:0]
|
5
|
+
:OUTPUT ACCEPT [3763472:853134022]
|
6
|
+
:AllowIP - [0:0]
|
7
|
+
:Allowed - [0:0]
|
8
|
+
:Bastards - [0:0]
|
9
|
+
:Dmz - [0:0]
|
10
|
+
:DropBastards - [0:0]
|
11
|
+
:DropDDOS - [0:0]
|
12
|
+
:DropInvalid - [0:0]
|
13
|
+
:DropJail - [0:0]
|
14
|
+
:DropScan - [0:0]
|
15
|
+
:Jail - [0:0]
|
16
|
+
:Private - [0:0]
|
17
|
+
:Public - [0:0]
|
18
|
+
:ValidCheck - [0:0]
|
19
|
+
:fail2ban-SSH - [0:0]
|
20
|
+
-A INPUT -i lo -j ACCEPT
|
21
|
+
-A INPUT -j Jail
|
22
|
+
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
23
|
+
-A INPUT -j ValidCheck
|
24
|
+
-A INPUT -j Dmz
|
25
|
+
-A INPUT -j Bastards
|
26
|
+
-A INPUT -j Public
|
27
|
+
-A INPUT -j AllowIP
|
28
|
+
-A INPUT ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Block:"
|
29
|
+
-A INPUT -j DROP
|
30
|
+
-A AllowIP -s 192.168.0.0/16 -m state --state NEW -j Allowed
|
31
|
+
-A AllowIP -s 172.16.0.0/12 -m state --state NEW -j Allowed
|
32
|
+
-A AllowIP -s 10.0.0.0/8 -m state --state NEW -j Allowed
|
33
|
+
-A AllowIP -s 129.101.159.128/26 -m state --state NEW -j Allowed
|
34
|
+
-A AllowIP -s 129.101.142.128/26 -m state --state NEW -j Allowed
|
35
|
+
-A AllowIP -s 129.101.170.53/32 -m state --state NEW -j Allowed
|
36
|
+
-A AllowIP -s 129.101.112.0/24 -m state --state NEW -j Allowed
|
37
|
+
-A AllowIP -j RETURN
|
38
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 0 -j ACCEPT
|
39
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 3 -j ACCEPT
|
40
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
|
41
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 11 -j ACCEPT
|
42
|
+
-A Allowed -j Private
|
43
|
+
-A Allowed ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Authorized:"
|
44
|
+
-A Allowed -j ACCEPT
|
45
|
+
-A Bastards -j RETURN
|
46
|
+
-A Dmz -i eth0 -j ACCEPT
|
47
|
+
-A Dmz -j RETURN
|
48
|
+
-A DropBastards ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bastards:"
|
49
|
+
-A DropBastards -j DROP
|
50
|
+
-A DropDDOS ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: DDOS detected:"
|
51
|
+
-A DropDDOS -j DROP
|
52
|
+
-A DropInvalid ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Invalid:"
|
53
|
+
-A DropInvalid -j DROP
|
54
|
+
-A DropJail ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Jail:"
|
55
|
+
-A DropJail -j DROP
|
56
|
+
-A DropScan ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Scan detected:"
|
57
|
+
-A DropScan -j DROP
|
58
|
+
-A Jail -p tcp -m tcp --dport 22 -j fail2ban-SSH
|
59
|
+
-A Jail -j RETURN
|
60
|
+
-A Private -p tcp -m state --state NEW -m tcp --dport 22 -j RETURN
|
61
|
+
-A Private ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Unauthorized:"
|
62
|
+
-A Private -j DROP
|
63
|
+
-A Public -j RETURN
|
64
|
+
-A ValidCheck -m state --state INVALID -j DropInvalid
|
65
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DropScan
|
66
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DropScan
|
67
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DropScan
|
68
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DropScan
|
69
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DropScan
|
70
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DropScan
|
71
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags ACK,URG URG -j DropScan
|
72
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DropScan
|
73
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j DropScan
|
74
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DropScan
|
75
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DropScan
|
76
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DropScan
|
77
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DropScan
|
78
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DropScan
|
79
|
+
-A ValidCheck -p tcp -m tcp --tcp-option 64 -j DropScan
|
80
|
+
-A ValidCheck -p tcp -m tcp --tcp-option 128 -j DropScan
|
81
|
+
-A ValidCheck -p tcp -m tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
|
82
|
+
-A ValidCheck -p udp -m udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
|
83
|
+
-A ValidCheck -j RETURN
|
84
|
+
-A fail2ban-SSH -j RETURN
|
85
|
+
COMMIT
|
86
|
+
# Completed on Sat Sep 29 14:34:04 2012
|
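Review bot: This fixture is a verbatim `iptables-save` capture from a real host and ships the live AllowIP ranges (`129.101.159.128/26`, `129.101.142.128/26`, `129.101.170.53/32`, `129.101.112.0/24`) plus the capture timestamp in a public gem, which discloses which public networks are trusted by that firewall. Test data should use the RFC 5737 documentation ranges instead, e.g. `-A AllowIP -s 192.0.2.0/24 -m state --state NEW -j Allowed` and `203.0.113.0/24`, with the RFC 1918 entries kept as they are. The same real-world prefix also appears as the example in the base.ipt template comment (`# -A AllowIP -s 129.101.159.128/26 -j Allowed`) and should be replaced there too. On this page the section is labelled `data/spec/files/ip.deny` but the content is the 86-line `iptables_save.out` listed in the diffstat; the two ip.* fixtures appear to have been collapsed during rendering.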
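--- /dev/null
+++ b/data/spec/files_spec.rb
@@ -0,0 +1,76 @@
+require File.dirname(__FILE__) + '/spec_helper'
+require 'fileutils'
+
+describe "Shutter::Files" do
+it "should create the configuration directory if it does not exist" do
+Shutter::Files.create_config_dir('./tmp/configs')
+File.directory?('./tmp/configs').should == true
+FileUtils.rm_rf('./tmp/configs')
+end
+
+it "should not recursively create the configuration directory if the parent does not exist" do
+expect { Shutter::Files.create_config_dir('./tmp/configs/this') }.to raise_error
+end
+
+it "should include the templates for all files" do
+Shutter::Files::CONFIG_FILES.each do |name|
+Shutter::Files.constants.include?(:"#{name.upcase.gsub(/\./, "_")}").should == true
+end
+end
+
+it "should create the files in the configuration directory if they do not exist" do
+Shutter::Files.create_config_dir('./spec/tmp')
+Shutter::Files.create('./spec/tmp')
+Shutter::Files::CONFIG_FILES.each do |name|
+File.exists?("./spec/tmp/#{name}")
+File.read("./spec/tmp/#{name}").should == Shutter::Files.const_get(:"#{name.upcase.gsub(/\./, "_")}")
+end
+FileUtils.rm_rf('./spec/tmp')
+end
+
+it "should not touch the configs when they already exist" do
+Shutter::Files.create_config_dir('./spec/tmp')
+Shutter::Files::CONFIG_FILES.each do |name|
+FileUtils.copy("./spec/files/#{name}", "./spec/tmp/#{name}")
+end
+Shutter::Files.create('./spec/tmp')
+Shutter::Files::CONFIG_FILES.each do |name|
+File.exists?("./spec/tmp/#{name}")
+unless name == "base.ipt"
+File.read("./spec/tmp/#{name}").should_not == Shutter::Files.const_get(:"#{name.upcase.gsub(/\./, "_")}")
+end
+end
+FileUtils.rm_rf('./spec/tmp')
+end
+
+it "should overwrite the configs when overwrite is specified" do
+Shutter::Files.create_config_dir('./spec/tmp')
+Shutter::Files::CONFIG_FILES.each do |name|
+FileUtils.copy("./spec/files/#{name}", "./spec/tmp/#{name}")
+end
+Shutter::Files.create('./spec/tmp',true)
+Shutter::Files::CONFIG_FILES.each do |name|
+File.exists?("./spec/tmp/#{name}")
+File.read("./spec/tmp/#{name}").should == Shutter::Files.const_get(:"#{name.upcase.gsub(/\./, "_")}")
+end
+FileUtils.rm_rf('./spec/tmp')
+end
+
+it "should overwrite the configs when overwrite false but there are exceptions" do
+Shutter::Files.create_config_dir('./spec/tmp')
+Shutter::Files::CONFIG_FILES.each do |name|
+FileUtils.copy("./spec/files/#{name}", "./spec/tmp/#{name}")
+end
+except = ['iface.forward','base.ipt']
+Shutter::Files.create('./spec/tmp',false,except)
+Shutter::Files::CONFIG_FILES.each do |name|
+File.exists?("./spec/tmp/#{name}")
+unless except.include?(name)
+File.read("./spec/tmp/#{name}").should_not == Shutter::Files.const_get(:"#{name.upcase.gsub(/\./, "_")}")
+else
+File.read("./spec/tmp/#{name}").should == Shutter::Files.const_get(:"#{name.upcase.gsub(/\./, "_")}")
+end
+end
+FileUtils.rm_rf('./spec/tmp')
+end
+end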
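Review bot: The four bare `File.exists?("./spec/tmp/#{name}")` calls inside the `CONFIG_FILES.each` loops assert nothing — the boolean is discarded — so each should read `File.exists?("./spec/tmp/#{name}").should == true` (or use `File.exist?`, the non-deprecated spelling). Every example also does its `FileUtils.rm_rf('./spec/tmp')` cleanup as the last statement rather than in an `after(:each)`, so one failing expectation leaves `./spec/tmp` populated for the next example, which starts by calling `create_config_dir('./spec/tmp')` on a directory that now exists; whether that raises or silently reuses the directory is not visible here. The `raise_error` matcher in the "should not recursively create" example takes no exception class, so a `NameError` or typo in the call would satisfy it; pin the error the implementation actually raises. The "should not touch" example skips `base.ipt` because the fixture is byte-identical to the template, which means the no-overwrite guarantee is never checked for the one file that matters most; a fixture with one extra comment line would make that example meaningful.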
@@ -0,0 +1,157 @@
|
|
1
|
+
require File.dirname(__FILE__) + '/spec_helper'
|
2
|
+
require 'fileutils'
|
3
|
+
|
4
|
+
describe "Shutter::Firewall::IPTables" do
|
5
|
+
before(:each) do
|
6
|
+
@ipt = Shutter::Firewall::IPTables.new("./spec/files")
|
7
|
+
end
|
8
|
+
|
9
|
+
it "should have the default iptables-restore defined" do
|
10
|
+
@ipt.iptables_restore.should == "/sbin/iptables-restore"
|
11
|
+
end
|
12
|
+
|
13
|
+
it "should return the correct forward block" do
|
14
|
+
@ipt.forward_block.should == %q{-A FORWARD -i eth0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
|
15
|
+
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
|
16
|
+
-A FORWARD -i eth0 -o eth2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
|
17
|
+
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
|
18
|
+
}
|
19
|
+
end
|
20
|
+
|
21
|
+
it "should return the correct iface postrouting block" do
|
22
|
+
@ipt.postrouting_block.should == %q{-A POSTROUTING -o eth1 -j MASQUERADE
|
23
|
+
-A POSTROUTING -o eth2 -j MASQUERADE
|
24
|
+
}
|
25
|
+
end
|
26
|
+
|
27
|
+
it "should return the correct output for allow_private_port_block" do
|
28
|
+
@ipt.allow_private_port_block.should == %q{-A Private -m state --state NEW -p tcp -m tcp --dport 22 -j RETURN
|
29
|
+
}
|
30
|
+
end
|
31
|
+
|
32
|
+
it "should return the correct output for allow_public_port_block" do
|
33
|
+
@ipt.allow_public_port_block.should == %q{-A Public -m state --state NEW -p tcp -m tcp --dport 80 -j ACCEPT
|
34
|
+
-A Public -m state --state NEW -p tcp -m tcp --dport 443 -j ACCEPT
|
35
|
+
}
|
36
|
+
end
|
37
|
+
|
38
|
+
it "should return the correct output for allow_ip_block" do
|
39
|
+
@ipt.allow_ip_block.should == %q{-A AllowIP -m state --state NEW -s 192.168.0.0/16 -j Allowed
|
40
|
+
-A AllowIP -m state --state NEW -s 10.0.0.1 -j Allowed
|
41
|
+
}
|
42
|
+
end
|
43
|
+
|
44
|
+
it "should return the correct output for deny_ip_block" do
|
45
|
+
@ipt.deny_ip_block.should == %q{-A Bastards -s 172.31.0.0/24 -j DropBastards
|
46
|
+
-A Bastards -s 8.8.9.9 -j DropBastards
|
47
|
+
}
|
48
|
+
end
|
49
|
+
|
50
|
+
it "should return the correct output for dmz_device_block" do
|
51
|
+
@ipt.dmz_device_block.should == %q{-A Dmz -i eth0 -j ACCEPT
|
52
|
+
-A Dmz -i eth1 -j ACCEPT
|
53
|
+
}
|
54
|
+
end
|
55
|
+
|
56
|
+
it "should return the correct output for generate" do
|
57
|
+
iptables_save = File.read("./spec/files/iptables_save.out")
|
58
|
+
@ipt.stubs(:iptables_save).returns(iptables_save)
|
59
|
+
@ipt.generate.should == %q{*filter
|
60
|
+
:INPUT DROP [0:0]
|
61
|
+
:FORWARD DROP [0:0]
|
62
|
+
:OUTPUT ACCEPT [0:0]
|
63
|
+
:Dmz - [0:0]
|
64
|
+
:ValidCheck - [0:0]
|
65
|
+
:Jail - [0:0]
|
66
|
+
:Bastards - [0:0]
|
67
|
+
:Public - [0:0]
|
68
|
+
:AllowIP - [0:0]
|
69
|
+
:Allowed - [0:0]
|
70
|
+
:Private - [0:0]
|
71
|
+
:DropJail - [0:0]
|
72
|
+
:DropBastards - [0:0]
|
73
|
+
:DropInvalid - [0:0]
|
74
|
+
:DropScan - [0:0]
|
75
|
+
:DropDDOS - [0:0]
|
76
|
+
:fail2ban-SSH - [0:0]
|
77
|
+
-A INPUT -i lo -j ACCEPT
|
78
|
+
-A INPUT -j Jail
|
79
|
+
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
80
|
+
-A INPUT -j ValidCheck
|
81
|
+
-A INPUT -j Dmz
|
82
|
+
-A INPUT -j Bastards
|
83
|
+
-A INPUT -j Public
|
84
|
+
-A INPUT -j AllowIP
|
85
|
+
-A INPUT ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Block:"
|
86
|
+
-A INPUT -j DROP
|
87
|
+
-A Jail -p tcp -m tcp --dport 22 -j fail2ban-SSH
|
88
|
+
-A Jail -j RETURN
|
89
|
+
-A ValidCheck -m state --state INVALID -j DropInvalid
|
90
|
+
-A ValidCheck -p tcp --tcp-flags ALL FIN,URG,PSH -j DropScan
|
91
|
+
-A ValidCheck -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DropScan
|
92
|
+
-A ValidCheck -p tcp --tcp-flags ALL ALL -j DropScan
|
93
|
+
-A ValidCheck -p tcp --tcp-flags ALL FIN -j DropScan
|
94
|
+
-A ValidCheck -p tcp --tcp-flags ACK,FIN FIN -j DropScan
|
95
|
+
-A ValidCheck -p tcp --tcp-flags ACK,PSH PSH -j DropScan
|
96
|
+
-A ValidCheck -p tcp --tcp-flags ACK,URG URG -j DropScan
|
97
|
+
-A ValidCheck -p tcp --tcp-flags FIN,RST FIN,RST -j DropScan
|
98
|
+
-A ValidCheck -p tcp --tcp-flags ALL SYN,FIN -j DropScan
|
99
|
+
-A ValidCheck -p tcp --tcp-flags ALL URG,PSH,FIN -j DropScan
|
100
|
+
-A ValidCheck -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DropScan
|
101
|
+
-A ValidCheck -p tcp --tcp-flags SYN,RST SYN,RST -j DropScan
|
102
|
+
-A ValidCheck -p tcp --tcp-flags SYN,FIN SYN,FIN -j DropScan
|
103
|
+
-A ValidCheck -p tcp --tcp-flags ALL NONE -j DropScan
|
104
|
+
-A ValidCheck -p tcp --tcp-option 64 -j DropScan
|
105
|
+
-A ValidCheck -p tcp --tcp-option 128 -j DropScan
|
106
|
+
-A ValidCheck -p tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
|
107
|
+
-A ValidCheck -p udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
|
108
|
+
-A ValidCheck -j RETURN
|
109
|
+
-A Dmz -i eth0 -j ACCEPT
|
110
|
+
-A Dmz -i eth1 -j ACCEPT
|
111
|
+
-A Dmz -j RETURN
|
112
|
+
-A Bastards -s 172.31.0.0/24 -j DropBastards
|
113
|
+
-A Bastards -s 8.8.9.9 -j DropBastards
|
114
|
+
-A Bastards -j RETURN
|
115
|
+
-A Public -m state --state NEW -p tcp -m tcp --dport 80 -j ACCEPT
|
116
|
+
-A Public -m state --state NEW -p tcp -m tcp --dport 443 -j ACCEPT
|
117
|
+
-A Public -j RETURN
|
118
|
+
-A AllowIP -m state --state NEW -s 192.168.0.0/16 -j Allowed
|
119
|
+
-A AllowIP -m state --state NEW -s 10.0.0.1 -j Allowed
|
120
|
+
-A AllowIP -j RETURN
|
121
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 0 -j ACCEPT
|
122
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 3 -j ACCEPT
|
123
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
|
124
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 11 -j ACCEPT
|
125
|
+
-A Allowed -j Private
|
126
|
+
-A Allowed ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Authorized:"
|
127
|
+
-A Allowed -j ACCEPT
|
128
|
+
-A Private -m state --state NEW -p tcp -m tcp --dport 22 -j RETURN
|
129
|
+
-A Private ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Unauthorized:"
|
130
|
+
-A Private -j DROP
|
131
|
+
-A DropJail ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Jail:"
|
132
|
+
-A DropJail -j DROP
|
133
|
+
-A DropBastards ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bastards:"
|
134
|
+
-A DropBastards -j DROP
|
135
|
+
-A DropInvalid ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Invalid:"
|
136
|
+
-A DropInvalid -j DROP
|
137
|
+
-A DropScan ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Scan detected:"
|
138
|
+
-A DropScan -j DROP
|
139
|
+
-A DropDDOS ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: DDOS detected:"
|
140
|
+
-A DropDDOS -j DROP
|
141
|
+
-A FORWARD -i eth0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
|
142
|
+
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
|
143
|
+
-A FORWARD -i eth0 -o eth2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
|
144
|
+
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
|
145
|
+
-A FORWARD ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bad NAT:"
|
146
|
+
-A FORWARD -j DROP
|
147
|
+
-A fail2ban-SSH -j RETURN
|
148
|
+
COMMIT
|
149
|
+
*nat
|
150
|
+
:PREROUTING ACCEPT [0:0]
|
151
|
+
:POSTROUTING ACCEPT [0:0]
|
152
|
+
:OUTPUT ACCEPT [0:0]
|
153
|
+
-A POSTROUTING -o eth1 -j MASQUERADE
|
154
|
+
-A POSTROUTING -o eth2 -j MASQUERADE
|
155
|
+
COMMIT}
|
156
|
+
end
|
157
|
+
end
|
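Review bot: Every example feeds well-formed fixtures, so nothing covers how `allow_ip_block`, `deny_ip_block`, `dmz_device_block` and the port blocks treat a malformed or hostile line in ip.allow, ip.deny, iface.* or ports.*; if those lines are interpolated into the rule text verbatim (the generator is not visible here), an entry such as `0.0.0.0/0 -j ACCEPT` would be handed straight to `iptables-restore` and widen the ruleset. Add an example with a fixture directory holding one bad entry and assert that the block raises (say `ArgumentError`) or skips the line, e.g. `expect { Shutter::Firewall::IPTables.new("./spec/files_bad").allow_ip_block }.to raise_error(ArgumentError)`. The `generate` example also shows the `fail2ban-SSH` chain and its `-A Jail` rule being carried over from the stubbed `iptables_save`; a second example with empty save output would pin the behaviour on a host where fail2ban is not running. Finally, `allow_ip_block` emits `-A AllowIP -m state --state NEW -s 10.0.0.1 -j Allowed` while the base.ipt comment advertises `-A AllowIP -s <ip> -j Allowed`, so the template comment and generator should be brought into agreement.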