shutter 0.0.7 → 0.1.0
- data/README.md +26 -56
- data/bin/shutter +10 -4
- data/lib/shutter.rb +3 -9
- data/lib/shutter/command_line.rb +86 -104
- data/lib/shutter/content.rb +49 -2
- data/lib/shutter/files.rb +31 -0
- data/lib/shutter/iptables.rb +215 -10
- data/lib/shutter/os.rb +40 -1
- data/lib/shutter/version.rb +1 -1
- data/shutter.gemspec +4 -3
- data/spec/command_line_spec.rb +75 -9
- data/spec/content_spec.rb +2 -2
- data/spec/files/base.ipt +160 -0
- data/spec/files/iface.dmz +4 -0
- data/spec/files/iface.forward +3 -0
- data/spec/files/ip.allow +5 -0
- data/spec/files/ip.deny +5 -0
- data/spec/files/iptables_save.out +86 -0
- data/spec/files/ports.private +2 -0
- data/spec/files/ports.public +3 -0
- data/spec/files_spec.rb +76 -0
- data/spec/iptables_spec.rb +157 -0
- data/spec/os_spec.rb +54 -0
- data/spec/spec_helper.rb +10 -4
- metadata +45 -14
- data/lib/shutter/iptables/base.rb +0 -59
- data/lib/shutter/iptables/eyepee.rb +0 -34
- data/lib/shutter/iptables/forward.rb +0 -47
- data/lib/shutter/iptables/iface.rb +0 -30
- data/lib/shutter/iptables/jail.rb +0 -26
- data/lib/shutter/iptables/port.rb +0 -35
- data/spec/env_spec.rb +0 -17
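--- a/data/spec/files/base.ipt
+++ b/data/spec/files/base.ipt
@@ -0,0 +1,160 @@
+# Generated by Shutter
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:Dmz - [0:0]
+:ValidCheck - [0:0]
+:Jail - [0:0]
+:Bastards - [0:0]
+:Public - [0:0]
+:AllowIP - [0:0]
+:Allowed - [0:0]
+:Private - [0:0]
+:DropJail - [0:0]
+:DropBastards - [0:0]
+:DropInvalid - [0:0]
+:DropScan - [0:0]
+:DropDDOS - [0:0]
+# [CHAIN:FAIL2BAN]
+
+-A INPUT -i lo -j ACCEPT
+-A INPUT -j Jail
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -j ValidCheck
+-A INPUT -j Dmz
+-A INPUT -j Bastards
+-A INPUT -j Public
+-A INPUT -j AllowIP
+-A INPUT ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Block:"
+-A INPUT -j DROP
+
+##################################################################
+# Jail goes here. Jail and any fail2ban chains will be
+# taken care of dynamically in locker-restore.
+##################################################################
+# [RULES:JAIL]
+
+##################################################################
+# Validity/Scanning/DDOS checking
+##################################################################
+-A ValidCheck -m state --state INVALID -j DropInvalid
+-A ValidCheck -p tcp --tcp-flags ALL FIN,URG,PSH -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL ALL -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ACK,FIN FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ACK,PSH PSH -j DropScan
+-A ValidCheck -p tcp --tcp-flags ACK,URG URG -j DropScan
+-A ValidCheck -p tcp --tcp-flags FIN,RST FIN,RST -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL SYN,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL URG,PSH,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags SYN,RST SYN,RST -j DropScan
+-A ValidCheck -p tcp --tcp-flags SYN,FIN SYN,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL NONE -j DropScan
+-A ValidCheck -p tcp --tcp-option 64 -j DropScan
+-A ValidCheck -p tcp --tcp-option 128 -j DropScan
+-A ValidCheck -p tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
+-A ValidCheck -p udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
+-A ValidCheck -j RETURN
+
+##################################################################
+# DMZ. Read from iface.dmz and added as:
+# -A INPUT -i <iface> -j ACCEPT
+##################################################################
+# [RULES:DMZ]
+-A Dmz -j RETURN
+
+##################################################################
+# All IP address ranges that are permanently banned. If
+# no IP addresses are given, then all will be assumed that no ip
+# addresses are banned and create the following rule
+# -A Bastards -j RETURN
+# otherwise a list of banned ips will be generated from ip.deny
+# and will look like this:
+# -A Bastards -s <ipaddr>/<subnet> -j DropBastards
+##################################################################
+# [RULES:BASTARDS]
+-A Bastards -j RETURN
+
+##################################################################
+# A list of authorized ports for the public access. If there are
+# entries in the ports.public file then they will be added as:
+# -A Public -m state --state NEW -p <proto> -m <proto> --dport <port> -j ACCEPT
+##################################################################
+# [RULES:PUBLIC]
+-A Public -j RETURN
+
+##################################################################
+# All IP address ranges that are allowed to access the ports. If
+# no IP addresses are given, then all will be assumed and a rule
+# to jump to the Allowed chain will be created:
+# -A AllowIP -j Allowed
+# otherwise a list of allowed ips will be generated from ip.allow
+# and will look like this:
+# -A AllowIP -s 129.101.159.128/26 -j Allowed
+##################################################################
+# [RULES:ALLOWIP]
+-A AllowIP -j RETURN
+
+##################################################################
+# Allowed. If a packet has met all the requirements it will end
+# up here. This should be a static chain.
+##################################################################
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 0 -j ACCEPT
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 3 -j ACCEPT
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 11 -j ACCEPT
+-A Allowed -j Private
+-A Allowed ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Authorized:"
+-A Allowed -j ACCEPT
+
+##################################################################
+# A list of authorized ports for the allowed IPs. If there are
+# entries in the ports.private file then they will be added as:
+# -A Private -m state --state NEW -p <proto> -m <proto> --dport <port> -j RETURN
+##################################################################
+# [RULES:PRIVATE]
+-A Private ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Unauthorized:"
+-A Private -j DROP
+
+##################################################################
+# Log and Drops
+##################################################################
+-A DropJail ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Jail:"
+-A DropJail -j DROP
+
+-A DropBastards ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bastards:"
+-A DropBastards -j DROP
+
+-A DropInvalid ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Invalid:"
+-A DropInvalid -j DROP
+
+-A DropScan ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Scan detected:"
+-A DropScan -j DROP
+
+-A DropDDOS ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: DDOS detected:"
+-A DropDDOS -j DROP
+
+##################################################################
+# NATing
+##################################################################
+# [RULES:FORWARD]
+-A FORWARD ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bad NAT:"
+-A FORWARD -j DROP
+
+##################################################################
+# Add any additional rules that fail2ban has added
+##################################################################
+# [RULES:FAIL2BAN]
+
+COMMIT
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+# [RULES:POSTROUTING]
+COMMIT
+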
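Review bot: `-A INPUT -j Dmz` (template line 25) is evaluated before `-j Bastards`, `-j Public` and `-j AllowIP`, and each interface in iface.dmz becomes an unconditional `-A Dmz -i <iface> -j ACCEPT` (as iptables_save.out and the dmz_device_block spec show), so a packet arriving on a DMZ interface is accepted before ip.deny or either port list is consulted — a mistyped or over-broad iface.dmz opens the host completely on that interface, and the spec fixture lists eth0 and eth1, the same pair the forward block treats as the NAT uplink and LAN side. The comment at lines 63-64 also documents the generated rule as `-A INPUT -i <iface> -j ACCEPT`, which is not the rule actually emitted; suggest `# -A Dmz -i <iface> -j ACCEPT` plus a warning such as `# NOTE: packets on a DMZ interface bypass Bastards/Public/AllowIP entirely; list only fully trusted interfaces`. If permanent bans are meant to apply everywhere, placing `-j Bastards` ahead of `-j Dmz` in INPUT would achieve that without otherwise changing the policy. This is an IPv4-only ruleset and nothing in the release references ip6tables, so on a dual-stack host the INPUT DROP policy here leaves IPv6 ungoverned — worth a line in the template header.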
data/spec/files/ip.allow
ADDED
data/spec/files/ip.deny
ADDED
@@ -0,0 +1,86 @@
|
|
1
|
+
# Generated by iptables-save v1.4.7 on Sat Sep 29 14:34:04 2012
|
2
|
+
*filter
|
3
|
+
:INPUT DROP [0:0]
|
4
|
+
:FORWARD DROP [0:0]
|
5
|
+
:OUTPUT ACCEPT [3763472:853134022]
|
6
|
+
:AllowIP - [0:0]
|
7
|
+
:Allowed - [0:0]
|
8
|
+
:Bastards - [0:0]
|
9
|
+
:Dmz - [0:0]
|
10
|
+
:DropBastards - [0:0]
|
11
|
+
:DropDDOS - [0:0]
|
12
|
+
:DropInvalid - [0:0]
|
13
|
+
:DropJail - [0:0]
|
14
|
+
:DropScan - [0:0]
|
15
|
+
:Jail - [0:0]
|
16
|
+
:Private - [0:0]
|
17
|
+
:Public - [0:0]
|
18
|
+
:ValidCheck - [0:0]
|
19
|
+
:fail2ban-SSH - [0:0]
|
20
|
+
-A INPUT -i lo -j ACCEPT
|
21
|
+
-A INPUT -j Jail
|
22
|
+
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
23
|
+
-A INPUT -j ValidCheck
|
24
|
+
-A INPUT -j Dmz
|
25
|
+
-A INPUT -j Bastards
|
26
|
+
-A INPUT -j Public
|
27
|
+
-A INPUT -j AllowIP
|
28
|
+
-A INPUT ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Block:"
|
29
|
+
-A INPUT -j DROP
|
30
|
+
-A AllowIP -s 192.168.0.0/16 -m state --state NEW -j Allowed
|
31
|
+
-A AllowIP -s 172.16.0.0/12 -m state --state NEW -j Allowed
|
32
|
+
-A AllowIP -s 10.0.0.0/8 -m state --state NEW -j Allowed
|
33
|
+
-A AllowIP -s 129.101.159.128/26 -m state --state NEW -j Allowed
|
34
|
+
-A AllowIP -s 129.101.142.128/26 -m state --state NEW -j Allowed
|
35
|
+
-A AllowIP -s 129.101.170.53/32 -m state --state NEW -j Allowed
|
36
|
+
-A AllowIP -s 129.101.112.0/24 -m state --state NEW -j Allowed
|
37
|
+
-A AllowIP -j RETURN
|
38
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 0 -j ACCEPT
|
39
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 3 -j ACCEPT
|
40
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
|
41
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 11 -j ACCEPT
|
42
|
+
-A Allowed -j Private
|
43
|
+
-A Allowed ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Authorized:"
|
44
|
+
-A Allowed -j ACCEPT
|
45
|
+
-A Bastards -j RETURN
|
46
|
+
-A Dmz -i eth0 -j ACCEPT
|
47
|
+
-A Dmz -j RETURN
|
48
|
+
-A DropBastards ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bastards:"
|
49
|
+
-A DropBastards -j DROP
|
50
|
+
-A DropDDOS ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: DDOS detected:"
|
51
|
+
-A DropDDOS -j DROP
|
52
|
+
-A DropInvalid ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Invalid:"
|
53
|
+
-A DropInvalid -j DROP
|
54
|
+
-A DropJail ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Jail:"
|
55
|
+
-A DropJail -j DROP
|
56
|
+
-A DropScan ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Scan detected:"
|
57
|
+
-A DropScan -j DROP
|
58
|
+
-A Jail -p tcp -m tcp --dport 22 -j fail2ban-SSH
|
59
|
+
-A Jail -j RETURN
|
60
|
+
-A Private -p tcp -m state --state NEW -m tcp --dport 22 -j RETURN
|
61
|
+
-A Private ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Unauthorized:"
|
62
|
+
-A Private -j DROP
|
63
|
+
-A Public -j RETURN
|
64
|
+
-A ValidCheck -m state --state INVALID -j DropInvalid
|
65
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DropScan
|
66
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DropScan
|
67
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DropScan
|
68
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DropScan
|
69
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DropScan
|
70
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DropScan
|
71
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags ACK,URG URG -j DropScan
|
72
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DropScan
|
73
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j DropScan
|
74
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DropScan
|
75
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DropScan
|
76
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DropScan
|
77
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DropScan
|
78
|
+
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DropScan
|
79
|
+
-A ValidCheck -p tcp -m tcp --tcp-option 64 -j DropScan
|
80
|
+
-A ValidCheck -p tcp -m tcp --tcp-option 128 -j DropScan
|
81
|
+
-A ValidCheck -p tcp -m tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
|
82
|
+
-A ValidCheck -p udp -m udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
|
83
|
+
-A ValidCheck -j RETURN
|
84
|
+
-A fail2ban-SSH -j RETURN
|
85
|
+
COMMIT
|
86
|
+
# Completed on Sat Sep 29 14:34:04 2012
|
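Review bot: The AllowIP rules at lines 33-36 of this hunk (`-A AllowIP -s 129.101.159.128/26 ...`, `129.101.142.128/26`, `129.101.170.53/32`, `129.101.112.0/24`) are public, non-RFC1918 addresses captured from a live host — the header reads `Generated by iptables-save v1.4.7 on Sat Sep 29 14:34:04 2012` — so shipping this fixture in a public gem discloses which external networks are trusted to reach that host's SSH port (the Private chain on line 60 admits only tcp/22), which is useful reconnaissance against it. Replace them with RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`), which iptables accepts and which carry no operational meaning; the same `129.101.159.128/26` also appears as the example in the base.ipt template comment. The generate spec that consumes this file appears to pull only the fail2ban chain lines from it (the expected AllowIP output comes from ip.allow), so the substitution should not change any expectation. The diffstat lists this file as data/spec/files/iptables_save.out (+86) even though the header rendered above the hunk reads ip.deny.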
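--- a/data/spec/files_spec.rb
+++ b/data/spec/files_spec.rb
@@ -0,0 +1,76 @@
+require File.dirname(__FILE__) + '/spec_helper'
+require 'fileutils'
+
+describe "Shutter::Files" do
+it "should create the configuration directory if it does not exist" do
+Shutter::Files.create_config_dir('./tmp/configs')
+File.directory?('./tmp/configs').should == true
+FileUtils.rm_rf('./tmp/configs')
+end
+
+it "should not recursively create the configuration directory if the parent does not exist" do
+expect { Shutter::Files.create_config_dir('./tmp/configs/this') }.to raise_error
+end
+
+it "should include the templates for all files" do
+Shutter::Files::CONFIG_FILES.each do |name|
+Shutter::Files.constants.include?(:"#{name.upcase.gsub(/\./, "_")}").should == true
+end
+end
+
+it "should create the files in the configuration directory if they do not exist" do
+Shutter::Files.create_config_dir('./spec/tmp')
+Shutter::Files.create('./spec/tmp')
+Shutter::Files::CONFIG_FILES.each do |name|
+File.exists?("./spec/tmp/#{name}")
+File.read("./spec/tmp/#{name}").should == Shutter::Files.const_get(:"#{name.upcase.gsub(/\./, "_")}")
+end
+FileUtils.rm_rf('./spec/tmp')
+end
+
+it "should not touch the configs when they already exist" do
+Shutter::Files.create_config_dir('./spec/tmp')
+Shutter::Files::CONFIG_FILES.each do |name|
+FileUtils.copy("./spec/files/#{name}", "./spec/tmp/#{name}")
+end
+Shutter::Files.create('./spec/tmp')
+Shutter::Files::CONFIG_FILES.each do |name|
+File.exists?("./spec/tmp/#{name}")
+unless name == "base.ipt"
+File.read("./spec/tmp/#{name}").should_not == Shutter::Files.const_get(:"#{name.upcase.gsub(/\./, "_")}")
+end
+end
+FileUtils.rm_rf('./spec/tmp')
+end
+
+it "should overwrite the configs when overwrite is specified" do
+Shutter::Files.create_config_dir('./spec/tmp')
+Shutter::Files::CONFIG_FILES.each do |name|
+FileUtils.copy("./spec/files/#{name}", "./spec/tmp/#{name}")
+end
+Shutter::Files.create('./spec/tmp',true)
+Shutter::Files::CONFIG_FILES.each do |name|
+File.exists?("./spec/tmp/#{name}")
+File.read("./spec/tmp/#{name}").should == Shutter::Files.const_get(:"#{name.upcase.gsub(/\./, "_")}")
+end
+FileUtils.rm_rf('./spec/tmp')
+end
+
+it "should overwrite the configs when overwrite false but there are exceptions" do
+Shutter::Files.create_config_dir('./spec/tmp')
+Shutter::Files::CONFIG_FILES.each do |name|
+FileUtils.copy("./spec/files/#{name}", "./spec/tmp/#{name}")
+end
+except = ['iface.forward','base.ipt']
+Shutter::Files.create('./spec/tmp',false,except)
+Shutter::Files::CONFIG_FILES.each do |name|
+File.exists?("./spec/tmp/#{name}")
+unless except.include?(name)
+File.read("./spec/tmp/#{name}").should_not == Shutter::Files.const_get(:"#{name.upcase.gsub(/\./, "_")}")
+else
+File.read("./spec/tmp/#{name}").should == Shutter::Files.const_get(:"#{name.upcase.gsub(/\./, "_")}")
+end
+end
+FileUtils.rm_rf('./spec/tmp')
+end
+end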
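Review bot: `File.exists?("./spec/tmp/#{name}")` on lines 25, 38, 53 and 67 has no matcher attached, so the existence check is a no-op and a missing file only surfaces as an ENOENT from the `File.read` on the following line; make it an assertion, `File.exists?("./spec/tmp/#{name}").should == true`. The `FileUtils.rm_rf('./spec/tmp')` at the end of each example is skipped whenever an earlier expectation raises, leaving fixtures behind that make the next example (for instance "should not touch the configs when they already exist") pass or fail for the wrong reason; moving the cleanup into an `after(:each)` block keeps the examples independent. Both the fixture paths and the `rm_rf` targets are relative to the working directory, so running rspec from anywhere other than the project root either fails to find `./spec/files` or deletes a different `./spec/tmp`; building them from `File.dirname(__FILE__)` as the first line already does for spec_helper would remove that dependency.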
@@ -0,0 +1,157 @@
|
|
1
|
+
require File.dirname(__FILE__) + '/spec_helper'
|
2
|
+
require 'fileutils'
|
3
|
+
|
4
|
+
describe "Shutter::Firewall::IPTables" do
|
5
|
+
before(:each) do
|
6
|
+
@ipt = Shutter::Firewall::IPTables.new("./spec/files")
|
7
|
+
end
|
8
|
+
|
9
|
+
it "should have the default iptables-restore defined" do
|
10
|
+
@ipt.iptables_restore.should == "/sbin/iptables-restore"
|
11
|
+
end
|
12
|
+
|
13
|
+
it "should return the correct forward block" do
|
14
|
+
@ipt.forward_block.should == %q{-A FORWARD -i eth0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
|
15
|
+
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
|
16
|
+
-A FORWARD -i eth0 -o eth2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
|
17
|
+
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
|
18
|
+
}
|
19
|
+
end
|
20
|
+
|
21
|
+
it "should return the correct iface postrouting block" do
|
22
|
+
@ipt.postrouting_block.should == %q{-A POSTROUTING -o eth1 -j MASQUERADE
|
23
|
+
-A POSTROUTING -o eth2 -j MASQUERADE
|
24
|
+
}
|
25
|
+
end
|
26
|
+
|
27
|
+
it "should return the correct output for allow_private_port_block" do
|
28
|
+
@ipt.allow_private_port_block.should == %q{-A Private -m state --state NEW -p tcp -m tcp --dport 22 -j RETURN
|
29
|
+
}
|
30
|
+
end
|
31
|
+
|
32
|
+
it "should return the correct output for allow_public_port_block" do
|
33
|
+
@ipt.allow_public_port_block.should == %q{-A Public -m state --state NEW -p tcp -m tcp --dport 80 -j ACCEPT
|
34
|
+
-A Public -m state --state NEW -p tcp -m tcp --dport 443 -j ACCEPT
|
35
|
+
}
|
36
|
+
end
|
37
|
+
|
38
|
+
it "should return the correct output for allow_ip_block" do
|
39
|
+
@ipt.allow_ip_block.should == %q{-A AllowIP -m state --state NEW -s 192.168.0.0/16 -j Allowed
|
40
|
+
-A AllowIP -m state --state NEW -s 10.0.0.1 -j Allowed
|
41
|
+
}
|
42
|
+
end
|
43
|
+
|
44
|
+
it "should return the correct output for deny_ip_block" do
|
45
|
+
@ipt.deny_ip_block.should == %q{-A Bastards -s 172.31.0.0/24 -j DropBastards
|
46
|
+
-A Bastards -s 8.8.9.9 -j DropBastards
|
47
|
+
}
|
48
|
+
end
|
49
|
+
|
50
|
+
it "should return the correct output for dmz_device_block" do
|
51
|
+
@ipt.dmz_device_block.should == %q{-A Dmz -i eth0 -j ACCEPT
|
52
|
+
-A Dmz -i eth1 -j ACCEPT
|
53
|
+
}
|
54
|
+
end
|
55
|
+
|
56
|
+
it "should return the correct output for generate" do
|
57
|
+
iptables_save = File.read("./spec/files/iptables_save.out")
|
58
|
+
@ipt.stubs(:iptables_save).returns(iptables_save)
|
59
|
+
@ipt.generate.should == %q{*filter
|
60
|
+
:INPUT DROP [0:0]
|
61
|
+
:FORWARD DROP [0:0]
|
62
|
+
:OUTPUT ACCEPT [0:0]
|
63
|
+
:Dmz - [0:0]
|
64
|
+
:ValidCheck - [0:0]
|
65
|
+
:Jail - [0:0]
|
66
|
+
:Bastards - [0:0]
|
67
|
+
:Public - [0:0]
|
68
|
+
:AllowIP - [0:0]
|
69
|
+
:Allowed - [0:0]
|
70
|
+
:Private - [0:0]
|
71
|
+
:DropJail - [0:0]
|
72
|
+
:DropBastards - [0:0]
|
73
|
+
:DropInvalid - [0:0]
|
74
|
+
:DropScan - [0:0]
|
75
|
+
:DropDDOS - [0:0]
|
76
|
+
:fail2ban-SSH - [0:0]
|
77
|
+
-A INPUT -i lo -j ACCEPT
|
78
|
+
-A INPUT -j Jail
|
79
|
+
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
80
|
+
-A INPUT -j ValidCheck
|
81
|
+
-A INPUT -j Dmz
|
82
|
+
-A INPUT -j Bastards
|
83
|
+
-A INPUT -j Public
|
84
|
+
-A INPUT -j AllowIP
|
85
|
+
-A INPUT ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Block:"
|
86
|
+
-A INPUT -j DROP
|
87
|
+
-A Jail -p tcp -m tcp --dport 22 -j fail2ban-SSH
|
88
|
+
-A Jail -j RETURN
|
89
|
+
-A ValidCheck -m state --state INVALID -j DropInvalid
|
90
|
+
-A ValidCheck -p tcp --tcp-flags ALL FIN,URG,PSH -j DropScan
|
91
|
+
-A ValidCheck -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DropScan
|
92
|
+
-A ValidCheck -p tcp --tcp-flags ALL ALL -j DropScan
|
93
|
+
-A ValidCheck -p tcp --tcp-flags ALL FIN -j DropScan
|
94
|
+
-A ValidCheck -p tcp --tcp-flags ACK,FIN FIN -j DropScan
|
95
|
+
-A ValidCheck -p tcp --tcp-flags ACK,PSH PSH -j DropScan
|
96
|
+
-A ValidCheck -p tcp --tcp-flags ACK,URG URG -j DropScan
|
97
|
+
-A ValidCheck -p tcp --tcp-flags FIN,RST FIN,RST -j DropScan
|
98
|
+
-A ValidCheck -p tcp --tcp-flags ALL SYN,FIN -j DropScan
|
99
|
+
-A ValidCheck -p tcp --tcp-flags ALL URG,PSH,FIN -j DropScan
|
100
|
+
-A ValidCheck -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DropScan
|
101
|
+
-A ValidCheck -p tcp --tcp-flags SYN,RST SYN,RST -j DropScan
|
102
|
+
-A ValidCheck -p tcp --tcp-flags SYN,FIN SYN,FIN -j DropScan
|
103
|
+
-A ValidCheck -p tcp --tcp-flags ALL NONE -j DropScan
|
104
|
+
-A ValidCheck -p tcp --tcp-option 64 -j DropScan
|
105
|
+
-A ValidCheck -p tcp --tcp-option 128 -j DropScan
|
106
|
+
-A ValidCheck -p tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
|
107
|
+
-A ValidCheck -p udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
|
108
|
+
-A ValidCheck -j RETURN
|
109
|
+
-A Dmz -i eth0 -j ACCEPT
|
110
|
+
-A Dmz -i eth1 -j ACCEPT
|
111
|
+
-A Dmz -j RETURN
|
112
|
+
-A Bastards -s 172.31.0.0/24 -j DropBastards
|
113
|
+
-A Bastards -s 8.8.9.9 -j DropBastards
|
114
|
+
-A Bastards -j RETURN
|
115
|
+
-A Public -m state --state NEW -p tcp -m tcp --dport 80 -j ACCEPT
|
116
|
+
-A Public -m state --state NEW -p tcp -m tcp --dport 443 -j ACCEPT
|
117
|
+
-A Public -j RETURN
|
118
|
+
-A AllowIP -m state --state NEW -s 192.168.0.0/16 -j Allowed
|
119
|
+
-A AllowIP -m state --state NEW -s 10.0.0.1 -j Allowed
|
120
|
+
-A AllowIP -j RETURN
|
121
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 0 -j ACCEPT
|
122
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 3 -j ACCEPT
|
123
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
|
124
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 11 -j ACCEPT
|
125
|
+
-A Allowed -j Private
|
126
|
+
-A Allowed ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Authorized:"
|
127
|
+
-A Allowed -j ACCEPT
|
128
|
+
-A Private -m state --state NEW -p tcp -m tcp --dport 22 -j RETURN
|
129
|
+
-A Private ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Unauthorized:"
|
130
|
+
-A Private -j DROP
|
131
|
+
-A DropJail ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Jail:"
|
132
|
+
-A DropJail -j DROP
|
133
|
+
-A DropBastards ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bastards:"
|
134
|
+
-A DropBastards -j DROP
|
135
|
+
-A DropInvalid ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Invalid:"
|
136
|
+
-A DropInvalid -j DROP
|
137
|
+
-A DropScan ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Scan detected:"
|
138
|
+
-A DropScan -j DROP
|
139
|
+
-A DropDDOS ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: DDOS detected:"
|
140
|
+
-A DropDDOS -j DROP
|
141
|
+
-A FORWARD -i eth0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
|
142
|
+
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
|
143
|
+
-A FORWARD -i eth0 -o eth2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
|
144
|
+
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
|
145
|
+
-A FORWARD ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bad NAT:"
|
146
|
+
-A FORWARD -j DROP
|
147
|
+
-A fail2ban-SSH -j RETURN
|
148
|
+
COMMIT
|
149
|
+
*nat
|
150
|
+
:PREROUTING ACCEPT [0:0]
|
151
|
+
:POSTROUTING ACCEPT [0:0]
|
152
|
+
:OUTPUT ACCEPT [0:0]
|
153
|
+
-A POSTROUTING -o eth1 -j MASQUERADE
|
154
|
+
-A POSTROUTING -o eth2 -j MASQUERADE
|
155
|
+
COMMIT}
|
156
|
+
end
|
157
|
+
end
|
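Review bot: The generate example (lines 56-156) stubs `iptables_save` with a fixture whose fail2ban-SSH chain contains only `-A fail2ban-SSH -j RETURN`, so it never verifies that active ban rules — the `-A fail2ban-SSH -s <ip> -j DROP` entries fail2ban inserts ahead of the RETURN — survive a regenerate, which is the one failure mode that would silently unban every attacker on reload. Add a case (or a second fixture) containing a ban line such as `-A fail2ban-SSH -s 203.0.113.7 -j DROP` before the RETURN and assert it appears in the output in the same order. `@ipt.iptables_restore.should == "/sbin/iptables-restore"` (line 10) pins an absolute path; that is reasonable for a root-run firewall tool, but it should stay an absolute path in the implementation too, since resolving the binary via PATH from a privileged process is how a user-writable directory becomes a root code-execution path. The describe block is complete within this hunk.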