shutter 0.1.0 → 0.2.0
- data/.travis.yml +5 -0
- data/README.md +10 -1
- data/lib/shutter/command_line.rb +16 -3
- data/lib/shutter/content.rb +1 -19
- data/lib/shutter/iptables.rb +21 -0
- data/lib/shutter/version.rb +1 -1
- data/shutter.gemspec +1 -0
- data/spec/command_line_spec.rb +26 -12
- data/spec/content_spec.rb +1 -1
- data/spec/files/iptables_save.out +1 -19
- data/spec/files/iptables_save_bare.out +60 -0
- data/spec/files/iptables_save_extrarules.out +68 -0
- data/spec/files_spec.rb +15 -5
- data/spec/iptables_spec.rb +12 -0
- data/spec/spec_helper.rb +1 -1
- metadata +91 -66
data/.travis.yml
ADDED
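--- a/data/README.md
+++ b/data/README.md
@@ -1,5 +1,7 @@
 # Shutter
 
+[](http://travis-ci.org/rlyon/shutter)
+
 Shutter is a tool that gives system administrators the ability to manage
 iptables firewall settings through simple lists instead of complex iptables commands, making it
 easier to define host and service firewall setting with configuration management tools. Please note:
@@ -52,7 +54,7 @@ access 'on-the-fly'. To work correctly, you configure fail2ban to use the Jail
 INPUT. The dynamic rules that fail2ban has created in the jail chain remain persistant when
 shutter is 'restored' or reloaded.
 
-#### To
+#### To show your firewall rules you can run:
 
 $ shutter --save
 
@@ -67,6 +69,13 @@ This command uses 'iptables-restore' under the hood to update the firewall. You
 to make the changes permanent and survive reboots. Persist can optionally take an argument which defines the location of the
 persist file if it is in a non-standard location.
 
+
+#### To check your current firewall rules generated by 'iptables-save' against the ones shutter will generate, use:
+
+$ shutter --check
+
+The command will generate 'OK' if the rules and chains match and 'MISMATCH' if there is any variance.
+
 #### Command line options
 Usage: shutter [options]
 --init Create the initial configuration files.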
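--- a/data/lib/shutter/command_line.rb
+++ b/data/lib/shutter/command_line.rb
@@ -6,13 +6,16 @@ module Shutter
 DISPLAY_OPTS_REINIT = %q{Rereate the initial configuration files.}
 DISPLAY_OPTS_UPGRADE = %q{Upgrade the configuration files that have changes with a new version.}
 DISPLAY_OPTS_DIR = %q{Set the directory for configuration files. Default is /etc/shutter.d.}
-DISPLAY_OPTS_SAVE = %q{Output the firewall to stdout. This is the default behavior.}
-DISPLAY_OPTS_RESTORE = %q{Restore the firewall through iptables-restore.}
-DISPLAY_OPTS_PERSIST = %q{Write the firewall to the persistance file. If an argument is given, it will be used as the persistance file}
+DISPLAY_OPTS_SAVE = %q{Output the firewall rules to stdout. This is the default behavior.}
+DISPLAY_OPTS_RESTORE = %q{Restore the firewall rules through iptables-restore.}
+DISPLAY_OPTS_PERSIST = %q{Write the firewall to the persistance file. If an argument is given, it will be used as the persistance file.}
+DISPLAY_OPTS_CHECK = %q{Check to see if the generated rules match the current firewall rules.}
 DISPLAY_OPTS_DEBUG = %q{Turn on debugging for extra output.}
 DISPLAY_OPTS_HELP = %q{Display help and exit.}
 DISPLAY_OPTS_VERSION = %q{Display version and exit.}
 
+attr_reader :os
+
 def initialize( path = "/etc/shutter.d")
 @config_path = path
 @os = Shutter::OS.new
@@ -71,6 +74,10 @@ module Shutter
 @persist = true
 @persist_file = file || persist_file
 end
+# Check the generated rules against the current rules
+opts.on( '-c', "--check", DISPLAY_OPTS_PERSIST) do |file|
+@command = :check
+end
 # Sets the directory for configuration files
 opts.on( '-d', '--dir DIR', DISPLAY_OPTS_DIR) do |dir|
 @config_path = dir
@@ -111,6 +118,12 @@ module Shutter
 firewall.restore
 puts "Writing to #{persist_file}" if persist
 firewall.persist(persist_file) if persist
+when :check
+if firewall.check
+puts "OK"
+else
+puts "MISMATCH"
+end
 end
 end
 end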
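Review bot: The new `--check` option in the second hunk is registered with `DISPLAY_OPTS_PERSIST` as its help text, so `shutter --help` describes `-c` as writing the persistance file although `DISPLAY_OPTS_CHECK` was added in the first hunk for it; the block parameter `file` is also unused since the option takes no argument. Change the line to `opts.on( '-c', "--check", DISPLAY_OPTS_CHECK) do` and drop `|file|`. In the third hunk the `:check` branch only prints `OK` or `MISMATCH`; a configuration-management run or cron job cannot act on that without parsing stdout, so a non-zero exit status (or a return value the caller can test) on mismatch would make the check usable as a compliance gate — the specs call `execute(..., true)`, so any `exit` would have to respect whatever that second argument already suppresses. The option-parsing method and the `case` on `@command` both start outside these hunks.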
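--- a/data/lib/shutter/content.rb
+++ b/data/lib/shutter/content.rb
@@ -48,27 +48,9 @@ BASE_IPT = %q{# Generated by Shutter
 # [RULES:JAIL]
 
 ##################################################################
-# Validity
+# Validity checking
 ##################################################################
 -A ValidCheck -m state --state INVALID -j DropInvalid
--A ValidCheck -p tcp --tcp-flags ALL FIN,URG,PSH -j DropScan
--A ValidCheck -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DropScan
--A ValidCheck -p tcp --tcp-flags ALL ALL -j DropScan
--A ValidCheck -p tcp --tcp-flags ALL FIN -j DropScan
--A ValidCheck -p tcp --tcp-flags ACK,FIN FIN -j DropScan
--A ValidCheck -p tcp --tcp-flags ACK,PSH PSH -j DropScan
--A ValidCheck -p tcp --tcp-flags ACK,URG URG -j DropScan
--A ValidCheck -p tcp --tcp-flags FIN,RST FIN,RST -j DropScan
--A ValidCheck -p tcp --tcp-flags ALL SYN,FIN -j DropScan
--A ValidCheck -p tcp --tcp-flags ALL URG,PSH,FIN -j DropScan
--A ValidCheck -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DropScan
--A ValidCheck -p tcp --tcp-flags SYN,RST SYN,RST -j DropScan
--A ValidCheck -p tcp --tcp-flags SYN,FIN SYN,FIN -j DropScan
--A ValidCheck -p tcp --tcp-flags ALL NONE -j DropScan
--A ValidCheck -p tcp --tcp-option 64 -j DropScan
--A ValidCheck -p tcp --tcp-option 128 -j DropScan
--A ValidCheck -p tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
--A ValidCheck -p udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
 -A ValidCheck -j RETURN
 
 ##################################################################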
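Review bot: Removing the eighteen `--tcp-flags`, `--tcp-option` and `DropDDOS` rules from `BASE_IPT` loosens the default ruleset installed by `shutter --restore` on every upgraded host, and nothing in the README hunk or the version bump says so; `ValidCheck` is left diverting only `--state INVALID` traffic. The `DropScan` and `DropDDOS` chains are still emitted (the new bare fixture expects `:DropScan - [0:0]` and `-A DropScan -j DROP`), so they are now defined but unreachable — either remove them or keep a comment explaining why they stay. Presumably the rules were dropped because iptables-save rewrites them with `-m tcp` and expanded flag masks (compare the old iptables_save.out fixture), so a text-level `--check` could never match them; if so, a template comment such as `# NOTE: scan/DDOS rules removed in 0.2.0; iptables-save normalises them differently from this template` plus a changelog entry would record the trade-off. `BASE_IPT` begins before this hunk.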
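--- a/data/lib/shutter/iptables.rb
+++ b/data/lib/shutter/iptables.rb
@@ -96,6 +96,16 @@ module Shutter
 "#{@os.iptables_restore}"
 end
 
+###
+### Check to see if base and iptables-save content match
+###
+def check
+gen_rules = filter_and_sort(generate)
+ips_rules = filter_and_sort(iptables_save)
+extra_rules = ips_rules - gen_rules
+extra_rules.empty?
+end
+
 ###
 ### Block Generation
 ###
@@ -213,6 +223,17 @@ module Shutter
 "-A Dmz -i #{iface} -j ACCEPT\n"
 end
 
+private
+###
+### Filter and sort iptables-save for checking
+###
+def filter_and_sort(content)
+filtered = content.scan(/^[:-].*$/).sort
+# Make sure that we remove (gsub) the counts on the chains and remove any
+# trailing whitespace and newlines
+filtered.map {|x| x.gsub(/\ \[.*\]/,"").strip}
+end
+
 end
 end
 end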
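Review bot: `check` in the first hunk is a one-way comparison: `ips_rules - gen_rules` only finds rules in the live firewall that the generator would not produce, so a host that has lost one of the generated rules still reports `OK`, which for a firewall is the more dangerous direction. Compare both ways — `missing_rules = gen_rules - ips_rules` and return `extra_rules.empty? && missing_rules.empty?` — and consider exposing the two lists so the `MISMATCH` case can be explained. Array difference also collapses duplicates, so a rule repeated on one side but not the other goes unnoticed; `uniq` on both sides or a `tally` comparison would make that explicit. In the second hunk `gsub(/\ \[.*\]/,"")` is greedy and unanchored, so on a rule line carrying a bracket inside a `--log-prefix` or `--comment` it would strip from the first ` [` to the last `]`; anchoring to the trailing counter, `/ \[\d+:\d+\]\z/`, limits it to the chain counters it is meant to remove. Both methods are complete within their hunks; the enclosing class starts before them.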
data/lib/shutter/version.rb
CHANGED
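--- a/data/shutter.gemspec
+++ b/data/shutter.gemspec
@@ -19,6 +19,7 @@ Gem::Specification.new do |gem|
 gem.name = "shutter"
 gem.require_paths = ["lib"]
 gem.version = Shutter::VERSION
+gem.add_development_dependency "rake"
 gem.add_development_dependency('rspec')
 gem.add_development_dependency('mocha')
 gem.add_development_dependency('simplecov')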
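Review bot: `gem.add_development_dependency "rake"` uses a bare double-quoted call while the three lines under it use `('…')`; `gem.add_development_dependency('rake')` keeps the block uniform. Like the existing development dependencies it carries no version constraint, so CI resolves whichever rake is newest on the day; a pessimistic constraint (`~>`) would make the build reproducible.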
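--- a/data/spec/command_line_spec.rb
+++ b/data/spec/command_line_spec.rb
@@ -2,9 +2,16 @@ require File.dirname(__FILE__) + '/spec_helper'
 
 describe "Shutter::CommandLine" do
 before(:each) do
+FileUtils.mkdir("./tmp")
+Shutter::Files.create("./tmp")
 @cmd = Shutter::CommandLine.new("./tmp")
 end
 
+after(:each) do
+FileUtils.rm Dir.glob('./tmp/*')
+FileUtils.rmdir("./tmp")
+end
+
 it "should not raise exception when firewall is called" do
 expect { @cmd.firewall }.to_not raise_error
 end
@@ -36,6 +43,13 @@ describe "Shutter::CommandLine" do
 @cmd.persist.should == true
 end
 
+it "should set the command to :check" do
+@cmd.execute(["--check"],true)
+@cmd.command.should == :check
+@cmd.execute(["-c"],true)
+@cmd.command.should == :check
+end
+
 it "should set the command to :init" do
 @cmd.execute(["--init"],true)
 @cmd.command.should == :init
@@ -52,31 +66,31 @@ describe "Shutter::CommandLine" do
 end
 
 it "should set the config path and persist" do
-
-@cmd.execute(["--dir", "
+@cmd.os.stubs(:version).returns("Unknown")
+@cmd.execute(["--dir", "./tmp", "--restore", "--persist"],true)
 @cmd.command.should == :restore
 @cmd.persist.should == true
 @cmd.persist_file.should == "/tmp/iptables.rules"
-@cmd.config_path.should == "
-@cmd.execute(["-d", "
+@cmd.config_path.should == "./tmp"
+@cmd.execute(["-d", "./tmp", "--restore", "--persist"],true)
 @cmd.command.should == :restore
 @cmd.persist.should == true
 @cmd.persist_file.should == "/tmp/iptables.rules"
-@cmd.config_path.should == "
+@cmd.config_path.should == "./tmp"
 end
 
 it "should set the config path and persist with file" do
-
-@cmd.execute(["--dir", "
+@cmd.os.stubs(:version).returns("Unknown")
+@cmd.execute(["--dir", "./tmp", "--restore", "--persist", "./tmp/persistance.file"],true)
 @cmd.command.should == :restore
 @cmd.persist.should == true
-@cmd.persist_file.should == "
-@cmd.config_path.should == "
-@cmd.execute(["-d", "
+@cmd.persist_file.should == "./tmp/persistance.file"
+@cmd.config_path.should == "./tmp"
+@cmd.execute(["-d", "./tmp", "--restore", "--persist", "./tmp/persistance.file"],true)
 @cmd.command.should == :restore
 @cmd.persist.should == true
-@cmd.persist_file.should == "
-@cmd.config_path.should == "
+@cmd.persist_file.should == "./tmp/persistance.file"
+@cmd.config_path.should == "./tmp"
 end
 
 end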
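Review bot: `FileUtils.mkdir("./tmp")` in the first hunk's `before(:each)` raises `Errno::EEXIST` whenever `./tmp` survives an earlier aborted run, and the teardown `FileUtils.rm Dir.glob('./tmp/*')` raises on any subdirectory (`FileUtils.rm` unlinks files only), so a single failure cascades into every later example. `FileUtils.mkdir_p("./tmp")` and `FileUtils.rm_rf("./tmp")` make both hooks idempotent. The same three lines appear in the first hunk of spec/files_spec.rb, where the example that creates `./tmp/configs` guarantees the directory case is hit. Whether `Shutter::Files.create("./tmp")` nests directories is not visible here, and `FileUtils` is used without a visible `require 'fileutils'` (files_spec.rb has one), presumably via spec_helper — worth confirming.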
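--- a/data/spec/content_spec.rb
+++ b/data/spec/content_spec.rb
@@ -3,7 +3,7 @@ require File.dirname(__FILE__) + '/spec_helper'
 describe "Shutter" do
 it "should have templates for all files" do
 Shutter::Content::CONFIG_FILES.each do |name|
-Shutter::Content.
+Shutter::Content.const_defined?(:"#{name.upcase.gsub(/\./, "_")}").should == true
 end
 end
 end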
@@ -61,25 +61,7 @@
|
|
61
61
|
-A Private ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Unauthorized:"
|
62
62
|
-A Private -j DROP
|
63
63
|
-A Public -j RETURN
|
64
|
-
-A ValidCheck -m state --state INVALID -j DropInvalid
|
65
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DropScan
|
66
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DropScan
|
67
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DropScan
|
68
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DropScan
|
69
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DropScan
|
70
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DropScan
|
71
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags ACK,URG URG -j DropScan
|
72
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DropScan
|
73
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j DropScan
|
74
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DropScan
|
75
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DropScan
|
76
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DropScan
|
77
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DropScan
|
78
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DropScan
|
79
|
-
-A ValidCheck -p tcp -m tcp --tcp-option 64 -j DropScan
|
80
|
-
-A ValidCheck -p tcp -m tcp --tcp-option 128 -j DropScan
|
81
|
-
-A ValidCheck -p tcp -m tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
|
82
|
-
-A ValidCheck -p udp -m udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
|
64
|
+
-A ValidCheck -m state --state INVALID -j DropInvalid
|
83
65
|
-A ValidCheck -j RETURN
|
84
66
|
-A fail2ban-SSH -j RETURN
|
85
67
|
COMMIT
|
@@ -0,0 +1,60 @@
|
|
1
|
+
# Generated by iptables-save v1.4.7 on Sat Sep 29 14:34:04 2012
|
2
|
+
*filter
|
3
|
+
:INPUT DROP [0:0]
|
4
|
+
:FORWARD DROP [0:0]
|
5
|
+
:OUTPUT ACCEPT [3763472:853134022]
|
6
|
+
:AllowIP - [0:0]
|
7
|
+
:Allowed - [0:0]
|
8
|
+
:Bastards - [0:0]
|
9
|
+
:Dmz - [0:0]
|
10
|
+
:DropBastards - [0:0]
|
11
|
+
:DropDDOS - [0:0]
|
12
|
+
:DropInvalid - [0:0]
|
13
|
+
:DropJail - [0:0]
|
14
|
+
:DropScan - [0:0]
|
15
|
+
:Jail - [0:0]
|
16
|
+
:Private - [0:0]
|
17
|
+
:Public - [0:0]
|
18
|
+
:ValidCheck - [0:0]
|
19
|
+
:fail2ban-SSH - [0:0]
|
20
|
+
-A INPUT -i lo -j ACCEPT
|
21
|
+
-A INPUT -j Jail
|
22
|
+
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
23
|
+
-A INPUT -j ValidCheck
|
24
|
+
-A INPUT -j Dmz
|
25
|
+
-A INPUT -j Bastards
|
26
|
+
-A INPUT -j Public
|
27
|
+
-A INPUT -j AllowIP
|
28
|
+
-A INPUT ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Block:"
|
29
|
+
-A INPUT -j DROP
|
30
|
+
-A AllowIP -j RETURN
|
31
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 0 -j ACCEPT
|
32
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 3 -j ACCEPT
|
33
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
|
34
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 11 -j ACCEPT
|
35
|
+
-A Allowed -j Private
|
36
|
+
-A Allowed ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Authorized:"
|
37
|
+
-A Allowed -j ACCEPT
|
38
|
+
-A Bastards -j RETURN
|
39
|
+
-A Dmz -i eth0 -j ACCEPT
|
40
|
+
-A Dmz -j RETURN
|
41
|
+
-A DropBastards ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bastards:"
|
42
|
+
-A DropBastards -j DROP
|
43
|
+
-A DropDDOS ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: DDOS detected:"
|
44
|
+
-A DropDDOS -j DROP
|
45
|
+
-A DropInvalid ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Invalid:"
|
46
|
+
-A DropInvalid -j DROP
|
47
|
+
-A DropJail ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Jail:"
|
48
|
+
-A DropJail -j DROP
|
49
|
+
-A DropScan ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Scan detected:"
|
50
|
+
-A DropScan -j DROP
|
51
|
+
-A Jail -p tcp -m tcp --dport 22 -j fail2ban-SSH
|
52
|
+
-A Jail -j RETURN
|
53
|
+
-A Private ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Unauthorized:"
|
54
|
+
-A Private -j DROP
|
55
|
+
-A Public -j RETURN
|
56
|
+
-A ValidCheck -m state --state INVALID -j DropInvalid
|
57
|
+
-A ValidCheck -j RETURN
|
58
|
+
-A fail2ban-SSH -j RETURN
|
59
|
+
COMMIT
|
60
|
+
# Completed on Sat Sep 29 14:34:04 2012
|
@@ -0,0 +1,68 @@
|
|
1
|
+
# Generated by iptables-save v1.4.7 on Sat Sep 29 14:34:04 2012
|
2
|
+
*filter
|
3
|
+
:INPUT DROP [0:0]
|
4
|
+
:FORWARD DROP [0:0]
|
5
|
+
:OUTPUT ACCEPT [3763472:853134022]
|
6
|
+
:AllowIP - [0:0]
|
7
|
+
:Allowed - [0:0]
|
8
|
+
:Bastards - [0:0]
|
9
|
+
:Dmz - [0:0]
|
10
|
+
:DropBastards - [0:0]
|
11
|
+
:DropDDOS - [0:0]
|
12
|
+
:DropInvalid - [0:0]
|
13
|
+
:DropJail - [0:0]
|
14
|
+
:DropScan - [0:0]
|
15
|
+
:Jail - [0:0]
|
16
|
+
:Private - [0:0]
|
17
|
+
:Public - [0:0]
|
18
|
+
:ValidCheck - [0:0]
|
19
|
+
:fail2ban-SSH - [0:0]
|
20
|
+
-A INPUT -i lo -j ACCEPT
|
21
|
+
-A INPUT -j Jail
|
22
|
+
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
23
|
+
-A INPUT -j ValidCheck
|
24
|
+
-A INPUT -j Dmz
|
25
|
+
-A INPUT -j Bastards
|
26
|
+
-A INPUT -j Public
|
27
|
+
-A INPUT -j AllowIP
|
28
|
+
-A INPUT ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Block:"
|
29
|
+
-A INPUT -j DROP
|
30
|
+
-A AllowIP -s 192.168.0.0/16 -m state --state NEW -j Allowed
|
31
|
+
-A AllowIP -s 172.16.0.0/12 -m state --state NEW -j Allowed
|
32
|
+
-A AllowIP -s 10.0.0.0/8 -m state --state NEW -j Allowed
|
33
|
+
-A AllowIP -s 129.101.159.128/26 -m state --state NEW -j Allowed
|
34
|
+
-A AllowIP -s 129.101.142.128/26 -m state --state NEW -j Allowed
|
35
|
+
-A AllowIP -s 129.101.170.53/32 -m state --state NEW -j Allowed
|
36
|
+
-A AllowIP -s 129.101.112.0/24 -m state --state NEW -j Allowed
|
37
|
+
-A AllowIP -j RETURN
|
38
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 0 -j ACCEPT
|
39
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 3 -j ACCEPT
|
40
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
|
41
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 11 -j ACCEPT
|
42
|
+
-A Allowed -j Private
|
43
|
+
-A Allowed ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Authorized:"
|
44
|
+
-A Allowed -j ACCEPT
|
45
|
+
-A Bastards -j RETURN
|
46
|
+
-A Dmz -i eth0 -j ACCEPT
|
47
|
+
-A Dmz -j RETURN
|
48
|
+
-A DropBastards ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bastards:"
|
49
|
+
-A DropBastards -j DROP
|
50
|
+
-A DropDDOS ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: DDOS detected:"
|
51
|
+
-A DropDDOS -j DROP
|
52
|
+
-A DropInvalid ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Invalid:"
|
53
|
+
-A DropInvalid -j DROP
|
54
|
+
-A DropJail ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Jail:"
|
55
|
+
-A DropJail -j DROP
|
56
|
+
-A DropScan ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Scan detected:"
|
57
|
+
-A DropScan -j DROP
|
58
|
+
-A Jail -p tcp -m tcp --dport 22 -j fail2ban-SSH
|
59
|
+
-A Jail -j RETURN
|
60
|
+
-A Private -p tcp -m state --state NEW -m tcp --dport 22 -j RETURN
|
61
|
+
-A Private ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Unauthorized:"
|
62
|
+
-A Private -j DROP
|
63
|
+
-A Public -j RETURN
|
64
|
+
-A ValidCheck -m state --state INVALID -j DropInvalid
|
65
|
+
-A ValidCheck -j RETURN
|
66
|
+
-A fail2ban-SSH -j RETURN
|
67
|
+
COMMIT
|
68
|
+
# Completed on Sat Sep 29 14:34:04 2012
|
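Review bot: The `AllowIP` rules in this new fixture carry specific public source networks (`129.101.159.128/26`, `129.101.142.128/26`, `129.101.170.53/32`, `129.101.112.0/24`) alongside the RFC 1918 ranges, which reads as a copy of a real deployment's trust list rather than data invented for the test. The fixture ships inside the published gem, and the mismatch path it exercises does not depend on the addresses, so the RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) would do the same job without disclosing which networks a production host trusts. This page shows no file header for the hunk; it is attributed to spec/files/iptables_save_extrarules.out from the file list at the top.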
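--- a/data/spec/files_spec.rb
+++ b/data/spec/files_spec.rb
@@ -2,6 +2,16 @@ require File.dirname(__FILE__) + '/spec_helper'
 require 'fileutils'
 
 describe "Shutter::Files" do
+before(:each) do
+FileUtils.mkdir("./tmp")
+@cmd = Shutter::CommandLine.new("./tmp")
+end
+
+after(:each) do
+FileUtils.rm Dir.glob('./tmp/*')
+FileUtils.rmdir("./tmp")
+end
+
 it "should create the configuration directory if it does not exist" do
 Shutter::Files.create_config_dir('./tmp/configs')
 File.directory?('./tmp/configs').should == true
@@ -12,11 +22,11 @@ describe "Shutter::Files" do
 expect { Shutter::Files.create_config_dir('./tmp/configs/this') }.to raise_error
 end
 
-it "should include the templates for all files" do
-
-
-
-end
+# it "should include the templates for all files" do
+# Shutter::Files::CONFIG_FILES.each do |name|
+# Shutter::Files.const_defined?(:"#{name.upcase.gsub(/\./, "_")}").should == true
+# end
+# end
 
 it "should create the files in the configuration directory if they do not exist" do
 Shutter::Files.create_config_dir('./spec/tmp')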
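Review bot: The second hunk replaces the empty example with a commented-out one rather than deleting it or marking it pending; `xit` keeps it visible in the run report, whereas a `#` block silently rots — and its body still references `Shutter::Files::CONFIG_FILES` while content_spec.rb checks `Shutter::Content::CONFIG_FILES`, so presumably the constant has moved and the example should simply go. In the first hunk `before(:each)` creates `./tmp` and `after(:each)` removes it, but the example at the end of the second hunk writes to `./spec/tmp`, which nothing here cleans up; `FileUtils.rm_rf('./spec/tmp')` in `after(:each)`, or pointing that example at `./tmp`, keeps the run hermetic. `@cmd` assigned in `before(:each)` is not read by any example visible in these hunks.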
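--- a/data/spec/iptables_spec.rb
+++ b/data/spec/iptables_spec.rb
@@ -53,6 +53,18 @@ describe "Shutter::Firewall::IPTables" do
 }
 end
 
+it "should return true if generated rules and iptables-save rules match" do
+iptables_save = File.read("./spec/files/iptables_save_bare.out")
+@ipt.stubs(:iptables_save).returns(iptables_save)
+@ipt.check.should == true
+end
+
+it "should return false if generated rules and iptables-save rules don't match" do
+iptables_save = File.read("./spec/files/iptables_save_extrarules.out")
+@ipt.stubs(:iptables_save).returns(iptables_save)
+@ipt.check.should == false
+end
+
 it "should return the correct output for generate" do
 iptables_save = File.read("./spec/files/iptables_save.out")
 @ipt.stubs(:iptables_save).returns(iptables_save)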
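Review bot: The two new examples only exercise a live ruleset that carries extra rules; there is no example where the live firewall lacks a rule the generator emits, which is exactly the case a one-way `ips_rules - gen_rules` difference in lib/shutter/iptables.rb reports as `true`, and the case an operator most needs `--check` to catch. Add a third example that deletes one line from the bare fixture and expects `false`; it fails against the current `check` until the comparison is made symmetric, which is the point. Like the existing example below, the fixtures are read relative to the working directory, so the suite only passes from the project root.
```ruby
it "should return false if a generated rule is missing from iptables-save" do
  iptables_save = File.read("./spec/files/iptables_save_bare.out")
  iptables_save = iptables_save.sub("-A Dmz -i eth0 -j ACCEPT\n", "")
  @ipt.stubs(:iptables_save).returns(iptables_save)
  @ipt.check.should == false
end
```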
data/spec/spec_helper.rb
CHANGED
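--- a/metadata
+++ b/metadata
@@ -1,78 +1,90 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification
 name: shutter
-version: !ruby/object:Gem::Version
-
+version: !ruby/object:Gem::Version
+hash: 23
 prerelease:
+segments:
+- 0
+- 2
+- 0
+version: 0.2.0
 platform: ruby
-authors:
+authors:
 - Rob Lyon
 autorequire:
 bindir: bin
 cert_chain: []
-
-
-
-
-
+
+date: 2013-02-03 00:00:00 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+prerelease: false
+name: rake
+version_requirements: &id001 !ruby/object:Gem::Requirement
 none: false
-requirements:
-- -
-- !ruby/object:Gem::Version
-
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+hash: 3
+segments:
+- 0
+version: "0"
 type: :development
+requirement: *id001
+- !ruby/object:Gem::Dependency
 prerelease: false
-
+name: rspec
+version_requirements: &id002 !ruby/object:Gem::Requirement
 none: false
-requirements:
-- -
-- !ruby/object:Gem::Version
-
-
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+hash: 3
+segments:
+- 0
+version: "0"
+type: :development
+requirement: *id002
+- !ruby/object:Gem::Dependency
+prerelease: false
 name: mocha
-
+version_requirements: &id003 !ruby/object:Gem::Requirement
 none: false
-requirements:
-- -
-- !ruby/object:Gem::Version
-
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+hash: 3
+segments:
+- 0
+version: "0"
 type: :development
+requirement: *id003
+- !ruby/object:Gem::Dependency
 prerelease: false
-version_requirements: !ruby/object:Gem::Requirement
-none: false
-requirements:
-- - ! '>='
-- !ruby/object:Gem::Version
-version: '0'
-- !ruby/object:Gem::Dependency
 name: simplecov
-
+version_requirements: &id004 !ruby/object:Gem::Requirement
 none: false
-requirements:
-- -
-- !ruby/object:Gem::Version
-
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+hash: 3
+segments:
+- 0
+version: "0"
 type: :development
-
-
-
-requirements:
-- - ! '>='
-- !ruby/object:Gem::Version
-version: '0'
-description: ! "Shutter is a tool that gives system administrators the ability \n
-\ to manage iptables firewall settings through simple lists
-instead \n of complex iptables rules. Please note: This
-application is currently \n only tested with Red Hat based
-distributions. Ubuntu and Debian should \n work but are
-not supported..\n "
-email:
+requirement: *id004
+description: "Shutter is a tool that gives system administrators the ability \n to manage iptables firewall settings through simple lists instead \n of complex iptables rules. Please note: This application is currently \n only tested with Red Hat based distributions. Ubuntu and Debian should \n work but are not supported..\n "
+email:
 - nosignsoflifehere@gmail.com
-executables:
+executables:
 - shutter
 extensions: []
+
 extra_rdoc_files: []
-
+
+files:
 - .gitignore
+- .travis.yml
 - Gemfile
 - LICENSE
 - README.md
@@ -95,37 +107,48 @@ files:
 - spec/files/ip.allow
 - spec/files/ip.deny
 - spec/files/iptables_save.out
+- spec/files/iptables_save_bare.out
+- spec/files/iptables_save_extrarules.out
 - spec/files/ports.private
 - spec/files/ports.public
 - spec/files_spec.rb
 - spec/iptables_spec.rb
 - spec/os_spec.rb
 - spec/spec_helper.rb
-homepage:
+homepage: ""
 licenses: []
+
 post_install_message:
 rdoc_options: []
-
+
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+required_ruby_version: !ruby/object:Gem::Requirement
 none: false
-requirements:
-- -
-- !ruby/object:Gem::Version
-
-
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+hash: 3
+segments:
+- 0
+version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement
 none: false
-requirements:
-- -
-- !ruby/object:Gem::Version
-
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+hash: 3
+segments:
+- 0
+version: "0"
 requirements: []
+
 rubyforge_project:
-rubygems_version: 1.8.
+rubygems_version: 1.8.25
 signing_key:
 specification_version: 3
 summary: Shutter helps manage iptables firewalls
-test_files:
+test_files:
 - spec/command_line_spec.rb
 - spec/content_spec.rb
 - spec/files/base.ipt
@@ -134,6 +157,8 @@ test_files:
 - spec/files/ip.allow
 - spec/files/ip.deny
 - spec/files/iptables_save.out
+- spec/files/iptables_save_bare.out
+- spec/files/iptables_save_extrarules.out
 - spec/files/ports.private
 - spec/files/ports.public
 - spec/files_spec.rb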