shutter 0.0.1

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in shutter.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2012 Rob Lyon
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,29 @@
+# Shutter
+
+TODO: Write a gem description
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'shutter'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install shutter
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Added some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,2 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"

data/bin/shutter

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+
+begin
+	require 'rubygems'
+rescue LoadError
+end
+
+require 'shutter'
+config_path = ENV['SHUTTER_CONFIG'] ? ENV['SHUTTER_CONFIG'] : "/etc/shutter.d"
+Shutter::CommandLine.new(config_path).execute

data/lib/shutter.rb

@@ -0,0 +1,7 @@
+require "shutter/version"
+require "shutter/content"
+require "shutter/command_line"
+
+module Shutter
+  # Your code goes here...
+end

data/lib/shutter/command_line.rb

@@ -0,0 +1,71 @@
+require 'optparse'
+require 'shutter/iptables'
+
+module Shutter
+	class CommandLine
+		def initialize( path = "/etc/shutter.d")
+			@config_path = path
+			# Make sure that we have the proper files
+			files = %w[
+				base.ipt
+				iface.dmz
+				ip.allow
+				ip.deny
+				ports.private
+				ports.public
+			]
+			files.each do |name|
+				file = "#{@config_path}/#{name}"
+				unless File.exists?(file)
+					# puts "Creating: #{file}"
+					File.open(file, 'w') do |f| 
+						f.write(Shutter.const_get(name.upcase.gsub(/\./, "_")))
+					end
+				end
+			end
+		end
+
+		def execute
+			options = {}
+			optparse = OptionParser.new do |opts|
+				opts.banner = "Usage: shutter [options]"
+				options[:command] = :save
+				opts.on( '-s', '--save', 'Output the firewall to stdout.') do
+					options[:command] = :save
+				end
+				opts.on( '-r', '--restore', 'Load the firewall through iptables-restore.') do
+					options[:command] = :restore
+				end
+				options[:debug] = false
+				opts.on( '-d', '--debug', 'Be a bit more chatty') do
+					options[:debug] = true
+				end
+				opts.on_tail( '-h', '--help', 'Display this screen' ) do
+					puts opts
+					exit
+				end
+				opts.on_tail( '--version', "Show the version") do
+					puts Shutter::VERSION
+					exit
+				end
+			end
+			optparse.parse!
+			puts "* Using config path: #{@config_path}" if options[:debug]
+			puts "* Running command: #{options[:command].to_s}" if options[:debug]
+			send(options[:command])
+		end
+
+		def save
+			@ipt = Shutter::IPTables::Base.new(@config_path).generate
+			puts @ipt
+		end
+
+		def restore
+			@ipt = Shutter::IPTables::Base.new(@config_path).generate
+			IO.popen("#{Shutter::IPTables::IPTABLES_RESTORE}", "r+") do |iptr|
+				iptr.puts @ipt ; iptr.close_write
+			end
+		end
+
+	end
+end

data/lib/shutter/content.rb

@@ -0,0 +1,178 @@
+module Shutter
+
+BASE_IPT = %q{# Generated by Shutter
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:Dmz - [0:0]
+:ValidCheck - [0:0]
+:Jail - [0:0]
+:Bastards - [0:0]
+:Public - [0:0]
+:AllowIP - [0:0]
+:Allowed - [0:0]
+:Private - [0:0]
+:DropJail - [0:0]
+:DropBastards - [0:0]
+:DropInvalid - [0:0]
+:DropScan - [0:0]
+:DropDDOS - [0:0]
+# [CHAIN:FAIL2BAN]
+
+-A INPUT -i lo -j ACCEPT
+-A INPUT -j Jail
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -j ValidCheck
+-A INPUT -j Dmz
+-A INPUT -j Bastards
+-A INPUT -j Public
+-A INPUT -j AllowIP
+-A INPUT ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Block:"
+-A INPUT -j DROP
+
+##################################################################
+# Jail goes here.  Jail and any fail2ban chains will be
+# taken care of dynamically in locker-restore.
+##################################################################
+# [RULES:JAIL]
+
+##################################################################
+# Validity/Scanning/DDOS checking
+##################################################################
+-A ValidCheck -m state --state INVALID -j DropInvalid
+-A ValidCheck -p tcp --tcp-flags ALL FIN,URG,PSH -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL ALL -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ACK,FIN FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ACK,PSH PSH -j DropScan
+-A ValidCheck -p tcp --tcp-flags ACK,URG URG -j DropScan
+-A ValidCheck -p tcp --tcp-flags FIN,RST FIN,RST -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL SYN,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL URG,PSH,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags SYN,RST SYN,RST -j DropScan
+-A ValidCheck -p tcp --tcp-flags SYN,FIN SYN,FIN -j DropScan
+-A ValidCheck -p tcp --tcp-flags ALL NONE -j DropScan
+-A ValidCheck -p tcp --tcp-option 64 -j DropScan
+-A ValidCheck -p tcp --tcp-option 128 -j DropScan
+-A ValidCheck -p tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
+-A ValidCheck -p udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
+-A ValidCheck -j RETURN
+
+##################################################################
+# DMZ.  Read from iface.dmz and added as:
+# -A INPUT -i <iface> -j ACCEPT
+##################################################################
+# [RULES:DMZ]
+-A Dmz -j RETURN
+
+##################################################################
+# All IP address ranges that are permanently banned.  If
+# no IP addresses are given, then all will be assumed that no ip
+# addresses are banned and create the following rule
+# -A Bastards -j RETURN
+# otherwise a list of banned ips will be generated from ip.deny
+# and will look like this:
+# -A Bastards -s <ipaddr>/<subnet> -j DropBastards
+##################################################################
+# [RULES:BASTARDS]
+-A Bastards -j RETURN
+
+##################################################################
+# A list of authorized ports for the public access.  If there are
+# entries in the ports.public file then they will be added as:
+# -A Public -m state --state NEW -p <proto> -m <proto> --dport <port> -j ACCEPT
+##################################################################
+# [RULES:PUBLIC]
+-A Public -j RETURN
+
+##################################################################
+# All IP address ranges that are allowed to access the ports.  If
+# no IP addresses are given, then all will be assumed and a rule
+# to jump to the Allowed chain will be created:
+# -A AllowIP -j Allowed
+# otherwise a list of allowed ips will be generated from ip.allow
+# and will look like this:
+# -A AllowIP -s 129.101.159.128/26 -j Allowed
+##################################################################
+# [RULES:ALLOWIP]
+-A AllowIP -j RETURN
+
+##################################################################
+# Allowed.  If a packet has met all the requirements it will end
+# up here.  This should be a static chain.
+##################################################################
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 0 -j ACCEPT 
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 3 -j ACCEPT 
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT 
+-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 11 -j ACCEPT 
+-A Allowed -j Private
+-A Allowed ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Authorized:"
+-A Allowed -j ACCEPT
+
+##################################################################
+# A list of authorized ports for the allowed IPs.  If there are
+# entries in the ports.private file then they will be added as:
+# -A Private -m state --state NEW -p <proto> -m <proto> --dport <port> -j RETURN
+##################################################################
+# [RULES:PRIVATE]
+-A Private ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Unauthorized:"
+-A Private -j DROP
+
+##################################################################
+# Log and Drops
+##################################################################
+-A DropJail ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Jail:" 
+-A DropJail -j DROP
+
+-A DropBastards ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bastards:" 
+-A DropBastards -j DROP
+
+-A DropInvalid ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Invalid:"  
+-A DropInvalid -j DROP
+
+-A DropScan ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Scan detected:"  
+-A DropScan -j DROP
+
+-A DropDDOS ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: DDOS detected:"  
+-A DropDDOS -j DROP
+
+##################################################################
+# Add any additional rules that fail2ban has added
+##################################################################
+# [RULES:FAIL2BAN]
+
+COMMIT
+}
+
+IFACE_DMZ = %q{# Generated by Shutter
+# iface
+# eth0
+# eth1
+}
+
+IP_ALLOW = %q{# Generated by Shutter
+# ipaddr
+# ipaddr/subnet
+192.168.0.0/16
+}
+
+IP_DENY = %q{# Generated by Shutter
+# ipaddr
+# ipaddr/subnet
+# 192.168.0.0/16
+}
+
+PORTS_PUBLIC = %q{
+# proto port
+# 80 	tcp
+# 443 	tcp
+}
+
+PORTS_PRIVATE = %q{
+# proto port
+22 		tcp
+}
+end

data/lib/shutter/iptables.rb

@@ -0,0 +1,11 @@
+require 'shutter/iptables/base'
+require 'shutter/iptables/eyepee'
+require 'shutter/iptables/iface'
+require 'shutter/iptables/jail'
+require 'shutter/iptables/port'
+
+module Shutter
+	module IPTables
+		IPTABLES_RESTORE="/sbin/iptables-restore"
+	end
+end

data/lib/shutter/iptables/base.rb

@@ -0,0 +1,45 @@
+module Shutter
+	module IPTables
+		class Base
+			def initialize( path )
+				@path = path
+				file = File.open("#{path}/base.ipt", "r")
+				@content = file.read
+			end
+
+			def to_s
+				@content
+			end
+
+			def generate
+				#generate_nat
+				generate_filter
+			end
+
+			def generate_filter
+				@dmz = Iface.new("#{@path}", :dmz).to_ipt
+				@content = @content.gsub(/#\ \[RULES:DMZ\]/, @dmz)
+				@bastards = EyePee.new("#{@path}", :deny).to_ipt
+				@content = @content.gsub(/#\ \[RULES:BASTARDS\]/, @bastards)
+				@public = Port.new("#{@path}", :public).to_ipt
+				@content = @content.gsub(/#\ \[RULES:PUBLIC\]/, @public)
+				@allow = EyePee.new("#{@path}", :allow).to_ipt
+				@content = @content.gsub(/#\ \[RULES:ALLOWIP\]/, @allow)
+				@private = Port.new("#{@path}", :private).to_ipt
+				@content = @content.gsub(/#\ \[RULES:PRIVATE\]/, @private)
+
+				# Make sure we are restoring what fail2ban has added
+				@f2b_chains = Jail.new.fail2ban_chains
+				@content = @content.gsub(/#\ \[CHAIN:FAIL2BAN\]/, @f2b_chains)
+				@f2b_rules = Jail.new.fail2ban_rules
+				@content = @content.gsub(/#\ \[RULES:FAIL2BAN\]/, @f2b_rules)
+				@jail = Jail.new.jail_rules
+				@content = @content.gsub(/#\ \[RULES:JAIL\]/, @jail)
+
+				# Remove the rest of the comments and extra lines
+				@content = @content.gsub(/^#.*$/, "")
+				@content = @content.gsub(/^$\n/, "")				
+			end
+		end
+	end
+end

data/lib/shutter/iptables/eyepee.rb

@@ -0,0 +1,34 @@
+module Shutter
+	module IPTables
+		class EyePee
+			def initialize( path, state )
+				@state = state
+				file = File.open("#{path}/ip.#{state.to_s}", "r")
+				@content = file.read
+			end
+
+			def to_s
+				@content
+			end
+
+			def to_ipt
+				@rules = ""
+				@content.each_line do |ip|
+					ip_clean = ip.strip
+					if ip_clean =~ /^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}(\/[0-9]{0,2})*$/
+						@rules += send(:"#{@state.to_s}_ipt", ip_clean)
+					end
+				end
+				@rules
+			end
+
+			def allow_ipt(ip)
+				"-A AllowIP -m state --state NEW -s #{ip} -j Allowed\n"
+			end
+
+			def deny_ipt(ip)
+				"-A Bastards -s #{ip} -j DropBastards\n"
+			end
+		end
+	end
+end

data/lib/shutter/iptables/iface.rb

@@ -0,0 +1,30 @@
+module Shutter
+	module IPTables
+		class Iface
+			def initialize( path, type )
+				@type = type
+				file = File.open("#{path}/iface.#{type.to_s}", "r")
+				@content = file.read
+			end
+
+			def to_s
+				@content
+			end
+
+			def to_ipt
+				@rules = ""
+				@content.each_line do |line|
+					line = line.strip
+					if line =~ /^[a-z].+$/
+						@rules += send(:"#{@type.to_s}_ipt", line)
+					end
+				end
+				@rules
+			end
+
+			def dmz_ipt( iface )
+				"-A Dmz -i #{iface} -j ACCEPT\n"
+			end
+		end
+	end
+end

data/lib/shutter/iptables/jail.rb

@@ -0,0 +1,26 @@
+module Shutter
+	module IPTables
+		class Jail
+			def initialize( iptables = "/sbin/iptables")
+				@iptables =  iptables
+			end
+
+			def fail2ban_chains
+				`/sbin/iptables-save | grep "^:fail2ban"`
+			end
+
+			def fail2ban_rules
+				`/sbin/iptables-save | grep "^-A fail2ban"`
+			end
+
+			def jail_rules
+				jail = `/sbin/iptables-save | grep "^-A Jail"`
+				lines = jail.split('\n')
+				unless lines != [] && lines[-1] == "-A Jail -j RETURN\n"
+					jail += "-A Jail -j RETURN\n"
+				end
+				jail
+			end
+		end
+	end
+end

data/lib/shutter/iptables/port.rb

@@ -0,0 +1,35 @@
+module Shutter
+	module IPTables
+		class Port
+			def initialize( path, type )
+				@type = type
+				file = File.open("#{path}/ports.#{type.to_s}", "r")
+				@content = file.read
+			end
+
+			def to_s
+				@content
+			end
+
+			def to_ipt
+				@rules = ""
+				@content.each_line do |line|
+					line = line.strip
+					if line =~ /^[1-9].+$/
+						port,proto = line.split
+						@rules += send(:"#{@type.to_s}_ipt", port, proto)
+					end
+				end
+				@rules
+			end
+
+			def private_ipt( port, proto )
+				"-A Private -m state --state NEW -p #{proto} -m #{proto} --dport #{port} -j RETURN\n"
+			end
+
+			def public_ipt( port, proto )
+				"-A Public -m state --state NEW -p #{proto} -m #{proto} --dport #{port} -j ACCEPT\n"
+			end
+		end
+	end
+end

data/lib/shutter/version.rb

@@ -0,0 +1,3 @@
+module Shutter
+  VERSION = "0.0.1"
+end

data/shutter.gemspec

@@ -0,0 +1,17 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/shutter/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Rob Lyon"]
+  gem.email         = ["nosignsoflifehere@gmail.com"]
+  gem.description   = %q{Shutter helps maintain firewalls}
+  gem.summary       = %q{Shutter helps maintain firewalls}
+  gem.homepage      = ""
+
+  gem.files         = `git ls-files`.split($\)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.name          = "shutter"
+  gem.require_paths = ["lib"]
+  gem.version       = Shutter::VERSION
+end

metadata

@@ -0,0 +1,63 @@
+--- !ruby/object:Gem::Specification
+name: shutter
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease: 
+platform: ruby
+authors:
+- Rob Lyon
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-06-22 00:00:00.000000000 Z
+dependencies: []
+description: Shutter helps maintain firewalls
+email:
+- nosignsoflifehere@gmail.com
+executables:
+- shutter
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- bin/shutter
+- lib/shutter.rb
+- lib/shutter/command_line.rb
+- lib/shutter/content.rb
+- lib/shutter/iptables.rb
+- lib/shutter/iptables/base.rb
+- lib/shutter/iptables/eyepee.rb
+- lib/shutter/iptables/iface.rb
+- lib/shutter/iptables/jail.rb
+- lib/shutter/iptables/port.rb
+- lib/shutter/version.rb
+- shutter.gemspec
+homepage: ''
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: Shutter helps maintain firewalls
+test_files: []