shutter 0.1.0 → 0.2.0
- data/.travis.yml +5 -0
- data/README.md +10 -1
- data/lib/shutter/command_line.rb +16 -3
- data/lib/shutter/content.rb +1 -19
- data/lib/shutter/iptables.rb +21 -0
- data/lib/shutter/version.rb +1 -1
- data/shutter.gemspec +1 -0
- data/spec/command_line_spec.rb +26 -12
- data/spec/content_spec.rb +1 -1
- data/spec/files/iptables_save.out +1 -19
- data/spec/files/iptables_save_bare.out +60 -0
- data/spec/files/iptables_save_extrarules.out +68 -0
- data/spec/files_spec.rb +15 -5
- data/spec/iptables_spec.rb +12 -0
- data/spec/spec_helper.rb +1 -1
- metadata +91 -66
data/.travis.yml
ADDED
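--- a/data/README.md
+++ b/data/README.md
@@ -1,5 +1,7 @@
 # Shutter
 
+[![Build Status](https://secure.travis-ci.org/rlyon/shutter.png)](http://travis-ci.org/rlyon/shutter)
+
 Shutter is a tool that gives system administrators the ability to manage
 iptables firewall settings through simple lists instead of complex iptables commands, making it
 easier to define host and service firewall setting with configuration management tools. Please note:
@@ -52,7 +54,7 @@ access 'on-the-fly'. To work correctly, you configure fail2ban to use the Jail
 INPUT. The dynamic rules that fail2ban has created in the jail chain remain persistant when
 shutter is 'restored' or reloaded.
 
-#### To
+#### To show your firewall rules you can run:
 
 $ shutter --save
 
@@ -67,6 +69,13 @@ This command uses 'iptables-restore' under the hood to update the firewall. You
 to make the changes permanent and survive reboots. Persist can optionally take an argument which defines the location of the
 persist file if it is in a non-standard location.
 
+
+#### To check your current firewall rules generated by 'iptables-save' against the ones shutter will generate, use:
+
+$ shutter --check
+
+The command will generate 'OK' if the rules and chains match and 'MISMATCH' if there is any variance.
+
 #### Command line options
 Usage: shutter [options]
 --init Create the initial configuration files.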
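--- a/data/lib/shutter/command_line.rb
+++ b/data/lib/shutter/command_line.rb
@@ -6,13 +6,16 @@ module Shutter
 DISPLAY_OPTS_REINIT = %q{Rereate the initial configuration files.}
 DISPLAY_OPTS_UPGRADE = %q{Upgrade the configuration files that have changes with a new version.}
 DISPLAY_OPTS_DIR = %q{Set the directory for configuration files. Default is /etc/shutter.d.}
-DISPLAY_OPTS_SAVE = %q{Output the firewall to stdout. This is the default behavior.}
-DISPLAY_OPTS_RESTORE = %q{Restore the firewall through iptables-restore.}
-DISPLAY_OPTS_PERSIST = %q{Write the firewall to the persistance file. If an argument is given, it will be used as the persistance file}
+DISPLAY_OPTS_SAVE = %q{Output the firewall rules to stdout. This is the default behavior.}
+DISPLAY_OPTS_RESTORE = %q{Restore the firewall rules through iptables-restore.}
+DISPLAY_OPTS_PERSIST = %q{Write the firewall to the persistance file. If an argument is given, it will be used as the persistance file.}
+DISPLAY_OPTS_CHECK = %q{Check to see if the generated rules match the current firewall rules.}
 DISPLAY_OPTS_DEBUG = %q{Turn on debugging for extra output.}
 DISPLAY_OPTS_HELP = %q{Display help and exit.}
 DISPLAY_OPTS_VERSION = %q{Display version and exit.}
 
+attr_reader :os
+
 def initialize( path = "/etc/shutter.d")
 @config_path = path
 @os = Shutter::OS.new
@@ -71,6 +74,10 @@ module Shutter
 @persist = true
 @persist_file = file || persist_file
 end
+# Check the generated rules against the current rules
+opts.on( '-c', "--check", DISPLAY_OPTS_PERSIST) do |file|
+@command = :check
+end
 # Sets the directory for configuration files
 opts.on( '-d', '--dir DIR', DISPLAY_OPTS_DIR) do |dir|
 @config_path = dir
@@ -111,6 +118,12 @@ module Shutter
 firewall.restore
 puts "Writing to #{persist_file}" if persist
 firewall.persist(persist_file) if persist
+when :check
+if firewall.check
+puts "OK"
+else
+puts "MISMATCH"
+end
 end
 end
 end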
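--- a/data/lib/shutter/content.rb
+++ b/data/lib/shutter/content.rb
@@ -48,27 +48,9 @@ BASE_IPT = %q{# Generated by Shutter
 # [RULES:JAIL]
 
 ##################################################################
-# Validity
+# Validity checking
 ##################################################################
 -A ValidCheck -m state --state INVALID -j DropInvalid
--A ValidCheck -p tcp --tcp-flags ALL FIN,URG,PSH -j DropScan
--A ValidCheck -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DropScan
--A ValidCheck -p tcp --tcp-flags ALL ALL -j DropScan
--A ValidCheck -p tcp --tcp-flags ALL FIN -j DropScan
--A ValidCheck -p tcp --tcp-flags ACK,FIN FIN -j DropScan
--A ValidCheck -p tcp --tcp-flags ACK,PSH PSH -j DropScan
--A ValidCheck -p tcp --tcp-flags ACK,URG URG -j DropScan
--A ValidCheck -p tcp --tcp-flags FIN,RST FIN,RST -j DropScan
--A ValidCheck -p tcp --tcp-flags ALL SYN,FIN -j DropScan
--A ValidCheck -p tcp --tcp-flags ALL URG,PSH,FIN -j DropScan
--A ValidCheck -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DropScan
--A ValidCheck -p tcp --tcp-flags SYN,RST SYN,RST -j DropScan
--A ValidCheck -p tcp --tcp-flags SYN,FIN SYN,FIN -j DropScan
--A ValidCheck -p tcp --tcp-flags ALL NONE -j DropScan
--A ValidCheck -p tcp --tcp-option 64 -j DropScan
--A ValidCheck -p tcp --tcp-option 128 -j DropScan
--A ValidCheck -p tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
--A ValidCheck -p udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
 -A ValidCheck -j RETURN
 
 ##################################################################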
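Review bot: The rewritten `ValidCheck` chain in `BASE_IPT` keeps only the INVALID-state rule; the eighteen TCP-flag, tcp-option and DropDDOS source-port rules are dropped from the shipped default with no comment in the template and no mention in the README, so any deployment that runs --reinit or --upgrade would lose its bogus-flag and scan filtering silently. Presumably the motive is the new check command: iptables-save rewrites `--tcp-flags ALL FIN,URG,PSH` as `--tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG` (see the fixture lines removed from spec/files/iptables_save.out further down this page), so rules written in the short form would always report MISMATCH. If that is the reason, the rules can be kept by writing them in the canonical form iptables-save emits rather than deleted, and either way a note such as `# NOTE: keep rules in iptables-save canonical form so 'shutter --check' can compare them` belongs above the chain. The `BASE_IPT` literal begins before this hunk and continues after it.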
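--- a/data/lib/shutter/iptables.rb
+++ b/data/lib/shutter/iptables.rb
@@ -96,6 +96,16 @@ module Shutter
 "#{@os.iptables_restore}"
 end
 
+###
+### Check to see if base and iptables-save content match
+###
+def check
+gen_rules = filter_and_sort(generate)
+ips_rules = filter_and_sort(iptables_save)
+extra_rules = ips_rules - gen_rules
+extra_rules.empty?
+end
+
 ###
 ### Block Generation
 ###
@@ -213,6 +223,17 @@ module Shutter
 "-A Dmz -i #{iface} -j ACCEPT\n"
 end
 
+private
+###
+### Filter and sort iptables-save for checking
+###
+def filter_and_sort(content)
+filtered = content.scan(/^[:-].*$/).sort
+# Make sure that we remove (gsub) the counts on the chains and remove any
+# trailing whitespace and newlines
+filtered.map {|x| x.gsub(/\ \[.*\]/,"").strip}
+end
+
 end
 end
 end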
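Review bot: `check` in the first hunk only tests `ips_rules - gen_rules`, so a running firewall that is missing generated rules or chains still reports true; the README promises MISMATCH on any variance, and a rule deleted by hand from the live firewall, exactly the drift a check command exists to catch, goes unreported. Both lists are already sorted and normalised, so the body can simply be `gen_rules == ips_rules` (or `(ips_rules - gen_rules).empty? && (gen_rules - ips_rules).empty?` if duplicate rules should stay irrelevant); presumably the bare fixture was generated from the spec configuration, so the symmetric comparison should still pass the existing example. In `filter_and_sort` the counter-stripping regex `/\ \[.*\]/` is greedy, so a rule whose `--log-prefix` text contains `[` and `]` would be cut short; `/ \[\d+:\d+\]\z/` matches only the `[packets:bytes]` counters iptables-save emits on chain lines. Both methods are complete within the hunks, but the enclosing class starts before them.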
data/lib/shutter/version.rb
CHANGED
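--- a/data/shutter.gemspec
+++ b/data/shutter.gemspec
@@ -19,6 +19,7 @@ Gem::Specification.new do |gem|
 gem.name = "shutter"
 gem.require_paths = ["lib"]
 gem.version = Shutter::VERSION
+gem.add_development_dependency "rake"
 gem.add_development_dependency('rspec')
 gem.add_development_dependency('mocha')
 gem.add_development_dependency('simplecov')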
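Review bot: The new `add_development_dependency "rake"` line uses the paren-less call form with double quotes while the three sibling lines directly below it use `add_development_dependency('rspec')`; mixing the two styles inside one block is what a linter would flag, so write it as `gem.add_development_dependency('rake')` or convert the others in the same change.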
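--- a/data/spec/command_line_spec.rb
+++ b/data/spec/command_line_spec.rb
@@ -2,9 +2,16 @@ require File.dirname(__FILE__) + '/spec_helper'
 
 describe "Shutter::CommandLine" do
 before(:each) do
+FileUtils.mkdir("./tmp")
+Shutter::Files.create("./tmp")
 @cmd = Shutter::CommandLine.new("./tmp")
 end
 
+after(:each) do
+FileUtils.rm Dir.glob('./tmp/*')
+FileUtils.rmdir("./tmp")
+end
+
 it "should not raise exception when firewall is called" do
 expect { @cmd.firewall }.to_not raise_error
 end
@@ -36,6 +43,13 @@ describe "Shutter::CommandLine" do
 @cmd.persist.should == true
 end
 
+it "should set the command to :check" do
+@cmd.execute(["--check"],true)
+@cmd.command.should == :check
+@cmd.execute(["-c"],true)
+@cmd.command.should == :check
+end
+
 it "should set the command to :init" do
 @cmd.execute(["--init"],true)
 @cmd.command.should == :init
@@ -52,31 +66,31 @@ describe "Shutter::CommandLine" do
 end
 
 it "should set the config path and persist" do
-
-@cmd.execute(["--dir", "
+@cmd.os.stubs(:version).returns("Unknown")
+@cmd.execute(["--dir", "./tmp", "--restore", "--persist"],true)
 @cmd.command.should == :restore
 @cmd.persist.should == true
 @cmd.persist_file.should == "/tmp/iptables.rules"
-@cmd.config_path.should == "
-@cmd.execute(["-d", "
+@cmd.config_path.should == "./tmp"
+@cmd.execute(["-d", "./tmp", "--restore", "--persist"],true)
 @cmd.command.should == :restore
 @cmd.persist.should == true
 @cmd.persist_file.should == "/tmp/iptables.rules"
-@cmd.config_path.should == "
+@cmd.config_path.should == "./tmp"
 end
 
 it "should set the config path and persist with file" do
-
-@cmd.execute(["--dir", "
+@cmd.os.stubs(:version).returns("Unknown")
+@cmd.execute(["--dir", "./tmp", "--restore", "--persist", "./tmp/persistance.file"],true)
 @cmd.command.should == :restore
 @cmd.persist.should == true
-@cmd.persist_file.should == "
-@cmd.config_path.should == "
-@cmd.execute(["-d", "
+@cmd.persist_file.should == "./tmp/persistance.file"
+@cmd.config_path.should == "./tmp"
+@cmd.execute(["-d", "./tmp", "--restore", "--persist", "./tmp/persistance.file"],true)
 @cmd.command.should == :restore
 @cmd.persist.should == true
-@cmd.persist_file.should == "
-@cmd.config_path.should == "
+@cmd.persist_file.should == "./tmp/persistance.file"
+@cmd.config_path.should == "./tmp"
 end
 
 end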
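Review bot: The new `before(:each)`/`after(:each)` pair in the first hunk is fragile: `FileUtils.mkdir("./tmp")` raises Errno::EEXIST when an earlier run aborted before its after hook ran, and `FileUtils.rm Dir.glob('./tmp/*')` raises on any directory left inside ./tmp; the same hooks are copied into files_spec.rb, whose first example creates `./tmp/configs` and so certainly trips the after hook there. Replace them with `FileUtils.mkdir_p("./tmp")` in the before hook and `FileUtils.rm_rf("./tmp")` as the single line of the after hook, in both spec files. A fixed `./tmp` under the working directory is also shared between the two spec files, so the suite cannot run them in parallel; `Dir.mktmpdir` from the stdlib tmpdir library gives each example its own directory and cleans it up in the block form.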
data/spec/content_spec.rb
CHANGED
@@ -3,7 +3,7 @@ require File.dirname(__FILE__) + '/spec_helper'
|
|
3
3
|
describe "Shutter" do
|
4
4
|
it "should have templates for all files" do
|
5
5
|
Shutter::Content::CONFIG_FILES.each do |name|
|
6
|
-
Shutter::Content.
|
6
|
+
Shutter::Content.const_defined?(:"#{name.upcase.gsub(/\./, "_")}").should == true
|
7
7
|
end
|
8
8
|
end
|
9
9
|
end
|
@@ -61,25 +61,7 @@
|
|
61
61
|
-A Private ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Unauthorized:"
|
62
62
|
-A Private -j DROP
|
63
63
|
-A Public -j RETURN
|
64
|
-
-A ValidCheck -m state --state INVALID -j DropInvalid
|
65
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DropScan
|
66
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DropScan
|
67
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DropScan
|
68
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DropScan
|
69
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DropScan
|
70
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DropScan
|
71
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags ACK,URG URG -j DropScan
|
72
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DropScan
|
73
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j DropScan
|
74
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DropScan
|
75
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DropScan
|
76
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DropScan
|
77
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DropScan
|
78
|
-
-A ValidCheck -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DropScan
|
79
|
-
-A ValidCheck -p tcp -m tcp --tcp-option 64 -j DropScan
|
80
|
-
-A ValidCheck -p tcp -m tcp --tcp-option 128 -j DropScan
|
81
|
-
-A ValidCheck -p tcp -m tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
|
82
|
-
-A ValidCheck -p udp -m udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DropDDOS
|
64
|
+
-A ValidCheck -m state --state INVALID -j DropInvalid
|
83
65
|
-A ValidCheck -j RETURN
|
84
66
|
-A fail2ban-SSH -j RETURN
|
85
67
|
COMMIT
|
@@ -0,0 +1,60 @@
|
|
1
|
+
# Generated by iptables-save v1.4.7 on Sat Sep 29 14:34:04 2012
|
2
|
+
*filter
|
3
|
+
:INPUT DROP [0:0]
|
4
|
+
:FORWARD DROP [0:0]
|
5
|
+
:OUTPUT ACCEPT [3763472:853134022]
|
6
|
+
:AllowIP - [0:0]
|
7
|
+
:Allowed - [0:0]
|
8
|
+
:Bastards - [0:0]
|
9
|
+
:Dmz - [0:0]
|
10
|
+
:DropBastards - [0:0]
|
11
|
+
:DropDDOS - [0:0]
|
12
|
+
:DropInvalid - [0:0]
|
13
|
+
:DropJail - [0:0]
|
14
|
+
:DropScan - [0:0]
|
15
|
+
:Jail - [0:0]
|
16
|
+
:Private - [0:0]
|
17
|
+
:Public - [0:0]
|
18
|
+
:ValidCheck - [0:0]
|
19
|
+
:fail2ban-SSH - [0:0]
|
20
|
+
-A INPUT -i lo -j ACCEPT
|
21
|
+
-A INPUT -j Jail
|
22
|
+
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
23
|
+
-A INPUT -j ValidCheck
|
24
|
+
-A INPUT -j Dmz
|
25
|
+
-A INPUT -j Bastards
|
26
|
+
-A INPUT -j Public
|
27
|
+
-A INPUT -j AllowIP
|
28
|
+
-A INPUT ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Block:"
|
29
|
+
-A INPUT -j DROP
|
30
|
+
-A AllowIP -j RETURN
|
31
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 0 -j ACCEPT
|
32
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 3 -j ACCEPT
|
33
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
|
34
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 11 -j ACCEPT
|
35
|
+
-A Allowed -j Private
|
36
|
+
-A Allowed ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Authorized:"
|
37
|
+
-A Allowed -j ACCEPT
|
38
|
+
-A Bastards -j RETURN
|
39
|
+
-A Dmz -i eth0 -j ACCEPT
|
40
|
+
-A Dmz -j RETURN
|
41
|
+
-A DropBastards ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bastards:"
|
42
|
+
-A DropBastards -j DROP
|
43
|
+
-A DropDDOS ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: DDOS detected:"
|
44
|
+
-A DropDDOS -j DROP
|
45
|
+
-A DropInvalid ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Invalid:"
|
46
|
+
-A DropInvalid -j DROP
|
47
|
+
-A DropJail ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Jail:"
|
48
|
+
-A DropJail -j DROP
|
49
|
+
-A DropScan ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Scan detected:"
|
50
|
+
-A DropScan -j DROP
|
51
|
+
-A Jail -p tcp -m tcp --dport 22 -j fail2ban-SSH
|
52
|
+
-A Jail -j RETURN
|
53
|
+
-A Private ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Unauthorized:"
|
54
|
+
-A Private -j DROP
|
55
|
+
-A Public -j RETURN
|
56
|
+
-A ValidCheck -m state --state INVALID -j DropInvalid
|
57
|
+
-A ValidCheck -j RETURN
|
58
|
+
-A fail2ban-SSH -j RETURN
|
59
|
+
COMMIT
|
60
|
+
# Completed on Sat Sep 29 14:34:04 2012
|
@@ -0,0 +1,68 @@
|
|
1
|
+
# Generated by iptables-save v1.4.7 on Sat Sep 29 14:34:04 2012
|
2
|
+
*filter
|
3
|
+
:INPUT DROP [0:0]
|
4
|
+
:FORWARD DROP [0:0]
|
5
|
+
:OUTPUT ACCEPT [3763472:853134022]
|
6
|
+
:AllowIP - [0:0]
|
7
|
+
:Allowed - [0:0]
|
8
|
+
:Bastards - [0:0]
|
9
|
+
:Dmz - [0:0]
|
10
|
+
:DropBastards - [0:0]
|
11
|
+
:DropDDOS - [0:0]
|
12
|
+
:DropInvalid - [0:0]
|
13
|
+
:DropJail - [0:0]
|
14
|
+
:DropScan - [0:0]
|
15
|
+
:Jail - [0:0]
|
16
|
+
:Private - [0:0]
|
17
|
+
:Public - [0:0]
|
18
|
+
:ValidCheck - [0:0]
|
19
|
+
:fail2ban-SSH - [0:0]
|
20
|
+
-A INPUT -i lo -j ACCEPT
|
21
|
+
-A INPUT -j Jail
|
22
|
+
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
23
|
+
-A INPUT -j ValidCheck
|
24
|
+
-A INPUT -j Dmz
|
25
|
+
-A INPUT -j Bastards
|
26
|
+
-A INPUT -j Public
|
27
|
+
-A INPUT -j AllowIP
|
28
|
+
-A INPUT ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Block:"
|
29
|
+
-A INPUT -j DROP
|
30
|
+
-A AllowIP -s 192.168.0.0/16 -m state --state NEW -j Allowed
|
31
|
+
-A AllowIP -s 172.16.0.0/12 -m state --state NEW -j Allowed
|
32
|
+
-A AllowIP -s 10.0.0.0/8 -m state --state NEW -j Allowed
|
33
|
+
-A AllowIP -s 129.101.159.128/26 -m state --state NEW -j Allowed
|
34
|
+
-A AllowIP -s 129.101.142.128/26 -m state --state NEW -j Allowed
|
35
|
+
-A AllowIP -s 129.101.170.53/32 -m state --state NEW -j Allowed
|
36
|
+
-A AllowIP -s 129.101.112.0/24 -m state --state NEW -j Allowed
|
37
|
+
-A AllowIP -j RETURN
|
38
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 0 -j ACCEPT
|
39
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 3 -j ACCEPT
|
40
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
|
41
|
+
-A Allowed -p icmp -m state --state NEW -m icmp --icmp-type 11 -j ACCEPT
|
42
|
+
-A Allowed -j Private
|
43
|
+
-A Allowed ! -d 0.0.0.255/0.0.0.255 -m limit --limit 1/min -j LOG --log-prefix "iptables: Authorized:"
|
44
|
+
-A Allowed -j ACCEPT
|
45
|
+
-A Bastards -j RETURN
|
46
|
+
-A Dmz -i eth0 -j ACCEPT
|
47
|
+
-A Dmz -j RETURN
|
48
|
+
-A DropBastards ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Bastards:"
|
49
|
+
-A DropBastards -j DROP
|
50
|
+
-A DropDDOS ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: DDOS detected:"
|
51
|
+
-A DropDDOS -j DROP
|
52
|
+
-A DropInvalid ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Invalid:"
|
53
|
+
-A DropInvalid -j DROP
|
54
|
+
-A DropJail ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Jail:"
|
55
|
+
-A DropJail -j DROP
|
56
|
+
-A DropScan ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Scan detected:"
|
57
|
+
-A DropScan -j DROP
|
58
|
+
-A Jail -p tcp -m tcp --dport 22 -j fail2ban-SSH
|
59
|
+
-A Jail -j RETURN
|
60
|
+
-A Private -p tcp -m state --state NEW -m tcp --dport 22 -j RETURN
|
61
|
+
-A Private ! -d 0.0.0.255/0.0.0.255 -m limit --limit 3/min -j LOG --log-prefix "iptables: Unauthorized:"
|
62
|
+
-A Private -j DROP
|
63
|
+
-A Public -j RETURN
|
64
|
+
-A ValidCheck -m state --state INVALID -j DropInvalid
|
65
|
+
-A ValidCheck -j RETURN
|
66
|
+
-A fail2ban-SSH -j RETURN
|
67
|
+
COMMIT
|
68
|
+
# Completed on Sat Sep 29 14:34:04 2012
|
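--- a/data/spec/files_spec.rb
+++ b/data/spec/files_spec.rb
@@ -2,6 +2,16 @@ require File.dirname(__FILE__) + '/spec_helper'
 require 'fileutils'
 
 describe "Shutter::Files" do
+before(:each) do
+FileUtils.mkdir("./tmp")
+@cmd = Shutter::CommandLine.new("./tmp")
+end
+
+after(:each) do
+FileUtils.rm Dir.glob('./tmp/*')
+FileUtils.rmdir("./tmp")
+end
+
 it "should create the configuration directory if it does not exist" do
 Shutter::Files.create_config_dir('./tmp/configs')
 File.directory?('./tmp/configs').should == true
@@ -12,11 +22,11 @@ describe "Shutter::Files" do
 expect { Shutter::Files.create_config_dir('./tmp/configs/this') }.to raise_error
 end
 
-it "should include the templates for all files" do
-
-
-
-end
+# it "should include the templates for all files" do
+# Shutter::Files::CONFIG_FILES.each do |name|
+# Shutter::Files.const_defined?(:"#{name.upcase.gsub(/\./, "_")}").should == true
+# end
+# end
 
 it "should create the files in the configuration directory if they do not exist" do
 Shutter::Files.create_config_dir('./spec/tmp')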
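Review bot: The second hunk turns the "should include the templates for all files" example into five commented-out lines rather than deleting it or marking it pending, leaving dead code in the spec with no record of why it no longer runs (content_spec.rb now carries the equivalent check against Shutter::Content, which may be the reason); either delete the block or keep the example as `pending "moved to content_spec.rb"` so the intent is recorded. The `@cmd = Shutter::CommandLine.new("./tmp")` assignment in the first hunk's before hook is not used by any example visible in the hunks; if nothing outside them reads it, drop it, since it pulls CommandLine construction into every Files example for no benefit.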
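--- a/data/spec/iptables_spec.rb
+++ b/data/spec/iptables_spec.rb
@@ -53,6 +53,18 @@ describe "Shutter::Firewall::IPTables" do
 }
 end
 
+it "should return true if generated rules and iptables-save rules match" do
+iptables_save = File.read("./spec/files/iptables_save_bare.out")
+@ipt.stubs(:iptables_save).returns(iptables_save)
+@ipt.check.should == true
+end
+
+it "should return false if generated rules and iptables-save rules don't match" do
+iptables_save = File.read("./spec/files/iptables_save_extrarules.out")
+@ipt.stubs(:iptables_save).returns(iptables_save)
+@ipt.check.should == false
+end
+
 it "should return the correct output for generate" do
 iptables_save = File.read("./spec/files/iptables_save.out")
 @ipt.stubs(:iptables_save).returns(iptables_save)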
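Review bot: The two new examples cover a live rule set equal to the generated one and one with extra rules, but there is no example where the live firewall lacks a generated rule or chain, which is the case `check` currently misses because it computes only `ips_rules - gen_rules`. Add a third fixture derived from iptables_save_bare.out with one `-A` line removed and assert `@ipt.check.should == false`, so the comparison direction is pinned by a test rather than left to the implementation. `@ipt` is built in a before hook outside the hunk, so I am assuming it uses the same spec configuration the bare fixture was generated from.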
data/spec/spec_helper.rb
CHANGED
metadata
CHANGED
@@ -1,78 +1,90 @@
|
|
1
|
-
--- !ruby/object:Gem::Specification
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
2
|
name: shutter
|
3
|
-
version: !ruby/object:Gem::Version
|
4
|
-
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
hash: 23
|
5
5
|
prerelease:
|
6
|
+
segments:
|
7
|
+
- 0
|
8
|
+
- 2
|
9
|
+
- 0
|
10
|
+
version: 0.2.0
|
6
11
|
platform: ruby
|
7
|
-
authors:
|
12
|
+
authors:
|
8
13
|
- Rob Lyon
|
9
14
|
autorequire:
|
10
15
|
bindir: bin
|
11
16
|
cert_chain: []
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
+
|
18
|
+
date: 2013-02-03 00:00:00 Z
|
19
|
+
dependencies:
|
20
|
+
- !ruby/object:Gem::Dependency
|
21
|
+
prerelease: false
|
22
|
+
name: rake
|
23
|
+
version_requirements: &id001 !ruby/object:Gem::Requirement
|
17
24
|
none: false
|
18
|
-
requirements:
|
19
|
-
- -
|
20
|
-
- !ruby/object:Gem::Version
|
21
|
-
|
25
|
+
requirements:
|
26
|
+
- - ">="
|
27
|
+
- !ruby/object:Gem::Version
|
28
|
+
hash: 3
|
29
|
+
segments:
|
30
|
+
- 0
|
31
|
+
version: "0"
|
22
32
|
type: :development
|
33
|
+
requirement: *id001
|
34
|
+
- !ruby/object:Gem::Dependency
|
23
35
|
prerelease: false
|
24
|
-
|
36
|
+
name: rspec
|
37
|
+
version_requirements: &id002 !ruby/object:Gem::Requirement
|
25
38
|
none: false
|
26
|
-
requirements:
|
27
|
-
- -
|
28
|
-
- !ruby/object:Gem::Version
|
29
|
-
|
30
|
-
|
39
|
+
requirements:
|
40
|
+
- - ">="
|
41
|
+
- !ruby/object:Gem::Version
|
42
|
+
hash: 3
|
43
|
+
segments:
|
44
|
+
- 0
|
45
|
+
version: "0"
|
46
|
+
type: :development
|
47
|
+
requirement: *id002
|
48
|
+
- !ruby/object:Gem::Dependency
|
49
|
+
prerelease: false
|
31
50
|
name: mocha
|
32
|
-
|
51
|
+
version_requirements: &id003 !ruby/object:Gem::Requirement
|
33
52
|
none: false
|
34
|
-
requirements:
|
35
|
-
- -
|
36
|
-
- !ruby/object:Gem::Version
|
37
|
-
|
53
|
+
requirements:
|
54
|
+
- - ">="
|
55
|
+
- !ruby/object:Gem::Version
|
56
|
+
hash: 3
|
57
|
+
segments:
|
58
|
+
- 0
|
59
|
+
version: "0"
|
38
60
|
type: :development
|
61
|
+
requirement: *id003
|
62
|
+
- !ruby/object:Gem::Dependency
|
39
63
|
prerelease: false
|
40
|
-
version_requirements: !ruby/object:Gem::Requirement
|
41
|
-
none: false
|
42
|
-
requirements:
|
43
|
-
- - ! '>='
|
44
|
-
- !ruby/object:Gem::Version
|
45
|
-
version: '0'
|
46
|
-
- !ruby/object:Gem::Dependency
|
47
64
|
name: simplecov
|
48
|
-
|
65
|
+
version_requirements: &id004 !ruby/object:Gem::Requirement
|
49
66
|
none: false
|
50
|
-
requirements:
|
51
|
-
- -
|
52
|
-
- !ruby/object:Gem::Version
|
53
|
-
|
67
|
+
requirements:
|
68
|
+
- - ">="
|
69
|
+
- !ruby/object:Gem::Version
|
70
|
+
hash: 3
|
71
|
+
segments:
|
72
|
+
- 0
|
73
|
+
version: "0"
|
54
74
|
type: :development
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
requirements:
|
59
|
-
- - ! '>='
|
60
|
-
- !ruby/object:Gem::Version
|
61
|
-
version: '0'
|
62
|
-
description: ! "Shutter is a tool that gives system administrators the ability \n
|
63
|
-
\ to manage iptables firewall settings through simple lists
|
64
|
-
instead \n of complex iptables rules. Please note: This
|
65
|
-
application is currently \n only tested with Red Hat based
|
66
|
-
distributions. Ubuntu and Debian should \n work but are
|
67
|
-
not supported..\n "
|
68
|
-
email:
|
75
|
+
requirement: *id004
|
76
|
+
description: "Shutter is a tool that gives system administrators the ability \n to manage iptables firewall settings through simple lists instead \n of complex iptables rules. Please note: This application is currently \n only tested with Red Hat based distributions. Ubuntu and Debian should \n work but are not supported..\n "
|
77
|
+
email:
|
69
78
|
- nosignsoflifehere@gmail.com
|
70
|
-
executables:
|
79
|
+
executables:
|
71
80
|
- shutter
|
72
81
|
extensions: []
|
82
|
+
|
73
83
|
extra_rdoc_files: []
|
74
|
-
|
84
|
+
|
85
|
+
files:
|
75
86
|
- .gitignore
|
87
|
+
- .travis.yml
|
76
88
|
- Gemfile
|
77
89
|
- LICENSE
|
78
90
|
- README.md
|
@@ -95,37 +107,48 @@ files:
|
|
95
107
|
- spec/files/ip.allow
|
96
108
|
- spec/files/ip.deny
|
97
109
|
- spec/files/iptables_save.out
|
110
|
+
- spec/files/iptables_save_bare.out
|
111
|
+
- spec/files/iptables_save_extrarules.out
|
98
112
|
- spec/files/ports.private
|
99
113
|
- spec/files/ports.public
|
100
114
|
- spec/files_spec.rb
|
101
115
|
- spec/iptables_spec.rb
|
102
116
|
- spec/os_spec.rb
|
103
117
|
- spec/spec_helper.rb
|
104
|
-
homepage:
|
118
|
+
homepage: ""
|
105
119
|
licenses: []
|
120
|
+
|
106
121
|
post_install_message:
|
107
122
|
rdoc_options: []
|
108
|
-
|
123
|
+
|
124
|
+
require_paths:
|
109
125
|
- lib
|
110
|
-
required_ruby_version: !ruby/object:Gem::Requirement
|
126
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
111
127
|
none: false
|
112
|
-
requirements:
|
113
|
-
- -
|
114
|
-
- !ruby/object:Gem::Version
|
115
|
-
|
116
|
-
|
128
|
+
requirements:
|
129
|
+
- - ">="
|
130
|
+
- !ruby/object:Gem::Version
|
131
|
+
hash: 3
|
132
|
+
segments:
|
133
|
+
- 0
|
134
|
+
version: "0"
|
135
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
117
136
|
none: false
|
118
|
-
requirements:
|
119
|
-
- -
|
120
|
-
- !ruby/object:Gem::Version
|
121
|
-
|
137
|
+
requirements:
|
138
|
+
- - ">="
|
139
|
+
- !ruby/object:Gem::Version
|
140
|
+
hash: 3
|
141
|
+
segments:
|
142
|
+
- 0
|
143
|
+
version: "0"
|
122
144
|
requirements: []
|
145
|
+
|
123
146
|
rubyforge_project:
|
124
|
-
rubygems_version: 1.8.
|
147
|
+
rubygems_version: 1.8.25
|
125
148
|
signing_key:
|
126
149
|
specification_version: 3
|
127
150
|
summary: Shutter helps manage iptables firewalls
|
128
|
-
test_files:
|
151
|
+
test_files:
|
129
152
|
- spec/command_line_spec.rb
|
130
153
|
- spec/content_spec.rb
|
131
154
|
- spec/files/base.ipt
|
@@ -134,6 +157,8 @@ test_files:
|
|
134
157
|
- spec/files/ip.allow
|
135
158
|
- spec/files/ip.deny
|
136
159
|
- spec/files/iptables_save.out
|
160
|
+
- spec/files/iptables_save_bare.out
|
161
|
+
- spec/files/iptables_save_extrarules.out
|
137
162
|
- spec/files/ports.private
|
138
163
|
- spec/files/ports.public
|
139
164
|
- spec/files_spec.rb
|