spior 0.1.0 → 0.1.5

@@ -1,90 +1,33 @@
1
1
  require 'nomansland'
2
2
  require 'tty-which'
3
- require_relative 'msg'
4
3
 
5
4
  module Spior
6
5
  class Install
7
-
8
- def self.dependencies
9
- base_packages
10
- mac_update
11
- end
12
-
13
- def self.check_base
14
- base_packages
15
- verify_services
16
- end
17
-
18
- def self.check_mac
19
- pkg_mac
20
- end
21
-
22
- private
23
-
24
- def self.base_packages
25
- if not TTY::Which.exist?('iptables') or not TTY::Which.exist?('tor')
26
- case Nomansland::installer?
27
- when :emerge
28
- system('sudo emerge -av --changed-use tor iptables')
29
- when :pacman
30
- system('sudo pacman -S --needed tor iptables')
31
- when :yum
32
- system('sudo yum install tor iptables')
33
- else
34
- system('sudo apt-get install tor iptables')
35
- end
36
- end
37
- end
38
-
39
- def self.verify_services
40
- if TTY::Which.exist?('systemctl')
41
- system('if ! systemctl is-active tor ; then sudo systemctl start tor ; fi')
42
- end
43
- end
44
-
45
- def self.pkg_mac
46
- pkg_name="deceitmac"
47
- if not TTY::Which.exist?(pkg_name)
48
- build_pkg(pkg_name)
6
+ class << self
7
+ def check_deps
8
+ base_packages
49
9
  end
50
- end
51
-
52
- def self.mac_update
53
- pkg_name="deceitmac"
54
- if TTY::Which.exist?(pkg_name)
55
- print "Target #{pkg_name} exist, update? [N/y] "
56
- choice = gets.chomp
57
- if choice =~ /y|Y/ then
58
- puts "Update #{pkg_name}..."
59
- build_pkg(pkg_name)
60
- end
61
- else
62
- puts "Install #{pkg_name}..."
63
- build_pkg(pkg_name)
64
- end
65
- end
66
10
 
67
- def self.build_pkg(name)
68
- old_path = Dir.pwd
69
- system("rm -rf /tmp/#{name}*")
70
- system("curl -L -o /tmp/#{name}.tar.gz https://github.com/szorfein/#{name}/archive/master.tar.gz")
71
- Dir.chdir("/tmp")
72
- system("tar xvf #{name}.tar.gz")
73
- Dir.chdir("#{name}-master")
74
- system("sudo make install")
75
- if TTY::Which.exist?('systemctl')
76
- if Dir.exist?("/lib/systemd/system")
77
- puts "lib/systemd"
78
- system("sudo cp deceitmac@.service /lib/systemd/system/")
79
- else
80
- puts "/usr/lib/systemd"
81
- system("sudo cp deceitmac@.service /usr/lib/systemd/system/")
11
+ private
12
+
13
+ def base_packages
14
+ if not TTY::Which.exist?('iptables') or not TTY::Which.exist?('tor')
15
+ case Nomansland::installer?
16
+ when :emerge
17
+ emerge = Helpers::Exec.new("emerge -av --changed-use")
18
+ emerge.run("tor iptables")
19
+ when :pacman
20
+ pacman = Helpers::Exec.new("pacman -S --needed")
21
+ pacman.run("tor iptables")
22
+ when :yum
23
+ yum = Helpers::Exec.new("yum install")
24
+ yum.run("tor iptables")
25
+ else
26
+ apt_get = Helpers::Exec.new("apt-get install")
27
+ apt_get.run("tor iptables iptables-persistent")
28
+ end
82
29
  end
83
30
  end
84
- Msg.p "pkg #{name} installed"
85
- Dir.chdir(old_path)
86
- rescue => e
87
- Msg.err e
88
31
  end
89
32
  end
90
33
  end
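Review bot: The guard at new line 14, `if not TTY::Which.exist?('iptables') or not TTY::Which.exist?('tor')`, mixes the low-precedence `not`/`or` keywords, which the Ruby style guide flags as a precedence trap; the idiomatic form is `unless TTY::Which.exist?('iptables') && TTY::Which.exist?('tor')`. The four `Helpers::Exec#run` calls (new lines 18, 21, 24, 27) discard their result, so a failed package install is not reported and `check_deps` returns as if the dependencies were present — unless `Exec#run` raises on a non-zero exit, which this file does not show, the return value should be checked. Also, only the `apt-get` branch installs `iptables-persistent` while the other package managers get `tor iptables`; if that difference is deliberate a one-line comment above new line 27 saying why would help the next maintainer.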
@@ -1,195 +1,8 @@
1
- require 'interfacez'
2
- require_relative 'tor'
3
- require_relative 'msg'
4
-
5
1
  module Spior
6
- class Iptables
7
-
8
- def self.tor(interface = false)
9
- initialize(interface)
10
- select_cmd
11
- flush_rules
12
- bogus_tcp_flags
13
- bad_packets
14
- spoofing
15
- icmp
16
- dns
17
- nat
18
- input
19
- forward
20
- output
21
- drop_all
22
- end
23
-
24
- def self.flush_rules
25
- select_cmd
26
- ipt "-F"
27
- ipt "-X"
28
- ipt "-t nat -F"
29
- ipt "-t nat -X"
30
- ipt "-t mangle -F"
31
- ipt "-t mangle -X"
32
- end
33
-
34
- private
35
-
36
- def self.initialize(interface)
37
- @lo = Interfacez.loopback
38
- @lo_addr = Interfacez.ipv4_address_of(@lo)
39
- @tor = Spior::Tor.new
40
- @non_tor = ["#{@lo_addr}/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
41
- @incoming = interface
42
- @incoming_addr = Interfacez.ipv4_address_of(@incoming)
43
- end
44
-
45
- def self.check_dep
46
- Spior::Copy::config_files
47
- end
48
-
49
- def self.select_cmd
50
- id=`id -u`
51
- if id == 0 then
52
- @i = "iptables"
53
- else
54
- @i = "sudo iptables"
55
- end
56
- end
57
-
58
- def self.ipt(line)
59
- system("#{@i} #{line}")
60
- #puts "added - #{@i} #{line}"
61
- end
62
-
63
- def self.drop_all
64
- ipt "-P INPUT DROP"
65
- ipt "-P FORWARD DROP"
66
- ipt "-P OUTPUT DROP"
67
- end
68
-
69
- def self.bogus_tcp_flags
70
- puts "bogus"
71
- ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP"
72
- ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP"
73
- ipt "-t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP"
74
- ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP"
75
- ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP"
76
- ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP"
77
- ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP"
78
- ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP"
79
- ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP"
80
- ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP"
81
- ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP"
82
- ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP"
83
- ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP"
84
- end
85
-
86
- def self.bad_packets
87
- puts "bad_packets"
88
- # new packet not syn
89
- ipt "-t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP"
90
- # fragment packet
91
- ipt "-A INPUT -f -j DROP"
92
- # XMAS
93
- ipt "-A INPUT -p tcp --tcp-flags ALL ALL -j DROP"
94
- # null packet
95
- ipt "-A INPUT -p tcp --tcp-flags ALL NONE -j DROP"
96
- end
97
-
98
- def self.spoofing
99
- subs=["224.0.0.0/3", "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/5"]
100
- subs.each do |sub|
101
- ipt "-t mangle -A PREROUTING -s #{sub} -j DROP"
102
- end
103
- ipt "-t mangle -A PREROUTING -s #{@lo_addr}/8 ! -i #{@lo} -j DROP"
104
- end
105
-
106
- def self.icmp
107
- puts "icmp"
108
- ipt "-N port-scanning"
109
- ipt "-A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN"
110
- ipt "-A port-scanning -j DROP"
111
-
112
- ipt "-N syn_flood"
113
- ipt "-A INPUT -p tcp --syn -j syn_flood"
114
- ipt "-A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN"
115
- ipt "-A syn_flood -j DROP"
116
-
117
- ipt "-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT"
118
- ipt "-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:"
119
- ipt "-A INPUT -p icmp -j DROP"
120
- ipt "-A OUTPUT -p icmp -j ACCEPT"
121
- end
122
-
123
- def self.dns
124
- puts "dns"
125
- ipt "-t nat -A PREROUTING ! -i #{@lo} -p udp -m udp --dport 53 -j REDIRECT --to-ports #{@tor.dns}"
126
- ipt "-t nat -A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports #{@tor.dns}"
127
- ipt "-t nat -A OUTPUT -p tcp -m tcp --dport 53 -j REDIRECT --to-ports #{@tor.dns}"
128
- end
129
-
130
- def self.nat
131
- puts "nat"
132
- # nat .onion addresses
133
- ipt "-t nat -A OUTPUT -d #{@tor.virt_addr} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports #{@tor.trans_port}"
134
-
135
- # Don't nat the Tor process, the loopback, or the local network
136
- ipt "-t nat -A OUTPUT -m owner --uid-owner #{@tor.uid} -j RETURN"
137
- ipt "-t nat -A OUTPUT -o #{@lo} -j RETURN"
138
-
139
- # Allow lan access for hosts in $non_tor
140
- @non_tor.each do |lan|
141
- ipt "-t nat -A OUTPUT -d #{lan} -j RETURN"
142
- end
143
-
144
- # Redirects all other pre-routing and output to Tor's TransPort
145
- ipt "-t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports #{@tor.trans_port}"
146
-
147
- # Redirects all other pre-routing and output to Tor's TransPort
148
- ipt "-t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports #{@tor.trans_port}"
149
- end
150
-
151
- def self.input
152
- puts "input"
153
- ipt "-A INPUT -i #{@incoming} -p tcp -s #{@incoming_addr} --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
154
-
155
- # Allow loopback, rules
156
- ipt "-A INPUT -m state --state ESTABLISHED -j ACCEPT"
157
- ipt "-A INPUT -i #{@lo} -j ACCEPT"
158
-
159
- # Allow DNS lookups from connected clients and internet access through tor.
160
- ipt "-A INPUT -d #{@incoming_addr} -i #{@incoming} -p udp -m udp --dport #{@tor.dns} -j ACCEPT"
161
- ipt "-A INPUT -d #{@incoming_addr} -i #{@incoming} -p tcp -m tcp --dport #{@tor.trans_port} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT"
162
-
163
- # Default
164
- ipt "-A INPUT -j DROP"
165
- end
166
-
167
- def self.output
168
- puts "output"
169
- ipt "-A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix \"DROP INVALID \" --log-ip-options --log-tcp-options"
170
- ipt "-A OUTPUT -m conntrack --ctstate INVALID -j DROP"
171
- ipt "-A OUTPUT -m state --state ESTABLISHED -j ACCEPT"
172
-
173
- # output
174
- ipt "-A OUTPUT -m owner --uid-owner #{@tor.uid} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT"
175
-
176
- # Accept, allow loopback output
177
- ipt "-A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
178
- ipt "-A OUTPUT -d #{@lo_addr}/32 -o #{@lo} -j ACCEPT"
179
-
180
- # tor transparent magic
181
- ipt "-A OUTPUT -d #{@lo_addr}/32 -p tcp -m tcp --dport #{@tor.trans_port} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT"
182
-
183
- ipt "-A OUTPUT -j DROP"
184
- end
185
-
186
- def self.forward
187
- puts "forward"
188
- ipt "-A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix \"DROP INVALID \" --log-ip-options --log-tcp-options"
189
- ipt "-A FORWARD -m conntrack --ctstate INVALID -j DROP"
190
- ipt "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
191
- ipt "-A FORWARD -i #{@incoming} ! -s #{@incoming_addr} -j LOG --log-prefix \"SPOOFED PKT \""
192
- ipt "-A FORWARD -i #{@incoming} ! -s #{@incoming_addr} -j DROP"
193
- end
2
+ module Iptables
194
3
  end
195
4
  end
5
+
6
+ require_relative 'iptables/root'
7
+ require_relative 'iptables/tor'
8
+ require_relative 'iptables/default'
@@ -0,0 +1,38 @@
1
+ module Spior
2
+ module Iptables
3
+ class Default < Iptables::Root
4
+ private
5
+
6
+ def input
7
+ # SSH
8
+ ipt "-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
9
+ # Allow loopback, rules
10
+ ipt "-A INPUT -i #{@lo} -j ACCEPT"
11
+ # Accept related
12
+ ipt "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
13
+ end
14
+
15
+ def output
16
+ ipt "-A OUTPUT -m conntrack --ctstate INVALID -j DROP"
17
+ ipt "-A OUTPUT -m state --state ESTABLISHED -j ACCEPT"
18
+
19
+ # Allow SSH
20
+ ipt "-A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
21
+
22
+ # Allow Loopback
23
+ ipt "-A OUTPUT -d #{@lo_addr}/8 -o #{@lo} -j ACCEPT"
24
+
25
+ # Default
26
+ ipt "-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
27
+ end
28
+
29
+ def all
30
+ ipt "-t filter -A OUTPUT -p udp -j ACCEPT"
31
+ ipt "-t filter -A OUTPUT -p icmp -j REJECT"
32
+ ipt "-P INPUT ACCEPT"
33
+ ipt "-P FORWARD ACCEPT"
34
+ ipt "-P OUTPUT ACCEPT"
35
+ end
36
+ end
37
+ end
38
+ end
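Review bot: In `output`, the rule at new line 26 (`ipt "-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT"`, commented `# Default`) duplicates the `-m state --state ESTABLISHED -j ACCEPT` rule already appended at new line 17, so the second one can never match anything the first did not; the real default for this profile is the `-P OUTPUT ACCEPT` policy set in `all`, and the comment is misleading. Either drop line 26 or change the comment to say the chain policy from `all` is what falls through. The same method also mixes `-m state` (line 17) and `-m conntrack` (lines 16, 26) for the same state test; `conntrack` is the current match and using it consistently makes the rule set easier to audit.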
@@ -0,0 +1,92 @@
1
+ require 'interfacez'
2
+
3
+ module Spior
4
+ module Iptables
5
+ class Root
6
+ def initialize
7
+ @lo = Interfacez.loopback
8
+ @lo_addr = Interfacez.ipv4_address_of(@lo)
9
+ @i = Helpers::Exec.new("iptables")
10
+ Spior::Copy.new.save
11
+ end
12
+
13
+ def run!
14
+ bogus_tcp_flags
15
+ bad_packets
16
+ spoofing
17
+ redirect
18
+ input
19
+ output
20
+ all
21
+ end
22
+
23
+ def restart!
24
+ stop!
25
+ run!
26
+ end
27
+
28
+ def stop!
29
+ ipt "-F"
30
+ ipt "-X"
31
+ ipt "-t nat -F"
32
+ ipt "-t nat -X"
33
+ ipt "-t mangle -F"
34
+ ipt "-t mangle -X"
35
+ end
36
+
37
+ private
38
+
39
+ def ipt(line)
40
+ @i.run("#{line}")
41
+ puts "added - #{@i} #{line}"
42
+ end
43
+
44
+ def redirect
45
+ end
46
+
47
+ def input
48
+ end
49
+
50
+ def output
51
+ end
52
+
53
+ def all
54
+ end
55
+
56
+ def bogus_tcp_flags
57
+ ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP"
58
+ ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP"
59
+ ipt "-t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP"
60
+ ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP"
61
+ ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP"
62
+ ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP"
63
+ ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP"
64
+ ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP"
65
+ ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP"
66
+ ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP"
67
+ ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP"
68
+ ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP"
69
+ ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP"
70
+ end
71
+
72
+ def bad_packets
73
+ # new packet not syn
74
+ ipt "-t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP"
75
+ # fragment packet
76
+ ipt "-A INPUT -f -j DROP"
77
+ # XMAS
78
+ ipt "-A INPUT -p tcp --tcp-flags ALL ALL -j DROP"
79
+ # null packet
80
+ ipt "-A INPUT -p tcp --tcp-flags ALL NONE -j DROP"
81
+ end
82
+
83
+ def spoofing
84
+ subs=["224.0.0.0/3", "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/5"]
85
+ subs.each do |sub|
86
+ ipt "-t mangle -A PREROUTING -s #{sub} -j DROP"
87
+ end
88
+ ipt "-t mangle -A PREROUTING -s #{@lo_addr}/8 ! -i #{@lo} -j DROP"
89
+ end
90
+ end
91
+ end
92
+ end
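Review bot: `stop!` (new lines 28–35) flushes and deletes every chain but never resets the chain policies, so once `Tor#all` has set `-P INPUT DROP`/`-P FORWARD DROP`/`-P OUTPUT DROP` a stop leaves the host with empty chains and a drop-everything default, and `restart!` is blind until `run!` reaches `all` again; add `ipt "-P INPUT ACCEPT"`, `ipt "-P FORWARD ACCEPT"`, `ipt "-P OUTPUT ACCEPT"` at the top of `stop!`. In `ipt` (new lines 39–42) the log line `puts "added - #{@i} #{line}"` interpolates the `Helpers::Exec` object rather than the command it wraps, which prints its `#inspect` form unless `Exec` defines `to_s`; keep the command string (`"iptables"`) in a local and print that, and `@i.run("#{line}")` can simply be `@i.run(line)`. `initialize` also performs `Spior::Copy.new.save` as a side effect of constructing the object, which deserves a short comment stating what is being saved and why it must happen before any rule is written.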
@@ -0,0 +1,64 @@
1
+ module Spior
2
+ module Iptables
3
+ class Tor < Iptables::Root
4
+ def initialize
5
+ super
6
+ @tor = Spior::Tor::Info.new
7
+ @non_tor = ["#{@lo_addr}/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
8
+ @tables = ["nat", "filter"]
9
+ end
10
+
11
+ private
12
+
13
+ def redirect
14
+ @tables.each { |table|
15
+ target = "ACCEPT"
16
+ target = "RETURN" if table == "nat"
17
+
18
+ ipt "-t #{table} -F OUTPUT"
19
+ ipt "-t #{table} -A OUTPUT -m state --state ESTABLISHED -j #{target}"
20
+ ipt "-t #{table} -A OUTPUT -m owner --uid #{@tor.uid} -j #{target}"
21
+
22
+ match_dns_port = @tor.dns
23
+ if table == "nat"
24
+ target = "REDIRECT --to-ports #{@tor.dns}"
25
+ match_dns_port = "53"
26
+ end
27
+
28
+ ipt "-t #{table} -A OUTPUT -p udp --dport #{match_dns_port} -j #{target}"
29
+ ipt "-t #{table} -A OUTPUT -p tcp --dport #{match_dns_port} -j #{target}"
30
+
31
+ target = "REDIRECT --to-ports #{@tor.trans_port}" if table == "nat"
32
+ ipt "-t #{table} -A OUTPUT -d #{@tor.virt_addr} -p tcp -j #{target}"
33
+
34
+ target = "RETURN" if table == "nat"
35
+ @non_tor.each { |ip|
36
+ ipt "-t #{table} -A OUTPUT -d #{ip} -j #{target}"
37
+ }
38
+
39
+ target = "REDIRECT --to-ports #{@tor.trans_port}" if table == "nat"
40
+ ipt "-t #{table} -A OUTPUT -p tcp -j #{target}"
41
+ }
42
+ end
43
+
44
+ def input
45
+ # SSH
46
+ ipt "-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
47
+ # Allow loopback
48
+ ipt "-A INPUT -i #{@lo} -j ACCEPT"
49
+ # Allow DNS lookups from connected clients and internet access through tor.
50
+ ipt "-A INPUT -p udp -m udp --dport #{@tor.dns} -j ACCEPT"
51
+ # Accept related
52
+ ipt "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
53
+ end
54
+
55
+ def all
56
+ ipt "-t filter -A OUTPUT -p udp -j REJECT"
57
+ ipt "-t filter -A OUTPUT -p icmp -j REJECT"
58
+ ipt "-P INPUT DROP"
59
+ ipt "-P FORWARD DROP"
60
+ ipt "-P OUTPUT DROP"
61
+ end
62
+ end
63
+ end
64
+ end
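Review bot: `redirect` (new lines 13–42) reassigns `target` five times inside one `@tables.each { |table| ... }` block, so working out which jump target applies to a given rule in the `nat` versus `filter` table requires reading the whole method top to bottom; computing the per-table targets once (e.g. a small hash of `established:`, `dns:`, `trans:` targets keyed by table) and using `do ... end` for the multi-line block would make the rule set auditable. The owner match at new line 20 uses the abbreviated `--uid` where the previous version spelled `--uid-owner`; prefer the full option name so the rule does not rely on option-prefix matching. Also, `-F OUTPUT` at new line 18 runs for each table after `bogus_tcp_flags`, `bad_packets` and `spoofing` have already been applied, which is safe only while none of those methods touches an OUTPUT chain — a comment noting that ordering assumption would help.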