spior 0.1.0 → 0.1.5
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/CHANGELOG.md +32 -0
- data/README.md +11 -8
- data/Rakefile +20 -0
- data/bin/spior +2 -3
- data/{conf → ext}/ipt_mod.conf +0 -0
- data/{conf → ext}/iptables.service +0 -0
- data/lib/spior.rb +42 -0
- data/lib/spior/clear.rb +14 -18
- data/lib/spior/copy.rb +57 -75
- data/lib/spior/helpers.rb +118 -0
- data/lib/spior/install.rb +21 -78
- data/lib/spior/iptables.rb +5 -192
- data/lib/spior/iptables/default.rb +38 -0
- data/lib/spior/iptables/root.rb +92 -0
- data/lib/spior/iptables/tor.rb +64 -0
- data/lib/spior/menu.rb +43 -0
- data/lib/spior/msg.rb +12 -5
- data/lib/spior/network.rb +0 -1
- data/lib/spior/options.rb +13 -19
- data/lib/spior/persist.rb +33 -21
- data/lib/spior/status.rb +30 -12
- data/lib/spior/tor.rb +4 -38
- data/lib/spior/tor/info.rb +113 -0
- data/lib/spior/{reload.rb → tor/restart.rb} +4 -4
- data/lib/spior/version.rb +3 -0
- data/spior.gemspec +19 -13
- metadata +21 -20
- metadata.gz.sig +0 -0
- data/conf/resolv.conf +0 -1
- data/conf/ssh.conf +0 -29
- data/conf/sshd.conf +0 -46
- data/conf/sshuttle.service +0 -11
- data/conf/torrc/torrc_archlinux +0 -18
- data/conf/torrc/torrc_default +0 -20
- data/lib/spior/mac.rb +0 -11
- data/lib/spior/runner.rb +0 -48
data/lib/spior/install.rb
CHANGED
@@ -1,90 +1,33 @@
|
|
1
1
|
require 'nomansland'
|
2
2
|
require 'tty-which'
|
3
|
-
require_relative 'msg'
|
4
3
|
|
5
4
|
module Spior
|
6
5
|
class Install
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
mac_update
|
11
|
-
end
|
12
|
-
|
13
|
-
def self.check_base
|
14
|
-
base_packages
|
15
|
-
verify_services
|
16
|
-
end
|
17
|
-
|
18
|
-
def self.check_mac
|
19
|
-
pkg_mac
|
20
|
-
end
|
21
|
-
|
22
|
-
private
|
23
|
-
|
24
|
-
def self.base_packages
|
25
|
-
if not TTY::Which.exist?('iptables') or not TTY::Which.exist?('tor')
|
26
|
-
case Nomansland::installer?
|
27
|
-
when :emerge
|
28
|
-
system('sudo emerge -av --changed-use tor iptables')
|
29
|
-
when :pacman
|
30
|
-
system('sudo pacman -S --needed tor iptables')
|
31
|
-
when :yum
|
32
|
-
system('sudo yum install tor iptables')
|
33
|
-
else
|
34
|
-
system('sudo apt-get install tor iptables')
|
35
|
-
end
|
36
|
-
end
|
37
|
-
end
|
38
|
-
|
39
|
-
def self.verify_services
|
40
|
-
if TTY::Which.exist?('systemctl')
|
41
|
-
system('if ! systemctl is-active tor ; then sudo systemctl start tor ; fi')
|
42
|
-
end
|
43
|
-
end
|
44
|
-
|
45
|
-
def self.pkg_mac
|
46
|
-
pkg_name="deceitmac"
|
47
|
-
if not TTY::Which.exist?(pkg_name)
|
48
|
-
build_pkg(pkg_name)
|
6
|
+
class << self
|
7
|
+
def check_deps
|
8
|
+
base_packages
|
49
9
|
end
|
50
|
-
end
|
51
|
-
|
52
|
-
def self.mac_update
|
53
|
-
pkg_name="deceitmac"
|
54
|
-
if TTY::Which.exist?(pkg_name)
|
55
|
-
print "Target #{pkg_name} exist, update? [N/y] "
|
56
|
-
choice = gets.chomp
|
57
|
-
if choice =~ /y|Y/ then
|
58
|
-
puts "Update #{pkg_name}..."
|
59
|
-
build_pkg(pkg_name)
|
60
|
-
end
|
61
|
-
else
|
62
|
-
puts "Install #{pkg_name}..."
|
63
|
-
build_pkg(pkg_name)
|
64
|
-
end
|
65
|
-
end
|
66
10
|
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
79
|
-
|
80
|
-
|
81
|
-
|
11
|
+
private
|
12
|
+
|
13
|
+
def base_packages
|
14
|
+
if not TTY::Which.exist?('iptables') or not TTY::Which.exist?('tor')
|
15
|
+
case Nomansland::installer?
|
16
|
+
when :emerge
|
17
|
+
emerge = Helpers::Exec.new("emerge -av --changed-use")
|
18
|
+
emerge.run("tor iptables")
|
19
|
+
when :pacman
|
20
|
+
pacman = Helpers::Exec.new("pacman -S --needed")
|
21
|
+
pacman.run("tor iptables")
|
22
|
+
when :yum
|
23
|
+
yum = Helpers::Exec.new("yum install")
|
24
|
+
yum.run("tor iptables")
|
25
|
+
else
|
26
|
+
apt_get = Helpers::Exec.new("apt-get install")
|
27
|
+
apt_get.run("tor iptables iptables-persistent")
|
28
|
+
end
|
82
29
|
end
|
83
30
|
end
|
84
|
-
Msg.p "pkg #{name} installed"
|
85
|
-
Dir.chdir(old_path)
|
86
|
-
rescue => e
|
87
|
-
Msg.err e
|
88
31
|
end
|
89
32
|
end
|
90
33
|
end
|
data/lib/spior/iptables.rb
CHANGED
@@ -1,195 +1,8 @@
|
|
1
|
-
require 'interfacez'
|
2
|
-
require_relative 'tor'
|
3
|
-
require_relative 'msg'
|
4
|
-
|
5
1
|
module Spior
|
6
|
-
|
7
|
-
|
8
|
-
def self.tor(interface = false)
|
9
|
-
initialize(interface)
|
10
|
-
select_cmd
|
11
|
-
flush_rules
|
12
|
-
bogus_tcp_flags
|
13
|
-
bad_packets
|
14
|
-
spoofing
|
15
|
-
icmp
|
16
|
-
dns
|
17
|
-
nat
|
18
|
-
input
|
19
|
-
forward
|
20
|
-
output
|
21
|
-
drop_all
|
22
|
-
end
|
23
|
-
|
24
|
-
def self.flush_rules
|
25
|
-
select_cmd
|
26
|
-
ipt "-F"
|
27
|
-
ipt "-X"
|
28
|
-
ipt "-t nat -F"
|
29
|
-
ipt "-t nat -X"
|
30
|
-
ipt "-t mangle -F"
|
31
|
-
ipt "-t mangle -X"
|
32
|
-
end
|
33
|
-
|
34
|
-
private
|
35
|
-
|
36
|
-
def self.initialize(interface)
|
37
|
-
@lo = Interfacez.loopback
|
38
|
-
@lo_addr = Interfacez.ipv4_address_of(@lo)
|
39
|
-
@tor = Spior::Tor.new
|
40
|
-
@non_tor = ["#{@lo_addr}/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
|
41
|
-
@incoming = interface
|
42
|
-
@incoming_addr = Interfacez.ipv4_address_of(@incoming)
|
43
|
-
end
|
44
|
-
|
45
|
-
def self.check_dep
|
46
|
-
Spior::Copy::config_files
|
47
|
-
end
|
48
|
-
|
49
|
-
def self.select_cmd
|
50
|
-
id=`id -u`
|
51
|
-
if id == 0 then
|
52
|
-
@i = "iptables"
|
53
|
-
else
|
54
|
-
@i = "sudo iptables"
|
55
|
-
end
|
56
|
-
end
|
57
|
-
|
58
|
-
def self.ipt(line)
|
59
|
-
system("#{@i} #{line}")
|
60
|
-
#puts "added - #{@i} #{line}"
|
61
|
-
end
|
62
|
-
|
63
|
-
def self.drop_all
|
64
|
-
ipt "-P INPUT DROP"
|
65
|
-
ipt "-P FORWARD DROP"
|
66
|
-
ipt "-P OUTPUT DROP"
|
67
|
-
end
|
68
|
-
|
69
|
-
def self.bogus_tcp_flags
|
70
|
-
puts "bogus"
|
71
|
-
ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP"
|
72
|
-
ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP"
|
73
|
-
ipt "-t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP"
|
74
|
-
ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP"
|
75
|
-
ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP"
|
76
|
-
ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP"
|
77
|
-
ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP"
|
78
|
-
ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP"
|
79
|
-
ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP"
|
80
|
-
ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP"
|
81
|
-
ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP"
|
82
|
-
ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP"
|
83
|
-
ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP"
|
84
|
-
end
|
85
|
-
|
86
|
-
def self.bad_packets
|
87
|
-
puts "bad_packets"
|
88
|
-
# new packet not syn
|
89
|
-
ipt "-t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP"
|
90
|
-
# fragment packet
|
91
|
-
ipt "-A INPUT -f -j DROP"
|
92
|
-
# XMAS
|
93
|
-
ipt "-A INPUT -p tcp --tcp-flags ALL ALL -j DROP"
|
94
|
-
# null packet
|
95
|
-
ipt "-A INPUT -p tcp --tcp-flags ALL NONE -j DROP"
|
96
|
-
end
|
97
|
-
|
98
|
-
def self.spoofing
|
99
|
-
subs=["224.0.0.0/3", "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/5"]
|
100
|
-
subs.each do |sub|
|
101
|
-
ipt "-t mangle -A PREROUTING -s #{sub} -j DROP"
|
102
|
-
end
|
103
|
-
ipt "-t mangle -A PREROUTING -s #{@lo_addr}/8 ! -i #{@lo} -j DROP"
|
104
|
-
end
|
105
|
-
|
106
|
-
def self.icmp
|
107
|
-
puts "icmp"
|
108
|
-
ipt "-N port-scanning"
|
109
|
-
ipt "-A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN"
|
110
|
-
ipt "-A port-scanning -j DROP"
|
111
|
-
|
112
|
-
ipt "-N syn_flood"
|
113
|
-
ipt "-A INPUT -p tcp --syn -j syn_flood"
|
114
|
-
ipt "-A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN"
|
115
|
-
ipt "-A syn_flood -j DROP"
|
116
|
-
|
117
|
-
ipt "-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT"
|
118
|
-
ipt "-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:"
|
119
|
-
ipt "-A INPUT -p icmp -j DROP"
|
120
|
-
ipt "-A OUTPUT -p icmp -j ACCEPT"
|
121
|
-
end
|
122
|
-
|
123
|
-
def self.dns
|
124
|
-
puts "dns"
|
125
|
-
ipt "-t nat -A PREROUTING ! -i #{@lo} -p udp -m udp --dport 53 -j REDIRECT --to-ports #{@tor.dns}"
|
126
|
-
ipt "-t nat -A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports #{@tor.dns}"
|
127
|
-
ipt "-t nat -A OUTPUT -p tcp -m tcp --dport 53 -j REDIRECT --to-ports #{@tor.dns}"
|
128
|
-
end
|
129
|
-
|
130
|
-
def self.nat
|
131
|
-
puts "nat"
|
132
|
-
# nat .onion addresses
|
133
|
-
ipt "-t nat -A OUTPUT -d #{@tor.virt_addr} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports #{@tor.trans_port}"
|
134
|
-
|
135
|
-
# Don't nat the Tor process, the loopback, or the local network
|
136
|
-
ipt "-t nat -A OUTPUT -m owner --uid-owner #{@tor.uid} -j RETURN"
|
137
|
-
ipt "-t nat -A OUTPUT -o #{@lo} -j RETURN"
|
138
|
-
|
139
|
-
# Allow lan access for hosts in $non_tor
|
140
|
-
@non_tor.each do |lan|
|
141
|
-
ipt "-t nat -A OUTPUT -d #{lan} -j RETURN"
|
142
|
-
end
|
143
|
-
|
144
|
-
# Redirects all other pre-routing and output to Tor's TransPort
|
145
|
-
ipt "-t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports #{@tor.trans_port}"
|
146
|
-
|
147
|
-
# Redirects all other pre-routing and output to Tor's TransPort
|
148
|
-
ipt "-t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports #{@tor.trans_port}"
|
149
|
-
end
|
150
|
-
|
151
|
-
def self.input
|
152
|
-
puts "input"
|
153
|
-
ipt "-A INPUT -i #{@incoming} -p tcp -s #{@incoming_addr} --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
|
154
|
-
|
155
|
-
# Allow loopback, rules
|
156
|
-
ipt "-A INPUT -m state --state ESTABLISHED -j ACCEPT"
|
157
|
-
ipt "-A INPUT -i #{@lo} -j ACCEPT"
|
158
|
-
|
159
|
-
# Allow DNS lookups from connected clients and internet access through tor.
|
160
|
-
ipt "-A INPUT -d #{@incoming_addr} -i #{@incoming} -p udp -m udp --dport #{@tor.dns} -j ACCEPT"
|
161
|
-
ipt "-A INPUT -d #{@incoming_addr} -i #{@incoming} -p tcp -m tcp --dport #{@tor.trans_port} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT"
|
162
|
-
|
163
|
-
# Default
|
164
|
-
ipt "-A INPUT -j DROP"
|
165
|
-
end
|
166
|
-
|
167
|
-
def self.output
|
168
|
-
puts "output"
|
169
|
-
ipt "-A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix \"DROP INVALID \" --log-ip-options --log-tcp-options"
|
170
|
-
ipt "-A OUTPUT -m conntrack --ctstate INVALID -j DROP"
|
171
|
-
ipt "-A OUTPUT -m state --state ESTABLISHED -j ACCEPT"
|
172
|
-
|
173
|
-
# output
|
174
|
-
ipt "-A OUTPUT -m owner --uid-owner #{@tor.uid} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT"
|
175
|
-
|
176
|
-
# Accept, allow loopback output
|
177
|
-
ipt "-A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
|
178
|
-
ipt "-A OUTPUT -d #{@lo_addr}/32 -o #{@lo} -j ACCEPT"
|
179
|
-
|
180
|
-
# tor transparent magic
|
181
|
-
ipt "-A OUTPUT -d #{@lo_addr}/32 -p tcp -m tcp --dport #{@tor.trans_port} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT"
|
182
|
-
|
183
|
-
ipt "-A OUTPUT -j DROP"
|
184
|
-
end
|
185
|
-
|
186
|
-
def self.forward
|
187
|
-
puts "forward"
|
188
|
-
ipt "-A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix \"DROP INVALID \" --log-ip-options --log-tcp-options"
|
189
|
-
ipt "-A FORWARD -m conntrack --ctstate INVALID -j DROP"
|
190
|
-
ipt "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
|
191
|
-
ipt "-A FORWARD -i #{@incoming} ! -s #{@incoming_addr} -j LOG --log-prefix \"SPOOFED PKT \""
|
192
|
-
ipt "-A FORWARD -i #{@incoming} ! -s #{@incoming_addr} -j DROP"
|
193
|
-
end
|
2
|
+
module Iptables
|
194
3
|
end
|
195
4
|
end
|
5
|
+
|
6
|
+
require_relative 'iptables/root'
|
7
|
+
require_relative 'iptables/tor'
|
8
|
+
require_relative 'iptables/default'
|
@@ -0,0 +1,38 @@
|
|
1
|
+
module Spior
|
2
|
+
module Iptables
|
3
|
+
class Default < Iptables::Root
|
4
|
+
private
|
5
|
+
|
6
|
+
def input
|
7
|
+
# SSH
|
8
|
+
ipt "-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
|
9
|
+
# Allow loopback, rules
|
10
|
+
ipt "-A INPUT -i #{@lo} -j ACCEPT"
|
11
|
+
# Accept related
|
12
|
+
ipt "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
|
13
|
+
end
|
14
|
+
|
15
|
+
def output
|
16
|
+
ipt "-A OUTPUT -m conntrack --ctstate INVALID -j DROP"
|
17
|
+
ipt "-A OUTPUT -m state --state ESTABLISHED -j ACCEPT"
|
18
|
+
|
19
|
+
# Allow SSH
|
20
|
+
ipt "-A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
|
21
|
+
|
22
|
+
# Allow Loopback
|
23
|
+
ipt "-A OUTPUT -d #{@lo_addr}/8 -o #{@lo} -j ACCEPT"
|
24
|
+
|
25
|
+
# Default
|
26
|
+
ipt "-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
|
27
|
+
end
|
28
|
+
|
29
|
+
def all
|
30
|
+
ipt "-t filter -A OUTPUT -p udp -j ACCEPT"
|
31
|
+
ipt "-t filter -A OUTPUT -p icmp -j REJECT"
|
32
|
+
ipt "-P INPUT ACCEPT"
|
33
|
+
ipt "-P FORWARD ACCEPT"
|
34
|
+
ipt "-P OUTPUT ACCEPT"
|
35
|
+
end
|
36
|
+
end
|
37
|
+
end
|
38
|
+
end
|
@@ -0,0 +1,92 @@
|
|
1
|
+
require 'interfacez'
|
2
|
+
|
3
|
+
module Spior
|
4
|
+
module Iptables
|
5
|
+
class Root
|
6
|
+
def initialize
|
7
|
+
@lo = Interfacez.loopback
|
8
|
+
@lo_addr = Interfacez.ipv4_address_of(@lo)
|
9
|
+
@i = Helpers::Exec.new("iptables")
|
10
|
+
Spior::Copy.new.save
|
11
|
+
end
|
12
|
+
|
13
|
+
def run!
|
14
|
+
bogus_tcp_flags
|
15
|
+
bad_packets
|
16
|
+
spoofing
|
17
|
+
redirect
|
18
|
+
input
|
19
|
+
output
|
20
|
+
all
|
21
|
+
end
|
22
|
+
|
23
|
+
def restart!
|
24
|
+
stop!
|
25
|
+
run!
|
26
|
+
end
|
27
|
+
|
28
|
+
def stop!
|
29
|
+
ipt "-F"
|
30
|
+
ipt "-X"
|
31
|
+
ipt "-t nat -F"
|
32
|
+
ipt "-t nat -X"
|
33
|
+
ipt "-t mangle -F"
|
34
|
+
ipt "-t mangle -X"
|
35
|
+
end
|
36
|
+
|
37
|
+
private
|
38
|
+
|
39
|
+
def ipt(line)
|
40
|
+
@i.run("#{line}")
|
41
|
+
puts "added - #{@i} #{line}"
|
42
|
+
end
|
43
|
+
|
44
|
+
def redirect
|
45
|
+
end
|
46
|
+
|
47
|
+
def input
|
48
|
+
end
|
49
|
+
|
50
|
+
def output
|
51
|
+
end
|
52
|
+
|
53
|
+
def all
|
54
|
+
end
|
55
|
+
|
56
|
+
def bogus_tcp_flags
|
57
|
+
ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP"
|
58
|
+
ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP"
|
59
|
+
ipt "-t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP"
|
60
|
+
ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP"
|
61
|
+
ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP"
|
62
|
+
ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP"
|
63
|
+
ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP"
|
64
|
+
ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP"
|
65
|
+
ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP"
|
66
|
+
ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP"
|
67
|
+
ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP"
|
68
|
+
ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP"
|
69
|
+
ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP"
|
70
|
+
end
|
71
|
+
|
72
|
+
def bad_packets
|
73
|
+
# new packet not syn
|
74
|
+
ipt "-t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP"
|
75
|
+
# fragment packet
|
76
|
+
ipt "-A INPUT -f -j DROP"
|
77
|
+
# XMAS
|
78
|
+
ipt "-A INPUT -p tcp --tcp-flags ALL ALL -j DROP"
|
79
|
+
# null packet
|
80
|
+
ipt "-A INPUT -p tcp --tcp-flags ALL NONE -j DROP"
|
81
|
+
end
|
82
|
+
|
83
|
+
def spoofing
|
84
|
+
subs=["224.0.0.0/3", "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/5"]
|
85
|
+
subs.each do |sub|
|
86
|
+
ipt "-t mangle -A PREROUTING -s #{sub} -j DROP"
|
87
|
+
end
|
88
|
+
ipt "-t mangle -A PREROUTING -s #{@lo_addr}/8 ! -i #{@lo} -j DROP"
|
89
|
+
end
|
90
|
+
end
|
91
|
+
end
|
92
|
+
end
|
@@ -0,0 +1,64 @@
|
|
1
|
+
module Spior
|
2
|
+
module Iptables
|
3
|
+
class Tor < Iptables::Root
|
4
|
+
def initialize
|
5
|
+
super
|
6
|
+
@tor = Spior::Tor::Info.new
|
7
|
+
@non_tor = ["#{@lo_addr}/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
|
8
|
+
@tables = ["nat", "filter"]
|
9
|
+
end
|
10
|
+
|
11
|
+
private
|
12
|
+
|
13
|
+
def redirect
|
14
|
+
@tables.each { |table|
|
15
|
+
target = "ACCEPT"
|
16
|
+
target = "RETURN" if table == "nat"
|
17
|
+
|
18
|
+
ipt "-t #{table} -F OUTPUT"
|
19
|
+
ipt "-t #{table} -A OUTPUT -m state --state ESTABLISHED -j #{target}"
|
20
|
+
ipt "-t #{table} -A OUTPUT -m owner --uid #{@tor.uid} -j #{target}"
|
21
|
+
|
22
|
+
match_dns_port = @tor.dns
|
23
|
+
if table == "nat"
|
24
|
+
target = "REDIRECT --to-ports #{@tor.dns}"
|
25
|
+
match_dns_port = "53"
|
26
|
+
end
|
27
|
+
|
28
|
+
ipt "-t #{table} -A OUTPUT -p udp --dport #{match_dns_port} -j #{target}"
|
29
|
+
ipt "-t #{table} -A OUTPUT -p tcp --dport #{match_dns_port} -j #{target}"
|
30
|
+
|
31
|
+
target = "REDIRECT --to-ports #{@tor.trans_port}" if table == "nat"
|
32
|
+
ipt "-t #{table} -A OUTPUT -d #{@tor.virt_addr} -p tcp -j #{target}"
|
33
|
+
|
34
|
+
target = "RETURN" if table == "nat"
|
35
|
+
@non_tor.each { |ip|
|
36
|
+
ipt "-t #{table} -A OUTPUT -d #{ip} -j #{target}"
|
37
|
+
}
|
38
|
+
|
39
|
+
target = "REDIRECT --to-ports #{@tor.trans_port}" if table == "nat"
|
40
|
+
ipt "-t #{table} -A OUTPUT -p tcp -j #{target}"
|
41
|
+
}
|
42
|
+
end
|
43
|
+
|
44
|
+
def input
|
45
|
+
# SSH
|
46
|
+
ipt "-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
|
47
|
+
# Allow loopback
|
48
|
+
ipt "-A INPUT -i #{@lo} -j ACCEPT"
|
49
|
+
# Allow DNS lookups from connected clients and internet access through tor.
|
50
|
+
ipt "-A INPUT -p udp -m udp --dport #{@tor.dns} -j ACCEPT"
|
51
|
+
# Accept related
|
52
|
+
ipt "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
|
53
|
+
end
|
54
|
+
|
55
|
+
def all
|
56
|
+
ipt "-t filter -A OUTPUT -p udp -j REJECT"
|
57
|
+
ipt "-t filter -A OUTPUT -p icmp -j REJECT"
|
58
|
+
ipt "-P INPUT DROP"
|
59
|
+
ipt "-P FORWARD DROP"
|
60
|
+
ipt "-P OUTPUT DROP"
|
61
|
+
end
|
62
|
+
end
|
63
|
+
end
|
64
|
+
end
|