spior 0.1.0 → 0.1.5

data/lib/spior/install.rb

@@ -1,90 +1,33 @@
 require 'nomansland'
 require 'tty-which'
-require_relative 'msg'
 
 module Spior
   class Install
-
-    def self.dependencies
-      base_packages
-      mac_update
-    end
-
-    def self.check_base
-      base_packages
-      verify_services
-    end
-
-    def self.check_mac
-      pkg_mac
-    end
-
-    private
-
-    def self.base_packages
-      if not TTY::Which.exist?('iptables') or not TTY::Which.exist?('tor')
-        case Nomansland::installer?
-        when :emerge
-          system('sudo emerge -av --changed-use tor iptables')
-        when :pacman
-          system('sudo pacman -S --needed tor iptables')
-        when :yum
-          system('sudo yum install tor iptables')
-        else
-          system('sudo apt-get install tor iptables')
-        end
-      end
-    end
-
-    def self.verify_services
-      if TTY::Which.exist?('systemctl')
-        system('if ! systemctl is-active tor ; then sudo systemctl start tor ; fi')
-      end
-    end
-
-    def self.pkg_mac
-      pkg_name="deceitmac"
-      if not TTY::Which.exist?(pkg_name)
-        build_pkg(pkg_name)
+    class << self
+      def check_deps
+        base_packages
       end
-    end
-
-    def self.mac_update
-      pkg_name="deceitmac"
-      if TTY::Which.exist?(pkg_name)
-        print "Target #{pkg_name} exist, update? [N/y] "
-        choice = gets.chomp
-        if choice =~ /y|Y/ then
-          puts "Update #{pkg_name}..."
-          build_pkg(pkg_name)
-        end
-      else
-        puts "Install #{pkg_name}..."
-        build_pkg(pkg_name)
-      end
-    end
 
-    def self.build_pkg(name)
-      old_path = Dir.pwd
-      system("rm -rf /tmp/#{name}*")
-      system("curl -L -o /tmp/#{name}.tar.gz https://github.com/szorfein/#{name}/archive/master.tar.gz")
-      Dir.chdir("/tmp")
-      system("tar xvf #{name}.tar.gz")
-      Dir.chdir("#{name}-master")
-      system("sudo make install")
-      if TTY::Which.exist?('systemctl')
-        if Dir.exist?("/lib/systemd/system")
-          puts "lib/systemd"
-          system("sudo cp deceitmac@.service /lib/systemd/system/")
-        else
-          puts "/usr/lib/systemd"
-          system("sudo cp deceitmac@.service /usr/lib/systemd/system/")
+      private
+
+      def base_packages
+        if not TTY::Which.exist?('iptables') or not TTY::Which.exist?('tor')
+          case Nomansland::installer?
+          when :emerge
+            emerge = Helpers::Exec.new("emerge -av --changed-use")
+            emerge.run("tor iptables")
+          when :pacman
+            pacman = Helpers::Exec.new("pacman -S --needed")
+            pacman.run("tor iptables")
+          when :yum
+            yum = Helpers::Exec.new("yum install")
+            yum.run("tor iptables")
+          else
+            apt_get = Helpers::Exec.new("apt-get install")
+            apt_get.run("tor iptables iptables-persistent")
+          end
         end
       end
-      Msg.p "pkg #{name} installed"
-      Dir.chdir(old_path)
-    rescue => e
-      Msg.err e
     end
   end
 end

data/lib/spior/iptables.rb

@@ -1,195 +1,8 @@
-require 'interfacez'
-require_relative 'tor'
-require_relative 'msg'
-
 module Spior
-  class Iptables
-
-    def self.tor(interface = false)
-      initialize(interface)
-      select_cmd
-      flush_rules
-      bogus_tcp_flags
-      bad_packets
-      spoofing
-      icmp
-      dns
-      nat
-      input
-      forward
-      output
-      drop_all
-    end
-
-    def self.flush_rules
-      select_cmd
-      ipt "-F"
-      ipt "-X"
-      ipt "-t nat -F"
-      ipt "-t nat -X"
-      ipt "-t mangle -F"
-      ipt "-t mangle -X"
-    end
-
-    private
-
-    def self.initialize(interface)
-      @lo = Interfacez.loopback
-      @lo_addr = Interfacez.ipv4_address_of(@lo)
-      @tor = Spior::Tor.new
-      @non_tor = ["#{@lo_addr}/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
-      @incoming = interface
-      @incoming_addr = Interfacez.ipv4_address_of(@incoming)
-    end
-
-    def self.check_dep
-      Spior::Copy::config_files
-    end
-
-    def self.select_cmd
-      id=`id -u`
-      if id == 0 then
-        @i = "iptables"
-      else
-        @i = "sudo iptables"
-      end
-    end
-
-    def self.ipt(line)
-      system("#{@i} #{line}")
-      #puts "added - #{@i} #{line}"
-    end
-
-    def self.drop_all
-      ipt "-P INPUT DROP"
-      ipt "-P FORWARD DROP"
-      ipt "-P OUTPUT DROP"
-    end
-
-    def self.bogus_tcp_flags
-      puts "bogus"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP"
-    end
-
-    def self.bad_packets
-      puts "bad_packets"
-      # new packet not syn
-      ipt "-t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP"
-      # fragment  packet
-      ipt "-A INPUT -f -j DROP"
-      # XMAS
-      ipt "-A INPUT -p tcp --tcp-flags ALL ALL -j DROP"
-      # null packet
-      ipt "-A INPUT -p tcp --tcp-flags ALL NONE -j DROP"
-    end
-
-    def self.spoofing
-      subs=["224.0.0.0/3", "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/5"]
-      subs.each do |sub|
-        ipt "-t mangle -A PREROUTING -s #{sub} -j DROP"
-      end
-      ipt "-t mangle -A PREROUTING -s #{@lo_addr}/8 ! -i #{@lo} -j DROP"
-    end
-
-    def self.icmp
-      puts "icmp"
-      ipt "-N port-scanning"
-      ipt "-A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN"
-      ipt "-A port-scanning -j DROP"
-
-      ipt "-N syn_flood"
-      ipt "-A INPUT -p tcp --syn -j syn_flood"
-      ipt "-A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN"
-      ipt "-A syn_flood -j DROP"
-
-      ipt "-A INPUT -p icmp -m limit --limit  1/s --limit-burst 1 -j ACCEPT"
-      ipt "-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:"
-      ipt "-A INPUT -p icmp -j DROP"
-      ipt "-A OUTPUT -p icmp -j ACCEPT"
-    end
-
-    def self.dns
-      puts "dns"
-      ipt "-t nat -A PREROUTING ! -i #{@lo} -p udp -m udp --dport 53 -j REDIRECT --to-ports #{@tor.dns}"
-      ipt "-t nat -A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports #{@tor.dns}"
-      ipt "-t nat -A OUTPUT -p tcp -m tcp --dport 53 -j REDIRECT --to-ports #{@tor.dns}"
-    end
-
-    def self.nat
-      puts "nat"
-      # nat .onion addresses
-      ipt "-t nat -A OUTPUT -d #{@tor.virt_addr} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports #{@tor.trans_port}"
-              
-      # Don't nat the Tor process, the loopback, or the local network
-      ipt "-t nat -A OUTPUT -m owner --uid-owner #{@tor.uid} -j RETURN"
-      ipt "-t nat -A OUTPUT -o #{@lo} -j RETURN"
-              
-      # Allow lan access for hosts in $non_tor
-      @non_tor.each do |lan|
-        ipt "-t nat -A OUTPUT -d #{lan} -j RETURN"
-      end
-
-      # Redirects all other pre-routing and output to Tor's TransPort
-      ipt "-t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports #{@tor.trans_port}"
-
-      # Redirects all other pre-routing and output to Tor's TransPort
-      ipt "-t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports #{@tor.trans_port}"
-    end
-
-    def self.input
-      puts "input"
-      ipt "-A INPUT -i #{@incoming} -p tcp -s #{@incoming_addr} --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
-
-      # Allow loopback, rules
-      ipt "-A INPUT -m state --state ESTABLISHED -j ACCEPT"
-      ipt "-A INPUT -i #{@lo} -j ACCEPT"
-      
-      # Allow DNS lookups from connected clients and internet access through tor.
-      ipt "-A INPUT -d #{@incoming_addr} -i #{@incoming} -p udp -m udp --dport #{@tor.dns} -j ACCEPT"
-      ipt "-A INPUT -d #{@incoming_addr} -i #{@incoming} -p tcp -m tcp --dport #{@tor.trans_port} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT"
-      
-      # Default
-      ipt "-A INPUT -j DROP"
-    end
-
-    def self.output
-      puts "output"
-      ipt "-A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix \"DROP INVALID \" --log-ip-options --log-tcp-options"
-      ipt "-A OUTPUT -m conntrack --ctstate INVALID -j DROP"
-      ipt "-A OUTPUT -m state --state ESTABLISHED -j ACCEPT"
-
-      # output
-      ipt "-A OUTPUT -m owner --uid-owner #{@tor.uid} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT"
-
-      # Accept, allow loopback output
-      ipt "-A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
-      ipt "-A OUTPUT -d #{@lo_addr}/32 -o #{@lo} -j ACCEPT"
-
-      # tor transparent magic
-      ipt "-A OUTPUT -d #{@lo_addr}/32 -p tcp -m tcp --dport #{@tor.trans_port} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT"
-
-      ipt "-A OUTPUT -j DROP"
-    end
-
-    def self.forward
-      puts "forward"
-      ipt "-A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix \"DROP INVALID \" --log-ip-options --log-tcp-options"
-      ipt "-A FORWARD -m conntrack --ctstate INVALID -j DROP"
-      ipt "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
-      ipt "-A FORWARD -i #{@incoming} ! -s #{@incoming_addr} -j LOG --log-prefix \"SPOOFED PKT \""
-      ipt "-A FORWARD -i #{@incoming} ! -s #{@incoming_addr} -j DROP"
-    end
+  module Iptables
   end
 end
+
+require_relative 'iptables/root'
+require_relative 'iptables/tor'
+require_relative 'iptables/default'

data/lib/spior/iptables/default.rb

@@ -0,0 +1,38 @@
+module Spior
+  module Iptables
+    class Default < Iptables::Root
+      private
+      
+      def input
+        # SSH
+        ipt "-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
+        # Allow loopback, rules
+        ipt "-A INPUT -i #{@lo} -j ACCEPT"
+        # Accept related
+        ipt "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+      end
+
+      def output
+        ipt "-A OUTPUT -m conntrack --ctstate INVALID -j DROP"
+        ipt "-A OUTPUT -m state --state ESTABLISHED -j ACCEPT"
+
+        # Allow SSH
+        ipt "-A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
+
+        # Allow Loopback
+        ipt "-A OUTPUT -d #{@lo_addr}/8 -o #{@lo} -j ACCEPT"
+
+        # Default
+        ipt "-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
+      end
+      
+      def all
+        ipt "-t filter -A OUTPUT -p udp -j ACCEPT"
+        ipt "-t filter -A OUTPUT -p icmp -j REJECT"
+        ipt "-P INPUT ACCEPT"
+        ipt "-P FORWARD ACCEPT"
+        ipt "-P OUTPUT ACCEPT"
+      end
+    end
+  end
+end

data/lib/spior/iptables/root.rb

@@ -0,0 +1,92 @@
+require 'interfacez'
+
+module Spior
+  module Iptables
+    class Root
+      def initialize
+        @lo      = Interfacez.loopback
+        @lo_addr = Interfacez.ipv4_address_of(@lo)
+        @i = Helpers::Exec.new("iptables")
+        Spior::Copy.new.save
+      end
+
+      def run!
+        bogus_tcp_flags
+        bad_packets
+        spoofing
+        redirect
+        input
+        output
+        all
+      end
+
+      def restart!
+        stop!
+        run!
+      end
+
+      def stop!
+        ipt "-F"
+        ipt "-X"
+        ipt "-t nat -F"
+        ipt "-t nat -X"
+        ipt "-t mangle -F"
+        ipt "-t mangle -X"
+      end
+
+      private
+
+      def ipt(line)
+        @i.run("#{line}")
+        puts "added - #{@i} #{line}"
+      end
+
+      def redirect
+      end
+
+      def input
+      end
+
+      def output
+      end
+
+      def all
+      end
+
+      def bogus_tcp_flags
+        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP"
+        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP"
+        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP"
+        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP"
+        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP"
+        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP"
+        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP"
+        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP"
+        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP"
+        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP"
+        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP"
+        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP"
+        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP"
+      end
+
+      def bad_packets
+        # new packet not syn
+        ipt "-t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP"
+        # fragment  packet
+        ipt "-A INPUT -f -j DROP"
+        # XMAS
+        ipt "-A INPUT -p tcp --tcp-flags ALL ALL -j DROP"
+        # null packet
+        ipt "-A INPUT -p tcp --tcp-flags ALL NONE -j DROP"
+      end
+
+      def spoofing
+        subs=["224.0.0.0/3", "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/5"]
+        subs.each do |sub|
+          ipt "-t mangle -A PREROUTING -s #{sub} -j DROP"
+        end
+        ipt "-t mangle -A PREROUTING -s #{@lo_addr}/8 ! -i #{@lo} -j DROP"
+      end
+    end
+  end
+end

data/lib/spior/iptables/tor.rb

@@ -0,0 +1,64 @@
+module Spior
+  module Iptables
+    class Tor < Iptables::Root
+      def initialize
+        super
+        @tor     = Spior::Tor::Info.new
+        @non_tor = ["#{@lo_addr}/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
+        @tables  = ["nat", "filter"]
+      end
+
+      private
+      
+      def redirect
+        @tables.each { |table|
+          target = "ACCEPT"
+          target = "RETURN" if table == "nat"
+
+          ipt "-t #{table} -F OUTPUT"
+          ipt "-t #{table} -A OUTPUT -m state --state ESTABLISHED -j #{target}"
+          ipt "-t #{table} -A OUTPUT -m owner --uid #{@tor.uid} -j #{target}"
+
+          match_dns_port = @tor.dns
+          if table == "nat"
+            target = "REDIRECT --to-ports #{@tor.dns}"
+            match_dns_port = "53"
+          end
+
+          ipt "-t #{table} -A OUTPUT -p udp --dport #{match_dns_port} -j #{target}"
+          ipt "-t #{table} -A OUTPUT -p tcp --dport #{match_dns_port} -j #{target}"
+
+          target = "REDIRECT --to-ports #{@tor.trans_port}" if table == "nat"
+          ipt "-t #{table} -A OUTPUT -d #{@tor.virt_addr} -p tcp -j #{target}"
+
+          target = "RETURN" if table == "nat"
+          @non_tor.each { |ip|
+            ipt "-t #{table} -A OUTPUT -d #{ip} -j #{target}"
+          }
+
+          target = "REDIRECT --to-ports #{@tor.trans_port}" if table == "nat"
+          ipt "-t #{table} -A OUTPUT -p tcp -j #{target}"
+        }
+      end
+
+      def input
+        # SSH
+        ipt "-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
+        # Allow loopback
+        ipt "-A INPUT -i #{@lo} -j ACCEPT"
+        # Allow DNS lookups from connected clients and internet access through tor.
+        ipt "-A INPUT -p udp -m udp --dport #{@tor.dns} -j ACCEPT"
+        # Accept related
+        ipt "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+      end
+
+      def all
+        ipt "-t filter -A OUTPUT -p udp -j REJECT"
+        ipt "-t filter -A OUTPUT -p icmp -j REJECT"
+        ipt "-P INPUT DROP"
+        ipt "-P FORWARD DROP"
+        ipt "-P OUTPUT DROP"
+      end
+    end
+  end
+end