spior 0.1.0 → 0.1.5
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/CHANGELOG.md +32 -0
- data/README.md +11 -8
- data/Rakefile +20 -0
- data/bin/spior +2 -3
- data/{conf → ext}/ipt_mod.conf +0 -0
- data/{conf → ext}/iptables.service +0 -0
- data/lib/spior.rb +42 -0
- data/lib/spior/clear.rb +14 -18
- data/lib/spior/copy.rb +57 -75
- data/lib/spior/helpers.rb +118 -0
- data/lib/spior/install.rb +21 -78
- data/lib/spior/iptables.rb +5 -192
- data/lib/spior/iptables/default.rb +38 -0
- data/lib/spior/iptables/root.rb +92 -0
- data/lib/spior/iptables/tor.rb +64 -0
- data/lib/spior/menu.rb +43 -0
- data/lib/spior/msg.rb +12 -5
- data/lib/spior/network.rb +0 -1
- data/lib/spior/options.rb +13 -19
- data/lib/spior/persist.rb +33 -21
- data/lib/spior/status.rb +30 -12
- data/lib/spior/tor.rb +4 -38
- data/lib/spior/tor/info.rb +113 -0
- data/lib/spior/{reload.rb → tor/restart.rb} +4 -4
- data/lib/spior/version.rb +3 -0
- data/spior.gemspec +19 -13
- metadata +21 -20
- metadata.gz.sig +0 -0
- data/conf/resolv.conf +0 -1
- data/conf/ssh.conf +0 -29
- data/conf/sshd.conf +0 -46
- data/conf/sshuttle.service +0 -11
- data/conf/torrc/torrc_archlinux +0 -18
- data/conf/torrc/torrc_default +0 -20
- data/lib/spior/mac.rb +0 -11
- data/lib/spior/runner.rb +0 -48
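--- a/data/lib/spior/install.rb
+++ b/data/lib/spior/install.rb
@@ -1,90 +1,33 @@
 require 'nomansland'
 require 'tty-which'
-require_relative 'msg'
 
 module Spior
 class Install
-
-
-
-mac_update
-end
-
-def self.check_base
-base_packages
-verify_services
-end
-
-def self.check_mac
-pkg_mac
-end
-
-private
-
-def self.base_packages
-if not TTY::Which.exist?('iptables') or not TTY::Which.exist?('tor')
-case Nomansland::installer?
-when :emerge
-system('sudo emerge -av --changed-use tor iptables')
-when :pacman
-system('sudo pacman -S --needed tor iptables')
-when :yum
-system('sudo yum install tor iptables')
-else
-system('sudo apt-get install tor iptables')
-end
-end
-end
-
-def self.verify_services
-if TTY::Which.exist?('systemctl')
-system('if ! systemctl is-active tor ; then sudo systemctl start tor ; fi')
-end
-end
-
-def self.pkg_mac
-pkg_name="deceitmac"
-if not TTY::Which.exist?(pkg_name)
-build_pkg(pkg_name)
+class << self
+def check_deps
+base_packages
 end
-end
-
-def self.mac_update
-pkg_name="deceitmac"
-if TTY::Which.exist?(pkg_name)
-print "Target #{pkg_name} exist, update? [N/y] "
-choice = gets.chomp
-if choice =~ /y|Y/ then
-puts "Update #{pkg_name}..."
-build_pkg(pkg_name)
-end
-else
-puts "Install #{pkg_name}..."
-build_pkg(pkg_name)
-end
-end
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+private
+
+def base_packages
+if not TTY::Which.exist?('iptables') or not TTY::Which.exist?('tor')
+case Nomansland::installer?
+when :emerge
+emerge = Helpers::Exec.new("emerge -av --changed-use")
+emerge.run("tor iptables")
+when :pacman
+pacman = Helpers::Exec.new("pacman -S --needed")
+pacman.run("tor iptables")
+when :yum
+yum = Helpers::Exec.new("yum install")
+yum.run("tor iptables")
+else
+apt_get = Helpers::Exec.new("apt-get install")
+apt_get.run("tor iptables iptables-persistent")
+end
 end
 end
-Msg.p "pkg #{name} installed"
-Dir.chdir(old_path)
-rescue => e
-Msg.err e
 end
 end
 end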
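Review bot: `base_packages` (new lines 13–28) builds `Helpers::Exec` objects, but after `require_relative 'msg'` was dropped this file requires nothing from the gem, so it only loads if `lib/spior.rb` has already pulled in `spior/helpers`; if that is the intent, a comment on the `class << self` line such as `# Helpers::Exec is loaded by lib/spior.rb` would make the dependency visible, and since the removed code prefixed every package command with `sudo` it is worth confirming that `Helpers::Exec#run` handles privilege escalation itself. The condition on new line 14, `if not TTY::Which.exist?('iptables') or not TTY::Which.exist?('tor')`, uses the low-precedence `not`/`or` keywords; `unless TTY::Which.exist?('iptables') && TTY::Which.exist?('tor')` reads the same and avoids the precedence trap. The `else` branch runs `apt-get` for any value of `Nomansland::installer?` other than `:emerge`/`:pacman`/`:yum`, so on a host with none of the four the dependency check fails inside apt instead of with a clear message; an explicit `when :apt` plus an `else` that reports the unsupported installer would be clearer. `check_deps` no longer starts the tor service as the removed `verify_services` did, so presumably `tor/restart.rb` now covers that — worth confirming.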
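--- a/data/lib/spior/iptables.rb
+++ b/data/lib/spior/iptables.rb
@@ -1,195 +1,8 @@
-require 'interfacez'
-require_relative 'tor'
-require_relative 'msg'
-
 module Spior
-
-
-def self.tor(interface = false)
-initialize(interface)
-select_cmd
-flush_rules
-bogus_tcp_flags
-bad_packets
-spoofing
-icmp
-dns
-nat
-input
-forward
-output
-drop_all
-end
-
-def self.flush_rules
-select_cmd
-ipt "-F"
-ipt "-X"
-ipt "-t nat -F"
-ipt "-t nat -X"
-ipt "-t mangle -F"
-ipt "-t mangle -X"
-end
-
-private
-
-def self.initialize(interface)
-@lo = Interfacez.loopback
-@lo_addr = Interfacez.ipv4_address_of(@lo)
-@tor = Spior::Tor.new
-@non_tor = ["#{@lo_addr}/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
-@incoming = interface
-@incoming_addr = Interfacez.ipv4_address_of(@incoming)
-end
-
-def self.check_dep
-Spior::Copy::config_files
-end
-
-def self.select_cmd
-id=`id -u`
-if id == 0 then
-@i = "iptables"
-else
-@i = "sudo iptables"
-end
-end
-
-def self.ipt(line)
-system("#{@i} #{line}")
-#puts "added - #{@i} #{line}"
-end
-
-def self.drop_all
-ipt "-P INPUT DROP"
-ipt "-P FORWARD DROP"
-ipt "-P OUTPUT DROP"
-end
-
-def self.bogus_tcp_flags
-puts "bogus"
-ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP"
-ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP"
-ipt "-t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP"
-ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP"
-ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP"
-ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP"
-ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP"
-ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP"
-ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP"
-ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP"
-ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP"
-ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP"
-ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP"
-end
-
-def self.bad_packets
-puts "bad_packets"
-# new packet not syn
-ipt "-t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP"
-# fragment packet
-ipt "-A INPUT -f -j DROP"
-# XMAS
-ipt "-A INPUT -p tcp --tcp-flags ALL ALL -j DROP"
-# null packet
-ipt "-A INPUT -p tcp --tcp-flags ALL NONE -j DROP"
-end
-
-def self.spoofing
-subs=["224.0.0.0/3", "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/5"]
-subs.each do |sub|
-ipt "-t mangle -A PREROUTING -s #{sub} -j DROP"
-end
-ipt "-t mangle -A PREROUTING -s #{@lo_addr}/8 ! -i #{@lo} -j DROP"
-end
-
-def self.icmp
-puts "icmp"
-ipt "-N port-scanning"
-ipt "-A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN"
-ipt "-A port-scanning -j DROP"
-
-ipt "-N syn_flood"
-ipt "-A INPUT -p tcp --syn -j syn_flood"
-ipt "-A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN"
-ipt "-A syn_flood -j DROP"
-
-ipt "-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT"
-ipt "-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:"
-ipt "-A INPUT -p icmp -j DROP"
-ipt "-A OUTPUT -p icmp -j ACCEPT"
-end
-
-def self.dns
-puts "dns"
-ipt "-t nat -A PREROUTING ! -i #{@lo} -p udp -m udp --dport 53 -j REDIRECT --to-ports #{@tor.dns}"
-ipt "-t nat -A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports #{@tor.dns}"
-ipt "-t nat -A OUTPUT -p tcp -m tcp --dport 53 -j REDIRECT --to-ports #{@tor.dns}"
-end
-
-def self.nat
-puts "nat"
-# nat .onion addresses
-ipt "-t nat -A OUTPUT -d #{@tor.virt_addr} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports #{@tor.trans_port}"
-
-# Don't nat the Tor process, the loopback, or the local network
-ipt "-t nat -A OUTPUT -m owner --uid-owner #{@tor.uid} -j RETURN"
-ipt "-t nat -A OUTPUT -o #{@lo} -j RETURN"
-
-# Allow lan access for hosts in $non_tor
-@non_tor.each do |lan|
-ipt "-t nat -A OUTPUT -d #{lan} -j RETURN"
-end
-
-# Redirects all other pre-routing and output to Tor's TransPort
-ipt "-t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports #{@tor.trans_port}"
-
-# Redirects all other pre-routing and output to Tor's TransPort
-ipt "-t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports #{@tor.trans_port}"
-end
-
-def self.input
-puts "input"
-ipt "-A INPUT -i #{@incoming} -p tcp -s #{@incoming_addr} --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
-
-# Allow loopback, rules
-ipt "-A INPUT -m state --state ESTABLISHED -j ACCEPT"
-ipt "-A INPUT -i #{@lo} -j ACCEPT"
-
-# Allow DNS lookups from connected clients and internet access through tor.
-ipt "-A INPUT -d #{@incoming_addr} -i #{@incoming} -p udp -m udp --dport #{@tor.dns} -j ACCEPT"
-ipt "-A INPUT -d #{@incoming_addr} -i #{@incoming} -p tcp -m tcp --dport #{@tor.trans_port} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT"
-
-# Default
-ipt "-A INPUT -j DROP"
-end
-
-def self.output
-puts "output"
-ipt "-A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix \"DROP INVALID \" --log-ip-options --log-tcp-options"
-ipt "-A OUTPUT -m conntrack --ctstate INVALID -j DROP"
-ipt "-A OUTPUT -m state --state ESTABLISHED -j ACCEPT"
-
-# output
-ipt "-A OUTPUT -m owner --uid-owner #{@tor.uid} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT"
-
-# Accept, allow loopback output
-ipt "-A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
-ipt "-A OUTPUT -d #{@lo_addr}/32 -o #{@lo} -j ACCEPT"
-
-# tor transparent magic
-ipt "-A OUTPUT -d #{@lo_addr}/32 -p tcp -m tcp --dport #{@tor.trans_port} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT"
-
-ipt "-A OUTPUT -j DROP"
-end
-
-def self.forward
-puts "forward"
-ipt "-A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix \"DROP INVALID \" --log-ip-options --log-tcp-options"
-ipt "-A FORWARD -m conntrack --ctstate INVALID -j DROP"
-ipt "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
-ipt "-A FORWARD -i #{@incoming} ! -s #{@incoming_addr} -j LOG --log-prefix \"SPOOFED PKT \""
-ipt "-A FORWARD -i #{@incoming} ! -s #{@incoming_addr} -j DROP"
-end
+module Iptables
 end
 end
+
+require_relative 'iptables/root'
+require_relative 'iptables/tor'
+require_relative 'iptables/default'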
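Review bot: The three `require_relative` lines at the bottom of the new file (lines 6–8) must keep `iptables/root` first, because `tor.rb` and `default.rb` reference `Iptables::Root` as their superclass at load time, yet nothing in the file records that constraint; a comment above line 6, `# root must load before the profiles that subclass it`, would protect the order against a future alphabetical sort. `root.rb` in turn uses `Helpers::Exec` and `Spior::Copy` without requiring them, and the old `require_relative 'tor'`/`'msg'` lines were dropped here, so this file appears to rely on `lib/spior.rb` loading those first — worth confirming, since a direct `require 'spior/iptables'` would otherwise raise `NameError`.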
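--- /dev/null
+++ b/data/lib/spior/iptables/default.rb
@@ -0,0 +1,38 @@
+module Spior
+module Iptables
+class Default < Iptables::Root
+private
+
+def input
+# SSH
+ipt "-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
+# Allow loopback, rules
+ipt "-A INPUT -i #{@lo} -j ACCEPT"
+# Accept related
+ipt "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+end
+
+def output
+ipt "-A OUTPUT -m conntrack --ctstate INVALID -j DROP"
+ipt "-A OUTPUT -m state --state ESTABLISHED -j ACCEPT"
+
+# Allow SSH
+ipt "-A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
+
+# Allow Loopback
+ipt "-A OUTPUT -d #{@lo_addr}/8 -o #{@lo} -j ACCEPT"
+
+# Default
+ipt "-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
+end
+
+def all
+ipt "-t filter -A OUTPUT -p udp -j ACCEPT"
+ipt "-t filter -A OUTPUT -p icmp -j REJECT"
+ipt "-P INPUT ACCEPT"
+ipt "-P FORWARD ACCEPT"
+ipt "-P OUTPUT ACCEPT"
+end
+end
+end
+end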
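Review bot: `output` installs the ESTABLISHED accept twice — `-m state --state ESTABLISHED -j ACCEPT` on line 17 and, under the misleading `# Default` comment, `-m conntrack --ctstate ESTABLISHED -j ACCEPT` on line 26; the second rule can never match a packet the first did not already accept, so it should be removed, or the comment rewritten to say what that final rule is actually meant to catch. Because `all` ends by setting all three chain policies to ACCEPT, the accept rules in `input` and `output` only admit what the policy would admit anyway, and the profile's real effect is the mangle/INPUT drops inherited from `Root` plus the `icmp -j REJECT`; that is presumably the intent of the non-Tor profile, but a class-level comment such as `# Permissive profile: policies end up ACCEPT, only bad-packet and spoofing drops remain` would stop a reader mistaking it for a hardening baseline. The inherited `redirect` hook is left empty here, so this profile installs no nat rules at all, which also deserves a one-line comment.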
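--- /dev/null
+++ b/data/lib/spior/iptables/root.rb
@@ -0,0 +1,92 @@
+require 'interfacez'
+
+module Spior
+module Iptables
+class Root
+def initialize
+@lo = Interfacez.loopback
+@lo_addr = Interfacez.ipv4_address_of(@lo)
+@i = Helpers::Exec.new("iptables")
+Spior::Copy.new.save
+end
+
+def run!
+bogus_tcp_flags
+bad_packets
+spoofing
+redirect
+input
+output
+all
+end
+
+def restart!
+stop!
+run!
+end
+
+def stop!
+ipt "-F"
+ipt "-X"
+ipt "-t nat -F"
+ipt "-t nat -X"
+ipt "-t mangle -F"
+ipt "-t mangle -X"
+end
+
+private
+
+def ipt(line)
+@i.run("#{line}")
+puts "added - #{@i} #{line}"
+end
+
+def redirect
+end
+
+def input
+end
+
+def output
+end
+
+def all
+end
+
+def bogus_tcp_flags
+ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP"
+ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP"
+ipt "-t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP"
+ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP"
+ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP"
+ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP"
+ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP"
+ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP"
+ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP"
+ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP"
+ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP"
+ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP"
+ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP"
+end
+
+def bad_packets
+# new packet not syn
+ipt "-t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP"
+# fragment packet
+ipt "-A INPUT -f -j DROP"
+# XMAS
+ipt "-A INPUT -p tcp --tcp-flags ALL ALL -j DROP"
+# null packet
+ipt "-A INPUT -p tcp --tcp-flags ALL NONE -j DROP"
+end
+
+def spoofing
+subs=["224.0.0.0/3", "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/5"]
+subs.each do |sub|
+ipt "-t mangle -A PREROUTING -s #{sub} -j DROP"
+end
+ipt "-t mangle -A PREROUTING -s #{@lo_addr}/8 ! -i #{@lo} -j DROP"
+end
+end
+end
+end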
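Review bot: `stop!` (lines 28–35) flushes and deletes every chain but never touches the chain policies, so once a profile has set `-P INPUT/FORWARD/OUTPUT DROP` a standalone `stop!` leaves the host with DROP policies and no ACCEPT rules at all, loopback included, until another profile is applied; `restart!` is safe because `run!` follows immediately, but unless every other caller of `stop!` is guaranteed to follow it with a `run!`, the method should reset the policies before flushing, `ipt "-P INPUT ACCEPT"`, `ipt "-P FORWARD ACCEPT"`, `ipt "-P OUTPUT ACCEPT"`. The log line in `ipt` (line 41) interpolates `@i`, which is now a `Helpers::Exec` instance rather than the command string the removed code kept in `@i`, so unless `Helpers::Exec` defines `to_s` the message prints an object inspection; `puts "added - iptables #{line}"` (or whatever `Exec` exposes as its command) is what was meant, and `@i.run("#{line}")` on line 40 can simply be `@i.run(line)`. The four empty hooks `redirect`, `input`, `output` and `all` (lines 44–54) would read better with a one-line comment each, e.g. `# profile hook, overridden by Iptables::Tor and Iptables::Default`, and `initialize` calling `Spior::Copy.new.save` is a side effect a reader would not expect from a constructor and deserves a why-comment.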
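--- /dev/null
+++ b/data/lib/spior/iptables/tor.rb
@@ -0,0 +1,64 @@
+module Spior
+module Iptables
+class Tor < Iptables::Root
+def initialize
+super
+@tor = Spior::Tor::Info.new
+@non_tor = ["#{@lo_addr}/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
+@tables = ["nat", "filter"]
+end
+
+private
+
+def redirect
+@tables.each { |table|
+target = "ACCEPT"
+target = "RETURN" if table == "nat"
+
+ipt "-t #{table} -F OUTPUT"
+ipt "-t #{table} -A OUTPUT -m state --state ESTABLISHED -j #{target}"
+ipt "-t #{table} -A OUTPUT -m owner --uid #{@tor.uid} -j #{target}"
+
+match_dns_port = @tor.dns
+if table == "nat"
+target = "REDIRECT --to-ports #{@tor.dns}"
+match_dns_port = "53"
+end
+
+ipt "-t #{table} -A OUTPUT -p udp --dport #{match_dns_port} -j #{target}"
+ipt "-t #{table} -A OUTPUT -p tcp --dport #{match_dns_port} -j #{target}"
+
+target = "REDIRECT --to-ports #{@tor.trans_port}" if table == "nat"
+ipt "-t #{table} -A OUTPUT -d #{@tor.virt_addr} -p tcp -j #{target}"
+
+target = "RETURN" if table == "nat"
+@non_tor.each { |ip|
+ipt "-t #{table} -A OUTPUT -d #{ip} -j #{target}"
+}
+
+target = "REDIRECT --to-ports #{@tor.trans_port}" if table == "nat"
+ipt "-t #{table} -A OUTPUT -p tcp -j #{target}"
+}
+end
+
+def input
+# SSH
+ipt "-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
+# Allow loopback
+ipt "-A INPUT -i #{@lo} -j ACCEPT"
+# Allow DNS lookups from connected clients and internet access through tor.
+ipt "-A INPUT -p udp -m udp --dport #{@tor.dns} -j ACCEPT"
+# Accept related
+ipt "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+end
+
+def all
+ipt "-t filter -A OUTPUT -p udp -j REJECT"
+ipt "-t filter -A OUTPUT -p icmp -j REJECT"
+ipt "-P INPUT DROP"
+ipt "-P FORWARD DROP"
+ipt "-P OUTPUT DROP"
+end
+end
+end
+end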
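Review bot: `redirect` (lines 13–42) threads a single mutable `target` through four reassignments inside the `@tables.each` block, so the jump a given rule installs depends on which assignments preceded it and a reordered line silently changes the firewall; computing the targets once at the top of the block, `nat = table == "nat"`, `lan_target = nat ? "RETURN" : "ACCEPT"`, `tor_target = nat ? "REDIRECT --to-ports #{@tor.trans_port}" : "ACCEPT"` (and a `dns_target` built the same way), would make each `ipt` line self-describing. The owner match on line 20 is spelled `--uid`; iptables appears to accept it as an unambiguous prefix of `--uid-owner`, but the full name is the documented one and the one the removed code used, so `-m owner --uid-owner #{@tor.uid}` is the safer spelling. Nothing in this class touches ip6tables, so IPv6 traffic is not redirected or blocked by these rules — if that is handled in `ext/ipt_mod.conf` or elsewhere in the gem, a comment on `redirect` saying so would save the next reader the check.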