spior 0.1.2 → 0.1.6
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data/CHANGELOG.md +27 -0
- data/README.md +24 -15
- data/Rakefile +20 -0
- data/bin/spior +2 -3
- data/{conf → ext}/ipt_mod.conf +0 -0
- data/{conf → ext}/iptables.service +0 -0
- data/lib/spior/clear.rb +13 -19
- data/lib/spior/copy.rb +54 -77
- data/lib/spior/dep.rb +37 -0
- data/lib/spior/helpers.rb +106 -7
- data/lib/spior/iptables/default.rb +38 -0
- data/lib/spior/iptables/root.rb +88 -0
- data/lib/spior/iptables/tor.rb +59 -0
- data/lib/spior/iptables.rb +5 -183
- data/lib/spior/menu.rb +15 -34
- data/lib/spior/msg.rb +7 -9
- data/lib/spior/options.rb +9 -20
- data/lib/spior/persist.rb +33 -29
- data/lib/spior/service/restart.rb +21 -0
- data/lib/spior/service/start.rb +26 -0
- data/lib/spior/service.rb +7 -0
- data/lib/spior/status.rb +30 -12
- data/lib/spior/tor/info.rb +96 -0
- data/lib/spior/tor.rb +3 -65
- data/lib/spior/version.rb +3 -0
- data/lib/spior.rb +44 -0
- data/man/spior.1 +53 -0
- data/man/spior.1.html +122 -0
- data/man/spior.1.ronn +46 -0
- data/spior.gemspec +7 -5
- data.tar.gz.sig +2 -1
- metadata +39 -36
- metadata.gz.sig +0 -0
- data/conf/resolv.conf +0 -1
- data/conf/ssh.conf +0 -29
- data/conf/sshd.conf +0 -46
- data/conf/sshuttle.service +0 -11
- data/conf/torrc/torrc_archlinux +0 -18
- data/conf/torrc/torrc_default +0 -20
- data/lib/spior/install.rb +0 -88
- data/lib/spior/mac.rb +0 -11
- data/lib/spior/network.rb +0 -46
- data/lib/spior/reload.rb +0 -14
- data/lib/spior/runner.rb +0 -46
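--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: fc3cc3a5fd8b8a7ace72820d60d145efa04795f86a3381e3156178d4d4cfd09c
+data.tar.gz: 8de21a9ee54c6dc50f3aad1e1a828dd92173c7a5b31571498af19d75b6fd20bf
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: acb66a1dd30e69c73f7ac79dbca7263fee90bd8bd6a8a1ace9dc7b35365a4996ce29aebde3d0652d1039f56ddcff259c29b739b8f3421bb9701b33a3d7b97c71
+data.tar.gz: 284146408ef4dd90edf60e74f98488d0f5bf1ea92fdfff72edd30c219c26600c5e7934e71c7b54fc07bf7cf11a0e8b06ab31515d1314cc23ca570c029da551d3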
checksums.yaml.gz.sig
CHANGED
Binary file
|
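--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,30 @@
+## 0.1.6, release 2021-12-30
+* Make it work for Voidlinux.
+* Add a man page.
+* Support init script (but not yet very well).
+* Stop changing /etc/resolv.conf.
+* Dependencies are checked before start anything. Spior exit(1) if fail.
+
+## 0.1.5, release 2020-11-01
+* Simplify lib/spior/copy, lib/spior/clear
+* Write iptables rules for --clearnet and --tor
+* Refacto code
+* Enhance --status with open-uri and json
+* Remove argument --net-card
+
+## 0.1.4, release 2020-05-21
+* torrc and resolv.conf are generate dynamically
+* Remove conf/resolv
+* Correct path of conf_dir for the install on gentoo
+* Remove self from lib/copy
+* Correct little error on lib/copy with undefined method `deps`
+
+## 0.1.3, release 2020-05-14
+* Rename conf dir by ext
+* Clearing all codes about MAC
+* Remove deceitmac
+* Mac change and other randomize features will go on another gem amnesie
+
 ## 0.1.2, release 2020-05-13
 * Add instructions for the persistent mode
 * Add dependency iptables-persistant for distro based on debian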
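--- a/data/README.md
+++ b/data/README.md
@@ -1,39 +1,48 @@
-#
-
+# Spior
+
+<div align="center">
+<br/>
+
+[![Gem Version](https://badge.fury.io/rb/spior.svg)](https://badge.fury.io/rb/spior)
+![GitHub](https://img.shields.io/github/license/szorfein/spior)
+
+</div>
+
+(Spider|Tor) A tool to make TOR your default gateway.
 
 ## Install
 Spior is cryptographically signed, so add my public key (if you haven’t already) as a trusted certificate.
 
 $ gem cert --add <(curl -Ls https://raw.githubusercontent.com/szorfein/spior/master/certs/szorfein.pem)
 
-And install the gem
+And install the gem:
 
 $ gem install spior -P MediumSecurity
 
-
-+ For gentoo, a package is available on my repo [ninjatools](https://github.com/szorfein/ninjatools/tree/master/dev-ruby/spior).
-+ Arch seem to use [Quarry](https://wiki.archlinux.org/index.php/Ruby#Quarry).
-+ On distro based on debian, gem are installed system-wide.
+Or user wide (Spior will use `sudo`)
 
-
+$ gem install --user-install spior
 
 ## Usage
 
 $ spior -h
 
 ### Examples
-
+Redirect traffic through TOR:
+
+$ spior --tor
+
+Change your ip address by reloading the TOR circuit:
 
-$ spior
+$ spior --reload
 
-
+Look informations about your current ip address:
 
-$ spior
-$ spior -t -n eth0
+$ spior --status
 
-
+Return to clearnet navigation
 
-$ spior
+$ spior --clearnet
 
 ## Left Over
 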
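--- /dev/null
+++ b/data/Rakefile
@@ -0,0 +1,20 @@
+# https://github.com/seattlerb/minitest#running-your-tests-
+require "rake/testtask"
+require File.dirname(__FILE__) + "/lib/spior/version"
+
+Rake::TestTask.new(:test) do |t|
+t.libs << "test"
+t.libs << "lib"
+t.test_files = FileList["test/test_*.rb"]
+end
+
+namespace :gem do
+desc "build the gem"
+task :build do
+Dir["spior*.gem"].each {|f| File.unlink(f) }
+system("gem build spior.gemspec")
+system("gem install --user-install spior-#{Spior::VERSION}.gem -P MediumSecurity")
+end
+end
+
+task :default => :test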
data/bin/spior
CHANGED
data/{conf → ext}/ipt_mod.conf
RENAMED
File without changes
|
File without changes
|
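--- a/data/lib/spior/clear.rb
+++ b/data/lib/spior/clear.rb
@@ -1,8 +1,4 @@
-require 'tty-which'
 require 'nomansland'
-require_relative 'copy'
-require_relative 'msg'
-require_relative 'helpers'
 
 module Spior
 module Clear
@@ -10,32 +6,30 @@ module Spior
 
 def all
 iptables
-
+Spior::Copy.new.restore
 end
 
 private
 
 def iptables
 puts "Clearing rules.."
-Spior::Iptables::
-
-
-
-
-
-
-
-
-
+ipt = Spior::Iptables::Default.new
+ipt.stop!
+#if File.exist?("/var/lib/iptables/rules-save")
+# ipt_restore "/var/lib/iptables/rules-save"
+#elsif File.exist?("/etc/iptables/rules.save")
+# ipt_restore "/etc/iptables/iptables.rules"
+#elsif File.exist?("/etc/iptables.rules")
+# ipt_restore "/etc/iptables.rules"
+#else
+#Msg.p "Couldn't find any previous rules for iptables, create basic rules..."
+ipt.run!
+#end
 end
 
 def ipt_restore(path)
 puts "Restoring rules #{path}..."
 Helpers::Exec.new("iptables-restore").run("#{path}")
 end
-
-def rez_configs
-Spior::Copy::restore_files
-end
 end
 end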
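Review bot: `ipt_restore` is now referenced only from the commented-out block inside `iptables`, so the private method is dead code, and the `ipt.stop!` just before that block is redundant because `Iptables::Root#run!` (in the root.rb hunk further down this page) starts with `stop!`. Either delete the commented block together with `ipt_restore`, or keep them and put a comment on `iptables` such as `# Restoring a distro-saved ruleset is disabled for now; the Default profile is applied instead.` so the next reader knows the disabled path is deliberate. Note also that `Spior::Iptables::Default.new` runs `Spior::Copy.new.save` in its constructor before `all` calls `Spior::Copy.new.restore`, so the save/restore ordering here relies on `save` being a no-op once a `_backup` copy already exists; a one-line comment on `all` would make that dependency explicit.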
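--- a/data/lib/spior/copy.rb
+++ b/data/lib/spior/copy.rb
@@ -1,107 +1,84 @@
-require 'nomansland'
-require 'date'
 require 'digest'
-require_relative 'msg'
-require_relative 'helpers'
 
 module Spior
 class Copy
-
-def self.config_files
-@cp = Helpers::Exec.new("cp -a")
-@conf_dir = File.expand_path('../..' + '/conf', __dir__)
-copy_torrc
-copy_file(@conf_dir + "/resolv.conf", "/etc/resolv.conf")
-copy_file(@conf_dir + "/ipt_mod.conf", "/etc/modules-load.d/ipt_mod.conf")
-end
-
-def self.restore_files
+def initialize
 @cp = Helpers::Exec.new("cp -a")
-
-
+@files = []
+search_conf_dir
+config_files
+list
 end
 
-def
-
-
-
-
-
-
-
-end
+def save
+@files.each { |f|
+backup = "#{f}_backup"
+if ! File.exist? backup
+Msg.p "#{f} saved"
+@cp.run("#{f} #{backup}")
+end
+}
 end
 
-def
-@
-
-
-
-
-
-
+def restore
+@files.each { |f|
+backup = "#{f}_backup"
+if File.exist? backup
+Msg.p "#{f} restored"
+@cp.run("#{backup} #{f}")
+end
+}
 end
 
 private
 
-def
-@
-return if check_hash(@config_file, target)
-if File.exist? target then
-if ! previous_copy target
-backup_file(target)
-end
-add_file target
-else
-add_file target
-end
+def config_files
+copy_file("#{@conf_dir}/ipt_mod.conf", "/etc/modules-load.d/ipt_mod.conf")
 end
 
-def
-
-
-
-
-
-Msg.report "If tor fail to start with the default torrc"
-end
+def list
+add "/etc/tor/torrc"
+add "/etc/systemd/resolved.conf"
+add "/var/lib/iptables/rules-save" # gentoo
+add "/etc/iptables/iptables.rules" # arch
+add "/etc/iptables/rules.v4" # debian
 end
 
-def
-
-return false if !File.exist?(backup)
-check_hash(backup, target)
+def add(file)
+@files << file if File.exist? file
 end
 
-def
-
-
-
-
+def search_conf_dir
+# ebuild on gentoo copy the ext dir at lib/ext
+@conf_dir = File.expand_path('../..' + '/lib/ext', __dir__)
+if ! Dir.exist?(@conf_dir)
+@conf_dir = File.expand_path('../..' + '/ext', __dir__)
+end
 end
 
-def
-
-
-
-puts "Renamed file #{backup}"
+def previous_copy(target)
+backup=`ls #{target}.backup-* | head -1`.chomp
+return false if ! File.exist? backup
+check_hash(backup, target)
 end
 
-def
+def add_file(target)
 @cp.run("#{@config_file} #{target}")
 Msg.p "File #{@config_file} has been successfully copied at #{target}"
 end
 
-def
-
-if File.exist?
-
-
-
-
-
-
-
+def copy_file(conf, target)
+@config_file = conf
+add_file target if ! File.exist? target
+return if check_hash(@config_file, target)
+add_file target
+end
+
+def check_hash(src, target)
+return if not File.exist?(target)
+sha256conf = Digest::SHA256.file src
+sha256target = Digest::SHA256.file target
+sha256conf === sha256target
 end
 end
 end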
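Review bot: `initialize` performs a privileged write as a side effect: `config_files` copies `ipt_mod.conf` into `/etc/modules-load.d/` through `Helpers::Exec` (which runs the copy under `sudo`), so every `Spior::Copy.new` — including the `Spior::Copy.new.restore` that clear.rb uses to undo changes — re-installs that file. Dropping `config_files` from `initialize` and calling it as the first line of `save` keeps `restore` free of writes and makes the constructor safe to call from status or dry-run paths. `previous_copy` has no caller in the new file, looks for `#{target}.backup-*` while `save` creates `#{f}_backup`, and shells out to `ls` in backticks to find it; it should be removed or aligned with `save`. In `check_hash` the digests are compared with `===`, which only works because `Object#===` falls back to `==`; `sha256conf == sha256target` states what is meant.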
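--- /dev/null
+++ b/data/lib/spior/dep.rb
@@ -0,0 +1,37 @@
+require 'nomansland'
+require 'tty-which'
+
+module Spior
+module Dep
+def self.check
+deps = [ 'iptables', 'tor' ]
+is_ok = true
+Msg.p 'Searching dependencies...'
+deps.each {|dep|
+unless TTY::Which.exist? dep
+Msg.err "-> #{dep} is lacked."
+is_ok = false
+end
+}
+exit 1 unless is_ok
+end
+
+def self.install
+case Nomansland::installer?
+when :emerge
+Helpers::Exec.new('emerge -av').run('tor iptables')
+when :pacman
+Helpers::Exec.new('pacman -S').run('tor iptables')
+when :yum
+Helpers::Exec.new('yum install').run('tor iptables')
+when :void
+Helpers::Exec.new('xbps-install -y').run('tor iptables runit-iptables')
+when :debian
+Helpers::Exec.new('apt-get install').run('tor iptables iptables-persistent')
+else
+Msg.report 'Your system is not yet supported.'
+end
+exit 0
+end
+end
+end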
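Review bot: `Dep.install` ends with an unconditional `exit 0`, so the `else` branch that prints `Your system is not yet supported.` still terminates with a success status; that branch should end with `exit 1` (or the method should return a result and let the caller decide). Calling `exit` from library code in both `check` and `install` also prevents any caller from handling the failure and makes the module hard to test; returning a boolean from `check` and letting bin/spior exit would be the usual split (bin/spior is listed as changed in the diffstat but its hunk is not shown). `check` only verifies the `iptables` and `tor` executables, so the `runit-iptables` package that the Void branch installs is never checked for. The message `-> #{dep} is lacked.` reads better as `-> #{dep} is missing.`.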
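--- a/data/lib/spior/helpers.rb
+++ b/data/lib/spior/helpers.rb
@@ -1,18 +1,117 @@
+require 'fileutils'
+require 'tempfile'
+require 'open3'
+
 module Helpers
 class Exec
 def initialize(name)
-@search_uid
-@search_uid ||= 1000 unless $?.success?
+@search_uid = Process::Sys.getuid
 @name = name
 end
 
 def run(args)
-
-
-
+cmd = @search_uid == '0' ? @name : "sudo #{@name}"
+Open3.popen2e("#{cmd} #{args}") do |stdin, stdout_err, wait_thr|
+while line = stdout_err.gets
+puts line
+end
+
+exit_status = wait_thr.value
+unless exit_status.success?
+raise "Error, Running #{cmd} #{args}"
+end
+end
+end
+end
+
+# Class Newfile
+# Create a file and move at the dest
+# === Example
+# string = "nameserver 127.0.0.1"
+# name = "resolv.conf"
+# dest = "/etc"
+# new_file = Helpers::Newfile.new(string, name, dest)
+# new_file.add
+class NewFile
+# Method #new
+# === Parameters
+# * _string_ = string for the whole file
+# * _name_ = name of the file (e.g: resolv.conf)
+# * _dest_ = path (e.g: /etc)
+def initialize(string, name, dest = "/tmp")
+@string = string
+@name = name
+@dest = dest + "/" + @name
+end
+
+# Method #add
+# Add the file at @dest
+def add
+@mv = Helpers::Exec.new("mv")
+tmp = Tempfile.new(@name)
+File.open(tmp.path, 'w') do |file|
+file.puts @string
+end
+puts "move #{tmp.path} to #{@dest}"
+@mv.run("#{tmp.path} #{@dest}")
+end
+
+def perm(user, perm)
+chown = Helpers::Exec.new("chown")
+chmod = Helpers::Exec.new("chmod")
+chown.run("#{user}:#{user} #{@dest}")
+chmod.run("#{perm} #{@dest}")
+end
+end
+
+# Class NewSystemd
+# Used to create a systemd service
+#
+# === Example:
+# require Helpers
+# string = <<EOF
+# [Description]
+#
+# [Service]
+# Type=simple
+#
+# [Installation]
+# WantedBy =
+# EOF
+# new_systemd = Helpers::NewSystemd.new(string, "tor.service")
+# new_systemd.add
+class NewSystemd < NewFile
+# Method #new
+# === Parameters:
+# * _string_ = the string of for whole content file
+# * _name_ = the name of the service (e.g: tor.service)
+def initialize(string, name)
+super
+@systemd_dir = search_systemd_dir
+@dest = @systemd_dir + "/" + @name
+end
+
+# Method #add
+# Create a temporary file and move
+# the service @name to the systemd directory
+def add
+@systemctl = Helpers::Exec.new("systemctl")
+super
+@systemctl.run("daemon-reload")
+end
+
+private
+# Method search_systemd_dir
+# Search the current directory for systemd services
+# + Gentoo can install at /lib/systemd/system or /usr/lib/systemd/system
+def search_systemd_dir
+if Dir.exist? "/lib/systemd/system"
+"/lib/systemd/system"
+elsif Dir.exist? "/usr/lib/systemd/system"
+"/usr/lib/systemd/system"
 else
-
-
+raise "No directory systemd found"
+exit
 end
 end
 end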
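Review bot: `Exec#run` can never take the root branch: `Process::Sys.getuid` returns an Integer, so `@search_uid == '0'` is always false and every command is prefixed with `sudo`, even when spior already runs as root (where `sudo` may not be installed at all). Compare against the integer instead, `cmd = @search_uid.zero? ? @name : "sudo #{@name}"`. In `NewSystemd#search_systemd_dir` the `exit` after `raise "No directory systemd found"` is unreachable and should be removed. `NewFile#add` writes the content to a `Tempfile` (created mode 0600) and moves it to `@dest` with `mv`; the moved file presumably keeps that mode and the invoking user's ownership unless the caller follows up with `perm`, which is worth stating in the class comment since the example destination is `/etc`. That class comment also names the class `Helpers::Newfile` while the definition is `NewFile`.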
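--- /dev/null
+++ b/data/lib/spior/iptables/default.rb
@@ -0,0 +1,38 @@
+module Spior
+module Iptables
+class Default < Iptables::Root
+private
+
+def input
+# SSH
+ipt "-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
+# Allow loopback, rules
+ipt "-A INPUT -i #{@lo} -j ACCEPT"
+# Accept related
+ipt "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+end
+
+def output
+ipt "-A OUTPUT -m conntrack --ctstate INVALID -j DROP"
+ipt "-A OUTPUT -m state --state ESTABLISHED -j ACCEPT"
+
+# Allow SSH
+ipt "-A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
+
+# Allow Loopback
+ipt "-A OUTPUT -d #{@lo_addr}/8 -o #{@lo} -j ACCEPT"
+
+# Default
+ipt "-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
+end
+
+def all
+ipt "-t filter -A OUTPUT -p udp -j ACCEPT"
+ipt "-t filter -A OUTPUT -p icmp -j REJECT"
+ipt "-P INPUT ACCEPT"
+ipt "-P FORWARD ACCEPT"
+ipt "-P OUTPUT ACCEPT"
+end
+end
+end
+end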
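Review bot: `all` finishes by setting every chain policy to ACCEPT, which turns the explicit `-j ACCEPT` rules added in `input` and `output` into no-ops — only the DROP/REJECT rules of this profile have any effect — so the profile amounts to "everything allowed except malformed or spoofed traffic". If that is the intent for `--clearnet`, say so in a class comment such as `# Permissive profile used by --clearnet: chain policies are ACCEPT, only bogus/spoofed traffic is dropped.`; if a closed default was intended, the `-P` lines belong before the rules and should be DROP. `output` also accepts `ESTABLISHED` twice, once with the legacy `-m state` match and once with `-m conntrack`; a single `-m conntrack --ctstate ESTABLISHED -j ACCEPT` suffices. This hunk has no file header on the page; the diffstat's `data/lib/spior/iptables/default.rb` (+38) matches it, and its parent class is in the next hunk.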
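--- /dev/null
+++ b/data/lib/spior/iptables/root.rb
@@ -0,0 +1,88 @@
+require 'interfacez'
+
+module Spior
+module Iptables
+class Root
+def initialize
+@lo = Interfacez.loopback
+@lo_addr = Interfacez.ipv4_address_of(@lo)
+@i = Helpers::Exec.new("iptables")
+Spior::Copy.new.save
+end
+
+def run!
+stop!
+bogus_tcp_flags
+bad_packets
+spoofing
+redirect
+input
+output
+all
+end
+
+def stop!
+ipt "-F"
+ipt "-X"
+ipt "-t nat -F"
+ipt "-t nat -X"
+ipt "-t mangle -F"
+ipt "-t mangle -X"
+end
+
+private
+
+def ipt(line)
+@i.run("#{line}")
+puts "added - #{@i} #{line}"
+end
+
+def redirect
+end
+
+def input
+end
+
+def output
+end
+
+def all
+end
+
+def bogus_tcp_flags
+ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP"
+ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP"
+ipt "-t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP"
+ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP"
+ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP"
+ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP"
+ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP"
+ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP"
+ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP"
+ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP"
+ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP"
+ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP"
+ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP"
+end
+
+def bad_packets
+# new packet not syn
+ipt "-t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP"
+# fragment packet
+ipt "-A INPUT -f -j DROP"
+# XMAS
+ipt "-A INPUT -p tcp --tcp-flags ALL ALL -j DROP"
+# null packet
+ipt "-A INPUT -p tcp --tcp-flags ALL NONE -j DROP"
+end
+
+def spoofing
+subs=["224.0.0.0/3", "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/5"]
+subs.each do |sub|
+ipt "-t mangle -A PREROUTING -s #{sub} -j DROP"
+end
+ipt "-t mangle -A PREROUTING -s #{@lo_addr}/8 ! -i #{@lo} -j DROP"
+end
+end
+end
+end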
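Review bot: `ipt` interpolates the `Helpers::Exec` instance into its log line, so `puts "added - #{@i} #{line}"` prints an object inspection such as `#<Helpers::Exec:0x...>` instead of the command; `Exec` exposes no reader for its name (see the helpers.rb section above), so `puts "added - iptables #{line}"` is the simplest fix, and `@i.run("#{line}")` can be `@i.run(line)`. `spoofing` drops every packet sourced from `172.16.0.0/12` in PREROUTING while leaving `10.0.0.0/8` and `192.168.0.0/16` alone, so a host on a 172.16/12 LAN (a common private range) loses all inbound traffic from its own network; either treat the three private ranges consistently or document why only this one is listed. `initialize` calls `Spior::Copy.new.save` as a side effect of building a rule set, so merely instantiating `Default` or any other subclass copies files under `/etc`; a comment on the constructor, or moving the save into `run!`, would make that visible. `stop!` flushes and deletes chains but never resets policies, so whatever `-P` a previous profile set stays in force until the subclass's `all` runs — worth a comment if intentional. This hunk has no file header on the page; the diffstat's `data/lib/spior/iptables/root.rb` (+88) matches it.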