spior 0.1.2 → 0.1.6

data/lib/spior/iptables/tor.rb

@@ -0,0 +1,59 @@
+module Spior
+  module Iptables
+    class Tor < Iptables::Root
+      def initialize
+        super
+        @tor     = Spior::Tor::Info.new
+        @non_tor = ["#{@lo_addr}/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
+        @tables  = ["nat", "filter"]
+      end
+
+      private
+
+      def redirect
+        @tables.each { |table|
+          target = "ACCEPT"
+          target = "RETURN" if table == "nat"
+
+          ipt "-t #{table} -F OUTPUT"
+          ipt "-t #{table} -A OUTPUT -m state --state ESTABLISHED -j #{target}"
+          ipt "-t #{table} -A OUTPUT -m owner --uid #{@tor.uid} -j #{target}"
+
+          match_dns_port = @tor.dns
+          if table == "nat"
+            target = "REDIRECT --to-ports #{@tor.dns}"
+            match_dns_port = "53"
+          end
+
+          ipt "-t #{table} -A OUTPUT -p udp --dport #{match_dns_port} -j #{target}"
+          ipt "-t #{table} -A OUTPUT -p tcp --dport #{match_dns_port} -j #{target}"
+
+          target = "REDIRECT --to-ports #{@tor.trans_port}" if table == "nat"
+          ipt "-t #{table} -A OUTPUT -d #{@tor.virt_addr} -p tcp -j #{target}"
+
+          target = "RETURN" if table == "nat"
+          @non_tor.each { |ip|
+            ipt "-t #{table} -A OUTPUT -d #{ip} -j #{target}"
+          }
+
+          target = "REDIRECT --to-ports #{@tor.trans_port}" if table == "nat"
+          ipt "-t #{table} -A OUTPUT -p tcp -j #{target}"
+        }
+      end
+
+      def input
+        # SSH
+        ipt "-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
+        # Allow loopback
+        ipt "-A INPUT -i #{@lo} -j ACCEPT"
+        # Accept related
+        ipt "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+      end
+
+      def all
+        ipt "-t filter -A OUTPUT -p udp -j REJECT"
+        ipt "-t filter -A OUTPUT -p icmp -j REJECT"
+      end
+    end
+  end
+end

data/lib/spior/iptables.rb

@@ -1,186 +1,8 @@
-require 'interfacez'
-require_relative 'tor'
-require_relative 'msg'
-require_relative 'helpers'
-
 module Spior
-  class Iptables
-
-    def self.tor(interface = false)
-      initialize(interface)
-      flush_rules
-      bogus_tcp_flags
-      bad_packets
-      spoofing
-      icmp
-      dns
-      nat
-      input
-      forward
-      output
-      drop_all
-    end
-
-    def self.flush_rules
-      @i = Helpers::Exec.new("iptables")
-      ipt "-F"
-      ipt "-X"
-      ipt "-t nat -F"
-      ipt "-t nat -X"
-      ipt "-t mangle -F"
-      ipt "-t mangle -X"
-    end
-
-    private
-
-    def self.initialize(interface)
-      @lo = Interfacez.loopback
-      @lo_addr = Interfacez.ipv4_address_of(@lo)
-      @tor = Spior::Tor.new
-      @non_tor = ["#{@lo_addr}/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
-      @incoming = interface
-      @incoming_addr = Interfacez.ipv4_address_of(@incoming)
-    end
-
-    def self.check_dep
-      Spior::Copy::config_files
-    end
-
-    def self.ipt(line)
-      @i.run("#{line}")
-      #puts "added - #{@i} #{line}"
-    end
-
-    def self.drop_all
-      ipt "-P INPUT DROP"
-      ipt "-P FORWARD DROP"
-      ipt "-P OUTPUT DROP"
-    end
-
-    def self.bogus_tcp_flags
-      puts "bogus"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP"
-    end
-
-    def self.bad_packets
-      puts "bad_packets"
-      # new packet not syn
-      ipt "-t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP"
-      # fragment  packet
-      ipt "-A INPUT -f -j DROP"
-      # XMAS
-      ipt "-A INPUT -p tcp --tcp-flags ALL ALL -j DROP"
-      # null packet
-      ipt "-A INPUT -p tcp --tcp-flags ALL NONE -j DROP"
-    end
-
-    def self.spoofing
-      subs=["224.0.0.0/3", "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/5"]
-      subs.each do |sub|
-        ipt "-t mangle -A PREROUTING -s #{sub} -j DROP"
-      end
-      ipt "-t mangle -A PREROUTING -s #{@lo_addr}/8 ! -i #{@lo} -j DROP"
-    end
-
-    def self.icmp
-      puts "icmp"
-      ipt "-N port-scanning"
-      ipt "-A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN"
-      ipt "-A port-scanning -j DROP"
-
-      ipt "-N syn_flood"
-      ipt "-A INPUT -p tcp --syn -j syn_flood"
-      ipt "-A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN"
-      ipt "-A syn_flood -j DROP"
-
-      ipt "-A INPUT -p icmp -m limit --limit  1/s --limit-burst 1 -j ACCEPT"
-      ipt "-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:"
-      ipt "-A INPUT -p icmp -j DROP"
-      ipt "-A OUTPUT -p icmp -j ACCEPT"
-    end
-
-    def self.dns
-      puts "dns"
-      ipt "-t nat -A PREROUTING ! -i #{@lo} -p udp -m udp --dport 53 -j REDIRECT --to-ports #{@tor.dns}"
-      ipt "-t nat -A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports #{@tor.dns}"
-      ipt "-t nat -A OUTPUT -p tcp -m tcp --dport 53 -j REDIRECT --to-ports #{@tor.dns}"
-    end
-
-    def self.nat
-      puts "nat"
-      # nat .onion addresses
-      ipt "-t nat -A OUTPUT -d #{@tor.virt_addr} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports #{@tor.trans_port}"
-              
-      # Don't nat the Tor process, the loopback, or the local network
-      ipt "-t nat -A OUTPUT -m owner --uid-owner #{@tor.uid} -j RETURN"
-      ipt "-t nat -A OUTPUT -o #{@lo} -j RETURN"
-              
-      # Allow lan access for hosts in $non_tor
-      @non_tor.each do |lan|
-        ipt "-t nat -A OUTPUT -d #{lan} -j RETURN"
-      end
-
-      # Redirects all other pre-routing and output to Tor's TransPort
-      ipt "-t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports #{@tor.trans_port}"
-
-      # Redirects all other pre-routing and output to Tor's TransPort
-      ipt "-t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports #{@tor.trans_port}"
-    end
-
-    def self.input
-      puts "input"
-      ipt "-A INPUT -i #{@incoming} -p tcp -s #{@incoming_addr} --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
-
-      # Allow loopback, rules
-      ipt "-A INPUT -m state --state ESTABLISHED -j ACCEPT"
-      ipt "-A INPUT -i #{@lo} -j ACCEPT"
-      
-      # Allow DNS lookups from connected clients and internet access through tor.
-      ipt "-A INPUT -d #{@incoming_addr} -i #{@incoming} -p udp -m udp --dport #{@tor.dns} -j ACCEPT"
-      ipt "-A INPUT -d #{@incoming_addr} -i #{@incoming} -p tcp -m tcp --dport #{@tor.trans_port} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT"
-      
-      # Default
-      ipt "-A INPUT -j DROP"
-    end
-
-    def self.output
-      puts "output"
-      ipt "-A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix \"DROP INVALID \" --log-ip-options --log-tcp-options"
-      ipt "-A OUTPUT -m conntrack --ctstate INVALID -j DROP"
-      ipt "-A OUTPUT -m state --state ESTABLISHED -j ACCEPT"
-
-      # output
-      ipt "-A OUTPUT -m owner --uid-owner #{@tor.uid} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT"
-
-      # Accept, allow loopback output
-      ipt "-A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
-      ipt "-A OUTPUT -d #{@lo_addr}/32 -o #{@lo} -j ACCEPT"
-
-      # tor transparent magic
-      ipt "-A OUTPUT -d #{@lo_addr}/32 -p tcp -m tcp --dport #{@tor.trans_port} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT"
-
-      ipt "-A OUTPUT -j DROP"
-    end
-
-    def self.forward
-      puts "forward"
-      ipt "-A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix \"DROP INVALID \" --log-ip-options --log-tcp-options"
-      ipt "-A FORWARD -m conntrack --ctstate INVALID -j DROP"
-      ipt "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
-      ipt "-A FORWARD -i #{@incoming} ! -s #{@incoming_addr} -j LOG --log-prefix \"SPOOFED PKT \""
-      ipt "-A FORWARD -i #{@incoming} ! -s #{@incoming_addr} -j DROP"
-    end
+  module Iptables
   end
 end
+
+require_relative 'iptables/root'
+require_relative 'iptables/tor'
+require_relative 'iptables/default'

data/lib/spior/menu.rb

@@ -1,11 +1,3 @@
-require_relative 'msg'
-require_relative 'mac'
-require_relative 'iptables'
-require_relative 'network'
-require_relative 'reload'
-require_relative 'clear'
-require_relative 'status'
-
 module Spior
   module Menu
     extend self
@@ -16,30 +8,25 @@ module Spior
         Msg.head
         puts %q{Please select an option:
 
-  1. Forge a new MAC address
-  2. Redirect traffic through tor
-  3. Reload tor and change your ip
-  4. Clear and restore your files
-  5. Check info on your current ip
-  6. Quit}
+  1. Redirect traffic through tor
+  2. Reload tor and change your ip
+  3. Clear and restore your files
+  4. Check info on your current ip
+  5. Quit}
 
         puts
         print ">> "
         case gets.chomp
-          when '1'
-            check_network
-            Spior::MAC::randomize(@network.card)
-          when '2'
-            check_network
-            Spior::Iptables::tor(@network.card)
-          when '3'
-            Spior::Reload::tor
-          when '4'
-            Spior::Clear::all
-          when '5'
-            Spior::Status::info
-          when '6'
-            exit
+        when '1'
+          Spior::Iptables::Tor.new.run!
+        when '2'
+          Spior::Serice.restart
+        when '3'
+          Spior::Clear.all
+        when '4'
+          Spior::Status.info
+        when '5'
+          exit
         end
       end
     end
@@ -52,11 +39,5 @@ module Spior
       puts "┗━┛╹  ╹┗━┛╹┗╸"
       # generated with toilet -F crop -f future spior
     end
-
-    def check_network
-      if not @network
-        @network = Spior::Network.new
-      end
-    end
   end
 end

data/lib/spior/msg.rb

@@ -1,30 +1,28 @@
 require 'rainbow'
 
 module Msg
-  def self.head
+  extend self
+
+  def head
     puts Rainbow("------------------------------------------------").cyan
   end
 
-  def self.p(text)
+  def p(text)
     puts Rainbow("[").cyan + Rainbow("+").white + Rainbow("]").cyan + " " + text
   end
 
-  def self.err(text)
+  def err(text)
     puts Rainbow("[").red + Rainbow("-").white + Rainbow("]").red + " " + text
   end
 
-  def self.info(text)
+  def info(text)
     puts Rainbow("-").blue + Rainbow("-").white + Rainbow("-").blue + " " + text + " " + Rainbow("-").blue + Rainbow("-").white + Rainbow("-").blue
   end
 
-  def self.report(text)
+  def report(text)
     puts ""
     info text
     puts "Please, report this issue at https://github.com/szorfein/spior/issues"
     puts ""
   end
-
-  def self.for_no_systemd
-    puts "Init system is not yet supported. You can contribute to add it."
-  end
 end

data/lib/spior/options.rb

@@ -1,16 +1,11 @@
 require 'optparse'
-require_relative 'reload'
-require_relative 'status'
-require_relative 'clear'
-require_relative 'menu'
 
 module Spior
   class Options
-    attr_reader :install , :mac , :interface , :tor , :persist
+    attr_reader :install , :tor , :persist
 
     def initialize(argv)
       @install = false
-      @mac = false
       @tor = false
       @persist = false
       parse(argv)
@@ -20,32 +15,26 @@ module Spior
 
     def parse(argv)
       OptionParser.new do |opts|
-        opts.on("-i", "--install", "Install and update dependencies") do
+        opts.on("-i", "--install", "Install the dependencies") do
           @install = true
         end
 
-        opts.on("-n", "--net-card NAME", "The name of the target network card") do |net|
-          @interface = net
-        end
-
-        opts.on("-m", "--mac", "Change your mac") do
-          @mac = true
-        end
-
         opts.on("-t", "--tor", "Redirect traffic through TOR") do
           @tor = true
         end
 
         opts.on("-r", "--reload", "Reload TOR to change your ip") do
-          Spior::Reload::tor
+          Spior::Service.restart
+          exit
         end
 
-        opts.on("-c", "--clear", "Clear iptables rules and restore files") do
-          Spior::Clear::all
+        opts.on("-c", "--clearnet", "Reset iptables and return to clearnet navigation") do
+          Spior::Clear.all
         end
 
         opts.on("-s", "--status", "Look infos about your current ip") do
-          Spior::Status::info
+          Spior::Status.info
+          exit
         end
 
         opts.on("-p", "--persist", "Active Spior at every boot.") do
@@ -53,7 +42,7 @@ module Spior
         end
 
         opts.on("-m", "--menu", "Display an interactive menu") do
-          Spior::Menu::run
+          Spior::Menu.run
         end
 
         opts.on("-h", "--help", "Show this message") do

data/lib/spior/persist.rb

@@ -1,46 +1,50 @@
 require 'nomansland'
 require 'tty-which'
-require_relative 'copy'
-require_relative 'msg'
-require_relative 'helpers'
 
 module Spior
   module Persist
     extend self
 
-    def all(card_name)
-      @card_name = card_name
-      @services=[ "tor", "iptables", "deceitmac@" + @card_name ]
-      search_for_systemd
+    def enable
+      case Nomansland::distro?
+      when :gentoo
+        for_gentoo
+      else
+        Msg.p "Your distro is not yet supported."
+      end
     end
 
     private
 
-    def search_for_systemd
-      return if !TTY::Which.exist?('systemctl') 
-      @systemctl = Helpers::Exec.new("systemctl")
-      @iptables_save = Helpers::Exec.new("iptables-save")
-      Spior::Copy::systemd_services
-      @services.each do |service|
-        Msg.p "Search for service #{service}..."
-        `systemctl is-enabled #{service}`
-        if not $?.success? then
-          @systemctl.run("enable #{service}")
-        end
+    def for_gentoo
+      if TTY::Which.exist?('systemctl')
+        systemd_start("iptables-store")
+        systemd_enable("iptables-restore")
+        systemd_enable("tor")
+      else
+        system("sudo /etc/init.d/iptables save")
+        rc_upd = Helpers::Exec.new("rc-update")
+        rc_upd.run("rc-update add iptables boot")
+        rc_upd.run("rc-update add tor")
+        rc_upd.run("rc-update add tor default")
       end
-      iptables_systemd
     end
 
-    def iptables_systemd
-      case Nomansland::installer?
-      when :pacman
-        @iptables_save.run("-f /etc/iptables/iptables.rules")
-      when :emerge
-        @systemctl.run("start iptables-store")
-      when :apt_get
-        @iptables_save.run("> /etc/iptables/rules.v4")
-      else
-        Msg.report "Fail for save iptables-rule, your system is not yet supported"
+    def systemd_enable(service)
+      systemctl = Helpers::Exec.new("systemctl")
+      Msg.p "Search for service #{service}..."
+      `systemctl is-enabled #{service}`
+      if not $?.success? then
+        systemctl.run("enable #{service}")
+      end
+    end
+
+    def systemd_start(service)
+      systemctl = Helpers::Exec.new("systemctl")
+      Msg.p "Search for service #{service}..."
+      `systemctl is-active #{service}`
+      if not $?.success? then
+        systemctl.run("start #{service}")
       end
     end
   end

data/lib/spior/service/restart.rb

@@ -0,0 +1,21 @@
+require 'tty-which'
+
+module Spior
+  module Service
+    module_function
+
+    def restart
+      if TTY::Which.exist?('systemctl')
+        Helpers::Exec.new("systemctl").run("restart tor")
+        Msg.p "ip changed."
+      elsif TTY::Which.exist? 'sv'
+        Helpers::Exec.new('sv').run('restart tor')
+        Msg.p 'ip changed.'
+      elsif File.exist? '/etc/init.d/tor'
+        Helpers::Exec.new('/etc/init.d/tor').run('restart')
+      else
+        Msg.report "Don't known yet how to restart Tor for your system."
+      end
+    end
+  end
+end

data/lib/spior/service/start.rb

@@ -0,0 +1,26 @@
+require 'tty-which'
+
+module Spior
+  module Service
+    module_function
+
+    def start
+      if TTY::Which.exist?('systemctl')
+        state = `systemctl is-active tor`.chomp
+        unless state == 'active'
+          Helpers::Exec.new("systemctl").run("start tor")
+          Msg.p "TOR started."
+        end
+      elsif TTY::Which.exist? 'sv'
+        unless File.exist? '/var/service/tor'
+          Helpers::Exec.new('ln').run('-s /etc/sv/tor /var/service/tor')
+          Msg.p "TOR started."
+        end
+      elsif File.exist? '/etc/init.d/tor'
+        Helpers::Exec.new('/etc/init.d/tor').run('start')
+      else
+        Msg.report "Don't known yet how to start Tor for your system."
+      end
+    end
+  end
+end

data/lib/spior/service.rb

@@ -0,0 +1,7 @@
+module Spior
+  module Service
+  end
+end
+
+require_relative 'service/start'
+require_relative 'service/restart'

data/lib/spior/status.rb

@@ -1,20 +1,38 @@
-#!/usr/bin/env ruby
-
 require 'open-uri'
+require 'json'
 
 module Spior
-  class Status
+  module Status
+    def self.enable
+      begin
+        status = "Disable"
+        api_check = "https://check.torproject.org/api/ip"
+        URI.open(api_check) do |l|
+          hash = JSON.parse l.read
+          status = "Enable" if hash["IsTor"] == true
+        end
+        status
+      rescue OpenURI::HTTPError => error
+        res = error.io
+        puts "Fail to join server #{res.status}"
+      end
+    end
 
-    # TODO: if someone want help, i have trouble to make JSON.parse() work here
-    # the output is very very ugly !
     def self.info
-      uri = URI.parse("https://ipleak.net/json")
-      uri.open {|f|
-        f.each_line {|line|
-          p line.chomp.delete("/\",{}")
-        }
-      }
+      begin
+        api_check = "https://ipleak.net/json"
+        URI.open(api_check) do |l|
+          hash = JSON.parse l.read
+          puts
+          puts " Current ip  ===>  #{hash["ip"]}"
+          puts " Continent   ===>  #{hash["continent_name"]}"
+          puts " Timezone    ===>  #{hash["time_zone"]}"
+        end
+        puts " Status      ===>  #{enable}"
+      rescue OpenURI::HTTPError => error
+        res = error.io
+        puts "Fail to join server #{res.status}"
+      end
     end
-
   end
 end