spior 0.1.4 → 0.1.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 105d4a29ed0eb407f8116daa49be26a8d8714d999efb531e02676f02c6ed50f3
-  data.tar.gz: 0cfdf8f3a6f857e6d7a1541b103ade1316048c4554ab03076d5d287a2b1ffa1c
+  metadata.gz: 52ad58e21c256642931525e2625cb10e14a74ad17ea95825940b87f6d667fdac
+  data.tar.gz: 143940314f5a3e3387f094cdeb6c371a0e34a2227b803f9cb0eaeebc8ebb512d
 SHA512:
-  metadata.gz: 37258c344e84aa8508a87d6a5b41dc821d54038a9cc163b1976e924301238b5b4debf03c2fba0e0a8015b6d17abedaf4313bdc3beb459eb7add6199f16eb8abe
-  data.tar.gz: fe90d4935a4c36efdfb16553153c67a0a956560edb5515ac8efd412a8319a4f897203027aa55883338a32c3add6be19aa5f96e81bfd1d455e6e71357d4e337ab
+  metadata.gz: eadbf46e6b47eb820fbd88fd3d71c31183ca49a611ac0c6e0576724abc6357d6409fbf2edc9f69d38441889f262102af47f6fecadc2fe82bcbeea856d0557dc1
+  data.tar.gz: f774d5a4bec3474eccaf71e8495fc813cf71681fe609e7f7d1b6bf8e386d46c525bb138b4538f23cb4634706a578cbca96bac80fc85bb37c9700c99aff984ef1

data/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 0.1.5, release 2020-11-01
+* Simplify lib/spior/copy, lib/spior/clear
+* Write iptables rules for --clearnet and --tor
+* Refacto code
+* Enhance --status with open-uri and json
+* Remove argument --net-card
+
 ## 0.1.4, release 2020-05-21
 * torrc and resolv.conf are generate dynamically
 * Remove conf/resolv

data/README.md

@@ -17,16 +17,19 @@ And install the gem
 ### Examples
 Redirect traffic through TOR:
 
-    $ spior -t
-    $ spior -t -n eth0
+    $ spior --tor
 
 Change your ip address by reloading the TOR circuit:
 
-    $ spior -r
+    $ spior --reload
 
 Look informations about your current ip address:
 
-    $ spior -s
+    $ spior --status
+
+Return to clearnet navigation
+
+    $ spior --clearnet
 
 ## Left Over
 

data/Rakefile

@@ -1,5 +1,6 @@
 # https://github.com/seattlerb/minitest#running-your-tests-
 require "rake/testtask"
+require File.dirname(__FILE__) + "/lib/spior/version"
 
 Rake::TestTask.new(:test) do |t|
   t.libs << "test"
@@ -12,7 +13,7 @@ namespace :gem do
   task :build do
     Dir["spior*.gem"].each {|f| File.unlink(f) }
     system("gem build spior.gemspec")
-    system("gem install spior-0.1.4.gem -P MediumSecurity")
+    system("gem install spior-#{Spior::VERSION}.gem -P MediumSecurity")
   end
 end
 

data/bin/spior

@@ -1,6 +1,5 @@
 #!/usr/bin/env ruby
 
-require 'spior/runner'
+require 'spior'
 
-runner = Spior::Runner.new(ARGV)
-runner.run
+Spior::Main.new(ARGV)

data/lib/spior.rb

@@ -0,0 +1,42 @@
+require_relative 'spior/clear'
+require_relative 'spior/copy'
+require_relative 'spior/install'
+require_relative 'spior/iptables'
+require_relative 'spior/msg'
+require_relative 'spior/options'
+require_relative 'spior/status'
+require_relative 'spior/tor'
+require_relative 'spior/persist'
+require_relative 'spior/network'
+require_relative 'spior/menu'
+require_relative 'spior/helpers'
+
+module Spior
+  class Main
+    def initialize(argv)
+      @argv = argv
+      run
+    end
+
+    private
+
+    def run
+      options = Options.new(@argv)
+
+      if options.install
+        Msg.head
+        Install::check_deps
+        Copy.new.save
+      end
+
+      if options.tor
+        Msg.head
+        Iptables::Tor.new.run!
+      end
+
+      if options.persist
+        Persist.enable
+      end
+    end
+  end
+end

data/lib/spior/clear.rb

@@ -1,8 +1,5 @@
 require 'tty-which'
 require 'nomansland'
-require_relative 'copy'
-require_relative 'msg'
-require_relative 'helpers'
 
 module Spior
   module Clear
@@ -10,32 +7,30 @@ module Spior
 
     def all
       iptables
-      rez_configs
+      Spior::Copy.new.restore
     end
 
     private
 
     def iptables
       puts "Clearing rules.."
-      Spior::Iptables::flush_rules
-      if File.exist?("/var/lib/iptables/rules-save")
-        ipt_restore "/var/lib/iptables/rules-save"
-      elsif File.exist?("/etc/iptables/rules.save")
-        ipt_restore "/etc/iptables/iptables.rules"
-      elsif File.exist?("/etc/iptables.rules")
-        ipt_restore "/etc/iptables.rules"
-      else
-        Msg.p "I couldn't find any old rules for iptables to restore, skipping..."
-      end
+      ipt = Spior::Iptables::Default.new
+      ipt.stop!
+      #if File.exist?("/var/lib/iptables/rules-save")
+      #  ipt_restore "/var/lib/iptables/rules-save"
+      #elsif File.exist?("/etc/iptables/rules.save")
+      #  ipt_restore "/etc/iptables/iptables.rules"
+      #elsif File.exist?("/etc/iptables.rules")
+      #  ipt_restore "/etc/iptables.rules"
+      #else
+        #Msg.p "Couldn't find any previous rules for iptables, create basic rules..."
+        ipt.run!
+      #end
     end
 
     def ipt_restore(path)
       puts "Restoring rules #{path}..."
       Helpers::Exec.new("iptables-restore").run("#{path}")
     end
-
-    def rez_configs
-      Spior::Copy::restore_files
-    end
   end
 end

data/lib/spior/copy.rb

@@ -1,120 +1,85 @@
-require 'nomansland'
-require 'date'
 require 'digest'
-require_relative 'msg'
-require_relative 'helpers'
 
 module Spior
   class Copy
-    class << self
-
-      def config_files
-        @cp = Helpers::Exec.new("cp -a")
-        search_conf_dir
-        copy_file(@conf_dir + "/ipt_mod.conf", "/etc/modules-load.d/ipt_mod.conf")
-      end
-
-      def backup(file, re = nil)
-        return if regex_match?(file, re)
-        @cp = Helpers::Exec.new("cp -a")
-        backup = file + "_backup"
-        if File.exist? backup
-          puts "File #{backup} exist with content:"
-          system("head -n 10 #{backup}")
-          print "...\nOverwrite this copy? (N/y) "
-          case gets.chomp
-          when /^y|^Y/
-            @cp.run("#{file} #{backup}")
-            Msg.p "Overwrite #{file}"
-          end
-        else
-          @cp.run("#{file} #{backup}")
-          Msg.p "#{file} saved"
-        end
-      end
+    def initialize
+      @cp = Helpers::Exec.new("cp -a")
+      @files = []
+      search_conf_dir
+      config_files
+      list
+    end
 
-      def search_conf_dir
-        # ebuild on gentoo copy the ext dir at lib/ext
-        @conf_dir = File.expand_path('../..' + '/lib/ext', __dir__)
-        if not Dir.exist?(@conf_dir)
-          @conf_dir = File.expand_path('../..' + '/ext', __dir__)
+    def save
+      @files.each { |f|
+        backup = "#{f}_backup"
+        if ! File.exist? backup
+          Msg.p "#{f} saved"
+          @cp.run("#{f} #{backup}")
         end
-      end
+      }
+    end
 
-      def restore(file)
-        @cp = Helpers::Exec.new("cp -a")
-        backup = file + "_backup"
+    def restore
+      @files.each { |f|
+        backup = "#{f}_backup"
         if File.exist? backup
-          @cp.run("#{backup} #{file}")
+          Msg.p "#{f} restored"
+          @cp.run("#{backup} #{f}")
         end
-      end
+      }
+    end
 
-      def restore_files
-        restore("/etc/tor/torrc")
-        restore("/etc/resolv.conf")
-      end
+    private
 
-      private
+    def config_files
+      copy_file("#{@conf_dir}/ipt_mod.conf", "/etc/modules-load.d/ipt_mod.conf")
+    end
 
-      def copy_file(conf, target)
-        @config_file = conf
-        return if check_hash(@config_file, target)
-        if File.exist? target then
-          if ! previous_copy target
-            backup_file(target)
-          end
-          add_file target
-        else
-          add_file target
-        end
-      end
+    def list
+      add "/etc/resolv.conf"
+      add "/etc/tor/torrc"
+      add "/etc/systemd/resolved.conf"
+      add "/var/lib/iptables/rules-save" # gentoo
+      add "/etc/iptables/iptables.rules" # arch
+      add "/etc/iptables/rules.v4" # debian
+    end
 
-      def previous_copy(target)
-        backup=`ls #{target}.backup-* | head -n 1`.chomp
-        return false if !File.exist?(backup)
-        check_hash(backup, target)
-      end
+    def add(file)
+      @files << file if File.exist? file
+    end
 
-      def check_hash(src, target)
-        return if not File.exist?(target)
-        sha256conf = Digest::SHA256.file src
-        sha256target = Digest::SHA256.file target
-        sha256conf === sha256target
+    def search_conf_dir
+      # ebuild on gentoo copy the ext dir at lib/ext
+      @conf_dir = File.expand_path('../..' + '/lib/ext', __dir__)
+      if ! Dir.exist?(@conf_dir)
+        @conf_dir = File.expand_path('../..' + '/ext', __dir__)
       end
+    end
 
-      def backup_file(target)
-        d = DateTime.now
-        backup = target + ".backup-" + d.strftime('%b-%d_%I-%M')
-        @cp.run("#{target} #{backup}")
-        puts "Renamed file #{backup}"
-      end
+    def previous_copy(target)
+      backup=`ls #{target}.backup-* | head -1`.chomp
+      return false if ! File.exist? backup
+      check_hash(backup, target)
+    end
 
-      def add_file(target)
-        @cp.run("#{@config_file} #{target}")
-        Msg.p "File #{@config_file} has been successfully copied at #{target}"
-      end
+    def add_file(target)
+      @cp.run("#{@config_file} #{target}")
+      Msg.p "File #{@config_file} has been successfully copied at #{target}"
+    end
 
-      def backup_exist(target)
-        backup=`ls #{target}.backup-* | head -n 1`.chomp
-        if File.exist? backup
-          if ! check_hash(target, backup)
-            @cp.run("#{backup} #{target}")
-            Msg.p "Restored #{backup}"
-          end
-        else
-          puts "No found previous backup for #{target}"
-        end
-      end
+    def copy_file(conf, target)
+      @config_file = conf
+      add_file target if ! File.exist? target
+      return if check_hash(@config_file, target)
+      add_file target
+    end
 
-      def regex_match?(infile, re = nil)
-        return unless re
-        File.open(infile, 'r') do |file|
-          file.each do |line|
-            return true if line =~ re
-          end
-        end
-        false
-      end
+    def check_hash(src, target)
+      return if not File.exist?(target)
+      sha256conf = Digest::SHA256.file src
+      sha256target = Digest::SHA256.file target
+      sha256conf === sha256target
     end
   end
 end

data/lib/spior/helpers.rb

@@ -1,5 +1,6 @@
 require 'fileutils'
 require 'tempfile'
+require 'open3'
 
 module Helpers
   class Exec
@@ -9,12 +10,16 @@ module Helpers
     end
 
     def run(args)
-      if @search_uid == '0' then
-        #puts "found root - uid #{@search_uid}"
-        system(@name + " " + args)
-      else
-        #puts "no root - call sudo - uid #{@search_uid}"
-        system("sudo " + @name + " " + args)
+      cmd = @search_uid == '0' ? @name : "sudo #{@name}"
+      Open3.popen2e("#{cmd} #{args}") do |stdin, stdout_err, wait_thr|
+        while line = stdout_err.gets
+          puts line
+        end
+
+        exit_status = wait_thr.value
+        unless exit_status.success?
+          raise "Error, Running #{cmd} #{args}"
+        end
       end
     end
   end
@@ -47,6 +52,7 @@ module Helpers
       File.open(tmp.path, 'w') do |file|
         file.puts @string
       end
+      puts "move #{tmp.path} to #{@dest}"
       @mv.run("#{tmp.path} #{@dest}")
     end
 
@@ -79,7 +85,7 @@ module Helpers
     # === Parameters:
     # * _string_ = the string of for whole content file
     # * _name_ = the name of the service (e.g: tor.service)
-    def initialise(string, name)
+    def initialize(string, name)
       super
       @systemd_dir = search_systemd_dir
       @dest = @systemd_dir + "/" + @name

data/lib/spior/install.rb

@@ -1,12 +1,9 @@
 require 'nomansland'
 require 'tty-which'
-require_relative 'msg'
-require_relative 'helpers'
 
 module Spior
   class Install
     class << self
-
       def check_deps
         base_packages
       end

data/lib/spior/iptables.rb

@@ -1,186 +1,8 @@
-require 'interfacez'
-require_relative 'tor'
-require_relative 'msg'
-require_relative 'helpers'
-
 module Spior
-  class Iptables
-
-    def self.tor(interface = false)
-      initialize(interface)
-      flush_rules
-      bogus_tcp_flags
-      bad_packets
-      spoofing
-      icmp
-      dns
-      nat
-      input
-      forward
-      output
-      drop_all
-    end
-
-    def self.flush_rules
-      @i = Helpers::Exec.new("iptables")
-      ipt "-F"
-      ipt "-X"
-      ipt "-t nat -F"
-      ipt "-t nat -X"
-      ipt "-t mangle -F"
-      ipt "-t mangle -X"
-    end
-
-    private
-
-    def self.initialize(interface)
-      @lo = Interfacez.loopback
-      @lo_addr = Interfacez.ipv4_address_of(@lo)
-      @tor = Spior::Tor.new
-      @non_tor = ["#{@lo_addr}/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
-      @incoming = interface
-      @incoming_addr = Interfacez.ipv4_address_of(@incoming)
-    end
-
-    def self.check_dep
-      Spior::Copy::config_files
-    end
-
-    def self.ipt(line)
-      @i.run("#{line}")
-      #puts "added - #{@i} #{line}"
-    end
-
-    def self.drop_all
-      ipt "-P INPUT DROP"
-      ipt "-P FORWARD DROP"
-      ipt "-P OUTPUT DROP"
-    end
-
-    def self.bogus_tcp_flags
-      puts "bogus"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP"
-      ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP"
-    end
-
-    def self.bad_packets
-      puts "bad_packets"
-      # new packet not syn
-      ipt "-t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP"
-      # fragment  packet
-      ipt "-A INPUT -f -j DROP"
-      # XMAS
-      ipt "-A INPUT -p tcp --tcp-flags ALL ALL -j DROP"
-      # null packet
-      ipt "-A INPUT -p tcp --tcp-flags ALL NONE -j DROP"
-    end
-
-    def self.spoofing
-      subs=["224.0.0.0/3", "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/5"]
-      subs.each do |sub|
-        ipt "-t mangle -A PREROUTING -s #{sub} -j DROP"
-      end
-      ipt "-t mangle -A PREROUTING -s #{@lo_addr}/8 ! -i #{@lo} -j DROP"
-    end
-
-    def self.icmp
-      puts "icmp"
-      ipt "-N port-scanning"
-      ipt "-A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN"
-      ipt "-A port-scanning -j DROP"
-
-      ipt "-N syn_flood"
-      ipt "-A INPUT -p tcp --syn -j syn_flood"
-      ipt "-A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN"
-      ipt "-A syn_flood -j DROP"
-
-      ipt "-A INPUT -p icmp -m limit --limit  1/s --limit-burst 1 -j ACCEPT"
-      ipt "-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:"
-      ipt "-A INPUT -p icmp -j DROP"
-      ipt "-A OUTPUT -p icmp -j ACCEPT"
-    end
-
-    def self.dns
-      puts "dns"
-      ipt "-t nat -A PREROUTING ! -i #{@lo} -p udp -m udp --dport 53 -j REDIRECT --to-ports #{@tor.dns}"
-      ipt "-t nat -A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports #{@tor.dns}"
-      ipt "-t nat -A OUTPUT -p tcp -m tcp --dport 53 -j REDIRECT --to-ports #{@tor.dns}"
-    end
-
-    def self.nat
-      puts "nat"
-      # nat .onion addresses
-      ipt "-t nat -A OUTPUT -d #{@tor.virt_addr} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports #{@tor.trans_port}"
-              
-      # Don't nat the Tor process, the loopback, or the local network
-      ipt "-t nat -A OUTPUT -m owner --uid-owner #{@tor.uid} -j RETURN"
-      ipt "-t nat -A OUTPUT -o #{@lo} -j RETURN"
-              
-      # Allow lan access for hosts in $non_tor
-      @non_tor.each do |lan|
-        ipt "-t nat -A OUTPUT -d #{lan} -j RETURN"
-      end
-
-      # Redirects all other pre-routing and output to Tor's TransPort
-      ipt "-t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports #{@tor.trans_port}"
-
-      # Redirects all other pre-routing and output to Tor's TransPort
-      ipt "-t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports #{@tor.trans_port}"
-    end
-
-    def self.input
-      puts "input"
-      ipt "-A INPUT -i #{@incoming} -p tcp -s #{@incoming_addr} --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
-
-      # Allow loopback, rules
-      ipt "-A INPUT -m state --state ESTABLISHED -j ACCEPT"
-      ipt "-A INPUT -i #{@lo} -j ACCEPT"
-      
-      # Allow DNS lookups from connected clients and internet access through tor.
-      ipt "-A INPUT -d #{@incoming_addr} -i #{@incoming} -p udp -m udp --dport #{@tor.dns} -j ACCEPT"
-      ipt "-A INPUT -d #{@incoming_addr} -i #{@incoming} -p tcp -m tcp --dport #{@tor.trans_port} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT"
-      
-      # Default
-      ipt "-A INPUT -j DROP"
-    end
-
-    def self.output
-      puts "output"
-      ipt "-A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix \"DROP INVALID \" --log-ip-options --log-tcp-options"
-      ipt "-A OUTPUT -m conntrack --ctstate INVALID -j DROP"
-      ipt "-A OUTPUT -m state --state ESTABLISHED -j ACCEPT"
-
-      # output
-      ipt "-A OUTPUT -m owner --uid-owner #{@tor.uid} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT"
-
-      # Accept, allow loopback output
-      ipt "-A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
-      ipt "-A OUTPUT -d #{@lo_addr}/32 -o #{@lo} -j ACCEPT"
-
-      # tor transparent magic
-      ipt "-A OUTPUT -d #{@lo_addr}/32 -p tcp -m tcp --dport #{@tor.trans_port} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT"
-
-      ipt "-A OUTPUT -j DROP"
-    end
-
-    def self.forward
-      puts "forward"
-      ipt "-A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix \"DROP INVALID \" --log-ip-options --log-tcp-options"
-      ipt "-A FORWARD -m conntrack --ctstate INVALID -j DROP"
-      ipt "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
-      ipt "-A FORWARD -i #{@incoming} ! -s #{@incoming_addr} -j LOG --log-prefix \"SPOOFED PKT \""
-      ipt "-A FORWARD -i #{@incoming} ! -s #{@incoming_addr} -j DROP"
-    end
+  module Iptables
   end
 end
+
+require_relative 'iptables/root'
+require_relative 'iptables/tor'
+require_relative 'iptables/default'