spior 0.1.4 → 0.1.5

data/lib/spior/iptables/default.rb

@@ -0,0 +1,38 @@
+module Spior
+  module Iptables
+    class Default < Iptables::Root
+      private
+      
+      def input
+        # SSH
+        ipt "-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
+        # Allow loopback, rules
+        ipt "-A INPUT -i #{@lo} -j ACCEPT"
+        # Accept related
+        ipt "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+      end
+
+      def output
+        ipt "-A OUTPUT -m conntrack --ctstate INVALID -j DROP"
+        ipt "-A OUTPUT -m state --state ESTABLISHED -j ACCEPT"
+
+        # Allow SSH
+        ipt "-A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
+
+        # Allow Loopback
+        ipt "-A OUTPUT -d #{@lo_addr}/8 -o #{@lo} -j ACCEPT"
+
+        # Default
+        ipt "-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
+      end
+      
+      def all
+        ipt "-t filter -A OUTPUT -p udp -j ACCEPT"
+        ipt "-t filter -A OUTPUT -p icmp -j REJECT"
+        ipt "-P INPUT ACCEPT"
+        ipt "-P FORWARD ACCEPT"
+        ipt "-P OUTPUT ACCEPT"
+      end
+    end
+  end
+end

data/lib/spior/iptables/root.rb

@@ -0,0 +1,92 @@
+require 'interfacez'
+
+module Spior
+  module Iptables
+    class Root
+      def initialize
+        @lo      = Interfacez.loopback
+        @lo_addr = Interfacez.ipv4_address_of(@lo)
+        @i = Helpers::Exec.new("iptables")
+        Spior::Copy.new.save
+      end
+
+      def run!
+        bogus_tcp_flags
+        bad_packets
+        spoofing
+        redirect
+        input
+        output
+        all
+      end
+
+      def restart!
+        stop!
+        run!
+      end
+
+      def stop!
+        ipt "-F"
+        ipt "-X"
+        ipt "-t nat -F"
+        ipt "-t nat -X"
+        ipt "-t mangle -F"
+        ipt "-t mangle -X"
+      end
+
+      private
+
+      def ipt(line)
+        @i.run("#{line}")
+        puts "added - #{@i} #{line}"
+      end
+
+      def redirect
+      end
+
+      def input
+      end
+
+      def output
+      end
+
+      def all
+      end
+
+      def bogus_tcp_flags
+        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP"
+        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP"
+        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP"
+        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP"
+        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP"
+        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP"
+        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP"
+        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP"
+        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP"
+        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP"
+        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP"
+        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP"
+        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP"
+      end
+
+      def bad_packets
+        # new packet not syn
+        ipt "-t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP"
+        # fragment  packet
+        ipt "-A INPUT -f -j DROP"
+        # XMAS
+        ipt "-A INPUT -p tcp --tcp-flags ALL ALL -j DROP"
+        # null packet
+        ipt "-A INPUT -p tcp --tcp-flags ALL NONE -j DROP"
+      end
+
+      def spoofing
+        subs=["224.0.0.0/3", "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/5"]
+        subs.each do |sub|
+          ipt "-t mangle -A PREROUTING -s #{sub} -j DROP"
+        end
+        ipt "-t mangle -A PREROUTING -s #{@lo_addr}/8 ! -i #{@lo} -j DROP"
+      end
+    end
+  end
+end

data/lib/spior/iptables/tor.rb

@@ -0,0 +1,64 @@
+module Spior
+  module Iptables
+    class Tor < Iptables::Root
+      def initialize
+        super
+        @tor     = Spior::Tor::Info.new
+        @non_tor = ["#{@lo_addr}/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
+        @tables  = ["nat", "filter"]
+      end
+
+      private
+      
+      def redirect
+        @tables.each { |table|
+          target = "ACCEPT"
+          target = "RETURN" if table == "nat"
+
+          ipt "-t #{table} -F OUTPUT"
+          ipt "-t #{table} -A OUTPUT -m state --state ESTABLISHED -j #{target}"
+          ipt "-t #{table} -A OUTPUT -m owner --uid #{@tor.uid} -j #{target}"
+
+          match_dns_port = @tor.dns
+          if table == "nat"
+            target = "REDIRECT --to-ports #{@tor.dns}"
+            match_dns_port = "53"
+          end
+
+          ipt "-t #{table} -A OUTPUT -p udp --dport #{match_dns_port} -j #{target}"
+          ipt "-t #{table} -A OUTPUT -p tcp --dport #{match_dns_port} -j #{target}"
+
+          target = "REDIRECT --to-ports #{@tor.trans_port}" if table == "nat"
+          ipt "-t #{table} -A OUTPUT -d #{@tor.virt_addr} -p tcp -j #{target}"
+
+          target = "RETURN" if table == "nat"
+          @non_tor.each { |ip|
+            ipt "-t #{table} -A OUTPUT -d #{ip} -j #{target}"
+          }
+
+          target = "REDIRECT --to-ports #{@tor.trans_port}" if table == "nat"
+          ipt "-t #{table} -A OUTPUT -p tcp -j #{target}"
+        }
+      end
+
+      def input
+        # SSH
+        ipt "-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
+        # Allow loopback
+        ipt "-A INPUT -i #{@lo} -j ACCEPT"
+        # Allow DNS lookups from connected clients and internet access through tor.
+        ipt "-A INPUT -p udp -m udp --dport #{@tor.dns} -j ACCEPT"
+        # Accept related
+        ipt "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+      end
+
+      def all
+        ipt "-t filter -A OUTPUT -p udp -j REJECT"
+        ipt "-t filter -A OUTPUT -p icmp -j REJECT"
+        ipt "-P INPUT DROP"
+        ipt "-P FORWARD DROP"
+        ipt "-P OUTPUT DROP"
+      end
+    end
+  end
+end

data/lib/spior/menu.rb

@@ -1,10 +1,3 @@
-require_relative 'msg'
-require_relative 'iptables'
-require_relative 'network'
-require_relative 'reload'
-require_relative 'clear'
-require_relative 'status'
-
 module Spior
   module Menu
     extend self
@@ -24,17 +17,16 @@ module Spior
         puts
         print ">> "
         case gets.chomp
-          when '1'
-            check_network
-            Spior::Iptables::tor(@network.card)
-          when '2'
-            Spior::Reload::tor
-          when '3'
-            Spior::Clear::all
-          when '4'
-            Spior::Status::info
-          when '5'
-            exit
+        when '1'
+          Spior::Iptables::Tor.new.run!
+        when '2'
+          Spior::Tor.restart
+        when '3'
+          Spior::Clear.all
+        when '4'
+          Spior::Status.info
+        when '5'
+          exit
         end
       end
     end
@@ -47,11 +39,5 @@ module Spior
       puts "┗━┛╹  ╹┗━┛╹┗╸"
       # generated with toilet -F crop -f future spior
     end
-
-    def check_network
-      if not @network
-        @network = Spior::Network.new
-      end
-    end
   end
 end

data/lib/spior/network.rb

@@ -1,5 +1,4 @@
 require 'interfacez'
-require_relative 'msg'
 
 module Spior
   class Network

data/lib/spior/options.rb

@@ -1,16 +1,11 @@
 require 'optparse'
-require_relative 'reload'
-require_relative 'status'
-require_relative 'clear'
-require_relative 'menu'
 
 module Spior
   class Options
-    attr_reader :install , :mac , :interface , :tor , :persist
+    attr_reader :install , :tor , :persist
 
     def initialize(argv)
       @install = false
-      @mac = false
       @tor = false
       @persist = false
       parse(argv)
@@ -24,24 +19,22 @@ module Spior
           @install = true
         end
 
-        opts.on("-n", "--net-card NAME", "The name of the target network card") do |net|
-          @interface = net
-        end
-
         opts.on("-t", "--tor", "Redirect traffic through TOR") do
           @tor = true
         end
 
         opts.on("-r", "--reload", "Reload TOR to change your ip") do
-          Spior::Reload::tor
+          Spior::Tor.restart
+          exit
         end
 
-        opts.on("-c", "--clear", "Clear iptables rules and restore files") do
-          Spior::Clear::all
+        opts.on("-c", "--clearnet", "Reset iptables and return to clearnet navigation") do
+          Spior::Clear.all
         end
 
         opts.on("-s", "--status", "Look infos about your current ip") do
-          Spior::Status::info
+          Spior::Status.info
+          exit
         end
 
         opts.on("-p", "--persist", "Active Spior at every boot.") do
@@ -49,7 +42,7 @@ module Spior
         end
 
         opts.on("-m", "--menu", "Display an interactive menu") do
-          Spior::Menu::run
+          Spior::Menu.run
         end
 
         opts.on("-h", "--help", "Show this message") do

data/lib/spior/persist.rb

@@ -1,83 +1,50 @@
 require 'nomansland'
 require 'tty-which'
-require_relative 'copy'
-require_relative 'msg'
-require_relative 'helpers'
 
 module Spior
   module Persist
     extend self
 
-    def all
-      @services=[ "tor", "iptables" ]
-      services
-      save_rules
-      search_for_systemd
-    end
-
-    private
-
-    # Install a systemd service where needed. TODO: test on more distrib
-    # no need on: archlinux
-    # need on: gentoo, debian, 
-    def services
-      return if !TTY::Which.exist?('systemctl') 
-      path_bin = "/sbin/iptables-restore"
-      path_rules = ""
+    def enable
       case Nomansland::distro?
       when :gentoo
-        path_rules = "/var/lib/iptables/rules-save"
-      when :debian
-        path_rules = "/etc/iptables/rules.v4"
+        for_gentoo
+      else
+        Msg.p "Your distro is not yet supported."
       end
-      string = <<EOF
-[Unit]
-Description=IPv4 Packet Filtering Framework for Spior
-Before=network-pre.target
-Wants=network-pre.target
+    end
 
-[Service]
-Type=oneshot
-ExecStart=#{path_bin} #{path_rules}
-ExecReload=#{path_bin} #{path_rules}
-RemainAfterExit=yes
+    private
 
-[Install]
-WantedBy=multi-user.target
-EOF
-      case Nomansland::distro?
-      when :gentoo
-        new_systemd = Helpers::NewSystemd.new(string, "iptables.services")
-        new_systemd.add
-        new_systemd.perm("root", "644")
+    def for_gentoo
+      if TTY::Which.exist?('systemctl')
+        systemd_start("iptables-store")
+        systemd_enable("iptables-restore")
+        systemd_enable("tor")
+      else
+        system("sudo /etc/init.d/iptables save")
+        rc_upd = Helpers::Exec.new("rc-update")
+        rc_upd.run("rc-update add iptables boot")
+        rc_upd.run("rc-update add tor")
+        rc_upd.run("rc-update add tor default")
       end
     end
 
-    def search_for_systemd
-      return if !TTY::Which.exist?('systemctl') 
-      @systemctl = Helpers::Exec.new("systemctl")
-      @iptables_save = Helpers::Exec.new("iptables-save")
-      Spior::Copy::systemd_services
-      @services.each do |service|
-        Msg.p "Search for service #{service}..."
-        `systemctl is-enabled #{service}`
-        if not $?.success? then
-          @systemctl.run("enable #{service}")
-        end
+    def systemd_enable(service)
+      systemctl = Helpers::Exec.new("systemctl")
+      Msg.p "Search for service #{service}..."
+      `systemctl is-enabled #{service}`
+      if not $?.success? then
+        systemctl.run("enable #{service}")
       end
     end
 
-    def save_rules
-      case Nomansland::installer?
-      when :pacman
-        @iptables_save.run("-f /etc/iptables/iptables.rules")
-      when :emerge
-        @systemctl = Helpers::Exec.new("systemctl")
-        @systemctl.run("start iptables-store")
-      when :apt_get
-        @iptables_save.run("> /etc/iptables/rules.v4")
-      else
-        Msg.report "Fail for save iptables-rule, your system is not yet supported"
+    def systemd_start(service)
+      systemctl = Helpers::Exec.new("systemctl")
+      Msg.p "Search for service #{service}..."
+      `systemctl is-active #{service}`
+      if not $?.success? then
+        systemctl.run("start #{service}")
       end
     end
   end

data/lib/spior/status.rb

@@ -1,20 +1,38 @@
-#!/usr/bin/env ruby
-
 require 'open-uri'
+require 'json'
 
 module Spior
-  class Status
+  module Status
+    def self.enable
+      begin
+        status = "Disable"
+        api_check = "https://check.torproject.org/api/ip"
+        URI.open(api_check) do |l|
+          hash = JSON.parse l.read
+          status = "Enable" if hash["IsTor"] == true
+        end
+        status
+      rescue OpenURI::HTTPError => error
+        res = error.io
+        puts "Fail to join server #{res.status}"
+      end
+    end
 
-    # TODO: if someone want help, i have trouble to make JSON.parse() work here
-    # the output is very very ugly !
     def self.info
-      uri = URI.parse("https://ipleak.net/json")
-      uri.open {|f|
-        f.each_line {|line|
-          p line.chomp.delete("/\",{}")
-        }
-      }
+      begin
+        api_check = "https://ipleak.net/json"
+        URI.open(api_check) do |l|
+          hash = JSON.parse l.read
+          puts
+          puts " Current ip  ===>  #{hash["ip"]}"
+          puts " Continent   ===>  #{hash["continent_name"]}"
+          puts " Timezone    ===>  #{hash["time_zone"]}"
+        end
+        puts " Status      ===>  #{enable}"
+      rescue OpenURI::HTTPError => error
+        res = error.io
+        puts "Fail to join server #{res.status}"
+      end
     end
-
   end
 end