RubyGems - spior - Versions diffs - 0.1.6 → 0.3.5 - Mend

spior 0.1.6 → 0.3.5

Files changed (44) hide show

checksums.yaml +4 -4
checksums.yaml.gz.sig +0 -0
data/.github/workflows/rubocop-analysis.yml +47 -0
data/.gitignore +1 -0
data/CHANGELOG.md +21 -0
data/Gemfile +5 -0
data/README.md +13 -3
data/Rakefile +20 -9
data/bin/spior +1 -0
data/lib/auth.rb +46 -0
data/lib/spior/dep.rb +38 -23
data/lib/spior/helpers.rb +22 -25
data/lib/spior/iptables/default.rb +19 -13
data/lib/spior/iptables/root.rb +37 -37
data/lib/spior/iptables/rules.rb +103 -0
data/lib/spior/iptables/tor.rb +24 -23
data/lib/spior/iptables.rb +4 -0
data/lib/spior/ipv6.rb +35 -0
data/lib/spior/menu.rb +18 -24
data/lib/spior/msg.rb +30 -8
data/lib/spior/options.rb +20 -22
data/lib/spior/service/enable.rb +66 -0
data/lib/spior/service/restart.rb +5 -12
data/lib/spior/service/start.rb +7 -17
data/lib/spior/service/stop.rb +14 -0
data/lib/spior/service.rb +5 -0
data/lib/spior/status.rb +32 -24
data/lib/spior/tor/config.rb +137 -0
data/lib/spior/tor/data.rb +53 -0
data/lib/spior/tor/start.rb +65 -0
data/lib/spior/tor/stop.rb +53 -0
data/lib/spior/tor.rb +7 -1
data/lib/spior/version.rb +3 -1
data/lib/spior.rb +18 -23
data/spior.gemspec +24 -21
data/test/test_install.rb +2 -2
data/test/test_options.rb +2 -0
data.tar.gz.sig +2 -2
metadata +59 -51
metadata.gz.sig +0 -0
data/lib/spior/clear.rb +0 -35
data/lib/spior/copy.rb +0 -84
data/lib/spior/persist.rb +0 -51
data/lib/spior/tor/info.rb +0 -96

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fc3cc3a5fd8b8a7ace72820d60d145efa04795f86a3381e3156178d4d4cfd09c
-  data.tar.gz: 8de21a9ee54c6dc50f3aad1e1a828dd92173c7a5b31571498af19d75b6fd20bf
+  metadata.gz: ecae8f75479fb87d8b09a28ea74c86728923802feb7b6c495af0c6e455dfc986
+  data.tar.gz: 442c8fbf6ea54e45b6b48abc4ba5de582ae09ae73bd71c1fce497ea082c929c1
 SHA512:
-  metadata.gz: acb66a1dd30e69c73f7ac79dbca7263fee90bd8bd6a8a1ace9dc7b35365a4996ce29aebde3d0652d1039f56ddcff259c29b739b8f3421bb9701b33a3d7b97c71
-  data.tar.gz: 284146408ef4dd90edf60e74f98488d0f5bf1ea92fdfff72edd30c219c26600c5e7934e71c7b54fc07bf7cf11a0e8b06ab31515d1314cc23ca570c029da551d3
+  metadata.gz: fe92411f967699b8cd29129f174030bb44a0d6ea2616fa5ff579e0879da63dfce83ce7bfeadfbed7e536141a882ff118315f730d3a26e45d8756bf9aed416130
+  data.tar.gz: 2195a94c764fcdecc221d2cea1688ca241901ac948cb02fb285b2c4c234b2f73335b2c44bd227014e795e32621b8221616dcaaecada2e95e779fad543d21ffff

checksums.yaml.gz.sig CHANGED Viewed

Binary file

data/.github/workflows/rubocop-analysis.yml ADDED Viewed

@@ -0,0 +1,47 @@
+# pulled from repo
+name: "Rubocop"
+on:
+  push:
+    branches: [ devel ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ devel ]
+  schedule:
+    - cron: '42 4 * * 6'
+jobs:
+  rubocop:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v1
+    # If running on a self-hosted runner, check it meets the requirements
+    # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.6
+    # This step is not necessary if you add the gem to your Gemfile
+    - name: Install Code Scanning integration
+      run: bundle add code-scanning-rubocop --skip-install
+    - name: Install dependencies
+      run: bundle install
+    - name: Rubocop run
+      run: |
+        bash -c "
+          bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
+          [[ $? -ne 2 ]]
+        "
+    - name: Upload Sarif output
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: rubocop.sarif

data/.gitignore CHANGED Viewed

@@ -38,6 +38,7 @@ build-iPhoneSimulator/
 /_yardoc/
 /doc/
 /rdoc/
+/html/
 ## Environment normalization:
 /.bundle/

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,24 @@
+## 0.3.5, release 2023-10-26
+* Better code style, only 11 alerts from rubocop.
+* spior -t also block ipv6 traffic, no need to reboot.
+* Config is written at /etc/torrc.d/spior.conf and loaded with the native daemon.
+* Only '%include /etc/torrc.d/*.conf' is now added to /etc/tor/torrc.
+* Certificate update `certs/szorfein.pem`.
+## 0.2.8, release 2022-09-16
+* Spior used with `--clearnet` try to restore iptables rules found on your system, e.g: `/etc/iptables/iptables.rules` and `/etc/iptables/iptables.rules-backup` for Archlinux or use `Spior::Iptables::Default`.
+* Stdout enhanced.
+* Enhance `Spior::Dep` for install the dependencies.
+* Make `Spior::Persist` work for Archlinux.
+* Update `Spior::Menu`.
+* Start documenting code.
+* `spior --reload` make a new IP each time it called, `Spior::Service` was rewritten.
+* Spior can be configured with `Spior::CONFIG` if used as library.
+* Spior look options from the `/etc/tor/torrc` and use them if any.
+* Add Rubocop style, fix ~300 code reports.
+* Spior no longer backup/restore the file `/etc/tor/torrc`.
+* Certificate update `certs/szorfein.pem`.
 ## 0.1.6, release 2021-12-30
 * Make it work for Voidlinux.
 * Add a man page.

data/Gemfile ADDED Viewed

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+source 'https://rubygems.org'
+gem 'code-scanning-rubocop'

data/README.md CHANGED Viewed

@@ -4,11 +4,14 @@
 <br/>
 [![Gem Version](https://badge.fury.io/rb/spior.svg)](https://badge.fury.io/rb/spior)
+![GitHub Workflow Status (branch)](https://img.shields.io/github/workflow/status/szorfein/spior/Rubocop/develop)
+[![Ruby Style Guide](https://img.shields.io/badge/code_style-rubocop-brightgreen.svg)](https://github.com/rubocop/rubocop)
 ![GitHub](https://img.shields.io/github/license/szorfein/spior)
 </div>
-(Spider|Tor) A tool to make TOR your default gateway.
+(Spider|Tor) A tool to redirect all your local traffic to the [Tor](https://www.torproject.org/) network.
 ## Install
 Spior is cryptographically signed, so add my public key (if you haven’t already) as a trusted certificate.
@@ -19,10 +22,15 @@ And install the gem:
     $ gem install spior -P MediumSecurity
-Or user wide (Spior will use `sudo`)
+Or user wide (Spior will use `sudo`, `doas` will be supported in next release)
     $ gem install --user-install spior
+## Requirements
+Spior use `iptables` and `tor`, which can be installed with (if your distro is supported):
+    $ spior --install
 ## Usage
     $ spior -h
@@ -51,4 +59,6 @@ For any questions, comments, feedback or issues, submit a [new issue](https://gi
 ### links
 + https://rubyreferences.github.io/rubyref
-+ https://rubystyle.guide/
++ https://rubystyle.guide/
++ https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TransparentProxy
++ https://github.com/epidemics-scepticism/writing/blob/master/misconception.md

data/Rakefile CHANGED Viewed

@@ -1,20 +1,31 @@
+# frozen_string_literal: true
 # https://github.com/seattlerb/minitest#running-your-tests-
-require "rake/testtask"
-require File.dirname(__FILE__) + "/lib/spior/version"
+require 'rake/testtask'
+require 'rdoc/task'
+require "#{File.dirname(__FILE__)}/lib/spior/version"
+# rake rdoc
+Rake::RDocTask.new('rdoc') do |rdoc|
+  rdoc.title = 'spior'
+  rdoc.options << '--line-numbers'
+  rdoc.main = 'README.md'
+  rdoc.rdoc_files.include 'lib/**/*.rb', 'README.md'
+end
 Rake::TestTask.new(:test) do |t|
-  t.libs << "test"
-  t.libs << "lib"
-  t.test_files = FileList["test/test_*.rb"]
+  t.libs << 'test'
+  t.libs << 'lib'
+  t.test_files = FileList['test/test_*.rb']
 end
 namespace :gem do
-  desc "build the gem"
+  desc 'build the gem'
   task :build do
-    Dir["spior*.gem"].each {|f| File.unlink(f) }
-    system("gem build spior.gemspec")
+    Dir['spior*.gem'].each { |f| File.unlink(f) }
+    system('gem build spior.gemspec')
     system("gem install --user-install spior-#{Spior::VERSION}.gem -P MediumSecurity")
   end
 end
-task :default => :test
+task default: :test

data/bin/spior CHANGED Viewed

@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 require 'spior'

data/lib/auth.rb ADDED Viewed

@@ -0,0 +1,46 @@
+# lib/auth.rb
+# frozen_string_literal: true
+require 'open3'
+# When action require privilege, Auth search on the system for sudo or doas.
+class Auth
+  def initialize
+    @auth = search_app
+  end
+  def mkdir(path)
+    return unless File.exist?(path)
+    x("mkdir -p #{path}")
+  end
+  def sysctl(flag, value)
+    return if flag.nil?
+    x("sysctl -w #{flag}=#{value}")
+  end
+  protected
+  def search_app
+    if File.exist?('/usr/bin/doas') || File.exist?('/bin/doas')
+      'doas'
+    elsif File.exist?('/usr/bin/sudo') || File.exist?('/bin/sudo')
+      'sudo'
+    else
+      warn 'No auth program found, Spior need few privileges.'
+    end
+  end
+  private
+  def x(args)
+    Open3.popen2e("#{@auth} #{args}") do |_, stdout, wait_thr|
+      puts stdout.gets while stdout.gets
+      exit_status = wait_thr.value
+      raise "An error expected with #{@auth} #{args}" unless exit_status.success?
+    end
+  end
+end

data/lib/spior/dep.rb CHANGED Viewed

@@ -1,37 +1,52 @@
+# frozen_string_literal: true
 require 'nomansland'
 require 'tty-which'
 module Spior
+  # Dep: install all dependencies for Spior
   module Dep
-    def self.check
-      deps = [ 'iptables', 'tor' ]
-      is_ok = true
-      Msg.p 'Searching dependencies...'
-      deps.each {|dep|
-        unless TTY::Which.exist? dep
-          Msg.err "-> #{dep} is lacked."
-          is_ok = false
-        end
-      }
-      exit 1 unless is_ok
+    module_function
+    def looking
+      case Nomansland.distro?
+      when :archlinux
+        installing_deps('Arch', %w[iptables tor])
+      when :debian
+        installing_deps('Debian', %w[iptables tor])
+      when :gentoo
+        installing_deps('Gentoo', %w[iptables tor])
+      when :void
+        installing_deps('Void', %w[iptables tor])
+      else
+        Msg.report 'Install for your distro is not yet supported.'
+      end
     end
-    def self.install
-      case Nomansland::installer?
+    def installing_deps(distro, names)
+      names.map do |n|
+        Msg.p "Search #{n} for #{distro}..."
+        install(n) unless search_dep(n)
+      end
+    end
+    def install(name)
+      case Nomansland.installer?
+      when :apt_get
+        Helpers::Exec.new('apt-get').run("install #{name}")
       when :emerge
-        Helpers::Exec.new('emerge -av').run('tor iptables')
+        Helpers::Exec.new('emerge').run("-av #{name}")
       when :pacman
-        Helpers::Exec.new('pacman -S').run('tor iptables')
-      when :yum
-        Helpers::Exec.new('yum install').run('tor iptables')
+        Helpers::Exec.new('pacman').run("-S #{name}")
       when :void
-        Helpers::Exec.new('xbps-install -y').run('tor iptables runit-iptables')
-      when :debian
-        Helpers::Exec.new('apt-get install').run('tor iptables iptables-persistent')
-      else
-        Msg.report 'Your system is not yet supported.'
+        Helpers::Exec.new('xbps-install').run("-y #{name}")
+      when :yum
+        Helpers::Exec.new('yum').run("install #{name}")
       end
-      exit 0
+    end
+    def search_dep(name)
+      TTY::Which.exist?(name) ? true : false
     end
   end
 end

data/lib/spior/helpers.rb CHANGED Viewed

@@ -1,8 +1,11 @@
+# frozen_string_literal: true
 require 'fileutils'
 require 'tempfile'
 require 'open3'
 module Helpers
+  # Execute program using sudo when permission is required
   class Exec
     def initialize(name)
       @search_uid = Process::Sys.getuid
@@ -10,16 +13,12 @@ module Helpers
     end
     def run(args)
-      cmd = @search_uid == '0' ? @name : "sudo #{@name}"
-      Open3.popen2e("#{cmd} #{args}") do |stdin, stdout_err, wait_thr|
-        while line = stdout_err.gets
-          puts line
-        end
+      cmd = (@search_uid == '0' ? @name : "sudo #{@name}")
+      Open3.popen2e("#{cmd} #{args}") do |_, stdout_err, wait_thr|
+        puts stdout_err.gets while stdout_err.gets
         exit_status = wait_thr.value
-        unless exit_status.success?
-          raise "Error, Running #{cmd} #{args}"
-        end
+        raise "Error, Running #{cmd} #{args}" unless exit_status.success?
       end
     end
   end
@@ -38,27 +37,25 @@ module Helpers
     # * _string_ = string for the whole file
     # * _name_ = name of the file (e.g: resolv.conf)
     # * _dest_ = path (e.g: /etc)
-    def initialize(string, name, dest = "/tmp")
+    def initialize(string, name, dest = '/tmp')
       @string = string
       @name = name
-      @dest = dest + "/" + @name
+      @dest = "#{dest}/#{@name}"
     end
     # Method #add
     # Add the file at @dest
     def add
-      @mv = Helpers::Exec.new("mv")
+      @mv = Helpers::Exec.new('mv')
       tmp = Tempfile.new(@name)
-      File.open(tmp.path, 'w') do |file|
-        file.puts @string
-      end
+      File.write tmp.path, "#{@string}\n"
       puts "move #{tmp.path} to #{@dest}"
       @mv.run("#{tmp.path} #{@dest}")
     end
     def perm(user, perm)
-      chown = Helpers::Exec.new("chown")
-      chmod = Helpers::Exec.new("chmod")
+      chown = Helpers::Exec.new('chown')
+      chmod = Helpers::Exec.new('chmod')
       chown.run("#{user}:#{user} #{@dest}")
       chmod.run("#{perm} #{@dest}")
     end
@@ -88,30 +85,30 @@ module Helpers
     def initialize(string, name)
       super
       @systemd_dir = search_systemd_dir
-      @dest = @systemd_dir + "/" + @name
+      @dest = "#{@systemd_dir}/#{@name}"
     end
     # Method #add
     # Create a temporary file and move
     # the service @name to the systemd directory
     def add
-      @systemctl = Helpers::Exec.new("systemctl")
+      @systemctl = Helpers::Exec.new('systemctl')
       super
-      @systemctl.run("daemon-reload")
+      @systemctl.run('daemon-reload')
     end
     private
     # Method search_systemd_dir
     # Search the current directory for systemd services
     # + Gentoo can install at /lib/systemd/system or /usr/lib/systemd/system
     def search_systemd_dir
-      if Dir.exist? "/lib/systemd/system"
-        "/lib/systemd/system"
-      elsif Dir.exist? "/usr/lib/systemd/system"
-        "/usr/lib/systemd/system"
+      if Dir.exist? '/lib/systemd/system'
+        '/lib/systemd/system'
+      elsif Dir.exist? '/usr/lib/systemd/system'
+        '/usr/lib/systemd/system'
       else
-        raise "No directory systemd found"
-        exit
+        raise 'No directory systemd found'
       end
     end
   end

data/lib/spior/iptables/default.rb CHANGED Viewed

@@ -1,37 +1,43 @@
+# frozen_string_literal: true
 module Spior
   module Iptables
+    # Default and generic Iptables rules when Tor is not used.
+    #
+    # Allowed ports:
+    # * Input 22: for ssh connection
     class Default < Iptables::Root
       private
       def input
         # SSH
-        ipt "-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
+        ipt '-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'
         # Allow loopback, rules
         ipt "-A INPUT -i #{@lo} -j ACCEPT"
         # Accept related
-        ipt "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+        ipt '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
       end
       def output
-        ipt "-A OUTPUT -m conntrack --ctstate INVALID -j DROP"
-        ipt "-A OUTPUT -m state --state ESTABLISHED -j ACCEPT"
+        ipt '-A OUTPUT -m conntrack --ctstate INVALID -j DROP'
+        ipt '-A OUTPUT -m state --state ESTABLISHED -j ACCEPT'
         # Allow SSH
-        ipt "-A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
+        ipt '-A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'
         # Allow Loopback
         ipt "-A OUTPUT -d #{@lo_addr}/8 -o #{@lo} -j ACCEPT"
         # Default
-        ipt "-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
+        ipt '-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT'
       end
       def all
-        ipt "-t filter -A OUTPUT -p udp -j ACCEPT"
-        ipt "-t filter -A OUTPUT -p icmp -j REJECT"
-        ipt "-P INPUT ACCEPT"
-        ipt "-P FORWARD ACCEPT"
-        ipt "-P OUTPUT ACCEPT"
+        ipt '-t filter -A OUTPUT -p udp -j ACCEPT'
+        ipt '-t filter -A OUTPUT -p icmp -j REJECT'
+        ipt '-P INPUT ACCEPT'
+        ipt '-P FORWARD ACCEPT'
+        ipt '-P OUTPUT ACCEPT'
       end
     end
   end

data/lib/spior/iptables/root.rb CHANGED Viewed

@@ -1,13 +1,16 @@
+# frozen_string_literal: true
 require 'interfacez'
 module Spior
   module Iptables
+    # Base class for iptables
     class Root
       def initialize
         @lo      = Interfacez.loopback
         @lo_addr = Interfacez.ipv4_address_of(@lo)
-        @i = Helpers::Exec.new("iptables")
-        Spior::Copy.new.save
+        @i = Helpers::Exec.new('iptables')
+        @debug = false
       end
       def run!
@@ -22,63 +25,60 @@ module Spior
       end
       def stop!
-        ipt "-F"
-        ipt "-X"
-        ipt "-t nat -F"
-        ipt "-t nat -X"
-        ipt "-t mangle -F"
-        ipt "-t mangle -X"
+        Msg.p 'Clearing Iptables rules...'
+        ipt '-F'
+        ipt '-X'
+        ipt '-t nat -F'
+        ipt '-t nat -X'
+        ipt '-t mangle -F'
+        ipt '-t mangle -X'
       end
       private
       def ipt(line)
-        @i.run("#{line}")
-        puts "added - #{@i} #{line}"
+        @i.run(line.to_s)
+        puts "Added - iptables #{line}" if @debug
       end
-      def redirect
-      end
+      def redirect; end
-      def input
-      end
+      def input; end
-      def output
-      end
+      def output; end
-      def all
-      end
+      def all; end
       def bogus_tcp_flags
-        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP"
-        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP"
-        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP"
-        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP"
-        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP"
-        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP"
-        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP"
-        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP"
-        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP"
-        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP"
-        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP"
-        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP"
-        ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP"
+        ipt '-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP'
+        ipt '-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP'
+        ipt '-t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP'
+        ipt '-t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP'
+        ipt '-t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP'
+        ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP'
+        ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP'
+        ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP'
+        ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP'
+        ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP'
+        ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP'
+        ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP'
+        ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP'
       end
       def bad_packets
         # new packet not syn
-        ipt "-t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP"
+        ipt '-t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP'
         # fragment  packet
-        ipt "-A INPUT -f -j DROP"
+        ipt '-A INPUT -f -j DROP'
         # XMAS
-        ipt "-A INPUT -p tcp --tcp-flags ALL ALL -j DROP"
+        ipt '-A INPUT -p tcp --tcp-flags ALL ALL -j DROP'
         # null packet
-        ipt "-A INPUT -p tcp --tcp-flags ALL NONE -j DROP"
+        ipt '-A INPUT -p tcp --tcp-flags ALL NONE -j DROP'
       end
       def spoofing
-        subs=["224.0.0.0/3", "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/5"]
-        subs.each do |sub|
+        subs = %w[224.0.0.0/3 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 0.0.0.0/8 240.0.0.0/5]
+        subs.map do |sub|
           ipt "-t mangle -A PREROUTING -s #{sub} -j DROP"
         end
         ipt "-t mangle -A PREROUTING -s #{@lo_addr}/8 ! -i #{@lo} -j DROP"