spior 0.1.6 → 0.3.5
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data/.github/workflows/rubocop-analysis.yml +47 -0
- data/.gitignore +1 -0
- data/CHANGELOG.md +21 -0
- data/Gemfile +5 -0
- data/README.md +13 -3
- data/Rakefile +20 -9
- data/bin/spior +1 -0
- data/lib/auth.rb +46 -0
- data/lib/spior/dep.rb +38 -23
- data/lib/spior/helpers.rb +22 -25
- data/lib/spior/iptables/default.rb +19 -13
- data/lib/spior/iptables/root.rb +37 -37
- data/lib/spior/iptables/rules.rb +103 -0
- data/lib/spior/iptables/tor.rb +24 -23
- data/lib/spior/iptables.rb +4 -0
- data/lib/spior/ipv6.rb +35 -0
- data/lib/spior/menu.rb +18 -24
- data/lib/spior/msg.rb +30 -8
- data/lib/spior/options.rb +20 -22
- data/lib/spior/service/enable.rb +66 -0
- data/lib/spior/service/restart.rb +5 -12
- data/lib/spior/service/start.rb +7 -17
- data/lib/spior/service/stop.rb +14 -0
- data/lib/spior/service.rb +5 -0
- data/lib/spior/status.rb +32 -24
- data/lib/spior/tor/config.rb +137 -0
- data/lib/spior/tor/data.rb +53 -0
- data/lib/spior/tor/start.rb +65 -0
- data/lib/spior/tor/stop.rb +53 -0
- data/lib/spior/tor.rb +7 -1
- data/lib/spior/version.rb +3 -1
- data/lib/spior.rb +18 -23
- data/spior.gemspec +24 -21
- data/test/test_install.rb +2 -2
- data/test/test_options.rb +2 -0
- data.tar.gz.sig +2 -2
- metadata +59 -51
- metadata.gz.sig +0 -0
- data/lib/spior/clear.rb +0 -35
- data/lib/spior/copy.rb +0 -84
- data/lib/spior/persist.rb +0 -51
- data/lib/spior/tor/info.rb +0 -96
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: ecae8f75479fb87d8b09a28ea74c86728923802feb7b6c495af0c6e455dfc986
|
4
|
+
data.tar.gz: 442c8fbf6ea54e45b6b48abc4ba5de582ae09ae73bd71c1fce497ea082c929c1
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: fe92411f967699b8cd29129f174030bb44a0d6ea2616fa5ff579e0879da63dfce83ce7bfeadfbed7e536141a882ff118315f730d3a26e45d8756bf9aed416130
|
7
|
+
data.tar.gz: 2195a94c764fcdecc221d2cea1688ca241901ac948cb02fb285b2c4c234b2f73335b2c44bd227014e795e32621b8221616dcaaecada2e95e779fad543d21ffff
|
checksums.yaml.gz.sig
CHANGED
Binary file
|
@@ -0,0 +1,47 @@
|
|
1
|
+
# pulled from repo
|
2
|
+
name: "Rubocop"
|
3
|
+
|
4
|
+
on:
|
5
|
+
push:
|
6
|
+
branches: [ devel ]
|
7
|
+
pull_request:
|
8
|
+
# The branches below must be a subset of the branches above
|
9
|
+
branches: [ devel ]
|
10
|
+
schedule:
|
11
|
+
- cron: '42 4 * * 6'
|
12
|
+
|
13
|
+
jobs:
|
14
|
+
rubocop:
|
15
|
+
runs-on: ubuntu-latest
|
16
|
+
strategy:
|
17
|
+
fail-fast: false
|
18
|
+
|
19
|
+
steps:
|
20
|
+
- name: Checkout repository
|
21
|
+
uses: actions/checkout@v1
|
22
|
+
|
23
|
+
# If running on a self-hosted runner, check it meets the requirements
|
24
|
+
# listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners
|
25
|
+
- name: Set up Ruby
|
26
|
+
uses: ruby/setup-ruby@v1
|
27
|
+
with:
|
28
|
+
ruby-version: 2.6
|
29
|
+
|
30
|
+
# This step is not necessary if you add the gem to your Gemfile
|
31
|
+
- name: Install Code Scanning integration
|
32
|
+
run: bundle add code-scanning-rubocop --skip-install
|
33
|
+
|
34
|
+
- name: Install dependencies
|
35
|
+
run: bundle install
|
36
|
+
|
37
|
+
- name: Rubocop run
|
38
|
+
run: |
|
39
|
+
bash -c "
|
40
|
+
bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
|
41
|
+
[[ $? -ne 2 ]]
|
42
|
+
"
|
43
|
+
|
44
|
+
- name: Upload Sarif output
|
45
|
+
uses: github/codeql-action/upload-sarif@v2
|
46
|
+
with:
|
47
|
+
sarif_file: rubocop.sarif
|
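Review bot: The workflow declares no `permissions:` block, so the job runs with the repository's default token scope although the only write it needs is the one `upload-sarif` performs; add at the `rubocop` job level `permissions:` / `contents: read` / `security-events: write` so the token is least-privilege. The third-party steps are pinned by mutable tags (`actions/checkout@v1`, `ruby/setup-ruby@v1`, `github/codeql-action/upload-sarif@v2`), which lets a moved tag change what executes in CI; pin each to a full commit SHA and keep the tag in a trailing comment. `ruby-version: 2.6` is also past upstream support, so the lint results will not reflect the Ruby the gem is run with, and `actions/checkout@v1` is several majors behind.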
data/.gitignore
CHANGED
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,24 @@
|
|
1
|
+
## 0.3.5, release 2023-10-26
|
2
|
+
* Better code style, only 11 alerts from rubocop.
|
3
|
+
* spior -t also block ipv6 traffic, no need to reboot.
|
4
|
+
* Config is written at /etc/torrc.d/spior.conf and loaded with the native daemon.
|
5
|
+
* Only '%include /etc/torrc.d/*.conf' is now added to /etc/tor/torrc.
|
6
|
+
* Certificate update `certs/szorfein.pem`.
|
7
|
+
|
8
|
+
## 0.2.8, release 2022-09-16
|
9
|
+
* Spior used with `--clearnet` try to restore iptables rules found on your system, e.g: `/etc/iptables/iptables.rules` and `/etc/iptables/iptables.rules-backup` for Archlinux or use `Spior::Iptables::Default`.
|
10
|
+
* Stdout enhanced.
|
11
|
+
* Enhance `Spior::Dep` for install the dependencies.
|
12
|
+
* Make `Spior::Persist` work for Archlinux.
|
13
|
+
* Update `Spior::Menu`.
|
14
|
+
* Start documenting code.
|
15
|
+
* `spior --reload` make a new IP each time it called, `Spior::Service` was rewritten.
|
16
|
+
* Spior can be configured with `Spior::CONFIG` if used as library.
|
17
|
+
* Spior look options from the `/etc/tor/torrc` and use them if any.
|
18
|
+
* Add Rubocop style, fix ~300 code reports.
|
19
|
+
* Spior no longer backup/restore the file `/etc/tor/torrc`.
|
20
|
+
* Certificate update `certs/szorfein.pem`.
|
21
|
+
|
1
22
|
## 0.1.6, release 2021-12-30
|
2
23
|
* Make it work for Voidlinux.
|
3
24
|
* Add a man page.
|
data/Gemfile
ADDED
data/README.md
CHANGED
@@ -4,11 +4,14 @@
|
|
4
4
|
<br/>
|
5
5
|
|
6
6
|
[![Gem Version](https://badge.fury.io/rb/spior.svg)](https://badge.fury.io/rb/spior)
|
7
|
+
![GitHub Workflow Status (branch)](https://img.shields.io/github/workflow/status/szorfein/spior/Rubocop/develop)
|
8
|
+
[![Ruby Style Guide](https://img.shields.io/badge/code_style-rubocop-brightgreen.svg)](https://github.com/rubocop/rubocop)
|
7
9
|
![GitHub](https://img.shields.io/github/license/szorfein/spior)
|
8
10
|
|
9
11
|
</div>
|
10
12
|
|
11
|
-
|
13
|
+
|
14
|
+
(Spider|Tor) A tool to redirect all your local traffic to the [Tor](https://www.torproject.org/) network.
|
12
15
|
|
13
16
|
## Install
|
14
17
|
Spior is cryptographically signed, so add my public key (if you haven’t already) as a trusted certificate.
|
@@ -19,10 +22,15 @@ And install the gem:
|
|
19
22
|
|
20
23
|
$ gem install spior -P MediumSecurity
|
21
24
|
|
22
|
-
Or user wide (Spior will use `sudo`)
|
25
|
+
Or user wide (Spior will use `sudo`, `doas` will be supported in next release)
|
23
26
|
|
24
27
|
$ gem install --user-install spior
|
25
28
|
|
29
|
+
## Requirements
|
30
|
+
Spior use `iptables` and `tor`, which can be installed with (if your distro is supported):
|
31
|
+
|
32
|
+
$ spior --install
|
33
|
+
|
26
34
|
## Usage
|
27
35
|
|
28
36
|
$ spior -h
|
@@ -51,4 +59,6 @@ For any questions, comments, feedback or issues, submit a [new issue](https://gi
|
|
51
59
|
|
52
60
|
### links
|
53
61
|
+ https://rubyreferences.github.io/rubyref
|
54
|
-
+ https://rubystyle.guide/
|
62
|
+
+ https://rubystyle.guide/
|
63
|
+
+ https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TransparentProxy
|
64
|
+
+ https://github.com/epidemics-scepticism/writing/blob/master/misconception.md
|
data/Rakefile
CHANGED
@@ -1,20 +1,31 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
# https://github.com/seattlerb/minitest#running-your-tests-
|
2
|
-
require
|
3
|
-
require
|
4
|
+
require 'rake/testtask'
|
5
|
+
require 'rdoc/task'
|
6
|
+
require "#{File.dirname(__FILE__)}/lib/spior/version"
|
7
|
+
|
8
|
+
# rake rdoc
|
9
|
+
Rake::RDocTask.new('rdoc') do |rdoc|
|
10
|
+
rdoc.title = 'spior'
|
11
|
+
rdoc.options << '--line-numbers'
|
12
|
+
rdoc.main = 'README.md'
|
13
|
+
rdoc.rdoc_files.include 'lib/**/*.rb', 'README.md'
|
14
|
+
end
|
4
15
|
|
5
16
|
Rake::TestTask.new(:test) do |t|
|
6
|
-
t.libs <<
|
7
|
-
t.libs <<
|
8
|
-
t.test_files = FileList[
|
17
|
+
t.libs << 'test'
|
18
|
+
t.libs << 'lib'
|
19
|
+
t.test_files = FileList['test/test_*.rb']
|
9
20
|
end
|
10
21
|
|
11
22
|
namespace :gem do
|
12
|
-
desc
|
23
|
+
desc 'build the gem'
|
13
24
|
task :build do
|
14
|
-
Dir[
|
15
|
-
system(
|
25
|
+
Dir['spior*.gem'].each { |f| File.unlink(f) }
|
26
|
+
system('gem build spior.gemspec')
|
16
27
|
system("gem install --user-install spior-#{Spior::VERSION}.gem -P MediumSecurity")
|
17
28
|
end
|
18
29
|
end
|
19
30
|
|
20
|
-
task :
|
31
|
+
task default: :test
|
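Review bot: In `gem:build` the return value of `system('gem build spior.gemspec')` is ignored, so when the build fails the next line still runs `gem install` against whatever `spior-#{Spior::VERSION}.gem` happens to be present, or fails with a less useful error; check it, e.g. `system('gem build spior.gemspec') || abort('gem build failed')`. Minor style: `Rake::RDocTask` is the compatibility alias kept in `rdoc/task`, and `RDoc::Task.new('rdoc')` is the current name for the task this file defines.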
data/bin/spior
CHANGED
data/lib/auth.rb
ADDED
@@ -0,0 +1,46 @@
|
|
1
|
+
# lib/auth.rb
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'open3'
|
5
|
+
|
6
|
+
# When action require privilege, Auth search on the system for sudo or doas.
|
7
|
+
class Auth
|
8
|
+
def initialize
|
9
|
+
@auth = search_app
|
10
|
+
end
|
11
|
+
|
12
|
+
def mkdir(path)
|
13
|
+
return unless File.exist?(path)
|
14
|
+
|
15
|
+
x("mkdir -p #{path}")
|
16
|
+
end
|
17
|
+
|
18
|
+
def sysctl(flag, value)
|
19
|
+
return if flag.nil?
|
20
|
+
|
21
|
+
x("sysctl -w #{flag}=#{value}")
|
22
|
+
end
|
23
|
+
|
24
|
+
protected
|
25
|
+
|
26
|
+
def search_app
|
27
|
+
if File.exist?('/usr/bin/doas') || File.exist?('/bin/doas')
|
28
|
+
'doas'
|
29
|
+
elsif File.exist?('/usr/bin/sudo') || File.exist?('/bin/sudo')
|
30
|
+
'sudo'
|
31
|
+
else
|
32
|
+
warn 'No auth program found, Spior need few privileges.'
|
33
|
+
end
|
34
|
+
end
|
35
|
+
|
36
|
+
private
|
37
|
+
|
38
|
+
def x(args)
|
39
|
+
Open3.popen2e("#{@auth} #{args}") do |_, stdout, wait_thr|
|
40
|
+
puts stdout.gets while stdout.gets
|
41
|
+
|
42
|
+
exit_status = wait_thr.value
|
43
|
+
raise "An error expected with #{@auth} #{args}" unless exit_status.success?
|
44
|
+
end
|
45
|
+
end
|
46
|
+
end
|
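Review bot: `Auth#mkdir` has its guard inverted: `return unless File.exist?(path)` skips the command exactly when the directory is missing and runs `mkdir -p` only when it already exists; it should read `return if File.exist?(path)`. In `Auth#x`, `puts stdout.gets while stdout.gets` consumes one line in the condition and prints the next, so half of the privileged command's output is silently dropped, and the same pattern appears in `Helpers::Exec#run` in `data/lib/spior/helpers.rb`; use `stdout.each_line { |line| puts line }`. Because `x` hands `Open3.popen2e` a single string, `path`, `flag` and `value` go through a shell whenever they contain metacharacters, under `doas`/`sudo`; passing an argv array instead (`Open3.popen2e(@auth, 'sysctl', '-w', "#{flag}=#{value}")`) removes that interpretation step. Finally, `search_app` returns the `nil` from `warn` when neither binary exists, so `@auth` is `nil` and every later command runs unprivileged as `" mkdir -p ..."` before failing; raising there would fail earlier and with a clearer message.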
data/lib/spior/dep.rb
CHANGED
@@ -1,37 +1,52 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
require 'nomansland'
|
2
4
|
require 'tty-which'
|
3
5
|
|
4
6
|
module Spior
|
7
|
+
# Dep: install all dependencies for Spior
|
5
8
|
module Dep
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
9
|
+
module_function
|
10
|
+
|
11
|
+
def looking
|
12
|
+
case Nomansland.distro?
|
13
|
+
when :archlinux
|
14
|
+
installing_deps('Arch', %w[iptables tor])
|
15
|
+
when :debian
|
16
|
+
installing_deps('Debian', %w[iptables tor])
|
17
|
+
when :gentoo
|
18
|
+
installing_deps('Gentoo', %w[iptables tor])
|
19
|
+
when :void
|
20
|
+
installing_deps('Void', %w[iptables tor])
|
21
|
+
else
|
22
|
+
Msg.report 'Install for your distro is not yet supported.'
|
23
|
+
end
|
17
24
|
end
|
18
25
|
|
19
|
-
def
|
20
|
-
|
26
|
+
def installing_deps(distro, names)
|
27
|
+
names.map do |n|
|
28
|
+
Msg.p "Search #{n} for #{distro}..."
|
29
|
+
install(n) unless search_dep(n)
|
30
|
+
end
|
31
|
+
end
|
32
|
+
|
33
|
+
def install(name)
|
34
|
+
case Nomansland.installer?
|
35
|
+
when :apt_get
|
36
|
+
Helpers::Exec.new('apt-get').run("install #{name}")
|
21
37
|
when :emerge
|
22
|
-
Helpers::Exec.new('emerge
|
38
|
+
Helpers::Exec.new('emerge').run("-av #{name}")
|
23
39
|
when :pacman
|
24
|
-
Helpers::Exec.new('pacman
|
25
|
-
when :yum
|
26
|
-
Helpers::Exec.new('yum install').run('tor iptables')
|
40
|
+
Helpers::Exec.new('pacman').run("-S #{name}")
|
27
41
|
when :void
|
28
|
-
Helpers::Exec.new('xbps-install
|
29
|
-
when :
|
30
|
-
Helpers::Exec.new('
|
31
|
-
else
|
32
|
-
Msg.report 'Your system is not yet supported.'
|
42
|
+
Helpers::Exec.new('xbps-install').run("-y #{name}")
|
43
|
+
when :yum
|
44
|
+
Helpers::Exec.new('yum').run("install #{name}")
|
33
45
|
end
|
34
|
-
|
46
|
+
end
|
47
|
+
|
48
|
+
def search_dep(name)
|
49
|
+
TTY::Which.exist?(name) ? true : false
|
35
50
|
end
|
36
51
|
end
|
37
52
|
end
|
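Review bot: `Dep.install` lost the `else` branch that previously reported an unsupported system, so when `Nomansland.installer?` returns anything other than the five listed symbols the `case` falls through silently and `looking` continues as if the dependency had been installed; restore it, e.g. `else Msg.report 'Your system is not yet supported.'` before the closing `end`. `installing_deps` uses `names.map` purely for its side effects and discards the resulting array; `names.each` states the intent. If `TTY::Which.exist?` already returns a boolean, `search_dep` can simply return it and the `? true : false` is redundant.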
data/lib/spior/helpers.rb
CHANGED
@@ -1,8 +1,11 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
require 'fileutils'
|
2
4
|
require 'tempfile'
|
3
5
|
require 'open3'
|
4
6
|
|
5
7
|
module Helpers
|
8
|
+
# Execute program using sudo when permission is required
|
6
9
|
class Exec
|
7
10
|
def initialize(name)
|
8
11
|
@search_uid = Process::Sys.getuid
|
@@ -10,16 +13,12 @@ module Helpers
|
|
10
13
|
end
|
11
14
|
|
12
15
|
def run(args)
|
13
|
-
cmd = @search_uid == '0' ? @name : "sudo #{@name}"
|
14
|
-
Open3.popen2e("#{cmd} #{args}") do |
|
15
|
-
|
16
|
-
puts line
|
17
|
-
end
|
16
|
+
cmd = (@search_uid == '0' ? @name : "sudo #{@name}")
|
17
|
+
Open3.popen2e("#{cmd} #{args}") do |_, stdout_err, wait_thr|
|
18
|
+
puts stdout_err.gets while stdout_err.gets
|
18
19
|
|
19
20
|
exit_status = wait_thr.value
|
20
|
-
unless exit_status.success?
|
21
|
-
raise "Error, Running #{cmd} #{args}"
|
22
|
-
end
|
21
|
+
raise "Error, Running #{cmd} #{args}" unless exit_status.success?
|
23
22
|
end
|
24
23
|
end
|
25
24
|
end
|
@@ -38,27 +37,25 @@ module Helpers
|
|
38
37
|
# * _string_ = string for the whole file
|
39
38
|
# * _name_ = name of the file (e.g: resolv.conf)
|
40
39
|
# * _dest_ = path (e.g: /etc)
|
41
|
-
def initialize(string, name, dest =
|
40
|
+
def initialize(string, name, dest = '/tmp')
|
42
41
|
@string = string
|
43
42
|
@name = name
|
44
|
-
@dest = dest
|
43
|
+
@dest = "#{dest}/#{@name}"
|
45
44
|
end
|
46
45
|
|
47
46
|
# Method #add
|
48
47
|
# Add the file at @dest
|
49
48
|
def add
|
50
|
-
@mv = Helpers::Exec.new(
|
49
|
+
@mv = Helpers::Exec.new('mv')
|
51
50
|
tmp = Tempfile.new(@name)
|
52
|
-
File.
|
53
|
-
file.puts @string
|
54
|
-
end
|
51
|
+
File.write tmp.path, "#{@string}\n"
|
55
52
|
puts "move #{tmp.path} to #{@dest}"
|
56
53
|
@mv.run("#{tmp.path} #{@dest}")
|
57
54
|
end
|
58
55
|
|
59
56
|
def perm(user, perm)
|
60
|
-
chown = Helpers::Exec.new(
|
61
|
-
chmod = Helpers::Exec.new(
|
57
|
+
chown = Helpers::Exec.new('chown')
|
58
|
+
chmod = Helpers::Exec.new('chmod')
|
62
59
|
chown.run("#{user}:#{user} #{@dest}")
|
63
60
|
chmod.run("#{perm} #{@dest}")
|
64
61
|
end
|
@@ -88,30 +85,30 @@ module Helpers
|
|
88
85
|
def initialize(string, name)
|
89
86
|
super
|
90
87
|
@systemd_dir = search_systemd_dir
|
91
|
-
@dest = @systemd_dir
|
88
|
+
@dest = "#{@systemd_dir}/#{@name}"
|
92
89
|
end
|
93
90
|
|
94
91
|
# Method #add
|
95
92
|
# Create a temporary file and move
|
96
93
|
# the service @name to the systemd directory
|
97
94
|
def add
|
98
|
-
@systemctl = Helpers::Exec.new(
|
95
|
+
@systemctl = Helpers::Exec.new('systemctl')
|
99
96
|
super
|
100
|
-
@systemctl.run(
|
97
|
+
@systemctl.run('daemon-reload')
|
101
98
|
end
|
102
99
|
|
103
100
|
private
|
101
|
+
|
104
102
|
# Method search_systemd_dir
|
105
103
|
# Search the current directory for systemd services
|
106
104
|
# + Gentoo can install at /lib/systemd/system or /usr/lib/systemd/system
|
107
105
|
def search_systemd_dir
|
108
|
-
if Dir.exist?
|
109
|
-
|
110
|
-
elsif Dir.exist?
|
111
|
-
|
106
|
+
if Dir.exist? '/lib/systemd/system'
|
107
|
+
'/lib/systemd/system'
|
108
|
+
elsif Dir.exist? '/usr/lib/systemd/system'
|
109
|
+
'/usr/lib/systemd/system'
|
112
110
|
else
|
113
|
-
raise
|
114
|
-
exit
|
111
|
+
raise 'No directory systemd found'
|
115
112
|
end
|
116
113
|
end
|
117
114
|
end
|
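Review bot: In the second hunk `Helpers::Exec#run` compares `@search_uid == '0'`, but `@search_uid` is assigned from `Process::Sys.getuid` in the first hunk, which returns an Integer, so the comparison is always false and the command is prefixed with `sudo` even when the process is already root; compare numerically, `cmd = @search_uid.zero? ? @name : "sudo #{@name}"`. Unlike the new `Auth` class added in this release, this helper is still hard-coded to `sudo`, so a `doas`-only host that `Auth#search_app` is written to handle will fail here; consider reusing that lookup, or at least note the limitation in a comment on `run` such as `# Privilege escalation is sudo-only here; see Auth for doas support`.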
@@ -1,37 +1,43 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
module Spior
|
2
4
|
module Iptables
|
5
|
+
# Default and generic Iptables rules when Tor is not used.
|
6
|
+
#
|
7
|
+
# Allowed ports:
|
8
|
+
# * Input 22: for ssh connection
|
3
9
|
class Default < Iptables::Root
|
4
10
|
private
|
5
|
-
|
11
|
+
|
6
12
|
def input
|
7
13
|
# SSH
|
8
|
-
ipt
|
14
|
+
ipt '-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'
|
9
15
|
# Allow loopback, rules
|
10
16
|
ipt "-A INPUT -i #{@lo} -j ACCEPT"
|
11
17
|
# Accept related
|
12
|
-
ipt
|
18
|
+
ipt '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
|
13
19
|
end
|
14
20
|
|
15
21
|
def output
|
16
|
-
ipt
|
17
|
-
ipt
|
22
|
+
ipt '-A OUTPUT -m conntrack --ctstate INVALID -j DROP'
|
23
|
+
ipt '-A OUTPUT -m state --state ESTABLISHED -j ACCEPT'
|
18
24
|
|
19
25
|
# Allow SSH
|
20
|
-
ipt
|
26
|
+
ipt '-A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'
|
21
27
|
|
22
28
|
# Allow Loopback
|
23
29
|
ipt "-A OUTPUT -d #{@lo_addr}/8 -o #{@lo} -j ACCEPT"
|
24
30
|
|
25
31
|
# Default
|
26
|
-
ipt
|
32
|
+
ipt '-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT'
|
27
33
|
end
|
28
|
-
|
34
|
+
|
29
35
|
def all
|
30
|
-
ipt
|
31
|
-
ipt
|
32
|
-
ipt
|
33
|
-
ipt
|
34
|
-
ipt
|
36
|
+
ipt '-t filter -A OUTPUT -p udp -j ACCEPT'
|
37
|
+
ipt '-t filter -A OUTPUT -p icmp -j REJECT'
|
38
|
+
ipt '-P INPUT ACCEPT'
|
39
|
+
ipt '-P FORWARD ACCEPT'
|
40
|
+
ipt '-P OUTPUT ACCEPT'
|
35
41
|
end
|
36
42
|
end
|
37
43
|
end
|
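Review bot: In this hunk, which the diffstat suggests is `data/lib/spior/iptables/default.rb` (its file header is not rendered), `Default#all` ends with `-P INPUT ACCEPT`, `-P FORWARD ACCEPT` and `-P OUTPUT ACCEPT`, so the per-port accepts in `input` and `output` (SSH on 22, loopback, ESTABLISHED) have no filtering effect on their own — anything not explicitly dropped is accepted anyway. If a permissive clearnet baseline is the intent, a comment such as `# Policies are ACCEPT: these rules only pre-approve traffic, nothing else is filtered` would make that explicit; otherwise INPUT should default to DROP. `output` also adds the legacy `-m state --state ESTABLISHED -j ACCEPT` and, a few lines later, the equivalent `-m conntrack --ctstate ESTABLISHED -j ACCEPT`; one of the two can go, and `conntrack` is the current match. Whether `Root#run!` (outside this hunk) applies the `bogus_tcp_flags`/`bad_packets` drops before these rules is not visible here.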
data/lib/spior/iptables/root.rb
CHANGED
@@ -1,13 +1,16 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
require 'interfacez'
|
2
4
|
|
3
5
|
module Spior
|
4
6
|
module Iptables
|
7
|
+
# Base class for iptables
|
5
8
|
class Root
|
6
9
|
def initialize
|
7
10
|
@lo = Interfacez.loopback
|
8
11
|
@lo_addr = Interfacez.ipv4_address_of(@lo)
|
9
|
-
@i = Helpers::Exec.new(
|
10
|
-
|
12
|
+
@i = Helpers::Exec.new('iptables')
|
13
|
+
@debug = false
|
11
14
|
end
|
12
15
|
|
13
16
|
def run!
|
@@ -22,63 +25,60 @@ module Spior
|
|
22
25
|
end
|
23
26
|
|
24
27
|
def stop!
|
25
|
-
|
26
|
-
ipt
|
27
|
-
ipt
|
28
|
-
ipt
|
29
|
-
ipt
|
30
|
-
ipt
|
28
|
+
Msg.p 'Clearing Iptables rules...'
|
29
|
+
ipt '-F'
|
30
|
+
ipt '-X'
|
31
|
+
ipt '-t nat -F'
|
32
|
+
ipt '-t nat -X'
|
33
|
+
ipt '-t mangle -F'
|
34
|
+
ipt '-t mangle -X'
|
31
35
|
end
|
32
36
|
|
33
37
|
private
|
34
38
|
|
35
39
|
def ipt(line)
|
36
|
-
@i.run(
|
37
|
-
puts "
|
40
|
+
@i.run(line.to_s)
|
41
|
+
puts "Added - iptables #{line}" if @debug
|
38
42
|
end
|
39
43
|
|
40
|
-
def redirect
|
41
|
-
end
|
44
|
+
def redirect; end
|
42
45
|
|
43
|
-
def input
|
44
|
-
end
|
46
|
+
def input; end
|
45
47
|
|
46
|
-
def output
|
47
|
-
end
|
48
|
+
def output; end
|
48
49
|
|
49
|
-
def all
|
50
|
-
end
|
50
|
+
def all; end
|
51
51
|
|
52
52
|
def bogus_tcp_flags
|
53
|
-
ipt
|
54
|
-
ipt
|
55
|
-
ipt
|
56
|
-
ipt
|
57
|
-
ipt
|
58
|
-
ipt
|
59
|
-
ipt
|
60
|
-
ipt
|
61
|
-
ipt
|
62
|
-
ipt
|
63
|
-
ipt
|
64
|
-
ipt
|
65
|
-
ipt
|
53
|
+
ipt '-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP'
|
54
|
+
ipt '-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP'
|
55
|
+
ipt '-t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP'
|
56
|
+
ipt '-t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP'
|
57
|
+
ipt '-t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP'
|
58
|
+
ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP'
|
59
|
+
ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP'
|
60
|
+
ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP'
|
61
|
+
ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP'
|
62
|
+
ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP'
|
63
|
+
ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP'
|
64
|
+
ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP'
|
65
|
+
ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP'
|
66
66
|
end
|
67
67
|
|
68
68
|
def bad_packets
|
69
69
|
# new packet not syn
|
70
|
-
ipt
|
70
|
+
ipt '-t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP'
|
71
71
|
# fragment packet
|
72
|
-
ipt
|
72
|
+
ipt '-A INPUT -f -j DROP'
|
73
73
|
# XMAS
|
74
|
-
ipt
|
74
|
+
ipt '-A INPUT -p tcp --tcp-flags ALL ALL -j DROP'
|
75
75
|
# null packet
|
76
|
-
ipt
|
76
|
+
ipt '-A INPUT -p tcp --tcp-flags ALL NONE -j DROP'
|
77
77
|
end
|
78
78
|
|
79
79
|
def spoofing
|
80
|
-
subs=[
|
81
|
-
subs.
|
80
|
+
subs = %w[224.0.0.0/3 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 0.0.0.0/8 240.0.0.0/5]
|
81
|
+
subs.map do |sub|
|
82
82
|
ipt "-t mangle -A PREROUTING -s #{sub} -j DROP"
|
83
83
|
end
|
84
84
|
ipt "-t mangle -A PREROUTING -s #{@lo_addr}/8 ! -i #{@lo} -j DROP"
|
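Review bot: `Root#stop!` flushes and deletes every chain in the filter, nat and mangle tables but leaves the chain policies untouched, so if a previous mode set a DROP policy (not visible in this view) the host is left with no rules and a DROP policy until `Default#all` happens to run; appending `ipt '-P INPUT ACCEPT'`, `ipt '-P FORWARD ACCEPT'` and `ipt '-P OUTPUT ACCEPT'` to `stop!` would make the cleanup self-contained. In `spoofing`, `-s #{@lo_addr}/8` builds a /8 around whatever `Interfacez.ipv4_address_of(@lo)` returned rather than the literal loopback network, which only matches the intent if that address is in 127.0.0.0/8; a comment stating that assumption, or the literal `127.0.0.0/8`, would make the rule reviewable. `spoofing` also uses `subs.map` for side effects where `each` is meant, and `line.to_s` in `ipt` is redundant for the string literals every caller passes; the `end` of `spoofing` lies outside the hunk.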