spior 0.1.4 → 0.1.5
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/CHANGELOG.md +7 -0
- data/README.md +7 -4
- data/Rakefile +2 -1
- data/bin/spior +2 -3
- data/lib/spior.rb +42 -0
- data/lib/spior/clear.rb +13 -18
- data/lib/spior/copy.rb +63 -98
- data/lib/spior/helpers.rb +13 -7
- data/lib/spior/install.rb +0 -3
- data/lib/spior/iptables.rb +5 -183
- data/lib/spior/iptables/default.rb +38 -0
- data/lib/spior/iptables/root.rb +92 -0
- data/lib/spior/iptables/tor.rb +64 -0
- data/lib/spior/menu.rb +10 -24
- data/lib/spior/network.rb +0 -1
- data/lib/spior/options.rb +8 -15
- data/lib/spior/persist.rb +29 -62
- data/lib/spior/status.rb +30 -12
- data/lib/spior/tor.rb +4 -104
- data/lib/spior/tor/info.rb +113 -0
- data/lib/spior/{reload.rb → tor/restart.rb} +3 -4
- data/lib/spior/version.rb +3 -0
- data/spior.gemspec +3 -1
- metadata +11 -9
- metadata.gz.sig +0 -0
- data/ext/ssh.conf +0 -29
- data/ext/sshd.conf +0 -46
- data/ext/sshuttle.service +0 -11
- data/lib/spior/runner.rb +0 -34
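--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 52ad58e21c256642931525e2625cb10e14a74ad17ea95825940b87f6d667fdac
+data.tar.gz: 143940314f5a3e3387f094cdeb6c371a0e34a2227b803f9cb0eaeebc8ebb512d
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: eadbf46e6b47eb820fbd88fd3d71c31183ca49a611ac0c6e0576724abc6357d6409fbf2edc9f69d38441889f262102af47f6fecadc2fe82bcbeea856d0557dc1
+data.tar.gz: f774d5a4bec3474eccaf71e8495fc813cf71681fe609e7f7d1b6bf8e386d46c525bb138b4538f23cb4634706a578cbca96bac80fc85bb37c9700c99aff984ef1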
checksums.yaml.gz.sig
CHANGED
Binary file
|
data.tar.gz.sig
CHANGED
Binary file
|
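--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,10 @@
+## 0.1.5, release 2020-11-01
+* Simplify lib/spior/copy, lib/spior/clear
+* Write iptables rules for --clearnet and --tor
+* Refacto code
+* Enhance --status with open-uri and json
+* Remove argument --net-card
+
 ## 0.1.4, release 2020-05-21
 * torrc and resolv.conf are generate dynamically
 * Remove conf/resolv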
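--- a/data/README.md
+++ b/data/README.md
@@ -17,16 +17,19 @@ And install the gem
 ### Examples
 Redirect traffic through TOR:
 
-$ spior
-$ spior -t -n eth0
+$ spior --tor
 
 Change your ip address by reloading the TOR circuit:
 
-$ spior
+$ spior --reload
 
 Look informations about your current ip address:
 
-$ spior
+$ spior --status
+
+Return to clearnet navigation
+
+$ spior --clearnet
 
 ## Left Over
 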
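--- a/data/Rakefile
+++ b/data/Rakefile
@@ -1,5 +1,6 @@
 # https://github.com/seattlerb/minitest#running-your-tests-
 require "rake/testtask"
+require File.dirname(__FILE__) + "/lib/spior/version"
 
 Rake::TestTask.new(:test) do |t|
 t.libs << "test"
@@ -12,7 +13,7 @@ namespace :gem do
 task :build do
 Dir["spior*.gem"].each {|f| File.unlink(f) }
 system("gem build spior.gemspec")
-system("gem install spior
+system("gem install spior-#{Spior::VERSION}.gem -P MediumSecurity")
 end
 end
 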
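Review bot: The new install line at new line 16 hands a single interpolated string to `system`, so the version string and the `-P MediumSecurity` option are parsed by a shell, and the return value is discarded, so a failed install does not fail the `gem:build` task; `system("gem", "install", "spior-#{Spior::VERSION}.gem", "-P", "MediumSecurity") || abort("gem install failed")` avoids the shell and surfaces the failure. The `require File.dirname(__FILE__) + "/lib/spior/version"` at new line 3 is the pre-1.9 spelling of `require_relative "lib/spior/version"`. The `namespace :gem do` block starts before the second hunk.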
data/bin/spior
CHANGED
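--- a/data/lib/spior.rb
+++ b/data/lib/spior.rb
@@ -0,0 +1,42 @@
+require_relative 'spior/clear'
+require_relative 'spior/copy'
+require_relative 'spior/install'
+require_relative 'spior/iptables'
+require_relative 'spior/msg'
+require_relative 'spior/options'
+require_relative 'spior/status'
+require_relative 'spior/tor'
+require_relative 'spior/persist'
+require_relative 'spior/network'
+require_relative 'spior/menu'
+require_relative 'spior/helpers'
+
+module Spior
+class Main
+def initialize(argv)
+@argv = argv
+run
+end
+
+private
+
+def run
+options = Options.new(@argv)
+
+if options.install
+Msg.head
+Install::check_deps
+Copy.new.save
+end
+
+if options.tor
+Msg.head
+Iptables::Tor.new.run!
+end
+
+if options.persist
+Persist.enable
+end
+end
+end
+end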
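Review bot: `Main#initialize` calls `run` as its last statement (new line 18), so merely constructing a `Main` performs the install, firewall and persist actions and there is no way to build the object without those side effects; keeping the constructor to assignment, making `run` public and having the caller (presumably `bin/spior`, whose change is listed but not shown here) invoke `Main.new(argv).run` would make the entry point explicit. `Install::check_deps` at new line 28 uses `::` for a method call; `Install.check_deps` is the conventional form and matches `Msg.head` on the line before it. The three `if` blocks are independent, so `install`, `tor` and `persist` can all run in one invocation; a one-line comment above the first, `# Flags are not exclusive: install, tor and persist all run when given together.`, would record that this is intended rather than an oversight.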
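--- a/data/lib/spior/clear.rb
+++ b/data/lib/spior/clear.rb
@@ -1,8 +1,5 @@
 require 'tty-which'
 require 'nomansland'
-require_relative 'copy'
-require_relative 'msg'
-require_relative 'helpers'
 
 module Spior
 module Clear
@@ -10,32 +7,30 @@ module Spior
 
 def all
 iptables
-
+Spior::Copy.new.restore
 end
 
 private
 
 def iptables
 puts "Clearing rules.."
-Spior::Iptables::
-
-
-
-
-
-
-
-
-
+ipt = Spior::Iptables::Default.new
+ipt.stop!
+#if File.exist?("/var/lib/iptables/rules-save")
+# ipt_restore "/var/lib/iptables/rules-save"
+#elsif File.exist?("/etc/iptables/rules.save")
+# ipt_restore "/etc/iptables/iptables.rules"
+#elsif File.exist?("/etc/iptables.rules")
+# ipt_restore "/etc/iptables.rules"
+#else
+#Msg.p "Couldn't find any previous rules for iptables, create basic rules..."
+ipt.run!
+#end
 end
 
 def ipt_restore(path)
 puts "Restoring rules #{path}..."
 Helpers::Exec.new("iptables-restore").run("#{path}")
 end
-
-def rez_configs
-Spior::Copy::restore_files
-end
 end
 end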
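Review bot: `ipt_restore` (new lines 31–34) no longer has a caller — every call to it sits inside the commented-out block at new lines 19–28 — so it is dead code that still builds an `iptables-restore` command from an interpolated path; either delete the method together with the commented block, or keep the decision visible with a comment above it such as `# Restoring a saved ruleset is disabled for now; Default#run! is applied instead.` The new flow is `stop!` followed by `run!` on `Spior::Iptables::Default`, defined in iptables/default.rb and not shown in this diff, so "clear" appears to reset to that default ruleset rather than to whatever the host had before, which the `puts "Clearing rules.."` message does not convey. The second hunk also drops `require_relative 'copy'`/`'msg'`/`'helpers'` while `Spior::Copy`, `Msg` and `Helpers::Exec` are still referenced, so this file now depends on being loaded through lib/spior.rb.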
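--- a/data/lib/spior/copy.rb
+++ b/data/lib/spior/copy.rb
@@ -1,120 +1,85 @@
-require 'nomansland'
-require 'date'
 require 'digest'
-require_relative 'msg'
-require_relative 'helpers'
 
 module Spior
 class Copy
-
-
-
-
-
-
-
-
-def backup(file, re = nil)
-return if regex_match?(file, re)
-@cp = Helpers::Exec.new("cp -a")
-backup = file + "_backup"
-if File.exist? backup
-puts "File #{backup} exist with content:"
-system("head -n 10 #{backup}")
-print "...\nOverwrite this copy? (N/y) "
-case gets.chomp
-when /^y|^Y/
-@cp.run("#{file} #{backup}")
-Msg.p "Overwrite #{file}"
-end
-else
-@cp.run("#{file} #{backup}")
-Msg.p "#{file} saved"
-end
-end
+def initialize
+@cp = Helpers::Exec.new("cp -a")
+@files = []
+search_conf_dir
+config_files
+list
+end
 
-
-
-
-if
-
+def save
+@files.each { |f|
+backup = "#{f}_backup"
+if ! File.exist? backup
+Msg.p "#{f} saved"
+@cp.run("#{f} #{backup}")
 end
-
+}
+end
 
-
-
-backup =
+def restore
+@files.each { |f|
+backup = "#{f}_backup"
 if File.exist? backup
-
+Msg.p "#{f} restored"
+@cp.run("#{backup} #{f}")
 end
-
+}
+end
 
-
-restore("/etc/tor/torrc")
-restore("/etc/resolv.conf")
-end
+private
 
-
+def config_files
+copy_file("#{@conf_dir}/ipt_mod.conf", "/etc/modules-load.d/ipt_mod.conf")
+end
 
-
-
-
-
-
-
-
-
-else
-add_file target
-end
-end
+def list
+add "/etc/resolv.conf"
+add "/etc/tor/torrc"
+add "/etc/systemd/resolved.conf"
+add "/var/lib/iptables/rules-save" # gentoo
+add "/etc/iptables/iptables.rules" # arch
+add "/etc/iptables/rules.v4" # debian
+end
 
-
-
-
-check_hash(backup, target)
-end
+def add(file)
+@files << file if File.exist? file
+end
 
-
-
-
-
-
+def search_conf_dir
+# ebuild on gentoo copy the ext dir at lib/ext
+@conf_dir = File.expand_path('../..' + '/lib/ext', __dir__)
+if ! Dir.exist?(@conf_dir)
+@conf_dir = File.expand_path('../..' + '/ext', __dir__)
 end
+end
 
-
-
-
-
-
-end
+def previous_copy(target)
+backup=`ls #{target}.backup-* | head -1`.chomp
+return false if ! File.exist? backup
+check_hash(backup, target)
+end
 
-
-
-
-
+def add_file(target)
+@cp.run("#{@config_file} #{target}")
+Msg.p "File #{@config_file} has been successfully copied at #{target}"
+end
 
-
-
-
-
-
-
-end
-else
-puts "No found previous backup for #{target}"
-end
-end
+def copy_file(conf, target)
+@config_file = conf
+add_file target if ! File.exist? target
+return if check_hash(@config_file, target)
+add_file target
+end
 
-
-
-
-
-
-end
-end
-false
-end
+def check_hash(src, target)
+return if not File.exist?(target)
+sha256conf = Digest::SHA256.file src
+sha256target = Digest::SHA256.file target
+sha256conf === sha256target
 end
 end
 end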
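Review bot: `previous_copy` (new lines 60–64) shells out with backticks — `ls #{target}.backup-* | head -1` — to find a file that `Dir.glob` locates without a shell, and nothing in the new class calls it (the other private helpers are all reached from `initialize` through `config_files` and `list`); if it is kept, `backup = Dir.glob("#{target}.backup-*").first.to_s` does the same lookup in-process. `check_hash` compares two `Digest::SHA256` objects with `===` at new line 82, where `==` is what is meant and reads as such, and it returns `nil` rather than `false` for a missing target, which `copy_file` only tolerates because it treats both as falsy. `save` never refreshes an existing `_backup`, so what `restore` puts back is the state captured the first time `save` ran; a comment on `save` such as `# An existing backup is kept untouched so restore always returns to the pre-spior copy.` would record that this is intended.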
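--- a/data/lib/spior/helpers.rb
+++ b/data/lib/spior/helpers.rb
@@ -1,5 +1,6 @@
 require 'fileutils'
 require 'tempfile'
+require 'open3'
 
 module Helpers
 class Exec
@@ -9,12 +10,16 @@ module Helpers
 end
 
 def run(args)
-
-
-
-
-
-
+cmd = @search_uid == '0' ? @name : "sudo #{@name}"
+Open3.popen2e("#{cmd} #{args}") do |stdin, stdout_err, wait_thr|
+while line = stdout_err.gets
+puts line
+end
+
+exit_status = wait_thr.value
+unless exit_status.success?
+raise "Error, Running #{cmd} #{args}"
+end
 end
 end
 end
@@ -47,6 +52,7 @@ module Helpers
 File.open(tmp.path, 'w') do |file|
 file.puts @string
 end
+puts "move #{tmp.path} to #{@dest}"
 @mv.run("#{tmp.path} #{@dest}")
 end
 
@@ -79,7 +85,7 @@ module Helpers
 # === Parameters:
 # * _string_ = the string of for whole content file
 # * _name_ = the name of the service (e.g: tor.service)
-def
+def initialize(string, name)
 super
 @systemd_dir = search_systemd_dir
 @dest = @systemd_dir + "/" + @name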
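Review bot: `Exec#run` never closes the child's `stdin` block parameter (new line 14 of the second hunk), so a command that reads standard input waits on that pipe while the block is itself blocked on `stdout_err.gets`, and the call hangs; `stdin.close` as the first statement of the block avoids that, and the parameter can then be named `_stdin`-free since it is used. The failure message at new line 21 drops the exit code; `raise "Error, Running #{cmd} #{args} (exit #{exit_status.exitstatus})"` keeps it for whoever catches the error. The command is still assembled as one string, so `args` is parsed by a shell — at the call sites visible in this diff those are fixed paths built by the gem itself, which is worth a comment on `run`, e.g. `# args is passed through a shell; callers must not interpolate untrusted input into it.` `@search_uid` and `@name` are set in the constructor, which is outside this hunk.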
data/lib/spior/install.rb
CHANGED
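--- a/data/lib/spior/iptables.rb
+++ b/data/lib/spior/iptables.rb
@@ -1,186 +1,8 @@
-require 'interfacez'
-require_relative 'tor'
-require_relative 'msg'
-require_relative 'helpers'
-
 module Spior
-
-
-def self.tor(interface = false)
-initialize(interface)
-flush_rules
-bogus_tcp_flags
-bad_packets
-spoofing
-icmp
-dns
-nat
-input
-forward
-output
-drop_all
-end
-
-def self.flush_rules
-@i = Helpers::Exec.new("iptables")
-ipt "-F"
-ipt "-X"
-ipt "-t nat -F"
-ipt "-t nat -X"
-ipt "-t mangle -F"
-ipt "-t mangle -X"
-end
-
-private
-
-def self.initialize(interface)
-@lo = Interfacez.loopback
-@lo_addr = Interfacez.ipv4_address_of(@lo)
-@tor = Spior::Tor.new
-@non_tor = ["#{@lo_addr}/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
-@incoming = interface
-@incoming_addr = Interfacez.ipv4_address_of(@incoming)
-end
-
-def self.check_dep
-Spior::Copy::config_files
-end
-
-def self.ipt(line)
-@i.run("#{line}")
-#puts "added - #{@i} #{line}"
-end
-
-def self.drop_all
-ipt "-P INPUT DROP"
-ipt "-P FORWARD DROP"
-ipt "-P OUTPUT DROP"
-end
-
-def self.bogus_tcp_flags
-puts "bogus"
-ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP"
-ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP"
-ipt "-t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP"
-ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP"
-ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP"
-ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP"
-ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP"
-ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP"
-ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP"
-ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP"
-ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP"
-ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP"
-ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP"
-end
-
-def self.bad_packets
-puts "bad_packets"
-# new packet not syn
-ipt "-t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP"
-# fragment packet
-ipt "-A INPUT -f -j DROP"
-# XMAS
-ipt "-A INPUT -p tcp --tcp-flags ALL ALL -j DROP"
-# null packet
-ipt "-A INPUT -p tcp --tcp-flags ALL NONE -j DROP"
-end
-
-def self.spoofing
-subs=["224.0.0.0/3", "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/5"]
-subs.each do |sub|
-ipt "-t mangle -A PREROUTING -s #{sub} -j DROP"
-end
-ipt "-t mangle -A PREROUTING -s #{@lo_addr}/8 ! -i #{@lo} -j DROP"
-end
-
-def self.icmp
-puts "icmp"
-ipt "-N port-scanning"
-ipt "-A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN"
-ipt "-A port-scanning -j DROP"
-
-ipt "-N syn_flood"
-ipt "-A INPUT -p tcp --syn -j syn_flood"
-ipt "-A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN"
-ipt "-A syn_flood -j DROP"
-
-ipt "-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT"
-ipt "-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:"
-ipt "-A INPUT -p icmp -j DROP"
-ipt "-A OUTPUT -p icmp -j ACCEPT"
-end
-
-def self.dns
-puts "dns"
-ipt "-t nat -A PREROUTING ! -i #{@lo} -p udp -m udp --dport 53 -j REDIRECT --to-ports #{@tor.dns}"
-ipt "-t nat -A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports #{@tor.dns}"
-ipt "-t nat -A OUTPUT -p tcp -m tcp --dport 53 -j REDIRECT --to-ports #{@tor.dns}"
-end
-
-def self.nat
-puts "nat"
-# nat .onion addresses
-ipt "-t nat -A OUTPUT -d #{@tor.virt_addr} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports #{@tor.trans_port}"
-
-# Don't nat the Tor process, the loopback, or the local network
-ipt "-t nat -A OUTPUT -m owner --uid-owner #{@tor.uid} -j RETURN"
-ipt "-t nat -A OUTPUT -o #{@lo} -j RETURN"
-
-# Allow lan access for hosts in $non_tor
-@non_tor.each do |lan|
-ipt "-t nat -A OUTPUT -d #{lan} -j RETURN"
-end
-
-# Redirects all other pre-routing and output to Tor's TransPort
-ipt "-t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports #{@tor.trans_port}"
-
-# Redirects all other pre-routing and output to Tor's TransPort
-ipt "-t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports #{@tor.trans_port}"
-end
-
-def self.input
-puts "input"
-ipt "-A INPUT -i #{@incoming} -p tcp -s #{@incoming_addr} --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
-
-# Allow loopback, rules
-ipt "-A INPUT -m state --state ESTABLISHED -j ACCEPT"
-ipt "-A INPUT -i #{@lo} -j ACCEPT"
-
-# Allow DNS lookups from connected clients and internet access through tor.
-ipt "-A INPUT -d #{@incoming_addr} -i #{@incoming} -p udp -m udp --dport #{@tor.dns} -j ACCEPT"
-ipt "-A INPUT -d #{@incoming_addr} -i #{@incoming} -p tcp -m tcp --dport #{@tor.trans_port} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT"
-
-# Default
-ipt "-A INPUT -j DROP"
-end
-
-def self.output
-puts "output"
-ipt "-A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix \"DROP INVALID \" --log-ip-options --log-tcp-options"
-ipt "-A OUTPUT -m conntrack --ctstate INVALID -j DROP"
-ipt "-A OUTPUT -m state --state ESTABLISHED -j ACCEPT"
-
-# output
-ipt "-A OUTPUT -m owner --uid-owner #{@tor.uid} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT"
-
-# Accept, allow loopback output
-ipt "-A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
-ipt "-A OUTPUT -d #{@lo_addr}/32 -o #{@lo} -j ACCEPT"
-
-# tor transparent magic
-ipt "-A OUTPUT -d #{@lo_addr}/32 -p tcp -m tcp --dport #{@tor.trans_port} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT"
-
-ipt "-A OUTPUT -j DROP"
-end
-
-def self.forward
-puts "forward"
-ipt "-A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix \"DROP INVALID \" --log-ip-options --log-tcp-options"
-ipt "-A FORWARD -m conntrack --ctstate INVALID -j DROP"
-ipt "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
-ipt "-A FORWARD -i #{@incoming} ! -s #{@incoming_addr} -j LOG --log-prefix \"SPOOFED PKT \""
-ipt "-A FORWARD -i #{@incoming} ! -s #{@incoming_addr} -j DROP"
-end
+module Iptables
 end
 end
+
+require_relative 'iptables/root'
+require_relative 'iptables/tor'
+require_relative 'iptables/default'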
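Review bot: The three `require_relative` lines at new lines 6–8 sit after the `module Spior; module Iptables; end; end` shell rather than at the top of the file, which is unusual for a namespace file; it works only if iptables/root.rb, iptables/tor.rb and iptables/default.rb (listed in the diffstat but not shown here) reopen `Spior::Iptables` themselves rather than expecting it to exist before they are loaded, and a comment above them would save the next reader that check, e.g. `# Loaded after the namespace so the sub-files can reopen Spior::Iptables.` Nothing else remains in this file, so it is now purely the namespace anchor; the rule set that used to live here is history and is not re-reviewed.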