spior 0.1.6 → 0.2.8
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +3 -3
- data/.github/workflows/rubocop-analysis.yml +47 -0
- data/.gitignore +1 -0
- data/CHANGELOG.md +14 -0
- data/Gemfile +5 -0
- data/README.md +13 -3
- data/Rakefile +20 -9
- data/lib/spior/dep.rb +45 -23
- data/lib/spior/helpers.rb +19 -19
- data/lib/spior/iptables/default.rb +19 -13
- data/lib/spior/iptables/root.rb +35 -36
- data/lib/spior/iptables/rules.rb +103 -0
- data/lib/spior/iptables/tor.rb +23 -20
- data/lib/spior/iptables.rb +3 -0
- data/lib/spior/menu.rb +16 -23
- data/lib/spior/msg.rb +22 -8
- data/lib/spior/options.rb +16 -19
- data/lib/spior/service/enable.rb +63 -0
- data/lib/spior/service/restart.rb +4 -12
- data/lib/spior/service/start.rb +5 -17
- data/lib/spior/service/stop.rb +12 -0
- data/lib/spior/service.rb +5 -0
- data/lib/spior/status.rb +32 -24
- data/lib/spior/tor/config.rb +100 -0
- data/lib/spior/tor/data.rb +53 -0
- data/lib/spior/tor/start.rb +59 -0
- data/lib/spior/tor/stop.rb +32 -0
- data/lib/spior/tor.rb +8 -1
- data/lib/spior/version.rb +3 -1
- data/lib/spior.rb +16 -23
- data/spior.gemspec +24 -21
- data/test/test_install.rb +2 -2
- data/test/test_options.rb +2 -0
- data.tar.gz.sig +0 -0
- metadata +57 -51
- metadata.gz.sig +0 -0
- data/lib/spior/clear.rb +0 -35
- data/lib/spior/copy.rb +0 -84
- data/lib/spior/persist.rb +0 -51
- data/lib/spior/tor/info.rb +0 -96
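--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 57323a089d6067de5bd331a14a2471bd5b5f266135d23fa08e54df4bd23dbb4f
+data.tar.gz: 63b77a80284704c7798b954a3b121862d214c369fd1784e70470b9f34fa91783
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 81fee9fa3884a93d3465c5344156a8daa142c5e6274041f349a8cdddb5c6d51b0d0b2a71f2c16a670058510f398be22e4300038fde61848e2cc756b1a9cd4459
+data.tar.gz: f1e26ab4d457c04071fe43543e4c83c6f0cfbc76eb06616e7f8ef8bdb6aea9defb1bd23e07a12ba571e8566a02b2048688e68f9ba1a7f82bb5e00d665efc66fb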
checksums.yaml.gz.sig
CHANGED
@@ -1,3 +1,3 @@
|
|
1
|
-
Y
|
2
|
-
|
3
|
-
|
1
|
+
i���X�碙�ȾY����c�F�`�<�N�
|
2
|
+
1�V�-7�E�C/���q/8��ے>j��Rƪ�p���n��_ch98;W`16M]3_D���`�����OYt�"��W�,7�"�������
|
3
|
+
�<]�=�����!!kInS�M���mJ��.�R��:�] �c�q�I[wʕ#�^3G+U��4���
|
@@ -0,0 +1,47 @@
|
|
1
|
+
# pulled from repo
|
2
|
+
name: "Rubocop"
|
3
|
+
|
4
|
+
on:
|
5
|
+
push:
|
6
|
+
branches: [ develop ]
|
7
|
+
pull_request:
|
8
|
+
# The branches below must be a subset of the branches above
|
9
|
+
branches: [ develop ]
|
10
|
+
schedule:
|
11
|
+
- cron: '42 4 * * 6'
|
12
|
+
|
13
|
+
jobs:
|
14
|
+
rubocop:
|
15
|
+
runs-on: ubuntu-latest
|
16
|
+
strategy:
|
17
|
+
fail-fast: false
|
18
|
+
|
19
|
+
steps:
|
20
|
+
- name: Checkout repository
|
21
|
+
uses: actions/checkout@v1
|
22
|
+
|
23
|
+
# If running on a self-hosted runner, check it meets the requirements
|
24
|
+
# listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners
|
25
|
+
- name: Set up Ruby
|
26
|
+
uses: ruby/setup-ruby@v1
|
27
|
+
with:
|
28
|
+
ruby-version: 2.6
|
29
|
+
|
30
|
+
# This step is not necessary if you add the gem to your Gemfile
|
31
|
+
- name: Install Code Scanning integration
|
32
|
+
run: bundle add code-scanning-rubocop --skip-install
|
33
|
+
|
34
|
+
- name: Install dependencies
|
35
|
+
run: bundle install
|
36
|
+
|
37
|
+
- name: Rubocop run
|
38
|
+
run: |
|
39
|
+
bash -c "
|
40
|
+
bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
|
41
|
+
[[ $? -ne 2 ]]
|
42
|
+
"
|
43
|
+
|
44
|
+
- name: Upload Sarif output
|
45
|
+
uses: github/codeql-action/upload-sarif@v2
|
46
|
+
with:
|
47
|
+
sarif_file: rubocop.sarif
|
data/.gitignore
CHANGED
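--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,17 @@
+## 0.2.8, release 2022-09-16
+* Spior used with `--clearnet` try to restore iptables rules found on your system, e.g: `/etc/iptables/iptables.rules` and `/etc/iptables/iptables.rules-backup` for Archlinux or use `Spior::Iptables::Default`.
+* Stdout enhanced.
+* Enhance `Spior::Dep` for install the dependencies.
+* Make `Spior::Persist` work for Archlinux.
+* Update `Spior::Menu`.
+* Start documenting code.
+* `spior --reload` make a new IP each time it called, `Spior::Service` was rewritten.
+* Spior can be configured with `Spior::CONFIG` if used as library.
+* Spior look options from the `/etc/tor/torrc` and use them if any.
+* Add Rubocop style, fix ~300 code reports.
+* Spior no longer backup/restore the file `/etc/tor/torrc`.
+* Certificate update `certs/szorfein.pem`.
+
 ## 0.1.6, release 2021-12-30
 * Make it work for Voidlinux.
 * Add a man page.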
data/Gemfile
ADDED
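--- a/data/README.md
+++ b/data/README.md
@@ -4,11 +4,14 @@
 <br/>
 
 [![Gem Version](https://badge.fury.io/rb/spior.svg)](https://badge.fury.io/rb/spior)
+![GitHub Workflow Status (branch)](https://img.shields.io/github/workflow/status/szorfein/spior/Rubocop/develop)
+[![Ruby Style Guide](https://img.shields.io/badge/code_style-rubocop-brightgreen.svg)](https://github.com/rubocop/rubocop)
 ![GitHub](https://img.shields.io/github/license/szorfein/spior)
 
 </div>
 
-
+
+(Spider|Tor) A tool to redirect all your local traffic to the [Tor](https://www.torproject.org/) network.
 
 ## Install
 Spior is cryptographically signed, so add my public key (if you haven’t already) as a trusted certificate.
@@ -19,10 +22,15 @@ And install the gem:
 
 $ gem install spior -P MediumSecurity
 
-Or user wide (Spior will use `sudo`)
+Or user wide (Spior will use `sudo`, `doas` will be supported in next release)
 
 $ gem install --user-install spior
 
+## Requirements
+Spior use `iptables` and `tor`, which can be installed with (if your distro is supported):
+
+$ spior --install
+
 ## Usage
 
 $ spior -h
@@ -51,4 +59,6 @@ For any questions, comments, feedback or issues, submit a [new issue](https://gi
 
 ### links
 + https://rubyreferences.github.io/rubyref
-+ https://rubystyle.guide/
++ https://rubystyle.guide/
++ https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TransparentProxy
++ https://github.com/epidemics-scepticism/writing/blob/master/misconception.md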
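--- a/data/Rakefile
+++ b/data/Rakefile
@@ -1,20 +1,31 @@
+# frozen_string_literal: true
+
 # https://github.com/seattlerb/minitest#running-your-tests-
-require
-require
+require 'rake/testtask'
+require 'rdoc/task'
+require File.dirname(__FILE__) + '/lib/spior/version'
+
+# rake rdoc
+Rake::RDocTask.new('rdoc') do |rdoc|
+rdoc.title = 'spior'
+rdoc.options << '--line-numbers'
+rdoc.main = 'README.md'
+rdoc.rdoc_files.include 'lib/**/*.rb', 'README.md'
+end
 
 Rake::TestTask.new(:test) do |t|
-t.libs <<
-t.libs <<
-t.test_files = FileList[
+t.libs << 'test'
+t.libs << 'lib'
+t.test_files = FileList['test/test_*.rb']
 end
 
 namespace :gem do
-desc
+desc 'build the gem'
 task :build do
-Dir[
-system(
+Dir['spior*.gem'].each { |f| File.unlink(f) }
+system('gem build spior.gemspec')
 system("gem install --user-install spior-#{Spior::VERSION}.gem -P MediumSecurity")
 end
 end
 
-task :
+task default: :test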
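Review bot: `require File.dirname(__FILE__) + '/lib/spior/version'` on new line 6 builds the path by string concatenation, which is the pre-1.9 spelling; `require_relative 'lib/spior/version'` is the idiomatic form and does the same thing. `Rake::RDocTask` on new line 9 is the alias `rdoc/task` keeps for backwards compatibility; `RDoc::Task.new('rdoc') do |rdoc|` is the name the library itself documents, and the block body is unchanged.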
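--- a/data/lib/spior/dep.rb
+++ b/data/lib/spior/dep.rb
@@ -1,37 +1,59 @@
+# frozen_string_literal: true
+
 require 'nomansland'
 require 'tty-which'
 
 module Spior
+# Dep: install all dependencies for Spior
 module Dep
-
-
-
-
-
-
-
-
-
-
-
+extend self
+
+def looking
+case Nomansland.distro?
+when :archlinux
+Msg.p 'Looking dependencies for Archlinux...'
+installing_deps(%w[iptables tor])
+when :debian
+Msg.p 'Looking dependencies for Debian...'
+installing_deps(%w[iptables tor])
+when :gentoo
+Msg.p 'Looking dependencies for Gentoo...'
+installing_deps(%w[iptables tor])
+when :void
+Msg.p 'Looking dependencies for Voidlinux...'
+installing_deps(%w[iptables tor])
+else
+Msg.report 'Install for your distro is not yet supported.'
+end
+end
+
+protected
+
+def installing_deps(names)
+names.map do |n|
+install(n) unless search_dep(n)
+end
+Msg.p 'Dependencies are OK.'
 end
 
-def
-
+def install(name)
+Msg.p "Installing #{name}..."
+case Nomansland.installer?
+when :apt_get
+Helpers::Exec.new('apt-get').run("install #{name}")
 when :emerge
-Helpers::Exec.new('emerge
+Helpers::Exec.new('emerge').run("-av #{name}")
 when :pacman
-Helpers::Exec.new('pacman
-when :yum
-Helpers::Exec.new('yum install').run('tor iptables')
+Helpers::Exec.new('pacman').run("-S #{name}")
 when :void
-Helpers::Exec.new('xbps-install
-when :
-Helpers::Exec.new('
-else
-Msg.report 'Your system is not yet supported.'
+Helpers::Exec.new('xbps-install').run("-y #{name}")
+when :yum
+Helpers::Exec.new('yum').run("install #{name}")
 end
-
+end
+
+def search_dep(name)
+TTY::Which.exist?(name) ? true : false
 end
 end
 end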
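Review bot: The rewritten `install` (new lines 39–53) drops the `else` branch the old version had, so on a system where `Nomansland.installer?` matches none of the five symbols the method prints `Installing …` and then returns silently, and `installing_deps` still prints `Dependencies are OK.` because the result of `Helpers::Exec#run` is never looked at. Restore the fallback with `else` / `Msg.report "No supported installer found to install #{name}."` before the `end` of the `case`. Two style points in the same hunk: `installing_deps` iterates for its side effect only, so `names.each` says what is meant where `names.map` builds a throwaway array, and `search_dep` can return `TTY::Which.exist?(name)` directly since the `? true : false` only re-states the predicate's result.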
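--- a/data/lib/spior/helpers.rb
+++ b/data/lib/spior/helpers.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'fileutils'
 require 'tempfile'
 require 'open3'
@@ -10,8 +12,8 @@ module Helpers
 end
 
 def run(args)
-cmd = @search_uid == '0' ? @name : "sudo #{@name}"
-Open3.popen2e("#{cmd} #{args}") do |
+cmd = (@search_uid == '0' ? @name : "sudo #{@name}")
+Open3.popen2e("#{cmd} #{args}") do |_, stdout_err, wait_thr|
 while line = stdout_err.gets
 puts line
 end
@@ -38,27 +40,25 @@ module Helpers
 # * _string_ = string for the whole file
 # * _name_ = name of the file (e.g: resolv.conf)
 # * _dest_ = path (e.g: /etc)
-def initialize(string, name, dest =
+def initialize(string, name, dest = '/tmp')
 @string = string
 @name = name
-@dest = dest
+@dest = "#{dest}/#{@name}"
 end
 
 # Method #add
 # Add the file at @dest
 def add
-@mv = Helpers::Exec.new(
+@mv = Helpers::Exec.new('mv')
 tmp = Tempfile.new(@name)
-File.
-file.puts @string
-end
+File.write tmp.path, "#{@string}\n"
 puts "move #{tmp.path} to #{@dest}"
 @mv.run("#{tmp.path} #{@dest}")
 end
 
 def perm(user, perm)
-chown = Helpers::Exec.new(
-chmod = Helpers::Exec.new(
+chown = Helpers::Exec.new('chown')
+chmod = Helpers::Exec.new('chmod')
 chown.run("#{user}:#{user} #{@dest}")
 chmod.run("#{perm} #{@dest}")
 end
@@ -88,30 +88,30 @@ module Helpers
 def initialize(string, name)
 super
 @systemd_dir = search_systemd_dir
-@dest = @systemd_dir
+@dest = "#{@systemd_dir}/#{@name}"
 end
 
 # Method #add
 # Create a temporary file and move
 # the service @name to the systemd directory
 def add
-@systemctl = Helpers::Exec.new(
+@systemctl = Helpers::Exec.new('systemctl')
 super
-@systemctl.run(
+@systemctl.run('daemon-reload')
 end
 
 private
+
 # Method search_systemd_dir
 # Search the current directory for systemd services
 # + Gentoo can install at /lib/systemd/system or /usr/lib/systemd/system
 def search_systemd_dir
-if Dir.exist?
-
-elsif Dir.exist?
-
+if Dir.exist? '/lib/systemd/system'
+'/lib/systemd/system'
+elsif Dir.exist? '/usr/lib/systemd/system'
+'/usr/lib/systemd/system'
 else
-raise
-exit
+raise 'No directory systemd found'
 end
 end
 end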
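Review bot: `Exec#run` (new lines 14–19) now names `wait_thr` in the block parameters but never reads its exit status, so a failing `sudo iptables …`, `mv`, `chown` or package install is indistinguishable from success for every caller in this commit. Adding `wait_thr.value.success?` after the `while` loop makes the block — and, provided the `popen2e` call is the method's last expression (its end is outside the hunk), `run` itself — return whether the command succeeded, so callers can react. It is also worth a comment on new line 16 that `Open3.popen2e` receives one string, `"#{cmd} #{args}"`, which is interpreted by a shell: every `args` assembled from a path or a user name (`add` and `perm` below, `@dest` built from `name` on new line 46) must stay free of shell metacharacters or be passed as separate arguments. The `Exec` class header and the classes holding `add`/`perm` start outside these hunks.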
@@ -1,37 +1,43 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
module Spior
|
2
4
|
module Iptables
|
5
|
+
# Default and generic Iptables rules when Tor is not used.
|
6
|
+
#
|
7
|
+
# Allowed ports:
|
8
|
+
# * Input 22: for ssh connection
|
3
9
|
class Default < Iptables::Root
|
4
10
|
private
|
5
|
-
|
11
|
+
|
6
12
|
def input
|
7
13
|
# SSH
|
8
|
-
ipt
|
14
|
+
ipt '-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'
|
9
15
|
# Allow loopback, rules
|
10
16
|
ipt "-A INPUT -i #{@lo} -j ACCEPT"
|
11
17
|
# Accept related
|
12
|
-
ipt
|
18
|
+
ipt '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
|
13
19
|
end
|
14
20
|
|
15
21
|
def output
|
16
|
-
ipt
|
17
|
-
ipt
|
22
|
+
ipt '-A OUTPUT -m conntrack --ctstate INVALID -j DROP'
|
23
|
+
ipt '-A OUTPUT -m state --state ESTABLISHED -j ACCEPT'
|
18
24
|
|
19
25
|
# Allow SSH
|
20
|
-
ipt
|
26
|
+
ipt '-A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'
|
21
27
|
|
22
28
|
# Allow Loopback
|
23
29
|
ipt "-A OUTPUT -d #{@lo_addr}/8 -o #{@lo} -j ACCEPT"
|
24
30
|
|
25
31
|
# Default
|
26
|
-
ipt
|
32
|
+
ipt '-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT'
|
27
33
|
end
|
28
|
-
|
34
|
+
|
29
35
|
def all
|
30
|
-
ipt
|
31
|
-
ipt
|
32
|
-
ipt
|
33
|
-
ipt
|
34
|
-
ipt
|
36
|
+
ipt '-t filter -A OUTPUT -p udp -j ACCEPT'
|
37
|
+
ipt '-t filter -A OUTPUT -p icmp -j REJECT'
|
38
|
+
ipt '-P INPUT ACCEPT'
|
39
|
+
ipt '-P FORWARD ACCEPT'
|
40
|
+
ipt '-P OUTPUT ACCEPT'
|
35
41
|
end
|
36
42
|
end
|
37
43
|
end
|
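Review bot: `all` (new lines 35–41) sets `-P INPUT ACCEPT`, which makes the three ACCEPT rules added by `input` (ssh, loopback, established/related) redundant — with an ACCEPT policy every other inbound packet is accepted too, so the new class comment `Allowed ports: Input 22` states more than this rule set enforces. Either the INPUT policy should be DROP so that `input` really is the allow-list, or the comment should say the set is permissive and only the DROP rules defined in `Root` (if `run!`, which is outside this hunk, applies them) restrict inbound traffic; at minimum I would add `# NOTE: chain policies are ACCEPT, the rules in #input are not an allow-list` above `def all`. Separately, new line 23 uses the legacy `-m state --state ESTABLISHED` while every other rule in the file uses `-m conntrack --ctstate`, and new line 32 already adds `ipt '-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT'`, so line 23 can simply be dropped.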
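--- a/data/lib/spior/iptables/root.rb
+++ b/data/lib/spior/iptables/root.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'interfacez'
 
 module Spior
@@ -6,8 +8,8 @@ module Spior
 def initialize
 @lo = Interfacez.loopback
 @lo_addr = Interfacez.ipv4_address_of(@lo)
-@i = Helpers::Exec.new(
-
+@i = Helpers::Exec.new('iptables')
+@debug = false
 end
 
 def run!
@@ -22,63 +24,60 @@ module Spior
 end
 
 def stop!
-
-ipt
-ipt
-ipt
-ipt
-ipt
+Msg.p 'Clearing Iptables rules...'
+ipt '-F'
+ipt '-X'
+ipt '-t nat -F'
+ipt '-t nat -X'
+ipt '-t mangle -F'
+ipt '-t mangle -X'
 end
 
 private
 
 def ipt(line)
 @i.run("#{line}")
-puts "
+puts "Added - iptables #{line}" if @debug
 end
 
-def redirect
-end
+def redirect; end
 
-def input
-end
+def input; end
 
-def output
-end
+def output; end
 
-def all
-end
+def all; end
 
 def bogus_tcp_flags
-ipt
-ipt
-ipt
-ipt
-ipt
-ipt
-ipt
-ipt
-ipt
-ipt
-ipt
-ipt
-ipt
+ipt '-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP'
+ipt '-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP'
+ipt '-t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP'
+ipt '-t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP'
+ipt '-t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP'
+ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP'
+ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP'
+ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP'
+ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP'
+ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP'
+ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP'
+ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP'
+ipt '-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP'
 end
 
 def bad_packets
 # new packet not syn
-ipt
+ipt '-t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP'
 # fragment packet
-ipt
+ipt '-A INPUT -f -j DROP'
 # XMAS
-ipt
+ipt '-A INPUT -p tcp --tcp-flags ALL ALL -j DROP'
 # null packet
-ipt
+ipt '-A INPUT -p tcp --tcp-flags ALL NONE -j DROP'
 end
 
 def spoofing
-subs=[
-subs.
+subs = %w[224.0.0.0/3 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 0.0.0.0/8 240.0.0.0/5]
+subs.map do |sub|
 ipt "-t mangle -A PREROUTING -s #{sub} -j DROP"
 end
 ipt "-t mangle -A PREROUTING -s #{@lo_addr}/8 ! -i #{@lo} -j DROP"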
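Review bot: `stop!` (new lines 26–34) flushes and deletes the chains of the filter, nat and mangle tables but leaves the built-in chain policies untouched; if a previously applied rule set had switched INPUT or OUTPUT to DROP, the host is left with a DROP policy and no ACCEPT rules after "clearing", i.e. cut off from the network until something else resets it (the Tor rule set is not in this chunk, so whether it does so is inferred, not seen — but `Default#all` setting the policies back to ACCEPT suggests they are changed somewhere). Resetting them first with `ipt '-P INPUT ACCEPT'`, `ipt '-P FORWARD ACCEPT'`, `ipt '-P OUTPUT ACCEPT'` ahead of `ipt '-F'` makes `stop!` leave a known state. Two smaller points: `@i.run("#{line}")` on new line 39 is just `@i.run(line)`, and `subs.map` on new line 80 is used for its side effect only, so `subs.each` says what is meant; `spoofing` continues past the end of the hunk.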
@@ -0,0 +1,103 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'tempfile'
|
4
|
+
require 'fileutils'
|
5
|
+
require 'nomansland'
|
6
|
+
|
7
|
+
module Spior
|
8
|
+
module Iptables
|
9
|
+
class Rules
|
10
|
+
def initialize
|
11
|
+
@tmp_iptables_rules = Tempfile.new('iptables_rules')
|
12
|
+
@tmp_spior_rules = Tempfile.new('spior_rules')
|
13
|
+
@rules_path = search_iptables_config
|
14
|
+
end
|
15
|
+
|
16
|
+
def backup
|
17
|
+
save_rules(@tmp_iptables_rules)
|
18
|
+
insert_comment(@tmp_spior_rules, @tmp_iptables_rules)
|
19
|
+
create_file(@tmp_spior_rules, @rules_path)
|
20
|
+
end
|
21
|
+
|
22
|
+
def restore
|
23
|
+
unless restoring_older_rules(@rules_path)
|
24
|
+
Msg.p 'Adding clearnet navigation...'
|
25
|
+
Iptables::Default.new.run!
|
26
|
+
end
|
27
|
+
end
|
28
|
+
|
29
|
+
protected
|
30
|
+
|
31
|
+
def save_rules(tmp_file)
|
32
|
+
Msg.p 'Saving Iptables rules...'
|
33
|
+
Helpers::Exec.new('iptables-save').run("> #{tmp_file.path}")
|
34
|
+
end
|
35
|
+
|
36
|
+
def insert_comment(spior_file, iptable_file)
|
37
|
+
outfile = File.open(spior_file.path, 'w')
|
38
|
+
outfile.puts '# Rules saved by Spior.'
|
39
|
+
outfile.puts(File.read(iptable_file.path))
|
40
|
+
outfile.close
|
41
|
+
end
|
42
|
+
|
43
|
+
def search_for_comment(filename)
|
44
|
+
File.open(filename) do |f|
|
45
|
+
f.each do |line|
|
46
|
+
return true if line.match(/saved by Spior/)
|
47
|
+
end
|
48
|
+
end
|
49
|
+
false
|
50
|
+
end
|
51
|
+
|
52
|
+
def move(src, dest)
|
53
|
+
if Process::Sys.getuid == '0'
|
54
|
+
FileUtils.mv(src, dest)
|
55
|
+
else
|
56
|
+
Helpers::Exec.new('mv').run("#{src} #{dest}")
|
57
|
+
end
|
58
|
+
end
|
59
|
+
|
60
|
+
def create_file(tmpfile, dest)
|
61
|
+
if File.exist? dest
|
62
|
+
if search_for_comment(dest)
|
63
|
+
Msg.p "Older Spior rules found #{dest}, erasing..."
|
64
|
+
else
|
65
|
+
Msg.p "File exist #{dest}, create backup #{dest}-backup..."
|
66
|
+
move(dest, "#{dest}-backup")
|
67
|
+
end
|
68
|
+
end
|
69
|
+
move(tmpfile.path, dest)
|
70
|
+
end
|
71
|
+
|
72
|
+
def restoring_older_rules(filename)
|
73
|
+
files = %W[#(unknown) #(unknown)-backup]
|
74
|
+
files.each do |f|
|
75
|
+
next unless File.exist? f
|
76
|
+
|
77
|
+
unless search_for_comment(f)
|
78
|
+
Iptables::Root.new.stop!
|
79
|
+
Msg.p "Found older rules #{f}, restoring..."
|
80
|
+
Helpers::Exec.new('iptables-restore').run(f)
|
81
|
+
return true
|
82
|
+
end
|
83
|
+
end
|
84
|
+
false
|
85
|
+
end
|
86
|
+
|
87
|
+
private
|
88
|
+
|
89
|
+
def search_iptables_config
|
90
|
+
case Nomansland.distro?
|
91
|
+
when :archlinux || :void
|
92
|
+
'/etc/iptables/iptables.rules'
|
93
|
+
when :debian
|
94
|
+
'/etc/iptables.up.rules'
|
95
|
+
when :gentoo
|
96
|
+
'/var/lib/iptables/rules-save'
|
97
|
+
else
|
98
|
+
Msg.report 'I don`t know where you distro save the rules for iptables yet'
|
99
|
+
end
|
100
|
+
end
|
101
|
+
end
|
102
|
+
end
|
103
|
+
end
|