class Spior::Iptables::Root

Public Class Methods

new() click to toggle source
# File lib/spior/iptables/root.rb, line 6
def initialize
  @lo      = Interfacez.loopback
  @lo_addr = Interfacez.ipv4_address_of(@lo)
  @i = Helpers::Exec.new("iptables")
  Spior::Copy.new.save
end

Public Instance Methods

restart!() click to toggle source
# File lib/spior/iptables/root.rb, line 23
def restart!
  stop!
  run!
end
run!() click to toggle source
# File lib/spior/iptables/root.rb, line 13
def run!
  bogus_tcp_flags
  bad_packets
  spoofing
  redirect
  input
  output
  all
end
stop!() click to toggle source
# File lib/spior/iptables/root.rb, line 28
def stop!
  ipt "-F"
  ipt "-X"
  ipt "-t nat -F"
  ipt "-t nat -X"
  ipt "-t mangle -F"
  ipt "-t mangle -X"
end

Private Instance Methods

all() click to toggle source
# File lib/spior/iptables/root.rb, line 53
def all
end
bad_packets() click to toggle source
# File lib/spior/iptables/root.rb, line 72
def bad_packets
  # new packet not syn
  ipt "-t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP"
  # fragment  packet
  ipt "-A INPUT -f -j DROP"
  # XMAS
  ipt "-A INPUT -p tcp --tcp-flags ALL ALL -j DROP"
  # null packet
  ipt "-A INPUT -p tcp --tcp-flags ALL NONE -j DROP"
end
bogus_tcp_flags() click to toggle source
# File lib/spior/iptables/root.rb, line 56
def bogus_tcp_flags
  ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP"
  ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP"
  ipt "-t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP"
  ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP"
  ipt "-t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP"
  ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP"
  ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP"
  ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP"
  ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP"
  ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP"
  ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP"
  ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP"
  ipt "-t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP"
end
input() click to toggle source
# File lib/spior/iptables/root.rb, line 47
def input
end
ipt(line) click to toggle source
# File lib/spior/iptables/root.rb, line 39
def ipt(line)
  @i.run("#{line}")
  puts "added - #{@i} #{line}"
end
output() click to toggle source
# File lib/spior/iptables/root.rb, line 50
def output
end
redirect() click to toggle source
# File lib/spior/iptables/root.rb, line 44
def redirect
end
spoofing() click to toggle source
# File lib/spior/iptables/root.rb, line 83
def spoofing
  subs=["224.0.0.0/3", "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/5"]
  subs.each do |sub|
    ipt "-t mangle -A PREROUTING -s #{sub} -j DROP"
  end
  ipt "-t mangle -A PREROUTING -s #{@lo_addr}/8 ! -i #{@lo} -j DROP"
end