Module: Reyes::IPTables

Defined in:
lib/reyes/iptables.rb

Overview

A collection of functionality related to generating IPTables rule sets.

Defined Under Namespace

Classes: Rule

Class Method Details

.generate_rules(protocol, dport_range, remote_addrs, remote_sets, input_chain, accept_chain) {|Array<String>| ... } ⇒ Object

Generate IPTables rule arguments from a specification and yield one argument array per rule, suitable for passing directly to IPTables as an argv array rather than as a shell string. One rule is yielded per entry in remote_addrs (source address match) and per entry in remote_sets (ipset source match). When no block is given, an Enumerator over the same rules is returned.

Parameters:

  • protocol (Symbol)
  • dport_range (Range, Array(Integer, Integer))
  • remote_addrs (Array<String>)
  • remote_sets (Array<String>)
  • input_chain (String)
  • accept_chain (String)

Yields:

  • (Array<String>)

    IPTables rule argument array

# File 'lib/reyes/iptables.rb', line 17

def self.generate_rules(protocol, dport_range, remote_addrs, remote_sets,
                        input_chain, accept_chain)

  unless ['tcp', 'udp'].include?(protocol.to_s)
    raise ArgumentError.new("Unsupported protocol #{protocol.inspect}")
  end

  unless block_given?
    return enum_for(__method__, protocol, dport_range, remote_addrs,
                    remote_sets, input_chain, accept_chain)
  end

  cmd = ['-A', input_chain, '-p', protocol.to_s]

  # dport_range may be a Range or two element Array
  case dport_range
  when Range
    # OK
  when Array
    if dport_range.length != 2
      raise ArgumentError.new("bad dport_range: #{dport_range.inspect}")
    end
  else
    raise ArgumentError.new("invalid dport_range: #{dport_range.inspect}")
  end

  if dport_range.first == dport_range.last
    # single port match
    cmd += ['-m', protocol.to_s, '--dport', dport_range.first.to_s]
  else
    # port range match
    cmd += ['-m', 'multiport', '--dports',
            "#{dport_range.first}:#{dport_range.last}"]
  end

  jump_args = ['-j', accept_chain]

  remote_addrs.each do |addr|
    yield cmd + ['-s', addr] + jump_args
  end

  remote_sets.each do |set|
    yield cmd + ['-m', 'set', '--match-set', set, 'src'] + jump_args
  end

  nil
end

.generate_rules_from_hash(hash, input_chain, accept_chain) ⇒ Object

Generate IPTables rules from a hash. This is a thin wrapper around generate_rules; the hash must contain the keys :protocol, :port, :remote_addrs and :remote_sets, which are passed through to generate_rules in that order (a missing key raises KeyError).

Parameters:

  • hash (Hash)
  • input_chain (String)
  • accept_chain (String)

# File 'lib/reyes/iptables.rb', line 72

def self.generate_rules_from_hash(hash, input_chain, accept_chain)
  generate_rules(hash.fetch(:protocol), hash.fetch(:port),
                 hash.fetch(:remote_addrs), hash.fetch(:remote_sets),
                 input_chain, accept_chain)
end

.innocuous_icmp_rules(chain) ⇒ Object

# File 'lib/reyes/iptables.rb', line 96

def self.innocuous_icmp_rules(chain)
  # ICMP types accepted on the chain: 3 destination-unreachable,
  # 4 source-quench, 11 time-exceeded, 12 parameter-problem, 8 echo-request
  [3, 4, 11, 12, 8].map do |type|
    %W{-A #{chain} -p icmp -m icmp --icmp-type #{type} -j ACCEPT}
  end
end

.log_rule_string(chain, message, limit = '3/min', limit_burst = 10) ⇒ Object

# File 'lib/reyes/iptables.rb', line 91

def self.log_rule_string(chain, message, limit='3/min', limit_burst=10)
  # Unlike generate_rules, this returns a single shell-style string; the
  # embedded double quotes keep "[message] " as one argument when the string
  # is split by a shell. iptables accepts a --log-prefix of at most 29 characters.
  "-A #{chain} -m limit --limit #{limit} --limit-burst #{limit_burst}" \
    " -j LOG --log-prefix \"[#{message}] \""
end
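The following is an added example, not code from the Reyes gem: it composes the functions documented above into a complete INPUT chain (innocuous ICMP, the allow rules from a spec hash with the keys generate_rules_from_hash reads, a rate-limited LOG rule, a final DROP) and renders the argv arrays as iptables command lines. The generate_rules at the top is a condensed copy of the documented method so the script runs stand-alone; build_input_chain, render_commands and SAMPLE_SPEC are assumed names, and the addresses and set name are constructed.

```ruby
require 'shellwords'

# generate_rules is a condensed copy of the documented method (the Array
# length check is omitted) so that this added example runs stand-alone.
def generate_rules(protocol, dport_range, remote_addrs, remote_sets, chain, accept_chain)
  unless %w[tcp udp].include?(protocol.to_s)
    raise ArgumentError, "Unsupported protocol #{protocol.inspect}"
  end
  unless block_given?
    return enum_for(__method__, protocol, dport_range, remote_addrs,
                    remote_sets, chain, accept_chain)
  end
  first, last = dport_range.first, dport_range.last
  port_args = if first == last
                ['-m', protocol.to_s, '--dport', first.to_s]        # single port
              else
                ['-m', 'multiport', '--dports', "#{first}:#{last}"] # port range
              end
  cmd = ['-A', chain, '-p', protocol.to_s] + port_args
  remote_addrs.each { |addr| yield cmd + ['-s', addr, '-j', accept_chain] }
  remote_sets.each do |set|
    yield cmd + ['-m', 'set', '--match-set', set, 'src', '-j', accept_chain]
  end
  nil
end

# Assemble a complete INPUT policy as argv arrays: harmless ICMP types, the allow
# rules from a spec hash, a rate-limited LOG of what will be dropped, then DROP.
def build_input_chain(spec, chain = 'INPUT', accept_chain = 'ACCEPT')
  rules = [3, 4, 11, 12, 8].map do |t|
    %W[-A #{chain} -p icmp -m icmp --icmp-type #{t} -j ACCEPT]
  end
  rules += generate_rules(spec.fetch(:protocol), spec.fetch(:port),
                          spec.fetch(:remote_addrs), spec.fetch(:remote_sets),
                          chain, accept_chain).to_a
  rules << ['-A', chain, '-m', 'limit', '--limit', '3/min', '--limit-burst', '10',
            '-j', 'LOG', '--log-prefix', '[input-drop] ']
  rules << ['-A', chain, '-j', 'DROP']
end

# Render each argv array as one iptables command line. Shell quoting is only
# needed for display; to apply, pass the array straight to system('iptables', *argv).
def render_commands(rules)
  rules.map { |argv| Shellwords.join(['iptables'] + argv) }
end

# Constructed sample spec: SSH from one management host plus an ipset of hosts.
SAMPLE_SPEC = { protocol: :tcp, port: 22..22, remote_addrs: ['192.0.2.10/32'],
                remote_sets: ['mgmt_hosts'] }.freeze
```

Because every rule is an argv array, nothing in the spec (addresses, set names) is ever interpreted by a shell when applied with system('iptables', *argv); only the display form goes through Shellwords.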