Module: Reyes::IPTables
Defined in: lib/reyes/iptables.rb
Overview
A collection of functionality related to generating IPTables rule sets.
Defined Under Namespace
Classes: Rule
Class Method Summary
- .generate_rules(protocol, dport_range, remote_addrs, remote_sets, input_chain, accept_chain) {|Array<String>| ... } ⇒ Object
  Generate IPTables rule arguments based on a specification and yield a series of arguments appropriate for passing to IPTables.
- .generate_rules_from_hash(hash, input_chain, accept_chain) ⇒ Object
  Generate IPTables rules from a hash.
- .innocuous_icmp_rules(chain) ⇒ Object
- .log_rule_string(chain, message, limit = '3/min', limit_burst = 10) ⇒ Object
Class Method Details
.generate_rules(protocol, dport_range, remote_addrs, remote_sets, input_chain, accept_chain) {|Array<String>| ... } ⇒ Object
Generate IPTables rule arguments from a specification. Yields one Array<String> of arguments for each entry in remote_addrs (matched with -s) and one for each entry in remote_sets (matched with -m set --match-set ... src); each array is suitable for passing to iptables as a separate argument vector, without shell interpolation. protocol must be tcp or udp. dport_range is a Range or a two-element Array; when first and last are equal a single --dport match is emitted, otherwise a multiport --dports first:last match. Note that Range#last returns the end of the range even when it is exclusive, so 8000...8010 produces 8000:8010. Without a block, returns an Enumerator.

    # File 'lib/reyes/iptables.rb', line 17

    def self.generate_rules(protocol, dport_range, remote_addrs, remote_sets, input_chain, accept_chain)
      unless ['tcp', 'udp'].include?(protocol.to_s)
        raise ArgumentError.new("Unsupported protocol #{protocol.inspect}")
      end

      unless block_given?
        return enum_for(__method__, protocol, dport_range, remote_addrs, remote_sets, input_chain, accept_chain)
      end

      cmd = ['-A', input_chain, '-p', protocol.to_s]

      # dport_range may be a Range or two element Array
      case dport_range
      when Range
        # OK
      when Array
        if dport_range.length != 2
          raise ArgumentError.new("bad dport_range: #{dport_range.inspect}")
        end
      else
        raise ArgumentError.new("invalid dport_range: #{dport_range.inspect}")
      end

      if dport_range.first == dport_range.last
        # single port match
        cmd += ['-m', protocol.to_s, '--dport', dport_range.first.to_s]
      else
        # port range match
        cmd += ['-m', 'multiport', '--dports', "#{dport_range.first}:#{dport_range.last}"]
      end

      jump_args = ['-j', accept_chain]

      remote_addrs.each do |addr|
        yield cmd + ['-s', addr] + jump_args
      end

      remote_sets.each do |set|
        yield cmd + ['-m', 'set', '--match-set', set, 'src'] + jump_args
      end

      nil
    end
.generate_rules_from_hash(hash, input_chain, accept_chain) ⇒ Object
Generate IPTables rules from a hash. This is a thin wrapper around generate_rules: the hash must contain the keys :protocol, :port, :remote_addrs and :remote_sets, which are passed through in that order; a missing key raises KeyError (Hash#fetch), and the protocol and port validation of generate_rules applies unchanged.

    # File 'lib/reyes/iptables.rb', line 72

    def self.generate_rules_from_hash(hash, input_chain, accept_chain)
      generate_rules(hash.fetch(:protocol), hash.fetch(:port),
                     hash.fetch(:remote_addrs), hash.fetch(:remote_sets),
                     input_chain, accept_chain)
    end
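The following is an added example, not code from Reyes. It repeats the generate_rules logic shown on this page inside a DemoRules module so that the file runs on its own, then shows what a practitioner actually does with the yielded argument arrays: expand a constructed spec hash (the same keys generate_rules_from_hash fetches) into one argv per source, and hand each argv to iptables without a shell. SAMPLE_SPEC, expand_spec, shell_lines and apply! are illustration and are not part of the library.

```ruby
require 'shellwords'

# Added example, not Reyes's own code. DemoRules.generate_rules repeats the logic of
# Reyes::IPTables.generate_rules as shown on this page so the file runs on its own;
# SAMPLE_SPEC, expand_spec, shell_lines and apply! are illustration only.
module DemoRules
  def self.generate_rules(protocol, dport_range, remote_addrs, remote_sets, input_chain, accept_chain)
    unless %w[tcp udp].include?(protocol.to_s)
      raise ArgumentError, "Unsupported protocol #{protocol.inspect}"
    end
    unless block_given?
      return enum_for(__method__, protocol, dport_range, remote_addrs, remote_sets, input_chain, accept_chain)
    end

    case dport_range
    when Range then nil
    when Array
      raise ArgumentError, "bad dport_range: #{dport_range.inspect}" unless dport_range.length == 2
    else
      raise ArgumentError, "invalid dport_range: #{dport_range.inspect}"
    end

    cmd = ['-A', input_chain, '-p', protocol.to_s]
    cmd += if dport_range.first == dport_range.last
             ['-m', protocol.to_s, '--dport', dport_range.first.to_s]
           else
             # Range#last returns the range's end even when it is exclusive,
             # so 8000...8010 becomes "8000:8010" (port 8010 included).
             ['-m', 'multiport', '--dports', "#{dport_range.first}:#{dport_range.last}"]
           end
    jump = ['-j', accept_chain]
    remote_addrs.each { |addr| yield cmd + ['-s', addr] + jump }
    remote_sets.each  { |set|  yield cmd + ['-m', 'set', '--match-set', set, 'src'] + jump }
    nil
  end

  # Constructed sample: one entry per service, with the keys generate_rules_from_hash fetches.
  SAMPLE_SPEC = {
    'ssh' => { protocol: :tcp,  port: [22, 22],      remote_addrs: ['10.0.0.0/8'], remote_sets: ['bastions'] },
    'web' => { protocol: 'tcp', port: (8000...8010), remote_addrs: [],             remote_sets: ['lb-pool'] },
    'dns' => { protocol: :udp,  port: 53..53,        remote_addrs: ['192.0.2.0/24', '198.51.100.0/24'], remote_sets: [] },
  }.freeze

  # Expand a spec to { service => [argv, ...] }. A malformed service raises
  # ArgumentError (bad protocol or port) or KeyError (missing key) instead of
  # silently contributing no rule.
  def self.expand_spec(spec, input_chain, accept_chain)
    spec.each_with_object({}) do |(name, s), out|
      out[name] = generate_rules(s.fetch(:protocol), s.fetch(:port), s.fetch(:remote_addrs),
                                 s.fetch(:remote_sets), input_chain, accept_chain).to_a
    end
  end

  # Human-readable form of what apply! would run; Shellwords.join quotes each
  # argv element, so the printed line is safe to paste into a POSIX shell.
  def self.shell_lines(expanded)
    expanded.values.flatten(1).map { |argv| Shellwords.join(['iptables'] + argv) }
  end

  # Hand each argv straight to iptables. system('iptables', *argv) never goes
  # through a shell, so an address or set name taken from the spec is an argument,
  # not something re-parsed by /bin/sh.
  def self.apply!(expanded, dry_run: true)
    expanded.each_value do |rules|
      rules.each do |argv|
        if dry_run
          puts Shellwords.join(['iptables'] + argv)
        else
          system('iptables', *argv) or raise "iptables failed: #{argv.inspect}"
        end
      end
    end
  end
end

DemoRules.apply!(DemoRules.expand_spec(DemoRules::SAMPLE_SPEC, 'INPUT', 'ACCEPT')) if __FILE__ == $PROGRAM_NAME
```

Run as a script it prints the dry-run command lines; with dry_run: false it executes them one by one and stops at the first failure, which is the behaviour you want when a rule set is applied in order.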
.innocuous_icmp_rules(chain) ⇒ Object
Returns an Array of argument arrays, one per ICMP type, that accept ICMP types 3 (destination unreachable), 4 (source quench), 11 (time exceeded), 12 (parameter problem) and 8 (echo request) on chain. Each element has the same argv shape as the arrays yielded by generate_rules.

    # File 'lib/reyes/iptables.rb', line 96

    def self.innocuous_icmp_rules(chain)
      # 3, 4, 11 and 12 are error reports needed for path MTU discovery and
      # traceroute-style diagnostics; 8 is echo request (ping).
      [3, 4, 11, 12, 8].map do |type|
        %W{-A #{chain} -p icmp -m icmp --icmp-type #{type} -j ACCEPT}
      end
    end
.log_rule_string(chain, message, limit = '3/min', limit_burst = 10) ⇒ Object
Returns a single rule String (not an argument array, unlike the other methods) that appends a rate-limited LOG rule to chain, prefixing each log line with "[message] ". limit and limit_burst are passed to the limit match unchanged. message is interpolated verbatim inside double quotes, so it must be a trusted, short literal; note that the LOG target itself limits --log-prefix to 29 characters.

    # File 'lib/reyes/iptables.rb', line 91

    def self.log_rule_string(chain, message, limit='3/min', limit_burst=10)
      "-A #{chain} -m limit --limit #{limit} --limit-burst #{limit_burst}" \
        " -j LOG --log-prefix \"[#{message}] \""
    end
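An added example, not part of Reyes, that combines innocuous_icmp_rules and log_rule_string into the tail of an input chain: accept the harmless ICMP types, then log (rate-limited) and DROP everything else. The two helpers are copied from this page so the file runs alone; ICMP_TYPE_NAMES, LOG_PREFIX_MAX, validate_log_message and tail_rules are illustration. The point it adds is the check a practitioner wants before the string-form log rule is built: the message must fit the LOG target's 29-character prefix limit and must not contain characters that would change how the quoted string is tokenised.

```ruby
require 'shellwords'

# Added example, not Reyes's own code. innocuous_icmp_rules and log_rule_string
# are copied from this page so the file runs alone; ICMP_TYPE_NAMES,
# LOG_PREFIX_MAX, validate_log_message and tail_rules are illustration.
module DemoChainTail
  # What the page's type list accepts (names per the ICMP type registry).
  ICMP_TYPE_NAMES = {
    3 => 'destination-unreachable', 4 => 'source-quench', 11 => 'time-exceeded',
    12 => 'parameter-problem', 8 => 'echo-request'
  }.freeze
  LOG_PREFIX_MAX = 29 # the iptables LOG target accepts --log-prefix values up to 29 characters

  def self.innocuous_icmp_rules(chain)
    [3, 4, 11, 12, 8].map do |type|
      %W{-A #{chain} -p icmp -m icmp --icmp-type #{type} -j ACCEPT}
    end
  end

  def self.log_rule_string(chain, message, limit = '3/min', limit_burst = 10)
    "-A #{chain} -m limit --limit #{limit} --limit-burst #{limit_burst}" \
      " -j LOG --log-prefix \"[#{message}] \""
  end

  # log_rule_string interpolates message verbatim between double quotes, so a
  # message with a quote, backslash or newline would change how the string is
  # tokenised; the LOG target also rejects prefixes over LOG_PREFIX_MAX. Check both
  # before building the rule rather than discovering it when iptables is invoked.
  def self.validate_log_message(message)
    prefix = "[#{message}] "
    if prefix.length > LOG_PREFIX_MAX
      raise ArgumentError, "log prefix #{prefix.inspect} exceeds #{LOG_PREFIX_MAX} characters"
    end
    raise ArgumentError, 'log message must not contain ", \\ or newline' if message.match?(/["\\\n]/)
    message
  end

  # Tail of an input chain as argv arrays: accept harmless ICMP, then log
  # (rate-limited) and DROP everything else. Shellwords.split turns the page's
  # string-form log rule into an argv, preserving the quoted prefix as one element.
  def self.tail_rules(chain, message)
    validate_log_message(message)
    innocuous_icmp_rules(chain) +
      [Shellwords.split(log_rule_string(chain, message))] +
      [%W{-A #{chain} -j DROP}]
  end
end

if __FILE__ == $PROGRAM_NAME
  DemoChainTail.tail_rules('INPUT', 'input-drop').each { |argv| puts Shellwords.join(['iptables'] + argv) }
end
```

Converting the log rule to an argv with Shellwords.split means every rule in the tail can be executed the same way as the arrays from generate_rules, with system('iptables', *argv), and the prefix "[input-drop] " reaches the LOG target as one argument including its trailing space.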