Module: IptablesGenerator

Defined in:
lib/iptables_generator.rb


Class Method Details

.allow_established ⇒ Object




# Accept packets that conntrack already associates with a tracked
# connection (ESTABLISHED) or that it relates to one (RELATED), so
# replies to outbound traffic get in regardless of the per-port rules.
#
# @return [String] one newline-terminated iptables-restore line
def allow_established
  states = %w[ESTABLISHED RELATED].join(',')
  "-A INPUT -m state --state #{states} -j ACCEPT\n"
end

.allow_ip(ip) ⇒ Object




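# Accept all inbound traffic from one source address, network or host name.
#
# The value is interpolated verbatim into `-s`, so it must be a single
# iptables source token (e.g. `10.0.0.5`, `10.0.0.0/8`, `2001:db8::/32`).
# Whitespace is rejected because a value such as `"1.2.3.4 -j DROP\n-A ..."`
# would otherwise splice extra tokens or whole rules into the output.
# Values that come from an untrusted source should additionally be
# validated by the caller (e.g. parsed with IPAddr) before being passed in.
#
# @param ip [String, #to_s] source address/network for `-s`
# @return [String] one newline-terminated iptables-restore line
# @raise [ArgumentError] if ip is empty or contains whitespace
def allow_ip(ip)
  source = ip.to_s
  if source.empty? || source =~ /\s/
    raise ArgumentError, "invalid source address: #{ip.inspect}"
  end
  "-A INPUT -s #{source} -j ACCEPT\n"
end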

.allow_ips(ips) ⇒ Object




# One `allow_ip` rule per address, concatenated in the order given.
#
# @param ips [Array<String>] source addresses/networks for `-s`
# @return [String] the concatenated rules; '' for an empty list
def allow_ips(ips)
  ips.inject('') { |rules, addr| rules + allow_ip(addr) }
end

.allow_listen(ports, prot = 'tcp', nic = 'all') ⇒ Object

Rule(s) to open the given port(s) for incoming connections.




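# Rule(s) to open the given port(s) for incoming connections.
#
# Emits `-A INPUT [-i NIC] -p PROT -m multiport --dport P1,P2,... -j ACCEPT`.
# The multiport match accepts at most 15 ports per rule (a `lo:hi` range
# counts as two), so a longer list is split across several rules instead
# of emitting one oversized rule that iptables-restore would reject
# together with the rest of the ruleset.
#
# @param ports [Array<Integer, String>, Integer, String] port numbers or
#   `lo:hi` ranges; a single value is accepted as well as an array
# @param prot [String] protocol for the multiport match (default 'tcp')
# @param nic [String] restrict to this input interface; 'all' adds no `-i`
# @return [String] zero or more newline-terminated rules; '' for no ports
# @raise [ArgumentError] if a port, prot or nic value contains whitespace,
#   since such a value could splice extra tokens into the rule
def allow_listen(ports, prot = 'tcp', nic = 'all')
  port_list = Array(ports).map(&:to_s)
  return '' if port_list.empty?

  (port_list + [prot.to_s, nic.to_s]).each do |token|
    raise ArgumentError, "invalid rule token: #{token.inspect}" if token =~ /\s/
  end

  # -A INPUT -i eth0 -p tcp -m multiport --dport 80,443 -j ACCEPT
  # Did we want a specific nic?
  # TODO: Convert this to an options hash
  iface = nic == 'all' ? '' : " -i #{nic}"

  # Pack ports into groups that stay within multiport's 15-port budget.
  groups = [[]]
  weight = 0
  port_list.each do |port|
    cost = port.include?(':') ? 2 : 1
    if weight + cost > 15
      groups << []
      weight = 0
    end
    groups.last << port
    weight += cost
  end

  groups.map do |group|
    "-A INPUT#{iface} -p #{prot} -m multiport --dport #{group.join(',')} -j ACCEPT\n"
  end.join
end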

.allow_ping ⇒ Object




# Accept inbound ICMP. Note this matches `--icmp-type any`, i.e. every
# ICMP type and not just echo-request; narrow the type if only ping
# replies are wanted.
#
# @return [String] one newline-terminated iptables-restore line
def allow_ping
  match = ['-p icmp', '--icmp-type any'].join(' ')
  "-A INPUT #{match} -j ACCEPT\n"
end

.allow_ssh(port = 22) ⇒ Object




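# Accept new inbound TCP connections to the SSH port.
#
# @param port [Integer, String] TCP port sshd listens on (default 22);
#   parameterised so a host running sshd on a non-standard port does
#   not need a hand-written rule. Parsed as base 10, so "022" is 22.
# @return [String] one newline-terminated iptables-restore line
# @raise [ArgumentError] if port is not an integer in 1..65535
def allow_ssh(port = 22)
  port_num = Integer(port.to_s, 10)
  unless (1..65535).cover?(port_num)
    raise ArgumentError, "ssh port out of range: #{port.inspect}"
  end
  "-A INPUT -m state --state NEW -m tcp -p tcp --dport #{port_num} -j ACCEPT\n"
end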

.deny_all(forward_policy = 'ACCEPT') ⇒ Object




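# Filter-table header: drop unmatched INPUT, allow all OUTPUT, and accept
# everything on loopback.
#
# The FORWARD policy defaults to ACCEPT, which is what this generator has
# always emitted even though its old comment described it as a drop. On
# a host that is not meant to route packets pass 'DROP' so forwarded
# traffic is not silently allowed once ip_forward is enabled.
#
# The fragment has no trailing COMMIT; presumably the caller appends the
# remaining rules and COMMIT before feeding iptables-restore — verify.
#
# @param forward_policy [String] chain policy for FORWARD: 'ACCEPT' or 'DROP'
# @return [String] the table header lines, each newline-terminated
# @raise [ArgumentError] for any other policy value
def deny_all(forward_policy = 'ACCEPT')
  policy = forward_policy.to_s
  unless %w[ACCEPT DROP].include?(policy)
    raise ArgumentError, "FORWARD policy must be ACCEPT or DROP, got #{forward_policy.inspect}"
  end

  [
    '*filter',
    ':INPUT DROP [0:0]',
    ":FORWARD #{policy} [0:0]",
    ':OUTPUT ACCEPT [0:0]',
    '-A INPUT -i lo -j ACCEPT',
    ''
  ].join("\n")
end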