initial commit

0 parents commit ea02590b2a438d8893098be63b58d9e6e6b06b2d @phlipper committed May 2, 2012
Showing with 180 additions and 0 deletions.
  1. +18 −0 .gitignore
  2. +20 −0 LICENSE.txt
  3. +44 −0 README.md
  4. +98 −0 rebuild-iptables.rb
18 .gitignore
@@ -0,0 +1,18 @@
+*.gem
+*.rbc
+.bundle
+.config
+coverage
+InstalledFiles
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+
+# YARD artifacts
+.yardoc
+_yardoc
+doc/
20 LICENSE.txt
@@ -0,0 +1,20 @@
+The MIT License (MIT)
+Copyright © 2011-2012 Phil Cohen <github@phlippers.net>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the “Software”), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
44 README.md
@@ -0,0 +1,44 @@
+# rebuild-iptables
+
+## Description
+
+Construct an iptables rules file from fragments.
+
+Constructs an iptables rules file from the prefix, standard, and suffix files in the iptables configuration area, adding any additional modules specified in the command line, and prints the resulting iptables rules to standard output (suitable for saving into /var/lib/iptables or some other appropriate location on the system).
+
+
+## Requirements
+
+### Supported Platforms
+
+The following platforms are supported by this cookbook, meaning that the recipes run on these platforms without error:
+
+* Ubuntu
+* Debian
+* CentOS
+* Red Hat
+* Fedora
+
+
+
+## Usage
+
+Write `iptables` rule fragments and place them in `/etc/iptables.d`. Running this script will assemble them in order and reset the firewall rules.
+
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Added some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request
+
+
+## License
+
+**rebuild-iptables**
+
+* Freely distributable and licensed under the [MIT license](http://phlipper.mit-license.org/2011-2012/license.html).
+* Copyright (c) 2011-2012 Phil Cohen (github@phlippers.net) [![endorse](http://api.coderwall.com/phlipper/endorsecount.png)](http://coderwall.com/phlipper)
+* http://phlippers.net/
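Review bot: the Description and Supported Platforms text in this hunk does not match the script added in the same commit. The Description says the script adds "additional modules specified in the command line" and "prints the resulting iptables rules to standard output", but rebuild-iptables.rb reads no arguments and instead writes the assembled rules to /etc/sysconfig/iptables or /etc/iptables/general and then restarts or restores the firewall (the Usage section's "reset the firewall rules" is the accurate description). "Supported by this cookbook, meaning that the recipes run on these platforms" is Chef cookbook template text and this is a standalone script; the script itself only distinguishes Debian-derived hosts (/etc/debian_version) from Red Hat-derived ones (/etc/redhat-release). Suggest rewording the Description to say that fragments in /etc/iptables.d (plus an optional /etc/iptables.snat) are assembled, written to the distribution's rules file and applied, and that the script therefore has to run as root.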
98 rebuild-iptables.rb
@@ -0,0 +1,98 @@
+#!/usr/bin/ruby -w
+
+#
+# rebuild-iptables.rb -- Construct an iptables rules file from fragments.
+#
+# Written by Phil Cohen <github@phlippers.net>
+# Copyright 2011, Phil Cohen
+#
+# Constructs an iptables rules file from the prefix, standard, and suffix
+# files in the iptables configuration area, adding any additional modules
+# specified in the command line, and prints the resulting iptables rules to
+# standard output (suitable for saving into /var/lib/iptables or some other
+# appropriate location on the system).
+
+##############################################################################
+# Modules and declarations
+##############################################################################
+
+# Path to the iptables template area.
+TEMPLATE_PATH = "/etc/iptables.d"
+
+##############################################################################
+# Installation
+##############################################################################
+
+# Return the prefix
+def prefix
+ File.read(File.join(TEMPLATE_PATH, "prefix")) rescue "*filter"
+end
+
+# Return the suffix
+def suffix
+ File.read(File.join(TEMPLATE_PATH, "suffix")) rescue "COMMIT"
+end
+
+def snat
+ File.read("/etc/iptables.snat") rescue ""
+end
+
+# Read in a file, processing includes as required.
+def read_iptables(file)
+ data = []
+ file = File.join(TEMPLATE_PATH, file) unless File.dirname(file) =~ /iptables\.d/
+ rule = File.readlines(file).map{ |line| line.chomp }
+ rule.each do |line|
+ if line =~ /^\s*include\s+(\S+)$/
+ data << read_iptables($1)
+ else
+ data << line
+ end
+ end
+ data.join("\n")
+end
+
+# Write a file carefully.
+def write_iptables(file, data)
+ File.open("#{file}.new", "w") { |f| f.write(data) }
+ File.rename("#{file}.new", file)
+end
+
+# Install iptables on a Red Hat system. Takes the new iptables data.
+def install_redhat(data)
+ write_iptables("/etc/sysconfig/iptables", data)
+ system("/sbin/service", "iptables", "restart")
+end
+
+# Install iptables on a Debian system. Takes the new iptables data.
+def install_debian(data)
+ Dir.mkdir("/etc/iptables") unless File.directory?("/etc/iptables")
+ write_iptables("/etc/iptables/general", data)
+ system("/sbin/iptables-restore < /etc/iptables/general")
+end
+
+##############################################################################
+# Main routine
+##############################################################################
+
+data = []
+templates = Dir["#{TEMPLATE_PATH}/*"].sort.delete_if do |template|
+ %w[prefix suffix].include?(File.basename(template))
+end
+
+data << prefix
+templates.each { |template| data << read_iptables(template) }
+data << suffix
+data << snat
+
+data = data.join("\n")
+
+if File.exists?("/etc/debian_version")
+ install_debian(data)
+elsif File.exists?("/etc/redhat-release")
+ install_redhat(data)
+else
+ raise "#{$0}: cannot figure out whether this is Red Hat or Debian\n";
+end
+
+exit 0
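Review bot: the return value of system() is ignored in both install_redhat and install_debian, so if the service restart or iptables-restore rejects a fragment the script still falls through to `exit 0` and nothing (cron, a config-management run) learns that the firewall was not reloaded; check the result, e.g. `system(...) or abort "#{$0}: iptables reload failed"`. Three further points in this hunk: (1) read_iptables has no guard against an include cycle, so a fragment that includes itself or its parent recurses until SystemStackError, and the `File.dirname(file) =~ /iptables\.d/` test only checks that the directory name contains that substring rather than that the resolved path is under TEMPLATE_PATH; resolving with File.expand_path, comparing against TEMPLATE_PATH and keeping a set of files already read would tighten it. (2) The bare `rescue` modifiers in prefix, suffix and snat swallow every exception, including permission errors, and silently substitute the defaults; rescuing Errno::ENOENT only keeps the optional-file behaviour without hiding misconfiguration. (3) snat is appended after suffix, that is after the filter table's `COMMIT`, so /etc/iptables.snat has to be a complete `*nat ... COMMIT` block for iptables-restore to accept the file; this deserves a comment on the snat method. Minor: `Dir["#{TEMPLATE_PATH}/*"]` also returns editor backup files and subdirectories (File.readlines on a directory raises), so filtering to regular files is worth it, and write_iptables relies on the umask for the rules file's mode and does not fsync before the rename despite the "carefully" comment.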