diff --git a/Cargo.lock b/Cargo.lock index 6dd97c7..50e3461 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -343,6 +343,18 @@ dependencies = [ "windows-sys 0.48.0", ] +[[package]] +name = "mio" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4569e456d394deccd22ce1c1913e6ea0e54519f577285001215d33557431afe4" +dependencies = [ + "hermit-abi 0.3.9", + "libc", + "wasi", + "windows-sys 0.52.0", +] + [[package]] name = "nix" version = "0.29.0" @@ -367,21 +379,11 @@ dependencies = [ "inotify", "kqueue", "libc", - "mio", + "mio 0.8.11", "walkdir", "windows-sys 0.45.0", ] -[[package]] -name = "num_cpus" -version = "1.16.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4161fcb6d602d4d2081af7c3a45852d875a03dd337a6bfdd6e06407b61342a43" -dependencies = [ - "hermit-abi 0.3.9", - "libc", -] - [[package]] name = "object" version = "0.36.1" @@ -420,7 +422,7 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.71", + "syn 2.0.72", ] [[package]] @@ -581,7 +583,7 @@ checksum = "e0cd7e117be63d3c3678776753929474f3b04a43a080c744d6b0ae2a8c28e222" dependencies = [ "proc-macro2", "quote", - "syn 2.0.71", + "syn 2.0.72", ] [[package]] @@ -656,9 +658,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.71" +version = "2.0.72" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b146dcf730474b4bcd16c311627b31ede9ab149045db4d6088b3becaea046462" +checksum = "dc4b9b9bf2add8093d3f2c0204471e951b2285580335de42f9d2534f3ae7a8af" dependencies = [ "proc-macro2", "quote", 
@@ -676,30 +678,29 @@ dependencies = [ [[package]] name = "tokio" -version = "1.38.1" +version = "1.39.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eb2caba9f80616f438e09748d5acda951967e1ea58508ef53d9c6402485a46df" +checksum = "d040ac2b29ab03b09d4129c2f5bbd012a3ac2f79d38ff506a4bf8dd34b0eac8a" dependencies = [ "backtrace", "bytes", "libc", - "mio", - "num_cpus", + "mio 1.0.1", "pin-project-lite", "signal-hook-registry", "tokio-macros", - "windows-sys 0.48.0", + "windows-sys 0.52.0", ] [[package]] name = "tokio-macros" -version = "2.3.0" +version = "2.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f5ae998a069d4b5aba8ee9dad856af7d520c3699e6159b185c2acd48155d39a" +checksum = "693d596312e88961bc67d7f1f97af8a70227d9f90c31bba5806eec004978d752" dependencies = [ "proc-macro2", "quote", - "syn 2.0.71", + "syn 2.0.72", ] [[package]] diff --git a/src/iptables_save.rs b/src/iptables_save.rs index bf5fcff..b328e5c 100644 --- a/src/iptables_save.rs +++ b/src/iptables_save.rs @@ -1,7 +1,7 @@ use std::{path::Path, process::Command}; -pub fn save_iptables(path: &Path) { - let _ = Command::new("iptables-save") +pub fn save_iptables(path: &Path) -> std::io::Result { + Command::new("iptables-save") .args(["-f", path.to_str().unwrap()]) - .output(); + .output() } diff --git a/src/iptables_wrapper.rs b/src/iptables_wrapper.rs index cad5e0d..05ea955 100644 --- a/src/iptables_wrapper.rs +++ b/src/iptables_wrapper.rs @@ -1,7 +1,6 @@ -use std::collections::HashMap; - use iptables::IPTables; use regex::Regex; +use std::collections::HashMap; pub fn is_port_secured(port: u16, docker: bool) -> bool { let iptables = iptables::new(false).unwrap(); 
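Review bot: `save_iptables` now hands back the `Command::output()` result, but `Ok` there only means `iptables-save` was spawned and waited for; the exit status inside the returned `Output` is never inspected, so the `SaveIPTables` arm in `main` prints `true` when `iptables-save -f` itself fails (not running as root, unwritable path). Check `output.status.success()` before returning `Ok`, and turn a non-zero status into an `io::Error`. The `path.to_str().unwrap()` also survives the change and panics on a non-UTF-8 path, although `Command::arg` accepts `&Path` directly through `AsRef<OsStr>`. The type parameter of `std::io::Result` appears to have been stripped by the rendering of this page; the sketch below assumes the `Result<Output>` that `output()` returns.
```rust
pub fn save_iptables(path: &Path) -> std::io::Result<std::process::Output> {
    // `.arg(path)` passes the OsStr through unchanged; `to_str().unwrap()` panics on non-UTF-8 paths.
    let output = Command::new("iptables-save").arg("-f").arg(path).output()?;
    if !output.status.success() {
        return Err(std::io::Error::new(
            std::io::ErrorKind::Other,
            format!("iptables-save exited with {}", output.status),
        ));
    }
    Ok(output)
}
```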
@@ -80,11 +79,15 @@ pub fn map_secured_ports_allowed_ips(docker: bool) -> HashMap>
 result
 }
-pub fn secure_port_rule(port: u16) -> String {
+fn secure_port_rule(port: u16) -> String {
 format!("-p tcp --dport {} -j DROP", port)
 }
-pub fn secure_port(port: u16, docker: bool, position: Option) {
+pub fn secure_port(
+ port: u16,
+ docker: bool,
+ position: Option,
+) -> Result<(), Box> {
 let iptables = iptables::new(false).unwrap();
 let table = "filter";
@@ -95,22 +98,23 @@ pub fn secure_port(port: u16, docker: bool, position: Option) {
 } else {
 append_unique(&iptables, table, &chain, &rule)
 }
-
- println!("Port {} secured", port);
 }
-pub fn unsecure_port(port: u16, docker: bool) {
+pub fn unsecure_port(port: u16, docker: bool) -> Result<(), Box> {
 let iptables = iptables::new(false).unwrap();
- let _ = iptables.delete("filter", &get_chain(docker), &secure_port_rule(port));
-
- println!("Port {} unsecured", port);
+ iptables.delete("filter", &get_chain(docker), &secure_port_rule(port))
 }
-pub fn allow_ip_for_port_rule(port: u16, ip: &str) -> String {
+fn allow_ip_for_port_rule(port: u16, ip: &str) -> String {
 format!("-p tcp --dport {} -s {} -j ACCEPT", port, ip)
 }
-pub fn allow_ip_for_port(ip: &str, port: u16, docker: bool, position: Option) {
+pub fn allow_ip_for_port(
+ ip: &str,
+ port: u16,
+ docker: bool,
+ position: Option,
+) -> Result<(), Box> {
 let iptables = iptables::new(false).unwrap();
 let table = "filter";
@@ -121,18 +125,19 @@ pub fn allow_ip_for_port(ip: &str, port: u16, docker: bool, position: Option Result<(), Box> {
 let iptables = iptables::new(false).unwrap();
- let _ = iptables.delete(
 "filter",
 &get_chain(docker),
 &allow_ip_for_port_rule(port, ip),
- );
- println!("Removed access of {} to {}", ip, port);
+ )
 }
 fn get_chain(docker: bool) -> String {
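Review bot: `secure_port` now returns `Result<(), Box<dyn Error>>` (the type parameter is stripped in this rendering), yet the first statement of its body, `let iptables = iptables::new(false).unwrap();`, still panics when the iptables handle cannot be created, for example when the binary is missing or the process lacks the needed privileges, so callers that switched to `.is_ok()` never observe that failure as an `Err`. Since the error type is already boxed, `let iptables = iptables::new(false)?;` should fit, assuming the crate's `new` returns a `Result` whose error converts into `Box<dyn Error>`, which its signature suggests. The same `unwrap()` remains in `unsecure_port`, `allow_ip_for_port` and `remove_allow_ip_for_port` in the two following hunks. The body of `secure_port` continues past the end of this hunk.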
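Review bot: `allow_ip_for_port_rule` interpolates the caller-supplied `ip` string into the rule text with no validation, and `allow_ip_for_port` then hands that rule to the iptables crate, so a CLI argument that is not an address (stray whitespace, extra option tokens) becomes part of the rule as written; if the crate tokenises the rule string into iptables arguments, which I cannot confirm from this hunk, such input would change the rule's shape. Parsing the argument before building the rule, `let addr: std::net::IpAddr = ip.parse()?;` at the top of `allow_ip_for_port` (the `AddrParseError` converts into the boxed error), keeps the rule fixed to `-s <address>`; if CIDR prefixes are meant to be accepted, the parser needs to allow them too. Making `allow_ip_for_port_rule` private is fine but means no caller outside this module can do that validation instead. The body of `allow_ip_for_port` continues past the end of this hunk.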
@@ -143,12 +148,23 @@ fn get_chain(docker: bool) -> String {
 }
 }
-fn append_unique(iptables: &IPTables, table: &str, chain: &str, rule: &str) {
- let _ = iptables.append_unique(table, chain, rule);
+fn append_unique(
+ iptables: &IPTables,
+ table: &str,
+ chain: &str,
+ rule: &str,
+) -> Result<(), Box> {
+ iptables.append_unique(table, chain, rule)
 }
-fn insert_unique(iptables: &IPTables, table: &str, chain: &str, rule: &str, position: i32) {
- let _ = iptables.insert_unique(table, chain, rule, position);
+fn insert_unique(
+ iptables: &IPTables,
+ table: &str,
+ chain: &str,
+ rule: &str,
+ position: i32,
+) -> Result<(), Box> {
+ iptables.insert_unique(table, chain, rule, position)
 }
 fn extract_ip(regex: &Regex, input: &str) -> Option {
diff --git a/src/main.rs b/src/main.rs
index 40a19a2..5c2e2b0 100644
--- a/src/main.rs
+++ b/src/main.rs
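Review bot: `append_unique` and `insert_unique` are now single-expression forwarders to the `IPTables` methods of the same name, same parameters and same result type, so the extra layer no longer does anything (previously it was where the error was swallowed). Either call `iptables.append_unique(table, chain, rule)` and `iptables.insert_unique(table, chain, rule, position)` directly at the call sites in `secure_port` and `allow_ip_for_port`, or give each wrapper a `///` comment stating why the indirection is kept, e.g. `/// Thin seam around IPTables::append_unique so tests can stub rule insertion.` if that is the intent.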
@@ -46,19 +46,22 @@ async fn main() {
 port,
 docker,
 position,
- } => secure_port(port, docker, position),
- Cli::UnsecurePort { port, docker } => unsecure_port(port, docker),
+ } => println!("{}", secure_port(port, docker, position).is_ok()),
+ Cli::UnsecurePort { port, docker } => println!("{}", unsecure_port(port, docker).is_ok()),
 Cli::AllowIpForPort {
 ip,
 port,
 docker,
 position,
- } => allow_ip_for_port(&ip, port, docker, position),
+ } => println!("{}", allow_ip_for_port(&ip, port, docker, position).is_ok()),
 Cli::OnlyIpForPort { ip, port, docker } => {
- allow_ip_for_port(&ip, port, docker, Some(1));
- secure_port(port, docker, Some(2));
+ let allowed = allow_ip_for_port(&ip, port, docker, Some(1));
+ let secured = secure_port(port, docker, Some(2));
+ println!("{}", allowed.is_ok() && secured.is_ok());
+ }
+ Cli::RemoveAllowIpPort { ip, port, docker } => {
+ println!("{}", remove_allow_ip_for_port(&ip, port, docker).is_ok())
 }
- Cli::RemoveAllowIpPort { ip, port, docker } => remove_allow_ip_for_port(&ip, port, docker),
 Cli::SaveIPTables { iptables_save } => {
 let path = if let Some(iptables_save) = iptables_save {
 iptables_save
@@ -66,8 +69,7 @@ async fn main() {
 PathBuf::from("/etc/iptables/rules.v4")
 };
- iptables_save::save_iptables(&path);
- println!("Saved IPTables to {}", path.display());
+ println!("{}", iptables_save::save_iptables(&path).is_ok())
 }
 }
 }
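Review bot: Every arm now reduces the returned `Result` to `println!("{}", ….is_ok())`, which discards the error value and leaves the process exit status at 0, so a firewall change that did not happen is reported only as the literal `false` on stdout and a wrapping script or unit file cannot fail on it. Print the error with `eprintln!` and exit non-zero, or make `main` return `Result<(), Box<dyn Error>>` and propagate with `?` so the runtime does that for you. In the `OnlyIpForPort` arm, `secure_port(port, docker, Some(2))` is still executed when `allow_ip_for_port` has already failed, so the DROP rule can be installed without its matching ACCEPT rule and the combined boolean hides which step failed; short-circuiting on the first `Err` and reporting it keeps the two rules from getting out of step. The `SaveIPTables` arm in the next hunk has the same `.is_ok()` issue, and additionally loses the saved path that the old message printed. The enclosing `main` starts and ends outside this hunk.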