| #!/bin/sh |
| # SPDX-License-Identifier: GPL-2.0-or-later |
| # Copyright (c) 2018 Oracle and/or its affiliates. All Rights Reserved. |
| # Copyright (c) International Business Machines Corp., 2001 |
| # |
| # Author: Jan 20 2004 Hubert Lin <linux02NOSPAAAM@tw.ibm.com> |
| # <hubertNOSPAAAM@symbio.com.tw> |
| |
| TST_CNT=6 |
| TST_SETUP="init" |
| TST_TESTFUNC="test" |
| TST_CLEANUP="cleanup" |
| TST_NEEDS_TMPDIR=1 |
| TST_NEEDS_ROOT=1 |
| TST_NEEDS_CMDS="iptables grep ping telnet" |
| |
| . tst_test.sh |
| |
| init() |
| { |
| tst_res TINFO "INIT: Inititalizing tests." |
| |
| modprobe ip_tables |
| if [ $? -ne 0 ]; then |
| iptables -L > tst_iptables.out 2>&1 |
| if [ $? -ne 0 ]; then |
| tst_brk TCONF "no iptables support in kernel." |
| fi |
| fi |
| |
| tst_res TINFO "INIT: Flushing all rules." |
| iptables -F -t filter > tst_iptables.out 2>&1 |
| iptables -F -t nat > tst_iptables.out 2>&1 |
| iptables -F -t mangle > tst_iptables.out 2>&1 |
| } |
| |
| cleanup() |
| { |
| lsmod | grep "ip_tables" > tst_iptables.out 2>&1 |
| if [ $? -eq 0 ]; then |
| iptables -F -t filter > tst_iptables.out 2>&1 |
| iptables -F -t nat > tst_iptables.out 2>&1 |
| iptables -F -t mangle > tst_iptables.out 2>&1 |
| rmmod -v ipt_limit ipt_multiport ipt_LOG ipt_REJECT \ |
| iptable_mangle iptable_nat ip_conntrack \ |
| iptable_filter ip_tables nf_nat_ipv4 nf_nat \ |
| nf_log_ipv4 nf_log_common nf_reject_ipv4 \ |
| nf_conntrack_ipv4 nf_defrag_ipv4 nf_conntrack \ |
| > tst_iptables.out 2>&1 |
| fi |
| } |
| |
| test1() |
| { |
| local chaincnt=0 |
| |
| local cmd="iptables -L -t filter" |
| tst_res TINFO "$cmd will list all rules in table filter." |
| $cmd > tst_iptables.out 2>&1 |
| if [ $? -ne 0 ]; then |
| tst_res TFAIL "$cmd failed to list rules." |
| cat tst_iptables.out |
| return |
| else |
| chaincnt=$(grep -c Chain tst_iptables.out) |
| if [ $chaincnt -lt 3 ]; then |
| tst_res TFAIL "$cmd failed to list rules." |
| cat tst_iptables.out |
| return |
| else |
| tst_res TINFO "$cmd lists rules." |
| fi |
| fi |
| |
| local cmd="iptables -L -t nat" |
| tst_res TINFO "$cmd will list all rules in table nat." |
| $cmd > tst_iptables.out 2>&1 |
| if [ $? -ne 0 ]; then |
| tst_res TFAIL "$cmd failed to list rules." |
| cat tst_iptables.out |
| return |
| else |
| chaincnt=$(grep -c Chain tst_iptables.out) |
| if [ $chaincnt -lt 3 ]; then |
| tst_res TFAIL "$cmd failed to list rules." |
| cat tst_iptables.out |
| return |
| else |
| tst_res TINFO "$cmd lists rules." |
| fi |
| fi |
| |
| local cmd="iptables -L -t mangle" |
| tst_res TINFO "$cmd will list all rules in table mangle." |
| $cmd > tst_iptables.out 2>&1 |
| if [ $? -ne 0 ]; then |
| tst_res TFAIL "$cmd failed to list rules." |
| cat tst_iptables.out |
| return |
| else |
| chaincnt=$(grep -c Chain tst_iptables.out) |
| if [ $chaincnt -lt 5 ]; then |
| tst_res TFAIL "$cmd failed to list rules." |
| cat tst_iptables.out |
| else |
| tst_res TINFO "$cmd lists rules." |
| fi |
| fi |
| |
| tst_res TPASS "iptables -L lists rules." |
| } |
| |
| test2() |
| { |
| tst_res TINFO "Use iptables to DROP packets from particular IP" |
| tst_res TINFO "Rule to block icmp from 127.0.0.1" |
| |
| iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP > tst_iptables.out 2>&1 |
| if [ $? -ne 0 ]; then |
| tst_res TFAIL "iptables command failed to append new rule." |
| cat tst_iptables.out |
| return |
| fi |
| |
| tst_res TINFO "Pinging 127.0.0.1" |
| ping -c 2 127.0.0.1 > tst_iptables.out 2>&1 |
| if [ $? -ne 0 ]; then |
| grep "100% packet loss" tst_iptables.out > tst_iptables.err 2>&1 |
| if [ $? -ne 0 ]; then |
| tst_res TFAIL \ |
| "iptables did not block packets from loopback" |
| cat tst_iptables.err |
| return |
| else |
| tst_res TINFO "Ping 127.0.0.1 not successful." |
| fi |
| else |
| tst_res TFAIL "iptables did not block icmp from 127.0.0.1" |
| cat tst_iptables.out |
| return |
| fi |
| |
| tst_res TINFO "Deleting icmp DROP from 127.0.0.1 rule." |
| iptables -D INPUT 1 > tst_iptables.out 2>&1 |
| if [ $? -ne 0 ]; then |
| tst_res TFAIL "iptables did not remove the rule." |
| cat tst_iptables.out |
| return |
| fi |
| tst_res TINFO "Pinging 127.0.0.1 again" |
| ping -c 2 127.0.0.1 > tst_iptables.out 2>&1 |
| if [ $? -ne 0 ]; then |
| tst_res TFAIL "iptables blocking loopback. This is expected" \ |
| "behaviour on certain distributions where" \ |
| "enabling firewall drops all packets by default." |
| cat tst_iptables.out |
| return |
| fi |
| tst_res TINFO "Ping succsess" |
| tst_res TPASS "iptables can DROP packets from particular IP." |
| } |
| |
| test3() |
| { |
| tst_res TINFO "Use iptables to REJECT ping request." |
| tst_res TINFO "Rule to reject ping request." |
| |
| iptables -A INPUT -p icmp --icmp-type echo-request -d 127.0.0.1 -j \ |
| REJECT > tst_iptables.out 2>&1 |
| if [ $? -ne 0 ]; then |
| tst_res TFAIL "iptables command failed to append new rule." |
| cat tst_iptables.out |
| return |
| fi |
| |
| tst_res TINFO "Pinging 127.0.0.1" |
| ping -c 2 127.0.0.1 > tst_iptables.out 2>&1 |
| if [ $? -ne 0 ]; then |
| grep "100% packet loss" tst_iptables.out > tst_iptables.err 2>&1 |
| if [ $? -ne 0 ]; then |
| tst_res TFAIL "iptables did not block ping request." |
| cat tst_iptables.err |
| return |
| else |
| tst_res TINFO "Ping 127.0.0.1 not successful." |
| fi |
| else |
| tst_res TFAIL "iptables did not reject ping request." |
| cat tst_iptables.out |
| return |
| fi |
| |
| tst_res TINFO "Deleting icmp request REJECT rule." |
| iptables -D INPUT 1 > tst_iptables.out 2>&1 |
| if [ $? -ne 0 ]; then |
| tst_res TFAIL "iptables did not remove the rule." |
| cat tst_iptables.out |
| return |
| fi |
| tst_res TINFO "Pinging 127.0.0.1 again" |
| ping -c 2 127.0.0.1 > tst_iptables.out 2>&1 |
| if [ $? -ne 0 ]; then |
| tst_res TFAIL "iptables blocking ping requests. This is" \ |
| "expected behaviour on certain distributions" \ |
| "where enabling firewall drops all packets by" \ |
| "default." |
| cat tst_iptables.out |
| return |
| fi |
| tst_res TINFO "Ping succsess" |
| tst_res TPASS "iptables can REJECT ping requests." |
| } |
| |
| test4() |
| { |
| local dport=45886 |
| local logprefix="${TCID}$(date +%m%d%H%M%S):" |
| |
| tst_res TINFO "Use iptables to log packets to particular port." |
| tst_res TINFO "Rule to log tcp packets to particular port." |
| |
| iptables -A INPUT -p tcp -d 127.0.0.1 --dport $dport -j LOG \ |
| --log-prefix "$logprefix" > tst_iptables.out 2>&1 |
| if [ $? -ne 0 ]; then |
| tst_res TFAIL "iptables command failed to append new rule." |
| cat tst_iptables.out |
| return |
| fi |
| |
| tst_res TINFO "telnet 127.0.0.1 $dport" |
| telnet 127.0.0.1 $dport > tst_iptables.out 2>&1 |
| if [ $? -ne 0 ]; then |
| sleep 2 |
| dmesg | grep "$logprefix" > tst_iptables.err 2>&1 |
| if [ $? -ne 0 ]; then |
| tst_res TFAIL \ |
| "iptables did not log packets to port $dport" |
| cat tst_iptables.err |
| return |
| else |
| tst_res TINFO "Packets to port $dport logged." |
| fi |
| else |
| tst_res TFAIL "telnet to 127.0.0.1 $dport should fail." |
| cat tst_iptables.out |
| return |
| fi |
| |
| tst_res TINFO "Deleting the rule to log." |
| iptables -D INPUT 1 > tst_iptables.out 2>&1 |
| if [ $? -ne 0 ]; then |
| tst_res TFAIL "iptables did not remove the rule." |
| cat tst_iptables.out |
| return |
| fi |
| tst_res TINFO "iptables logging succsess" |
| tst_res TPASS "iptables can log packets to particular port." |
| } |
| |
| test5() |
| { |
| local dport=0 |
| local logprefix="${TCID}$(date +%m%d%H%M%S):" |
| |
| tst_res TINFO "Use iptables to log packets to multiple ports." |
| tst_res TINFO "Rule to log tcp packets to port 45801 - 45803." |
| iptables -A INPUT -p tcp -d 127.0.0.1 --dport 45801:45803 -j LOG \ |
| --log-prefix "$logprefix" > tst_iptables.out 2>&1 |
| if [ $? -ne 0 ]; then |
| tst_res TFAIL "iptables command failed to append new rule." |
| cat tst_iptables.out |
| return |
| fi |
| |
| tst_res TINFO "Rule to log tcp packets to port 45804 - 45806." |
| iptables -A INPUT -p tcp -d 127.0.0.1 -m multiport --dports \ |
| 45804,45806,45805 -j LOG --log-prefix "$logprefix" \ |
| > tst_iptables.out 2>&1 |
| if [ $? -ne 0 ]; then |
| tst_res TFAIL "iptables command failed to append new rule." |
| cat tst_iptables.out |
| return |
| fi |
| |
| for dport in 45801 45802 45803 45804 45805 45806; do |
| tst_res TINFO "telnet 127.0.0.1 $dport" |
| telnet 127.0.0.1 $dport > tst_iptables.out 2>&1 |
| if [ $? -ne 0 ]; then |
| sleep 2 |
| dmesg | grep "$logprefix" | grep "=$dport " \ |
| > tst_iptables.err 2>&1 |
| if [ $? -ne 0 ]; then |
| tst_res TFAIL "iptables did not log packets" \ |
| "to port $dport" |
| cat tst_iptables.err |
| return |
| else |
| tst_res TINFO "Packets to port $dport logged." |
| fi |
| else |
| tst_res TFAIL "telnet to 127.0.0.1 $dport should fail." |
| cat tst_iptables.out |
| return |
| fi |
| done |
| |
| tst_res TINFO "Flushing all rules." |
| iptables -F > tst_iptables.out 2>&1 |
| if [ $? -ne 0 ]; then |
| tst_res TFAIL "iptables did not flush all rules." |
| cat tst_iptables.out |
| return |
| fi |
| tst_res TINFO "iptables logging succsess" |
| tst_res TPASS "iptables can log packets to multiple ports." |
| } |
| |
| test6() |
| { |
| local logcnt=0 |
| local logprefix="${TCID}$(date +%m%d%H%M%S):" |
| |
| tst_res TINFO "Use iptables to log ping request with limited rate." |
| tst_res TINFO "Rule to log ping request." |
| |
| iptables -A INPUT -p icmp --icmp-type echo-request -d 127.0.0.1 -m \ |
| limit -j LOG --log-prefix "$logprefix" > tst_iptables.out 2>&1 |
| if [ $? -ne 0 ]; then |
| tst_res TFAIL "iptables command failed to append new rule." |
| cat tst_iptables.out |
| return |
| fi |
| |
| tst_res TINFO "ping 127.0.0.1" |
| ping -c 10 127.0.0.1 > tst_iptables.out 2>&1 |
| if [ $? -eq 0 ]; then |
| sleep 2 |
| logcnt=$(dmesg | grep -c "$logprefix") |
| if [ $logcnt -ne 5 ]; then |
| tst_res TFAIL "iptables did not log packets with" \ |
| "limited rate." |
| cat tst_iptables.out |
| return |
| else |
| tst_res TINFO "ping requests logged with limited rate." |
| fi |
| else |
| tst_res TFAIL "ping to 127.0.0.1 failed. This is expected" \ |
| "behaviour on certain distributions where" \ |
| "enabling firewall drops all packets by default." |
| cat tst_iptables.out |
| return |
| fi |
| |
| tst_res TINFO "Deleting the rule to log." |
| iptables -D INPUT 1 > tst_iptables.out 2>&1 |
| if [ $? -ne 0 ]; then |
| tst_res TFAIL "iptables did not remove the rule." |
| cat tst_iptables.out |
| return |
| fi |
| tst_res TINFO "iptables limited logging succsess" |
| tst_res TPASS "iptables can log packets with limited rate." |
| } |
| |
| tst_run |