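#!/bin/sh
# SPDX-License-Identifier: GPL-2.0-or-later
# Copyright (c) 2018 Oracle and/or its affiliates. All Rights Reserved.
# Copyright (c) International Business Machines Corp., 2001
#
# Author: Jan 20 2004 Hubert Lin <linux02NOSPAAAM@tw.ibm.com>
#                     <hubertNOSPAAAM@symbio.com.tw>
#
# Functional test of the iptables userspace tool against the running kernel:
#   test1 - `iptables -L` lists the built-in chains of filter/nat/mangle
#   test2 - a DROP rule on INPUT blocks ICMP from 127.0.0.1
#   test3 - a REJECT rule on INPUT blocks ICMP echo-request to 127.0.0.1
#   test4 - a LOG rule records TCP packets to one destination port
#   test5 - LOG rules record TCP packets to a port range / multiport set
#   test6 - `-m limit` rate-limits what a LOG rule records
#
# Every test writes command output to tst_iptables.out (and grep output to
# tst_iptables.err) inside the LTP temp dir; each file is overwritten by the
# next command, so only the last output survives for a failure report.
#
# Side effects on the host: init() and cleanup() flush the filter, nat and
# mangle tables, the tests append to and delete from the INPUT chain, and
# cleanup() tries to unload the netfilter modules. Existing firewall policy
# is not saved or restored, so run this only on a dedicated test machine.
#
# The tests depend on a clean INPUT chain: each one appends a single rule and
# then removes it with `iptables -D INPUT 1`, i.e. by position rather than by
# specification. That is only correct because init() flushed the chain first.

TST_CNT=6
TST_SETUP="init"
TST_TESTFUNC="test"
TST_CLEANUP="cleanup"
TST_NEEDS_TMPDIR=1
TST_NEEDS_ROOT=1
TST_NEEDS_CMDS="iptables grep ping telnet"

. tst_test.sh

# Setup: make sure iptables works on this kernel, then flush the three
# tables the tests touch. Ends the test with TCONF if neither loading the
# ip_tables module nor a plain `iptables -L` works (no kernel support).
init()
{
	tst_res TINFO "INIT: Inititalizing tests."

	# modprobe fails on kernels with iptables built in (not modular), so
	# only treat it as "no support" when listing the rules fails as well.
	modprobe ip_tables
	if [ $? -ne 0 ]; then
		iptables -L > tst_iptables.out 2>&1
		if [ $? -ne 0 ]; then
			tst_brk TCONF "no iptables support in kernel."
		fi
	fi

	# Flushing is required: the tests delete their rule by index
	# (`-D INPUT 1`) and would otherwise remove a pre-existing rule.
	tst_res TINFO "INIT: Flushing all rules."
	iptables -F -t filter > tst_iptables.out 2>&1
	iptables -F -t nat > tst_iptables.out 2>&1
	iptables -F -t mangle > tst_iptables.out 2>&1
}

# Cleanup: if ip_tables is loaded as a module, flush the tables again and
# try to unload the netfilter modules the tests may have pulled in. The
# rmmod is best-effort — modules that are not loaded or are still in use
# make it fail, and that failure is deliberately ignored.
cleanup()
{
	lsmod | grep "ip_tables" > tst_iptables.out 2>&1
	if [ $? -eq 0 ]; then
		iptables -F -t filter > tst_iptables.out 2>&1
		iptables -F -t nat > tst_iptables.out 2>&1
		iptables -F -t mangle > tst_iptables.out 2>&1
		rmmod -v ipt_limit ipt_multiport ipt_LOG ipt_REJECT \
			 iptable_mangle iptable_nat ip_conntrack \
			 iptable_filter ip_tables nf_nat_ipv4 nf_nat \
			 nf_log_ipv4 nf_log_common nf_reject_ipv4 \
			 nf_conntrack_ipv4 nf_defrag_ipv4 nf_conntrack \
			 > tst_iptables.out 2>&1
	fi
}

# test1: `iptables -L` must succeed for the filter, nat and mangle tables and
# list at least the built-in chains of each (3 for filter and nat, 5 for
# mangle). The chain count is taken from the number of "Chain" header lines
# in the listing.
test1()
{
	local chaincnt=0

	local cmd="iptables -L -t filter"
	tst_res TINFO "$cmd will list all rules in table filter."
	$cmd > tst_iptables.out 2>&1
	if [ $? -ne 0 ]; then
		tst_res TFAIL "$cmd failed to list rules."
		cat tst_iptables.out
		return
	else
		chaincnt=$(grep -c Chain tst_iptables.out)
		if [ $chaincnt -lt 3 ]; then
			tst_res TFAIL "$cmd failed to list rules."
			cat tst_iptables.out
			return
		else
			tst_res TINFO "$cmd lists rules."
		fi
	fi

	local cmd="iptables -L -t nat"
	tst_res TINFO "$cmd will list all rules in table nat."
	$cmd > tst_iptables.out 2>&1
	if [ $? -ne 0 ]; then
		tst_res TFAIL "$cmd failed to list rules."
		cat tst_iptables.out
		return
	else
		chaincnt=$(grep -c Chain tst_iptables.out)
		if [ $chaincnt -lt 3 ]; then
			tst_res TFAIL "$cmd failed to list rules."
			cat tst_iptables.out
			return
		else
			tst_res TINFO "$cmd lists rules."
		fi
	fi

	local cmd="iptables -L -t mangle"
	tst_res TINFO "$cmd will list all rules in table mangle."
	$cmd > tst_iptables.out 2>&1
	if [ $? -ne 0 ]; then
		tst_res TFAIL "$cmd failed to list rules."
		cat tst_iptables.out
		return
	else
		chaincnt=$(grep -c Chain tst_iptables.out)
		if [ $chaincnt -lt 5 ]; then
			tst_res TFAIL "$cmd failed to list rules."
			cat tst_iptables.out
			# Return here like the other failure branches so a
			# TFAIL is not immediately followed by the TPASS below.
			return
		else
			tst_res TINFO "$cmd lists rules."
		fi
	fi

	tst_res TPASS "iptables -L lists rules."
}

# test2: a DROP rule for ICMP from 127.0.0.1 must make ping to loopback fail
# with 100% packet loss, and removing the rule must make ping work again.
# A ping failure after the rule is gone is reported as TFAIL (with a hint
# that a default-deny policy on the distribution can cause it).
test2()
{
	tst_res TINFO "Use iptables to DROP packets from particular IP"
	tst_res TINFO "Rule to block icmp from 127.0.0.1"

	iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP > tst_iptables.out 2>&1
	if [ $? -ne 0 ]; then
		tst_res TFAIL "iptables command failed to append new rule."
		cat tst_iptables.out
		return
	fi

	tst_res TINFO "Pinging 127.0.0.1"
	ping -c 2 127.0.0.1 > tst_iptables.out 2>&1
	if [ $? -ne 0 ]; then
		# ping failing is only the expected outcome if it was the DROP
		# rule that caused it, i.e. every packet was lost.
		grep "100% packet loss" tst_iptables.out > tst_iptables.err 2>&1
		if [ $? -ne 0 ]; then
			tst_res TFAIL \
				"iptables did not block packets from loopback"
			cat tst_iptables.err
			return
		else
			tst_res TINFO "Ping 127.0.0.1 not successful."
		fi
	else
		tst_res TFAIL "iptables did not block icmp from 127.0.0.1"
		cat tst_iptables.out
		return
	fi

	# Delete by position: the rule appended above is the only one in
	# INPUT because init() flushed the chain.
	tst_res TINFO "Deleting icmp DROP from 127.0.0.1 rule."
	iptables -D INPUT 1 > tst_iptables.out 2>&1
	if [ $? -ne 0 ]; then
		tst_res TFAIL "iptables did not remove the rule."
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "Pinging 127.0.0.1 again"
	ping -c 2 127.0.0.1 > tst_iptables.out 2>&1
	if [ $? -ne 0 ]; then
		tst_res TFAIL "iptables blocking loopback. This is expected" \
			      "behaviour on certain distributions where" \
			      "enabling firewall drops all packets by default."
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "Ping succsess"
	tst_res TPASS "iptables can DROP packets from particular IP."
}

# test3: same shape as test2, but with a REJECT rule matching only ICMP
# echo-request to 127.0.0.1. From ping's point of view DROP and REJECT both
# show up as 100% packet loss, which is what the check looks for.
test3()
{
	tst_res TINFO "Use iptables to REJECT ping request."
	tst_res TINFO "Rule to reject ping request."

	iptables -A INPUT -p icmp --icmp-type echo-request -d 127.0.0.1 -j \
		 REJECT > tst_iptables.out 2>&1
	if [ $? -ne 0 ]; then
		tst_res TFAIL "iptables command failed to append new rule."
		cat tst_iptables.out
		return
	fi

	tst_res TINFO "Pinging 127.0.0.1"
	ping -c 2 127.0.0.1 > tst_iptables.out 2>&1
	if [ $? -ne 0 ]; then
		grep "100% packet loss" tst_iptables.out > tst_iptables.err 2>&1
		if [ $? -ne 0 ]; then
			tst_res TFAIL "iptables did not block ping request."
			cat tst_iptables.err
			return
		else
			tst_res TINFO "Ping 127.0.0.1 not successful."
		fi
	else
		tst_res TFAIL "iptables did not reject ping request."
		cat tst_iptables.out
		return
	fi

	# Delete by position; relies on INPUT holding only this rule.
	tst_res TINFO "Deleting icmp request REJECT rule."
	iptables -D INPUT 1 > tst_iptables.out 2>&1
	if [ $? -ne 0 ]; then
		tst_res TFAIL "iptables did not remove the rule."
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "Pinging 127.0.0.1 again"
	ping -c 2 127.0.0.1 > tst_iptables.out 2>&1
	if [ $? -ne 0 ]; then
		tst_res TFAIL "iptables blocking ping requests. This is" \
			      "expected behaviour on certain distributions" \
			      "where enabling firewall drops all packets by" \
			      "default."
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "Ping succsess"
	tst_res TPASS "iptables can REJECT ping requests."
}

# test4: a LOG rule for TCP to 127.0.0.1:45886 must produce a kernel log line
# carrying our prefix when a connection to that port is attempted.
#
# The prefix is TCID (set by the LTP library, not by this script) plus a
# timestamp, so log lines from this run can be told apart from earlier runs
# in the same dmesg buffer. The telnet is expected to FAIL (nothing listens
# on the port); its only purpose is to send a SYN through the INPUT chain.
test4()
{
	local dport=45886
	local logprefix="${TCID}$(date +%m%d%H%M%S):"

	tst_res TINFO "Use iptables to log packets to particular port."
	tst_res TINFO "Rule to log tcp packets to particular port."

	iptables -A INPUT -p tcp -d 127.0.0.1 --dport $dport -j LOG \
		 --log-prefix "$logprefix" > tst_iptables.out 2>&1
	if [ $? -ne 0 ]; then
		tst_res TFAIL "iptables command failed to append new rule."
		cat tst_iptables.out
		return
	fi

	tst_res TINFO "telnet 127.0.0.1 $dport"
	telnet 127.0.0.1 $dport > tst_iptables.out 2>&1
	if [ $? -ne 0 ]; then
		# Give the kernel log a moment before reading it back.
		sleep 2
		dmesg | grep "$logprefix" > tst_iptables.err 2>&1
		if [ $? -ne 0 ]; then
			tst_res TFAIL \
				"iptables did not log packets to port $dport"
			cat tst_iptables.err
			return
		else
			tst_res TINFO "Packets to port $dport logged."
		fi
	else
		tst_res TFAIL "telnet to 127.0.0.1 $dport should fail."
		cat tst_iptables.out
		return
	fi

	# Delete by position; relies on INPUT holding only this rule.
	tst_res TINFO "Deleting the rule to log."
	iptables -D INPUT 1 > tst_iptables.out 2>&1
	if [ $? -ne 0 ]; then
		tst_res TFAIL "iptables did not remove the rule."
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "iptables logging succsess"
	tst_res TPASS "iptables can log packets to particular port."
}

# test5: two LOG rules — one with a port range (45801:45803) and one with
# `-m multiport` (45804,45806,45805) — must log a connection attempt to each
# of the six ports. The per-port check greps the prefix and then the
# "=<port> " fragment of the LOG target's DPT= field.
#
# Both rules are installed at once, so this test finishes with `iptables -F`
# instead of deleting by index.
test5()
{
	local dport=0
	local logprefix="${TCID}$(date +%m%d%H%M%S):"

	tst_res TINFO "Use iptables to log packets to multiple ports."
	tst_res TINFO "Rule to log tcp packets to port 45801 - 45803."

	iptables -A INPUT -p tcp -d 127.0.0.1 --dport 45801:45803 -j LOG \
		 --log-prefix "$logprefix" > tst_iptables.out 2>&1
	if [ $? -ne 0 ]; then
		tst_res TFAIL "iptables command failed to append new rule."
		cat tst_iptables.out
		return
	fi

	tst_res TINFO "Rule to log tcp packets to port 45804 - 45806."
	iptables -A INPUT -p tcp -d 127.0.0.1 -m multiport --dports \
		 45804,45806,45805 -j LOG --log-prefix "$logprefix" \
		 > tst_iptables.out 2>&1
	if [ $? -ne 0 ]; then
		tst_res TFAIL "iptables command failed to append new rule."
		cat tst_iptables.out
		return
	fi

	for dport in 45801 45802 45803 45804 45805 45806; do
		tst_res TINFO "telnet 127.0.0.1 $dport"
		telnet 127.0.0.1 $dport > tst_iptables.out 2>&1
		if [ $? -ne 0 ]; then
			sleep 2
			dmesg | grep "$logprefix" | grep "=$dport " \
				> tst_iptables.err 2>&1
			if [ $? -ne 0 ]; then
				tst_res TFAIL "iptables did not log packets" \
					      "to port $dport"
				cat tst_iptables.err
				return
			else
				tst_res TINFO "Packets to port $dport logged."
			fi
		else
			tst_res TFAIL "telnet to 127.0.0.1 $dport should fail."
			cat tst_iptables.out
			return
		fi
	done

	tst_res TINFO "Flushing all rules."
	iptables -F > tst_iptables.out 2>&1
	if [ $? -ne 0 ]; then
		tst_res TFAIL "iptables did not flush all rules."
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "iptables logging succsess"
	tst_res TPASS "iptables can log packets to multiple ports."
}

# test6: a LOG rule for echo-request to 127.0.0.1 combined with `-m limit`
# (default rate, i.e. a burst of 5) must record exactly 5 of 10 pings. The
# count is the number of dmesg lines carrying this run's prefix, so it
# assumes no other line in the buffer contains the same prefix.
test6()
{
	local logcnt=0
	local logprefix="${TCID}$(date +%m%d%H%M%S):"

	tst_res TINFO "Use iptables to log ping request with limited rate."
	tst_res TINFO "Rule to log ping request."

	iptables -A INPUT -p icmp --icmp-type echo-request -d 127.0.0.1 -m \
		 limit -j LOG --log-prefix "$logprefix" > tst_iptables.out 2>&1
	if [ $? -ne 0 ]; then
		tst_res TFAIL "iptables command failed to append new rule."
		cat tst_iptables.out
		return
	fi

	# LOG is non-terminating, so the pings themselves must succeed.
	tst_res TINFO "ping 127.0.0.1"
	ping -c 10 127.0.0.1 > tst_iptables.out 2>&1
	if [ $? -eq 0 ]; then
		sleep 2
		logcnt=$(dmesg | grep -c "$logprefix")
		if [ $logcnt -ne 5 ]; then
			tst_res TFAIL "iptables did not log packets with" \
				      "limited rate."
			cat tst_iptables.out
			return
		else
			tst_res TINFO "ping requests logged with limited rate."
		fi
	else
		tst_res TFAIL "ping to 127.0.0.1 failed. This is expected" \
			      "behaviour on certain distributions where" \
			      "enabling firewall drops all packets by default."
		cat tst_iptables.out
		return
	fi

	# Delete by position; relies on INPUT holding only this rule.
	tst_res TINFO "Deleting the rule to log."
	iptables -D INPUT 1 > tst_iptables.out 2>&1
	if [ $? -ne 0 ]; then
		tst_res TFAIL "iptables did not remove the rule."
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "iptables limited logging succsess"
	tst_res TPASS "iptables can log packets with limited rate."
}

tst_run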