      1 #!/bin/sh
      2 # SPDX-License-Identifier: GPL-2.0-or-later
      3 # Copyright (c) 2018 Oracle and/or its affiliates. All Rights Reserved.
      4 # Copyright (c) International Business Machines  Corp., 2001
      5 #
      6 #  Author:	Jan 20 2004 Hubert Lin <linux02NOSPAAAM (at] tw.ibm.com>
      7 #				       <hubertNOSPAAAM (at] symbio.com.tw>
      8 
      9 TST_CNT=6
     10 TST_SETUP="init"
     11 TST_TESTFUNC="test"
     12 TST_CLEANUP="cleanup"
     13 TST_NEEDS_TMPDIR=1
     14 TST_NEEDS_ROOT=1
     15 TST_NEEDS_CMDS="iptables grep ping telnet"
     16 
     17 . tst_test.sh
     18 
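# Setup: confirm that iptables is usable on this kernel and start from empty
# tables.
#
# NOTE(review): this flushes every rule in the host's filter, nat and mangle
# tables (chain policies are left untouched).  The suite is meant for a
# dedicated test machine; do not run it on a host whose firewall matters.
init()
{
	local table

	tst_res TINFO "INIT: Initializing tests."

	# modprobe can fail even when iptables works (e.g. support built into
	# the kernel, or no module tree), so fall back to a harmless listing
	# before concluding that there is no iptables support at all.
	if ! modprobe ip_tables; then
		if ! iptables -L > tst_iptables.out 2>&1; then
			tst_brk TCONF "no iptables support in kernel."
		fi
	fi

	tst_res TINFO "INIT: Flushing all rules."
	for table in filter nat mangle; do
		# Best effort: a table whose module is unavailable cannot be
		# flushed, and the tests in this file only add rules to the
		# filter table's INPUT chain.
		iptables -F -t "$table" > tst_iptables.out 2>&1
	done
}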
     36 
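# Teardown: remove whatever rules the tests left behind, then unload the
# netfilter modules the suite pulled in.
#
# The tables are flushed unconditionally.  A test that fails after appending
# its rule (e.g. the ICMP DROP in test2) returns without deleting it, and on a
# kernel with ip_tables built in "lsmod" never lists the module, so gating the
# flush on lsmod (as this function used to) could leave test rules active on
# the host.  Only the module removal is still gated on the module being
# loaded.  NOTE(review): rmmod of nf_conntrack/nf_nat affects the whole host;
# another reason to keep this suite on a dedicated test machine.
cleanup()
{
	local table

	for table in filter nat mangle; do
		iptables -F -t "$table" > tst_iptables.out 2>&1
	done

	# Anchor the match so the check is for the ip_tables module itself,
	# not for any module name that merely contains the string.
	if lsmod | grep -q "^ip_tables "; then
		rmmod -v ipt_limit ipt_multiport ipt_LOG ipt_REJECT \
			 iptable_mangle iptable_nat ip_conntrack \
			 iptable_filter ip_tables nf_nat_ipv4 nf_nat \
			 nf_log_ipv4 nf_log_common nf_reject_ipv4 \
			 nf_conntrack_ipv4 nf_defrag_ipv4 nf_conntrack \
			 > tst_iptables.out 2>&1
	fi
}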
     52 
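# Helper for test1: list table $1 and require at least $2 "Chain" headers in
# the output.  Reports TFAIL and returns non-zero when the listing fails or
# shows fewer chains than expected; returns 0 otherwise.
iptables_list_table()
{
	local table="$1"
	local min_chains="$2"
	local cmd="iptables -L -t $table"
	local chaincnt

	tst_res TINFO "$cmd will list all rules in table $table."
	# $cmd is intentionally unquoted: it holds a command plus arguments.
	if ! $cmd > tst_iptables.out 2>&1; then
		tst_res TFAIL "$cmd failed to list rules."
		cat tst_iptables.out
		return 1
	fi

	chaincnt=$(grep -c Chain tst_iptables.out)
	if [ "$chaincnt" -lt "$min_chains" ]; then
		tst_res TFAIL "$cmd failed to list rules."
		cat tst_iptables.out
		return 1
	fi

	tst_res TINFO "$cmd lists rules."
	return 0
}

# test1: "iptables -L" must list the chains of the filter, nat and mangle
# tables.  The minimum chain counts (3 for filter and nat, 5 for mangle) are
# the ones the original test expected for the built-in chains.
#
# Fix: the mangle check used to fall through to TPASS after reporting TFAIL,
# so a broken mangle table produced both verdicts for the same test.
test1()
{
	iptables_list_table filter 3 || return
	iptables_list_table nat 3 || return
	iptables_list_table mangle 5 || return

	tst_res TPASS "iptables -L lists rules."
}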
    112 
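# test2: a DROP rule for ICMP from 127.0.0.1 must make ping to loopback fail
# with 100% packet loss, and deleting the rule must make ping work again.
#
# The rule is deleted by its full specification instead of "-D INPUT 1":
# deleting by position removes whatever happens to be first in INPUT, which
# is our rule only if nothing else touched the chain in the meantime.
test2()
{
	tst_res TINFO "Use iptables to DROP packets from particular IP"
	tst_res TINFO "Rule to block icmp from 127.0.0.1"

	if ! iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP \
		> tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables command failed to append new rule."
		cat tst_iptables.out
		return
	fi

	tst_res TINFO "Pinging 127.0.0.1"
	if ping -c 2 127.0.0.1 > tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables did not block icmp from 127.0.0.1"
		cat tst_iptables.out
		return
	fi
	# ping failed; confirm it was because every packet was dropped and
	# not because of some unrelated error.  Show the ping output (not an
	# empty grep result) when that is not the case.
	if ! grep -q "100% packet loss" tst_iptables.out; then
		tst_res TFAIL "iptables did not block packets from loopback"
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "Ping 127.0.0.1 not successful."

	tst_res TINFO "Deleting icmp DROP from 127.0.0.1 rule."
	if ! iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP \
		> tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables did not remove the rule."
		cat tst_iptables.out
		return
	fi

	tst_res TINFO "Pinging 127.0.0.1 again"
	if ! ping -c 2 127.0.0.1 > tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables blocking loopback. This is expected" \
			       "behaviour on certain distributions where" \
			       "enabling firewall drops all packets by default."
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "Ping success"
	tst_res TPASS "iptables can DROP packets from particular IP."
}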
    162 
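# test3: a REJECT rule for ICMP echo requests to 127.0.0.1 must make ping to
# loopback fail with 100% packet loss, and deleting the rule must make ping
# work again.
#
# The rule is deleted by its full specification instead of "-D INPUT 1" so
# that only the rule this test appended can be removed.
test3()
{
	tst_res TINFO "Use iptables to REJECT ping request."
	tst_res TINFO "Rule to reject ping request."

	if ! iptables -A INPUT -p icmp --icmp-type echo-request -d 127.0.0.1 \
		-j REJECT > tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables command failed to append new rule."
		cat tst_iptables.out
		return
	fi

	tst_res TINFO "Pinging 127.0.0.1"
	if ping -c 2 127.0.0.1 > tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables did not reject ping request."
		cat tst_iptables.out
		return
	fi
	# ping failed; confirm every request was rejected rather than some
	# unrelated error, and show the ping output if not.
	if ! grep -q "100% packet loss" tst_iptables.out; then
		tst_res TFAIL "iptables did not block ping request."
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "Ping 127.0.0.1 not successful."

	tst_res TINFO "Deleting icmp request REJECT rule."
	if ! iptables -D INPUT -p icmp --icmp-type echo-request -d 127.0.0.1 \
		-j REJECT > tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables did not remove the rule."
		cat tst_iptables.out
		return
	fi

	tst_res TINFO "Pinging 127.0.0.1 again"
	if ! ping -c 2 127.0.0.1 > tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables blocking ping requests. This is" \
			      "expected behaviour on certain distributions" \
			      "where enabling firewall drops all packets by" \
			      "default."
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "Ping success"
	tst_res TPASS "iptables can REJECT ping requests."
}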
    213 
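# test4: a LOG rule for TCP to 127.0.0.1:45886 must produce a kernel log line
# carrying our prefix when a connection attempt to that port is made.
#
# Assumes nothing listens on the port (telnet must fail) and that TCID is
# short enough to keep the prefix within the LOG target's prefix length
# limit -- TODO confirm on the target.  The rule is deleted by its full
# specification rather than "-D INPUT 1".
test4()
{
	local dport=45886
	local logprefix="${TCID}$(date +%m%d%H%M%S):"

	tst_res TINFO "Use iptables to log packets to particular port."
	tst_res TINFO "Rule to log tcp packets to particular port."

	if ! iptables -A INPUT -p tcp -d 127.0.0.1 --dport "$dport" -j LOG \
		 --log-prefix "$logprefix" > tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables command failed to append new rule."
		cat tst_iptables.out
		return
	fi

	tst_res TINFO "telnet 127.0.0.1 $dport"
	if telnet 127.0.0.1 "$dport" > tst_iptables.out 2>&1; then
		tst_res TFAIL "telnet to 127.0.0.1 $dport should fail."
		cat tst_iptables.out
		return
	fi
	# Give the kernel log a moment, then require a line with our prefix
	# whose destination port is the one we connected to.
	sleep 2
	if ! dmesg | grep "$logprefix" | grep -q "DPT=$dport "; then
		tst_res TFAIL "iptables did not log packets to port $dport"
		return
	fi
	tst_res TINFO "Packets to port $dport logged."

	tst_res TINFO "Deleting the rule to log."
	if ! iptables -D INPUT -p tcp -d 127.0.0.1 --dport "$dport" -j LOG \
		 --log-prefix "$logprefix" > tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables did not remove the rule."
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "iptables logging success"
	tst_res TPASS "iptables can log packets to particular port."
}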
    259 
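# test5: two LOG rules -- a port range (45801:45803) and a multiport list
# (45804,45806,45805) -- must each log a connection attempt to every port
# they cover.
#
# Fix: the log line is now matched on "DPT=<port> ".  The old pattern
# "=<port> " also matched "SPT=<port> ", and 45801-45806 lie inside the usual
# ephemeral source-port range, so an earlier connection's source port could
# have satisfied the check for a port that was never logged.  The two rules
# are deleted by their specification instead of flushing the whole table.
test5()
{
	local dport=0
	local rc=0
	local logprefix="${TCID}$(date +%m%d%H%M%S):"

	tst_res TINFO "Use iptables to log packets to multiple ports."
	tst_res TINFO "Rule to log tcp packets to port 45801 - 45803."
	if ! iptables -A INPUT -p tcp -d 127.0.0.1 --dport 45801:45803 -j LOG \
		 --log-prefix "$logprefix" > tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables command failed to append new rule."
		cat tst_iptables.out
		return
	fi

	tst_res TINFO "Rule to log tcp packets to port 45804 - 45806."
	if ! iptables -A INPUT -p tcp -d 127.0.0.1 -m multiport --dports \
		 45804,45806,45805 -j LOG --log-prefix "$logprefix" \
		 > tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables command failed to append new rule."
		cat tst_iptables.out
		return
	fi

	for dport in 45801 45802 45803 45804 45805 45806; do
		tst_res TINFO "telnet 127.0.0.1 $dport"
		if telnet 127.0.0.1 "$dport" > tst_iptables.out 2>&1; then
			tst_res TFAIL "telnet to 127.0.0.1 $dport should fail."
			cat tst_iptables.out
			return
		fi
		sleep 2
		if ! dmesg | grep "$logprefix" | grep -q "DPT=$dport "; then
			tst_res TFAIL "iptables did not log packets" \
				       "to port $dport"
			return
		fi
		tst_res TINFO "Packets to port $dport logged."
	done

	tst_res TINFO "Deleting the rules to log."
	# Attempt both deletions even if the first fails, so a single error
	# does not leave the second rule behind.
	iptables -D INPUT -p tcp -d 127.0.0.1 --dport 45801:45803 -j LOG \
		 --log-prefix "$logprefix" > tst_iptables.out 2>&1 || rc=1
	iptables -D INPUT -p tcp -d 127.0.0.1 -m multiport --dports \
		 45804,45806,45805 -j LOG --log-prefix "$logprefix" \
		 >> tst_iptables.out 2>&1 || rc=1
	if [ "$rc" -ne 0 ]; then
		tst_res TFAIL "iptables did not remove the rules."
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "iptables logging success"
	tst_res TPASS "iptables can log packets to multiple ports."
}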
    317 
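# test6: a LOG rule for echo requests combined with the limit match must log
# only a bounded number of the 10 pings.  With no rate arguments the limit
# match uses its defaults (3/hour, burst 5 per the iptables documentation),
# which is why exactly 5 logged lines are expected for a freshly added rule.
#
# The rule is deleted by its full specification rather than "-D INPUT 1".
test6()
{
	local logcnt=0
	local logprefix="${TCID}$(date +%m%d%H%M%S):"

	tst_res TINFO "Use iptables to log ping request with limited rate."
	tst_res TINFO "Rule to log ping request."

	if ! iptables -A INPUT -p icmp --icmp-type echo-request -d 127.0.0.1 \
		 -m limit -j LOG --log-prefix "$logprefix" \
		 > tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables command failed to append new rule."
		cat tst_iptables.out
		return
	fi

	tst_res TINFO "ping 127.0.0.1"
	if ! ping -c 10 127.0.0.1 > tst_iptables.out 2>&1; then
		tst_res TFAIL "ping to 127.0.0.1 failed. This is expected" \
			      "behaviour on certain distributions where" \
			      "enabling firewall drops all packets by default."
		cat tst_iptables.out
		return
	fi
	sleep 2
	logcnt=$(dmesg | grep -c "$logprefix")
	if [ "$logcnt" -ne 5 ]; then
		# Report the actual count: the ping output alone says nothing
		# about what the LOG target did.
		tst_res TFAIL "iptables did not log packets with" \
			      "limited rate (logged $logcnt, expected 5)."
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "ping requests logged with limited rate."

	tst_res TINFO "Deleting the rule to log."
	if ! iptables -D INPUT -p icmp --icmp-type echo-request -d 127.0.0.1 \
		 -m limit -j LOG --log-prefix "$logprefix" \
		 > tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables did not remove the rule."
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "iptables limited logging success"
	tst_res TPASS "iptables can log packets with limited rate."
}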
    365 
    366 tst_run
    367