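#!/bin/sh
################################################################################
##                                                                            ##
## Copyright (c) International Business Machines  Corp., 2001                 ##
##                                                                            ##
## This program is free software;  you can redistribute it and#or modify      ##
## it under the terms of the GNU General Public License as published by       ##
## the Free Software Foundation; either version 2 of the License, or          ##
## (at your option) any later version.                                        ##
##                                                                            ##
## This program is distributed in the hope that it will be useful, but        ##
## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ##
## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License    ##
## for more details.                                                          ##
##                                                                            ##
## You should have received a copy of the GNU General Public License          ##
## along with this program;  if not, write to the Free Software Foundation,   ##
## Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA           ##
##                                                                            ##
################################################################################
# Author: Jan 20 2004 Hubert Lin <linux02NOSPAAAM (at] tw.ibm.com>
#                                <hubertNOSPAAAM (at] symbio.com.tw>
#
# Exercises the iptables user-space tool against the running kernel:
#   test01 - listing the filter, nat and mangle tables
#   test02 - DROP of ICMP from 127.0.0.1
#   test03 - REJECT of ICMP echo-request to 127.0.0.1
#   test04 - LOG target on a single TCP port
#   test05 - LOG target on a port range and a multiport match
#   test06 - LOG target with the limit match (rate limiting)
#
# Requirements: root, an iptables binary, ping and a telnet client
# (test04/test05).  Every test case rewrites the firewall of the host it
# runs on: init() and cleanup() flush the filter, nat and mangle tables
# and cleanup() unloads the netfilter modules.  Pre-existing rules are NOT
# saved or restored, so run this only on a disposable test host.
#
# All command output is captured in tst_iptables.out inside the LTP temp
# directory.  Every redirection truncates the file, so it only ever holds
# the output of the most recent command.

export TCID="iptables"
export TST_TOTAL=6

. test.sh

#######################################
# Loads ip_tables (when it is a module), verifies the kernel supports
# iptables at all and empties the three tables the tests touch.
# Globals:   none
# Outputs:   TINFO via tst_resm; aborts with TBROK without iptables support
#######################################
init()
{
	tst_tmpdir

	tst_resm TINFO "INIT: Inititalizing tests."

	# modprobe fails when ip_tables is built into the kernel (or there is
	# no module support at all), so the real probe is whether the tool can
	# talk to the kernel.
	if ! modprobe ip_tables; then
		if ! iptables -L > tst_iptables.out 2>&1; then
			tst_brkm TBROK "no iptables support in kernel."
		fi
	fi

	# Destructive: discards every rule currently in these tables.
	tst_resm TINFO "INIT: Flushing all rules."
	iptables -F -t filter > tst_iptables.out 2>&1
	iptables -F -t nat > tst_iptables.out 2>&1
	iptables -F -t mangle > tst_iptables.out 2>&1
}

#######################################
# Flushes the tables again and unloads the netfilter modules, then removes
# the temp directory.  The rmmod list is best effort: modules that are
# built in, absent, or still in use fail to unload and the output is
# discarded on purpose.  Unloading the conntrack modules may also drop
# connection-tracking state the host relied on before the test ran.
#######################################
cleanup()
{
	if lsmod | grep -q "ip_tables"; then
		iptables -F -t filter > tst_iptables.out 2>&1
		iptables -F -t nat > tst_iptables.out 2>&1
		iptables -F -t mangle > tst_iptables.out 2>&1
		rmmod -v ipt_limit ipt_multiport ipt_LOG ipt_REJECT \
			iptable_mangle iptable_nat ip_conntrack \
			iptable_filter ip_tables nf_nat_ipv4 nf_nat \
			nf_log_ipv4 nf_log_common nf_reject_ipv4 \
			nf_conntrack_ipv4 nf_defrag_ipv4 nf_conntrack \
			> tst_iptables.out 2>&1
	fi
	tst_rmdir
}

#######################################
# Appends a rule and reports TFAIL (with the iptables output) if the
# kernel or the tool rejects it.
# Arguments: everything that follows "iptables -A"
# Returns:   0 on success, 1 if the rule was not added
#######################################
append_rule()
{
	if ! iptables -A "$@" > tst_iptables.out 2>&1; then
		tst_resm TFAIL "iptables command failed to append new rule."
		cat tst_iptables.out
		return 1
	fi
	return 0
}

#######################################
# Deletes rule 1 of the INPUT chain.  The callers rely on INPUT having
# been empty when they appended their single rule; a test that bails out
# early leaves its rule behind and the next test then deletes the wrong
# one -- the per-test flush in init() is the only thing that resets this.
# Returns:   0 on success, 1 if iptables refused
#######################################
delete_first_input_rule()
{
	if ! iptables -D INPUT 1 > tst_iptables.out 2>&1; then
		tst_resm TFAIL "iptables did not remove the rule."
		cat tst_iptables.out
		return 1
	fi
	return 0
}

#######################################
# Reports TCONF and fails when no telnet client is installed.  Without
# this, a missing telnet exits non-zero exactly like a refused connection
# and the caller would report a misleading logging failure.
# Returns:   0 if telnet is available, 1 otherwise
#######################################
require_telnet()
{
	if ! command -v telnet > /dev/null 2>&1; then
		tst_resm TCONF "telnet client not installed"
		return 1
	fi
	return 0
}

#######################################
# Looks in the kernel log for a LOG-target entry carrying the given prefix
# and, when a port is given, the " DPT=<port> " field.
# Arguments: $1 - log prefix; $2 - destination port (optional)
# Returns:   0 if at least one matching line exists, 1 otherwise
#######################################
log_entry_present()
{
	local prefix=$1
	local port=$2

	# The LOG target writes to the ring buffer asynchronously; give it a
	# moment before reading (the 2 s matches what the test always used).
	sleep 2
	# -F: the prefix and port are literal text, not patterns.
	if [ -n "$port" ]; then
		dmesg | grep -F -- "$prefix" | grep -q -F -- "=$port "
	else
		dmesg | grep -q -F -- "$prefix"
	fi
}

#######################################
# Lists one table and checks that at least $2 chains are printed.
# Arguments: $1 - table name; $2 - minimum number of "Chain" header lines
# Outputs:   TINFO/TFAIL via tst_resm; the iptables output on failure
# Returns:   0 if the table lists with enough chains, 1 otherwise
#######################################
list_table_chains()
{
	local table=$1
	local minchains=$2
	local cmd="iptables -L -t $table"
	local chaincnt

	tst_resm TINFO "$cmd will list all rules in table $table."
	# $cmd is deliberately unquoted: it holds a command plus arguments.
	if ! $cmd > tst_iptables.out 2>&1; then
		tst_resm TFAIL "$cmd failed to list rules."
		cat tst_iptables.out
		return 1
	fi

	chaincnt=$(grep -c Chain tst_iptables.out)
	if [ "$chaincnt" -lt "$minchains" ]; then
		tst_resm TFAIL "$cmd failed to list rules."
		cat tst_iptables.out
		return 1
	fi

	tst_resm TINFO "$cmd lists rules."
	return 0
}

#######################################
# test01: "iptables -L" works for every table and shows the built-in
# chains (3 for filter and nat, 5 for mangle).  A failure in any table now
# ends the test without the TPASS; previously a short mangle listing still
# reported TPASS.
#######################################
test01()
{
	list_table_chains filter 3 || return
	list_table_chains nat 3 || return
	list_table_chains mangle 5 || return

	tst_resm TPASS "iptables -L lists rules."
}

#######################################
# test02: a DROP rule for ICMP from 127.0.0.1 makes ping fail with 100%
# loss, and deleting the rule makes ping work again.
#######################################
test02()
{
	tst_resm TINFO "Use iptables to DROP packets from particular IP"
	tst_resm TINFO "Rule to block icmp from 127.0.0.1"

	append_rule INPUT -s 127.0.0.1 -p icmp -j DROP || return

	tst_resm TINFO "Pinging 127.0.0.1"
	if ping -c 2 127.0.0.1 > tst_iptables.out 2>&1; then
		tst_resm TFAIL "iptables did not block icmp from 127.0.0.1"
		cat tst_iptables.out
		return
	fi
	# ping failed; make sure it was because every packet was dropped and
	# not because of some unrelated error.  Print the ping output, not the
	# (empty) grep output, when this check fails.
	if ! grep -q "100% packet loss" tst_iptables.out; then
		tst_resm TFAIL "iptables did not block packets from loopback"
		cat tst_iptables.out
		return
	fi
	tst_resm TINFO "Ping 127.0.0.1 not successful."

	tst_resm TINFO "Deleting icmp DROP from 127.0.0.1 rule."
	delete_first_input_rule || return

	tst_resm TINFO "Pinging 127.0.0.1 again"
	if ! ping -c 2 127.0.0.1 > tst_iptables.out 2>&1; then
		tst_resm TFAIL "iptables blocking loopback. This is expected" \
			"behaviour on certain distributions where" \
			"enabling firewall drops all packets by default."
		cat tst_iptables.out
		return
	fi
	tst_resm TINFO "Ping succsess"
	tst_resm TPASS "iptables can DROP packets from particular IP."
}

#######################################
# test03: a REJECT rule for echo-request to 127.0.0.1 makes ping fail with
# 100% loss, and deleting the rule makes ping work again.
#######################################
test03()
{
	tst_resm TINFO "Use iptables to REJECT ping request."
	tst_resm TINFO "Rule to reject ping request."

	append_rule INPUT -p icmp --icmp-type echo-request -d 127.0.0.1 -j \
		REJECT || return

	tst_resm TINFO "Pinging 127.0.0.1"
	if ping -c 2 127.0.0.1 > tst_iptables.out 2>&1; then
		tst_resm TFAIL "iptables did not reject ping request."
		cat tst_iptables.out
		return
	fi
	if ! grep -q "100% packet loss" tst_iptables.out; then
		tst_resm TFAIL "iptables did not block ping request."
		cat tst_iptables.out
		return
	fi
	tst_resm TINFO "Ping 127.0.0.1 not successful."

	tst_resm TINFO "Deleting icmp request REJECT rule."
	delete_first_input_rule || return

	tst_resm TINFO "Pinging 127.0.0.1 again"
	if ! ping -c 2 127.0.0.1 > tst_iptables.out 2>&1; then
		tst_resm TFAIL "iptables blocking ping requests. This is" \
			"expected behaviour on certain distributions" \
			"where enabling firewall drops all packets by" \
			"default." 
		cat tst_iptables.out
		return
	fi
	tst_resm TINFO "Ping succsess"
	tst_resm TPASS "iptables can REJECT ping requests."
}

#######################################
# test04: a LOG rule on one TCP port produces a kernel-log line carrying
# the configured prefix.  Nothing listens on the port, so the telnet
# connection is expected to be refused; the SYN still traverses INPUT and
# is logged.  The prefix embeds a timestamp so stale log lines from an
# earlier run are not matched.
#######################################
test04()
{
	local dport=45886
	local logprefix="$TCID-$(date +%m%d%H%M%S):"

	tst_resm TINFO "Use iptables to log packets to particular port."
	tst_resm TINFO "Rule to log tcp packets to particular port."

	require_telnet || return

	append_rule INPUT -p tcp -d 127.0.0.1 --dport $dport -j LOG \
		--log-prefix "$logprefix" || return

	tst_resm TINFO "telnet 127.0.0.1 $dport"
	if telnet 127.0.0.1 $dport > tst_iptables.out 2>&1; then
		tst_resm TFAIL "telnet to 127.0.0.1 $dport should fail."
		cat tst_iptables.out
		return
	fi
	if ! log_entry_present "$logprefix"; then
		tst_resm TFAIL "iptables did not log packets to port $dport"
		cat tst_iptables.out
		return
	fi
	tst_resm TINFO "Packets to port $dport logged."

	tst_resm TINFO "Deleting the rule to log."
	delete_first_input_rule || return

	tst_resm TINFO "iptables logging succsess"
	tst_resm TPASS "iptables can log packets to particular port."
}

#######################################
# test05: LOG rules using a --dport range and a multiport match each log
# the destination port of every probed connection.  This test ends with a
# full "iptables -F", which flushes every chain of the filter table, not
# just the two rules it added.
#######################################
test05()
{
	local dport
	local logprefix="$TCID-$(date +%m%d%H%M%S):"

	tst_resm TINFO "Use iptables to log packets to multiple ports."

	require_telnet || return

	tst_resm TINFO "Rule to log tcp packets to port 45801 - 45803."
	append_rule INPUT -p tcp -d 127.0.0.1 --dport 45801:45803 -j LOG \
		--log-prefix "$logprefix" || return

	# The multiport list is given out of order; that appears deliberate
	# (the match should not require sorted ports).
	tst_resm TINFO "Rule to log tcp packets to port 45804 - 45806."
	append_rule INPUT -p tcp -d 127.0.0.1 -m multiport --dports \
		45804,45806,45805 -j LOG --log-prefix "$logprefix" || return

	for dport in 45801 45802 45803 45804 45805 45806; do
		tst_resm TINFO "telnet 127.0.0.1 $dport"
		if telnet 127.0.0.1 $dport > tst_iptables.out 2>&1; then
			tst_resm TFAIL "telnet to 127.0.0.1 $dport should fail."
			cat tst_iptables.out
			return
		fi
		if ! log_entry_present "$logprefix" "$dport"; then
			tst_resm TFAIL "iptables did not log packets" \
				"to port $dport"
			cat tst_iptables.out
			return
		fi
		tst_resm TINFO "Packets to port $dport logged."
	done

	tst_resm TINFO "Flushing all rules."
	if ! iptables -F > tst_iptables.out 2>&1; then
		tst_resm TFAIL "iptables did not flush all rules."
		cat tst_iptables.out
		return
	fi
	tst_resm TINFO "iptables logging succsess"
	tst_resm TPASS "iptables can log packets to multiple ports."
}

#######################################
# test06: a LOG rule combined with "-m limit" (no explicit rate, so the
# match's defaults apply) logs exactly 5 of 10 echo requests.  The count
# is exact, so any other process emitting the same prefix within the same
# second would break it; the timestamped prefix makes that unlikely.
#######################################
test06()
{
	local logcnt=0
	local logprefix="$TCID-$(date +%m%d%H%M%S):"

	tst_resm TINFO "Use iptables to log ping request with limited rate."
	tst_resm TINFO "Rule to log ping request."

	append_rule INPUT -p icmp --icmp-type echo-request -d 127.0.0.1 -m \
		limit -j LOG --log-prefix "$logprefix" || return

	tst_resm TINFO "ping 127.0.0.1"
	if ! ping -c 10 127.0.0.1 > tst_iptables.out 2>&1; then
		tst_resm TFAIL "ping to 127.0.0.1 failed. This is expected" \
			"behaviour on certain distributions where" \
			"enabling firewall drops all packets by default."
		cat tst_iptables.out
		return
	fi
	# Let the kernel log settle before counting.
	sleep 2
	logcnt=$(dmesg | grep -c -F -- "$logprefix")
	if [ "$logcnt" -ne 5 ]; then
		tst_resm TFAIL "iptables did not log packets with" \
			"limited rate."
		cat tst_iptables.out
		return
	fi
	tst_resm TINFO "ping requests logged with limited rate."

	tst_resm TINFO "Deleting the rule to log."
	delete_first_input_rule || return

	tst_resm TINFO "iptables limited logging succsess"
	tst_resm TPASS "iptables can log packets with limited rate."
}

init
# Assigned only after init() returns: a tst_brkm raised inside init() is
# presumably handled without running cleanup() -- verify against test.sh.
TST_CLEANUP=cleanup

test01
test02
test03
test04
test05
test06

tst_exit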