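#!/bin/sh
################################################################################
##                                                                            ##
## Copyright (c) International Business Machines  Corp., 2001                 ##
##                                                                            ##
## This program is free software;  you can redistribute it and/or modify      ##
## it under the terms of the GNU General Public License as published by       ##
## the Free Software Foundation; either version 2 of the License, or          ##
## (at your option) any later version.                                        ##
##                                                                            ##
## This program is distributed in the hope that it will be useful, but        ##
## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ##
## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License    ##
## for more details.                                                          ##
##                                                                            ##
## You should have received a copy of the GNU General Public License          ##
## along with this program;  if not, write to the Free Software Foundation,   ##
## Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA           ##
##                                                                            ##
################################################################################
# Author:       Jan 20 2004 Hubert Lin <linux02NOSPAAAM@tw.ibm.com>
#                               <hubertNOSPAAAM@symbio.com.tw>
#
# iptables functional tests, written against the legacy LTP shell API
# (test.sh: tst_resm / tst_brkm / tst_tmpdir / tst_exit).
#
# What a maintainer should know before running this on a host:
#  - Root is required; the kernel must have ip_tables built in or loadable.
#  - init() FLUSHES the filter, nat and mangle tables and cleanup() unloads
#    the netfilter modules.  Any firewall policy the host had is gone for the
#    duration of the run and is NOT restored afterwards - never run this on a
#    production machine.
#  - test04..test06 rely on the LOG target writing to the kernel ring buffer
#    (dmesg); test04/test05 additionally need a telnet client.
#  - Log lines are matched by a prefix built from the time of day with one
#    second resolution, so two runs started within the same second could see
#    each other's dmesg lines.
#
# Every test removes the rule it added by its full specification rather than
# by position ("-D INPUT 1"), so a rule inserted concurrently by something
# else (e.g. a distribution firewall service) is never deleted by mistake.

export TCID="iptables"
export TST_TOTAL=6

. test.sh

#######################################
# Flushes the three tables the tests touch.  Output goes to the scratch
# file like everything else; failures are deliberately ignored here because
# this runs both during setup (before support is confirmed) and in cleanup.
#######################################
flush_tables()
{
	iptables -F -t filter > tst_iptables.out 2>&1
	iptables -F -t nat > tst_iptables.out 2>&1
	iptables -F -t mangle > tst_iptables.out 2>&1
}

#######################################
# Test setup: checks privileges and tools, confirms kernel support,
# creates the scratch directory and starts from empty tables.
# Globals:   TST_TMPDIR (via tst_tmpdir)
# Outputs:   TINFO messages; breaks with TBROK/TCONF when unusable
#######################################
init()
{
	local tool

	tst_require_root

	# A missing client tool would otherwise surface as a misleading
	# "iptables did not log packets" failure later on.
	for tool in iptables ping telnet; do
		if ! command -v "$tool" > /dev/null 2>&1; then
			tst_brkm TCONF "'$tool' not found"
		fi
	done

	tst_tmpdir

	tst_resm TINFO "INIT: Inititalizing tests."

	# modprobe fails on kernels with ip_tables built in, so only give up
	# when iptables itself cannot talk to the kernel either.
	if ! modprobe ip_tables; then
		if ! iptables -L > tst_iptables.out 2>&1; then
			tst_brkm TBROK "no iptables support in kenrel."
		fi
	fi

	tst_resm TINFO "INIT: Flushing all rules."
	flush_tables
}

#######################################
# Test teardown (registered via TST_CLEANUP): if ip_tables is loaded, empty
# the tables and unload the module stack, then remove the scratch directory.
#######################################
cleanup()
{
	if lsmod | grep "ip_tables" > tst_iptables.out 2>&1; then
		flush_tables
		rmmod -v ipt_limit ipt_multiport ipt_LOG ipt_REJECT \
			iptable_mangle iptable_nat ip_conntrack \
			iptable_filter ip_tables nf_nat_ipv4 nf_nat \
			nf_log_ipv4 nf_log_common nf_reject_ipv4 \
			nf_conntrack_ipv4 nf_defrag_ipv4 nf_conntrack \
			> tst_iptables.out 2>&1
	fi
	tst_rmdir
}

#######################################
# Appends a rule to the INPUT chain.
# Arguments: the rule specification (everything after "-A INPUT")
# Returns:   0 on success; 1 after reporting TFAIL
#######################################
append_input_rule()
{
	if ! iptables -A INPUT "$@" > tst_iptables.out 2>&1; then
		tst_resm TFAIL "iptables command failed to append new rule."
		cat tst_iptables.out
		return 1
	fi
	return 0
}

#######################################
# Deletes a rule from the INPUT chain by its exact specification.
# Arguments: $1 - TINFO text announcing the deletion
#            $2.. - the rule specification (everything after "-D INPUT")
# Returns:   0 on success; 1 after reporting TFAIL
#######################################
delete_input_rule()
{
	tst_resm TINFO "$1"
	shift
	if ! iptables -D INPUT "$@" > tst_iptables.out 2>&1; then
		tst_resm TFAIL "iptables did not remove the rule."
		cat tst_iptables.out
		return 1
	fi
	return 0
}

#######################################
# Lists one table and checks that it shows at least the expected number of
# "Chain" headers.
# Arguments: $1 - table name; $2 - minimum number of chains expected
# Returns:   0 when the listing looks sane; 1 after reporting TFAIL
#######################################
check_table_listing()
{
	local table="$1"
	local minchains="$2"
	local cmd="iptables -L -t $table"
	local chaincnt

	tst_resm TINFO "$cmd will list all rules in table $table."
	# $cmd is intentionally unquoted: it is a command plus its arguments.
	# shellcheck disable=SC2086
	if ! $cmd > tst_iptables.out 2>&1; then
		tst_resm TFAIL "$cmd failed to list rules."
		cat tst_iptables.out
		return 1
	fi

	chaincnt=$(grep -c Chain tst_iptables.out)
	if [ "$chaincnt" -lt "$minchains" ]; then
		tst_resm TFAIL "$cmd failed to list rules."
		cat tst_iptables.out
		return 1
	fi
	tst_resm TINFO "$cmd lists rules."
	return 0
}

#######################################
# Pings 127.0.0.1 twice expecting every packet to be dropped or rejected.
# Arguments: $1 - TFAIL text when ping unexpectedly succeeds
#            $2 - TFAIL text when ping fails but not with 100% loss
# Returns:   0 when traffic was blocked; 1 after reporting TFAIL
#######################################
expect_ping_blocked()
{
	tst_resm TINFO "Pinging 127.0.0.1"
	if ping -c 2 127.0.0.1 > tst_iptables.out 2>&1; then
		tst_resm TFAIL "$1"
		cat tst_iptables.out
		return 1
	fi
	if ! grep "100% packet loss" tst_iptables.out > tst_iptables.err 2>&1; then
		tst_resm TFAIL "$2"
		cat tst_iptables.err
		return 1
	fi
	tst_resm TINFO "Ping 127.0.0.1 not successful."
	return 0
}

#######################################
# Pings 127.0.0.1 twice after the test rule was removed, expecting success.
# Arguments: $1.. - TFAIL text when ping still fails
# Returns:   0 when ping succeeded; 1 after reporting TFAIL
#######################################
expect_ping_ok()
{
	tst_resm TINFO "Pinging 127.0.0.1 again"
	if ! ping -c 2 127.0.0.1 > tst_iptables.out 2>&1; then
		tst_resm TFAIL "$@"
		cat tst_iptables.out
		return 1
	fi
	tst_resm TINFO "Ping succsess"
	return 0
}

#######################################
# test01: "iptables -L" lists the filter, nat and mangle tables with their
# built-in chains.  A short mangle listing now fails the test instead of
# being reported as TFAIL and then overridden by TPASS.
#######################################
test01()
{
	check_table_listing filter 3 || return
	check_table_listing nat 3 || return
	check_table_listing mangle 5 || return

	tst_resm TPASS "iptables -L lists rules."
}

#######################################
# test02: a DROP rule on ICMP from 127.0.0.1 blocks ping; removing it
# restores connectivity.
#######################################
test02()
{
	tst_resm TINFO "Use iptables to DROP packets from particular IP"
	tst_resm TINFO "Rule to block icmp from 127.0.0.1"

	append_input_rule -s 127.0.0.1 -p icmp -j DROP || return

	expect_ping_blocked "iptables did not block icmp from 127.0.0.1" \
		"iptables did not block packets from loopback" || return

	delete_input_rule "Deleting icmp DROP from 127.0.0.1 rule." \
		-s 127.0.0.1 -p icmp -j DROP || return

	expect_ping_ok "iptables blocking loopback. This is expected" \
		"behaviour on certain distributions where" \
		"enabling firewall drops all packets by default." || return

	tst_resm TPASS "iptables can DROP packets from particular IP."
}

#######################################
# test03: a REJECT rule on ICMP echo requests to 127.0.0.1 blocks ping;
# removing it restores connectivity.
#######################################
test03()
{
	tst_resm TINFO "Use iptables to REJECT ping request."
	tst_resm TINFO "Rule to reject ping request."

	append_input_rule -p icmp --icmp-type echo-request -d 127.0.0.1 -j \
		REJECT || return

	expect_ping_blocked "iptables did not reject ping request." \
		"iptables did not block ping request." || return

	delete_input_rule "Deleting icmp request REJECT rule." \
		-p icmp --icmp-type echo-request -d 127.0.0.1 -j REJECT || return

	expect_ping_ok "iptables blocking ping requests. This is" \
		"expected behaviour on certain distributions" \
		"where enabling firewall drops all packets by" \
		"default." || return

	tst_resm TPASS "iptables can REJECT ping requests."
}

#######################################
# test04: a LOG rule for one TCP port produces a kernel log line when a
# connection to that (closed) port is attempted.
#######################################
test04()
{
	local dport=45886
	local logprefix="$TCID-$(date +%m%d%H%M%S):"

	tst_resm TINFO "Use iptables to log packets to particular port."
	tst_resm TINFO "Rule to log tcp packets to particular port."

	append_input_rule -p tcp -d 127.0.0.1 --dport $dport -j LOG \
		--log-prefix "$logprefix" || return

	# Nothing listens on $dport, so the connect is expected to be refused;
	# the SYN still traverses INPUT and must have been logged.
	tst_resm TINFO "telnet 127.0.0.1 $dport"
	if telnet 127.0.0.1 $dport > tst_iptables.out 2>&1; then
		tst_resm TFAIL "telnet to 127.0.0.1 $dport should fail."
		cat tst_iptables.out
		return
	fi
	# Give the kernel log a moment before reading it back.
	sleep 2
	if ! dmesg | grep "$logprefix" > tst_iptables.err 2>&1; then
		tst_resm TFAIL "iptables did not log packets to port $dport"
		cat tst_iptables.err
		return
	fi
	tst_resm TINFO "Packets to port $dport logged."

	delete_input_rule "Deleting the rule to log." -p tcp -d 127.0.0.1 \
		--dport $dport -j LOG --log-prefix "$logprefix" || return

	tst_resm TINFO "iptables logging succsess"
	tst_resm TPASS "iptables can log packets to particular port."
}

#######################################
# test05: LOG rules using a port range and the multiport match each log
# attempts to every port they cover.  Ends by flushing the chain.
#######################################
test05()
{
	local dport=0
	local logprefix="$TCID-$(date +%m%d%H%M%S):"

	tst_resm TINFO "Use iptables to log packets to multiple ports."
	tst_resm TINFO "Rule to log tcp packets to port 45801 - 45803."
	append_input_rule -p tcp -d 127.0.0.1 --dport 45801:45803 -j LOG \
		--log-prefix "$logprefix" || return

	tst_resm TINFO "Rule to log tcp packets to port 45804 - 45806."
	append_input_rule -p tcp -d 127.0.0.1 -m multiport --dports \
		45804,45806,45805 -j LOG --log-prefix "$logprefix" || return

	for dport in 45801 45802 45803 45804 45805 45806; do
		tst_resm TINFO "telnet 127.0.0.1 $dport"
		if telnet 127.0.0.1 $dport > tst_iptables.out 2>&1; then
			tst_resm TFAIL "telnet to 127.0.0.1 $dport should fail."
			cat tst_iptables.out
			return
		fi
		sleep 2
		# The "=$dport " pattern is meant to hit the destination-port
		# field of the LOG line (DPT=<port>) for this prefix only.
		if ! dmesg | grep "$logprefix" | grep "=$dport " \
			> tst_iptables.err 2>&1; then
			tst_resm TFAIL "iptables did not log packets" \
				"to port $dport"
			cat tst_iptables.err
			return
		fi
		tst_resm TINFO "Packets to port $dport logged."
	done

	tst_resm TINFO "Flushing all rules."
	if ! iptables -F > tst_iptables.out 2>&1; then
		tst_resm TFAIL "iptables did not flush all rules."
		cat tst_iptables.out
		return
	fi
	tst_resm TINFO "iptables logging succsess"
	tst_resm TPASS "iptables can log packets to multiple ports."
}

#######################################
# test06: a LOG rule combined with the limit match logs only a burst of
# the echo requests.  With no options "-m limit" defaults to a burst of 5,
# so 10 pings are expected to produce exactly 5 log lines.
#######################################
test06()
{
	local logcnt=0
	local logprefix="$TCID-$(date +%m%d%H%M%S):"

	tst_resm TINFO "Use iptables to log ping request with limited rate."
	tst_resm TINFO "Rule to log ping request."

	append_input_rule -p icmp --icmp-type echo-request -d 127.0.0.1 -m \
		limit -j LOG --log-prefix "$logprefix" || return

	tst_resm TINFO "ping 127.0.0.1"
	if ! ping -c 10 127.0.0.1 > tst_iptables.out 2>&1; then
		tst_resm TFAIL "ping to 127.0.0.1 failed. This is expected" \
			"behaviour on certain distributions where" \
			"enabling firewall drops all packets by default."
		cat tst_iptables.out
		return
	fi
	sleep 2
	logcnt=$(dmesg | grep -c "$logprefix")
	if [ "$logcnt" -ne 5 ]; then
		tst_resm TFAIL "iptables did not log packets with" \
			"limited rate."
		cat tst_iptables.out
		return
	fi
	tst_resm TINFO "ping requests logged with limited rate."

	delete_input_rule "Deleting the rule to log." -p icmp --icmp-type \
		echo-request -d 127.0.0.1 -m limit -j LOG \
		--log-prefix "$logprefix" || return

	tst_resm TINFO "iptables limited logging succsess"
	tst_resm TPASS "iptables can log packets with limited rate."
}

init
TST_CLEANUP=cleanup

test01
test02
test03
test04
test05
test06

tst_exit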