1#!/bin/sh
2################################################################################
3##                                                                            ##
4## Copyright (c) International Business Machines  Corp., 2001                 ##
5##                                                                            ##
6## This program is free software;  you can redistribute it and#or modify      ##
7## it under the terms of the GNU General Public License as published by       ##
8## the Free Software Foundation; either version 2 of the License, or          ##
9## (at your option) any later version.                                        ##
10##                                                                            ##
11## This program is distributed in the hope that it will be useful, but        ##
12## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ##
13## or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License   ##
14## for more details.                                                          ##
15##                                                                            ##
16## You should have received a copy of the GNU General Public License          ##
17## along with this program;  if not, write to the Free Software Foundation,   ##
18## Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA           ##
19##                                                                            ##
20################################################################################
21#  Author:	Jan 20 2004 Hubert Lin <linux02NOSPAAAM@tw.ibm.com>
22#				       <hubertNOSPAAAM@symbio.com.tw>
23
# LTP test case id and the number of sub-tests reported through test.sh.
TCID="iptables"
TST_TOTAL=6
export TCID TST_TOTAL

# Legacy LTP shell API: tst_resm, tst_brkm, tst_tmpdir, tst_rmdir, tst_exit.
. test.sh
28
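#######################################
# Prepare the environment: create the LTP temp dir, make sure iptables is
# usable (loadable module or built-in) and start from empty tables.
# Globals:   none written; uses tst_tmpdir/tst_resm/tst_brkm from test.sh
# Arguments: none
# Outputs:   diagnostics via tst_resm; iptables output in tst_iptables.out
# Returns:   0, or aborts the whole test with TBROK when iptables is unusable
# NOTE: this flushes every rule the host currently has in the filter, nat
#       and mangle tables, so the script belongs on a dedicated test machine.
#######################################
init()
{
	tst_tmpdir

	tst_resm TINFO "INIT: Initializing tests."

	# modprobe fails when ip_tables is built into the kernel (or missing
	# altogether); only give up when iptables itself cannot list a table.
	if ! modprobe ip_tables; then
		if ! iptables -L > tst_iptables.out 2>&1; then
			tst_brkm TBROK "no iptables support in kernel."
		fi
	fi

	tst_resm TINFO "INIT: Flushing all rules."
	iptables -F -t filter > tst_iptables.out 2>&1
	iptables -F -t nat > tst_iptables.out 2>&1
	iptables -F -t mangle > tst_iptables.out 2>&1
}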
48
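#######################################
# Undo what the tests did: flush the filter/nat/mangle tables, unload the
# netfilter modules the tests may have pulled in, then drop the temp dir.
# Globals:   none written; uses tst_rmdir from test.sh
# Arguments: none
# Outputs:   command output goes to tst_iptables.out and is discarded
# Returns:   status of tst_rmdir
#######################################
cleanup()
{
	# Flush whenever iptables works at all. Gating this on lsmod would skip
	# the flush on kernels with ip_tables built in (never listed by lsmod)
	# and leave test rules behind in the host firewall.
	if iptables -L > tst_iptables.out 2>&1; then
		iptables -F -t filter > tst_iptables.out 2>&1
		iptables -F -t nat > tst_iptables.out 2>&1
		iptables -F -t mangle > tst_iptables.out 2>&1
	fi
	# Best effort: modules still in use simply stay loaded.
	if lsmod | grep -q "ip_tables"; then
		rmmod -v ipt_limit ipt_multiport ipt_LOG ipt_REJECT \
			 iptable_mangle iptable_nat ip_conntrack \
			 iptable_filter ip_tables nf_nat_ipv4 nf_nat \
			 nf_log_ipv4 nf_log_common nf_reject_ipv4 \
			 nf_conntrack_ipv4 nf_defrag_ipv4 nf_conntrack \
			 > tst_iptables.out 2>&1
	fi
	tst_rmdir
}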
65
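#######################################
# Helper for test01: list one table and require a minimum number of chains.
# Arguments: $1 - table name (filter, nat, mangle)
#            $2 - minimum number of "Chain" lines expected in the listing
# Outputs:   TINFO/TFAIL via tst_resm; listing kept in tst_iptables.out
# Returns:   0 when the listing succeeded with enough chains, 1 otherwise
#######################################
test01_list_table()
{
	local table=$1
	local minchains=$2
	local cmd="iptables -L -t $table"
	local chaincnt=0

	tst_resm TINFO "$cmd will list all rules in table $table."
	if ! $cmd > tst_iptables.out 2>&1; then
		tst_resm TFAIL "$cmd failed to list rules."
		cat tst_iptables.out
		return 1
	fi

	# One "Chain" header per chain: fewer than the table's built-in chains
	# means the listing is bogus even though iptables exited 0.
	chaincnt=$(grep -c Chain tst_iptables.out)
	if [ "$chaincnt" -lt "$minchains" ]; then
		tst_resm TFAIL "$cmd failed to list rules."
		cat tst_iptables.out
		return 1
	fi
	tst_resm TINFO "$cmd lists rules."
	return 0
}

#######################################
# test01: "iptables -L" must list the filter, nat and mangle tables with at
# least their built-in chains (3, 3 and 5 respectively).
# Arguments: none
# Outputs:   TINFO/TFAIL/TPASS via tst_resm
# Returns:   0 on pass, 1 when a table check failed (callers ignore it)
#######################################
test01()
{
	# Stop at the first failing table: a TFAIL must never be followed by
	# the TPASS below.
	test01_list_table filter 3 || return 1
	test01_list_table nat 3 || return 1
	test01_list_table mangle 5 || return 1

	tst_resm TPASS "iptables -L lists rules."
}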
125
126test02()
127{
128	tst_resm TINFO "Use iptables to DROP packets from particular IP"
129	tst_resm TINFO "Rule to block icmp from 127.0.0.1"
130
131	iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP > tst_iptables.out 2>&1
132	if [ $? -ne 0 ]; then
133		tst_resm TFAIL "iptables command failed to append new rule."
134		cat tst_iptables.out
135		return
136	fi
137
138	tst_resm TINFO "Pinging 127.0.0.1"
139	ping -c 2 127.0.0.1 > tst_iptables.out 2>&1
140	if [ $? -ne 0 ]; then
141		grep "100% packet loss" tst_iptables.out > tst_iptables.err 2>&1
142		if [ $? -ne 0 ]; then
143			tst_resm TFAIL \
144				 "iptables did not block packets from loopback"
145			cat tst_iptables.err
146			return
147		else
148			tst_resm TINFO "Ping 127.0.0.1 not successful."
149		fi
150	else
151		tst_resm TFAIL "iptables did not block icmp from 127.0.0.1"
152		cat tst_iptables.out
153		return
154	fi
155
156	tst_resm TINFO "Deleting icmp DROP from 127.0.0.1 rule."
157	iptables -D INPUT 1 > tst_iptables.out 2>&1
158	if [ $? -ne 0 ]; then
159		tst_resm TFAIL "iptables did not remove the rule."
160		cat tst_iptables.out
161		return
162	fi
163	tst_resm TINFO "Pinging 127.0.0.1 again"
164	ping -c 2 127.0.0.1 > tst_iptables.out 2>&1
165	if [ $? -ne 0 ]; then
166		tst_resm TFAIL "iptables blocking loopback. This is expected" \
167			       "behaviour on certain distributions where" \
168			       "enabling firewall drops all packets by default."
169		cat tst_iptables.out
170		return
171	fi
172	tst_resm TINFO "Ping succsess"
173	tst_resm TPASS "iptables can DROP packets from particular IP."
174}
175
176test03()
177{
178	tst_resm TINFO "Use iptables to REJECT ping request."
179	tst_resm TINFO "Rule to reject ping request."
180
181	iptables -A INPUT -p icmp --icmp-type echo-request -d 127.0.0.1 -j \
182		 REJECT > tst_iptables.out 2>&1
183	if [ $? -ne 0 ]; then
184		tst_resm TFAIL "iptables command failed to append new rule."
185		cat tst_iptables.out
186		return
187	fi
188
189	tst_resm TINFO "Pinging 127.0.0.1"
190	ping -c 2 127.0.0.1 > tst_iptables.out 2>&1
191	if [ $? -ne 0 ]; then
192		grep "100% packet loss" tst_iptables.out > tst_iptables.err 2>&1
193		if [ $? -ne 0 ]; then
194			tst_resm TFAIL "iptables did not block ping request."
195			cat tst_iptables.err
196			return
197		else
198			tst_resm TINFO "Ping 127.0.0.1 not successful."
199		fi
200	else
201		tst_resm TFAIL "iptables did not reject ping request."
202		cat tst_iptables.out
203		return
204	fi
205
206	tst_resm TINFO "Deleting icmp request REJECT rule."
207	iptables -D INPUT 1 > tst_iptables.out 2>&1
208	if [ $? -ne 0 ]; then
209		tst_resm TFAIL "iptables did not remove the rule."
210		cat tst_iptables.out
211		return
212	fi
213	tst_resm TINFO "Pinging 127.0.0.1 again"
214	ping -c 2 127.0.0.1 > tst_iptables.out 2>&1
215	if [ $? -ne 0 ]; then
216		tst_resm TFAIL "iptables blocking ping requests. This is" \
217			       "expected behaviour on certain distributions" \
218			       "where enabling firewall drops all packets by" \
219			       "default."
220		cat tst_iptables.out
221		return
222	fi
223	tst_resm TINFO "Ping succsess"
224	tst_resm TPASS "iptables can REJECT ping requests."
225}
226
227test04()
228{
229	local dport=45886
230	local logprefix="$TCID-$(date +%m%d%H%M%S):"
231
232	tst_resm TINFO "Use iptables to log packets to particular port."
233	tst_resm TINFO "Rule to log tcp packets to particular port."
234
235	iptables -A INPUT -p tcp -d 127.0.0.1 --dport $dport -j LOG \
236		 --log-prefix "$logprefix" > tst_iptables.out 2>&1
237	if [ $? -ne 0 ]; then
238		tst_resm TFAIL "iptables command failed to append new rule."
239		cat tst_iptables.out
240		return
241	fi
242
243	tst_resm TINFO "telnet 127.0.0.1 $dport"
244	telnet 127.0.0.1 $dport > tst_iptables.out 2>&1
245	if [ $? -ne 0 ]; then
246		sleep 2
247		dmesg | grep "$logprefix" > tst_iptables.err 2>&1
248		if [ $? -ne 0 ]; then
249			tst_resm TFAIL \
250				 "iptables did not log packets to port $dport"
251			cat tst_iptables.err
252			return
253		else
254			tst_resm TINFO "Packets to port $dport logged."
255		fi
256	else
257		tst_resm TFAIL "telnet to 127.0.0.1 $dport should fail."
258		cat tst_iptables.out
259		return
260	fi
261
262	tst_resm TINFO "Deleting the rule to log."
263	iptables -D INPUT 1 > tst_iptables.out 2>&1
264	if [ $? -ne 0 ]; then
265		tst_resm TFAIL "iptables did not remove the rule."
266		cat tst_iptables.out
267		return
268	fi
269	tst_resm TINFO "iptables logging succsess"
270	tst_resm TPASS "iptables can log packets to particular port."
271}
272
273test05()
274{
275	local dport=0
276	local logprefix="$TCID-$(date +%m%d%H%M%S):"
277
278	tst_resm TINFO "Use iptables to log packets to multiple ports."
279	tst_resm TINFO "Rule to log tcp packets to port 45801 - 45803."
280	iptables -A INPUT -p tcp -d 127.0.0.1 --dport 45801:45803 -j LOG \
281		 --log-prefix "$logprefix" > tst_iptables.out 2>&1
282	if [ $? -ne 0 ]; then
283		tst_resm TFAIL "iptables command failed to append new rule."
284		cat tst_iptables.out
285		return
286	fi
287
288	tst_resm TINFO "Rule to log tcp packets to port 45804 - 45806."
289	iptables -A INPUT -p tcp -d 127.0.0.1 -m multiport --dports \
290		 45804,45806,45805 -j LOG --log-prefix "$logprefix" \
291		 > tst_iptables.out 2>&1
292	if [ $? -ne 0 ]; then
293		tst_resm TFAIL "iptables command failed to append new rule."
294		cat tst_iptables.out
295		return
296	fi
297
298	for dport in 45801 45802 45803 45804 45805 45806; do
299		tst_resm TINFO "telnet 127.0.0.1 $dport"
300		telnet 127.0.0.1 $dport > tst_iptables.out 2>&1
301		if [ $? -ne 0 ]; then
302			sleep 2
303			dmesg | grep "$logprefix" | grep "=$dport " \
304				> tst_iptables.err 2>&1
305			if [ $? -ne 0 ]; then
306				tst_resm TFAIL "iptables did not log packets" \
307					       "to port $dport"
308				cat tst_iptables.err
309				return
310			else
311				tst_resm TINFO "Packets to port $dport logged."
312			fi
313		else
314			tst_res TFAIL "telnet to 127.0.0.1 $dport should fail."
315			cat tst_iptables.out
316			return
317		fi
318	done
319
320	tst_resm TINFO "Flushing all rules."
321	iptables -F > tst_iptables.out 2>&1
322	if [ $? -ne 0 ]; then
323		tst_resm TFAIL "iptables did not flush all rules."
324		cat tst_iptables.out
325		return
326	fi
327	tst_resm TINFO "iptables logging succsess"
328	tst_resm TPASS "iptables can log packets to multiple ports."
329}
330
331test06()
332{
333	local logcnt=0
334	local logprefix="$TCID-$(date +%m%d%H%M%S):"
335
336	tst_resm TINFO "Use iptables to log ping request with limited rate."
337	tst_resm TINFO "Rule to log ping request."
338
339	iptables -A INPUT -p icmp --icmp-type echo-request -d 127.0.0.1 -m \
340		 limit -j LOG --log-prefix "$logprefix" > tst_iptables.out 2>&1
341	if [ $? -ne 0 ]; then
342		tst_resm TFAIL "iptables command failed to append new rule."
343		cat tst_iptables.out
344		return
345	fi
346
347	tst_resm TINFO "ping 127.0.0.1"
348	ping -c 10 127.0.0.1 > tst_iptables.out 2>&1
349	if [ $? -eq 0 ]; then
350		sleep 2
351		logcnt=$(dmesg | grep -c "$logprefix")
352		if [ $logcnt -ne 5 ]; then
353			tst_resm TFAIL "iptables did not log packets with" \
354				       "limited rate."
355			cat tst_iptables.out
356			return
357		else
358			tst_resm TINFO "ping requests logged with limited rate."
359		fi
360	else
361		tst_resm TFAIL "ping to 127.0.0.1 failed. This is expected" \
362			       "behaviour on certain distributions where" \
363			       "enabling firewall drops all packets by default."
364		cat tst_iptables.out
365		return
366	fi
367
368	tst_resm TINFO "Deleting the rule to log."
369	iptables -D INPUT 1 > tst_iptables.out 2>&1
370	if [ $? -ne 0 ]; then
371		tst_resm TFAIL "iptables did not remove the rule."
372		cat tst_iptables.out
373		return
374	fi
375	tst_resm TINFO "iptables limited logging succsess"
376	tst_resm TPASS "iptables can log packets with limited rate."
377}
378
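# Register cleanup before init: if init breaks the test with TBROK after
# tst_tmpdir, the tables and the temp dir still get cleaned up (assumes
# test.sh runs $TST_CLEANUP from tst_brkm/tst_exit — verify against test.sh).
TST_CLEANUP=cleanup
init

# Each test reports its own TPASS/TFAIL; TST_TOTAL=6 must match this list.
test01
test02
test03
test04
test05
test06

tst_exit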
390