From 2f0e5863f4dd8f8f2f5818664c056d2ccf8b58d4 Mon Sep 17 00:00:00 2001
From: Christoph Galuschka
Date: Dec 22 2011 11:31:07 +0000
Subject: added some functional tests for iptables (adding and removing rules)
---
diff --git a/tests/p_iptables/iptables_add-remove_test.sh b/tests/p_iptables/iptables_add-remove_test.sh
new file mode 100755
index 0000000..ce804fa
--- /dev/null
+++ b/tests/p_iptables/iptables_add-remove_test.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+# Author: Christoph Galuschka
+
+t_Log "Running $0 - verify iptables can insert and delete rules"
+ACL='INPUT -s 1.2.3.4/32 -d 5.6.7.8/32 -p tcp -m tcp --dport 22 -j ACCEPT'
+FILE=/var/tmp/iptables_acl
+
+# verify we are starting with default firewall
+/etc/init.d/iptables restart > /dev/null
+
+iptables -I ${ACL}
+iptables-save > ${FILE}
+
+# The ACL should be exactly at line 6 after "OUTPUT ACCEPT"
+head -6 ${FILE} |tail -1 | grep -q "${ACL}"
+add=$?
+
+# removing ACL again
+iptables -D ${ACL}
+iptables-save > ${FILE}
+
+# ACL should not be found
+grep -cq "${ACL}" ${FILE}
+del=$?
+
+if [ $add==0 ] && [ $del==1 ]
+ then
+ ret_val=0
+fi
+
+t_CheckExitStatus $ret_val
+
+# Cleaning up
+/bin/rm ${FILE}
diff --git a/tests/p_iptables/iptables_function-check_test.sh b/tests/p_iptables/iptables_function-check_test.sh
new file mode 100755
index 0000000..023b550
--- /dev/null
+++ b/tests/p_iptables/iptables_function-check_test.sh
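Review bot: The final condition `if [ $add==0 ] && [ $del==1 ]` never compares anything: each `[ ]` receives a single word such as `1==0`, which `test` treats as a non-empty string and accepts, so `ret_val=0` is set even when the insert or delete failed and the test can only ever report success. Change it to `if [ "$add" -eq 0 ] && [ "$del" -eq 1 ]; then ret_val=0; else ret_val=1; fi` so both the integer comparison and the failure branch exist; as written `ret_val` is unset when the condition is false and `t_CheckExitStatus` is then called with no argument. The dump is also written as root to the fixed path `/var/tmp/iptables_acl` and removed with a bare `/bin/rm`; a pre-existing file or symlink in the world-writable `/var/tmp` would be followed, so prefer `FILE=$(mktemp /var/tmp/iptables_acl.XXXXXX) || exit 1` and `trap 'rm -f -- "$FILE"' EXIT` so cleanup also runs when an earlier step fails. `grep -cq` is redundant as `-q` already suppresses the count; `grep -q` alone gives the same exit status.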
@@ -0,0 +1,37 @@
+#!/bin/sh
+# Author: Christoph Galuschka
+# Athmane Madjoudj
+
+t_Log "Running $0 - iptables functional check - deny ping on loopback"
+
+ACL='INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p icmp -m icmp -j REJECT'
+COUNT='4'
+DEADTIME='1'
+
+# ensure we have the default iptables-setting
+/etc/init.d/iptables restart > /dev/null
+
+# Verify it worked previously
+ping -q -c $COUNT -i 0.25 127.0.0.1 |grep -qc "${COUNT} received"
+
+if [ $? == 1 ]
+ then
+ t_Log "ping to loopback failed prior to test, this should not happen"
+ t_CheckExitStatus 1
+fi
+
+# Applying ACL
+iptables -I ${ACL}
+
+ping -q -c $COUNT -i 0.25 -w $DEADTIME 127.0.0.1
+if [ $? == 1 ]
+ then
+ t_Log "iptables REJECT works fine"
+ ret_val=0
+fi
+
+# cleanup
+/etc/init.d/iptables restart > /dev/null
+
+t_CheckExitStatus $ret_val
+
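Review bot: Both `if [ $? == 1 ]` tests use `==`, which is a bash extension and not valid under the `#!/bin/sh` shebang this file declares; a POSIX `sh` such as dash reports `unexpected operator` and the branch is never taken, so the success path `ret_val=0` is unreachable there. Use `if [ "$?" -eq 1 ]` in both places (or change the shebang to `#!/bin/bash` to match the sibling test). Independently, `ret_val` is only assigned on the success branch, so a failed ping reaches `t_CheckExitStatus $ret_val` with an empty argument; initialise `ret_val=1` before the ACL is applied so the harness sees an explicit failure. The pre-check relies on `t_CheckExitStatus 1` to stop the script before the REJECT rule is inserted, which I cannot confirm from this diff; if it only logs, add an `exit 1` after it so the test does not continue on a loopback that was already broken.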