path: root/tests/iptables.sh
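#!/bin/sh
#
# iptables.sh - set up and tear down the ipset/iptables rules used by the
# ipset test suite.
#
# Usage: iptables.sh inet|inet6 <action>
#
# The first argument selects the address family: "inet" drives iptables,
# "inet6" drives ip6tables and adds "family inet6" to every set creation.
# The second argument selects the action; see usage() for the list.
#
# Environment:
#   IPSET_BIN  ipset binary to run; defaults to ../src/ipset.
#
# Side effects: ipset and iptables need root. The start* actions truncate
# ./.foo.err and /var/log/kern.log so that the LOG output of the following
# test run starts from a clean slate. "stop" flushes and destroys ALL rules
# and sets in the filter and mangle tables, not only the ones created here.
#
# Error handling: set -e aborts on the first failing command. The ipset
# calls only hide their stderr; a failing call (e.g. a set that already
# exists) still terminates the script, so run "stop" before a fresh start.

# set -x
set -e

# Left unquoted on purpose: IPSET_BIN may carry extra words (e.g. a wrapper
# command), which a quoted expansion would collapse into a single token.
ipset=${IPSET_BIN:-../src/ipset}

# We play with the following networks:
# inet: 10.255.255.0/24
# 	10.255.255.0-31 in ip1
# 	10.255.255.32-63 in ip2
# 	rest in ipport
# inet6: 1002:1002:1002:1002::/64
#	1002:1002:1002:1002::1 in ip1
#	1002:1002:1002:1002::32 in ip2
#	rest in ipport

# Print the full usage line (family AND action) to stderr and exit 1.
usage() {
	echo "Usage: $0 inet|inet6 start|start_flags|start_flags_reversed|del|add|timeout|mangle|netiface|counter|stop" >&2
	exit 1
}

# Truncate the error and kernel log files the test harness inspects.
reset_logs() {
	cat /dev/null > .foo.err
	cat /dev/null > /var/log/kern.log
}

case "$1" in
inet)
	cmd=iptables
	family=
	NET=10.255.255.0/24
	IP1=10.255.255.1
	IP2=10.255.255.32
	;;
inet6)
	cmd=ip6tables
	family="family inet6"
	NET=1002:1002:1002:1002::/64
	IP1=1002:1002:1002:1002::1
	IP2=1002:1002:1002:1002::32
	;;
*)
	usage
	;;
esac

# $family is deliberately unquoted below: it is empty for inet and two
# separate words ("family inet6") for inet6.
case "$2" in
start)
	# Sets ip1/ip2 hold single addresses, ipport collects everything else
	# from $NET via the SET target, and "list" chains ipport and ip1.
	$ipset n ip1 hash:ip $family 2>/dev/null
	$ipset a ip1 "$IP1" 2>/dev/null
	$ipset n ip2 hash:ip $family 2>/dev/null
	$ipset a ip2 "$IP2" 2>/dev/null
	$ipset n ipport hash:ip,port $family 2>/dev/null
	$ipset n list list:set 2>/dev/null
	$ipset a list ipport 2>/dev/null
	$ipset a list ip1 2>/dev/null
	# Traffic from outside $NET is accepted untouched; everything from
	# $NET that is in neither ip1 nor ip2 is recorded in ipport.
	"$cmd" -A INPUT ! -s "$NET" -j ACCEPT
	"$cmd" -A INPUT -m set ! --match-set ip1 src \
		      -m set ! --match-set ip2 src \
		      -j SET --add-set ipport src,src
	"$cmd" -A INPUT -m set --match-set ip1 src \
		      -j LOG --log-prefix "in set ip1: "
	"$cmd" -A INPUT -m set --match-set ip2 src \
		      -j LOG --log-prefix "in set ip2: "
	"$cmd" -A INPUT -m set --match-set ipport src,src \
		      -j LOG --log-prefix "in set ipport: "
	"$cmd" -A INPUT -m set --match-set list src,src \
		      -j LOG --log-prefix "in set list: "
	"$cmd" -A OUTPUT -d "$NET" -j DROP
	reset_logs
	;;
start_flags)
	# Nested net entries: 10.0.0.0/24 is marked nomatch inside 10.0.0.0/16,
	# and 10.0.0.1 is a single address inside the nomatch block. The two
	# LOG rules exercise the match with and without --return-nomatch.
	# The addresses are IPv4 literals, so this action is only meaningful
	# with the inet family.
	$ipset n test hash:net $family 2>/dev/null
	$ipset a test 10.0.0.0/16 2>/dev/null
	$ipset a test 10.0.0.0/24 nomatch 2>/dev/null
	$ipset a test 10.0.0.1 2>/dev/null
	"$cmd" -A INPUT ! -s 10.0.0.0/16 -j ACCEPT
	"$cmd" -A INPUT -m set --match-set test src \
		      -j LOG --log-prefix "in set test: "
	"$cmd" -A INPUT -m set --match-set test src --return-nomatch \
		      -j LOG --log-prefix "in set test-nomatch: "
	"$cmd" -A INPUT -s 10.0.0.0/16 -j DROP
	reset_logs
	;;
start_flags_reversed)
	# Same setup as start_flags, with the two LOG rules in the opposite
	# order, so the first-matching rule differs.
	$ipset n test hash:net $family 2>/dev/null
	$ipset a test 10.0.0.0/16 2>/dev/null
	$ipset a test 10.0.0.0/24 nomatch 2>/dev/null
	$ipset a test 10.0.0.1 2>/dev/null
	"$cmd" -A INPUT ! -s 10.0.0.0/16 -j ACCEPT
	"$cmd" -A INPUT -m set --match-set test src --return-nomatch \
		      -j LOG --log-prefix "in set test-nomatch: "
	"$cmd" -A INPUT -m set --match-set test src \
		      -j LOG --log-prefix "in set test: "
	"$cmd" -A INPUT -s 10.0.0.0/16 -j DROP
	reset_logs
	;;
del)
	# Replace the INPUT chain with a single rule removing $NET sources
	# from ipport (which "start" must have created).
	"$cmd" -F INPUT
	"$cmd" -A INPUT -s "$NET" -j SET --del-set ipport src,src
	;;
add)
	"$cmd" -F INPUT
	$ipset n test hash:net $family 2>/dev/null
	"$cmd" -A INPUT -s "$NET" -j SET --add-set test src
	;;
timeout)
	# The set gets a 2s default timeout; the SET target overrides it with
	# 10s per added entry and --exist refreshes existing entries. Note
	# that $family is not passed here.
	$ipset n test hash:ip,port timeout 2
	"$cmd" -A INPUT -s "$NET" -j SET --add-set test src,src --timeout 10 --exist
	;;
mangle)
	# skbinfo set: the SET target copies the stored skbmark onto matching
	# packets, and the second rule logs packets carrying that mark.
	# IPv4-only literals: inet family only.
	$ipset n test hash:net $family skbinfo 2>/dev/null
	$ipset a test 10.255.0.0/16 skbmark 0x1234 2>/dev/null
	"$cmd" -t mangle -A INPUT -j SET --map-set test src --map-mark
	"$cmd" -t mangle -A INPUT -m mark --mark 0x1234 -j LOG --log-prefix "in set mark: "
	"$cmd" -t mangle -A INPUT -s 10.255.0.0/16 -j DROP
	;;
netiface)
	# IPv4-only literals: inet family only.
	$ipset n test hash:net,iface
	$ipset a test 0.0.0.0/0,eth0
	"$cmd" -A OUTPUT -m set --match-set test dst,dst -j LOG --log-prefix "in set netiface: "
	"$cmd" -A OUTPUT -d 10.255.255.254 -j DROP
	;;
counter)
	# Counter extension: the first rule matches only once more than one
	# packet has been counted, without updating the counters itself; the
	# second rule drops and counts. Three packets are sent so both rules
	# get exercised. IPv4-only literals: inet family only.
	$ipset n test hash:ip counters
	$ipset a test 10.255.255.64
	"$cmd" -A OUTPUT -m set --match-set test src --packets-gt 1 ! --update-counters -j DROP
	"$cmd" -A OUTPUT -m set --match-set test src -j DROP
	for i in 1 2 3; do
		./sendip.sh -p ipv4 -id 10.255.255.254 -is 10.255.255.64 -p udp -ud 80 -us 1025 10.255.255.254 >/dev/null 2>&1
	done
	;;
stop)
	# Flush and destroy everything in filter and mangle, then all sets.
	# The ipset calls may fail when nothing exists; their stderr is hidden
	# but set -e still applies to them.
	"$cmd" -F
	"$cmd" -X
	"$cmd" -F -t mangle
	"$cmd" -X -t mangle
	$ipset -F 2>/dev/null
	$ipset -X 2>/dev/null
	;;
*)
	usage
	;;
esac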