
Commit a058d30

Merge pull request #1560 from nser77/nser77-patch-8
FIRE-4508 - Enhancements
2 parents 21b85f2 + b6bbbf4 commit a058d30

1 file changed

+80
-34
lines changed

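--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -109,43 +109,89 @@
 Register --test-no FIRE-4508 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check used policies of iptables chains"
 if [ ${SKIPTEST} -eq 0 ]; then
 Display --indent 4 --text "- Checking iptables policies of chains" --result "${STATUS_FOUND}" --color GREEN
-TABLES="filter nat mangle raw security"
-for TABLE in ${TABLES}; do
-LogText "Test: gathering information from table ${TABLE}"
-FIND="$FIND"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${GREPBINARY} -E -o -w '[A-Z]+' | tr -d '\0' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1')
-done
-
-echo "${FIND}" | sort | uniq | while read -r line; do
-table=$(echo ${line} | ${AWKBINARY} '{ print $1 }')
-chainname=$(echo ${line} | ${AWKBINARY} '{ print $2 }')
-policy=$(echo ${line} | ${AWKBINARY} '{ print $3 }')
-LogText "Result: iptables ${table} -- ${chainname} policy is ${policy}."
-LogText "Result: ${policy}"
-
-if [ "${table}" = "filter" ]; then
-if [ "${chainname}" = "INPUT" ]; then
-case ${policy} in
-"ACCEPT")
-LogText "Result: Found ACCEPT for ${chainname} (table: ${table})"
-Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "ACCEPT" --color YELLOW
-#ReportSuggestion "${TEST_NO}" "Consider settings default chain policy to DROP (iptables chain ${chainname}, table: ${table})"
-AddHP 1 3
-;;
-"DROP")
-LogText "Result: Found DROP for ${chainname} (table: ${table})"
-Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "DROP" --color GREEN
-AddHP 3 3
-;;
-*)
-Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "other" --color YELLOW
-LogText "Result: Unknown policy: ${policy}"
-#ReportSuggestion "${TEST_NO}" "Check iptables ${chainname} (table: ${table}) chain policy"
-;;
-esac
+IPTABLES_TABLES="filter nat mangle raw security"
+for IPTABLES_TABLE in ${IPTABLES_TABLES}
+do
+${IPTABLESBINARY} -t "${IPTABLES_TABLE}" --list-rules --wait 1 2>/dev/zero |
+{
+IPTABLES_OUTPUT_QUEUE=""
+while IFS="$(printf '\n')" read -r IPTABLES_LINES
+do
+set -- ${IPTABLES_LINES}
+while [ $# -gt 0 ]
+do
+if [ "${1}" = "-P" ]
+then
+IPTABLES_CHAIN="${2}"
+IPTABLES_TARGET="${3}"
+shift 3
+elif [ "${1}" = "-A" ] || [ "${1}" = "-N" ]
+then
+IPTABLES_CHAIN="${2}"
+shift 2
+elif [ "${1}" = "-j" ]
+then
+IPTABLES_TARGET="${2}"
+shift
+else
+shift
+fi
+done
+# logics
+if [ "${IPTABLES_TABLE}" = "filter" ] || [ "${IPTABLES_TABLE}" = "security" ]
+then
+if [ "${IPTABLES_CHAIN}" = "INPUT" ]
+then
+if [ "${IPTABLES_TARGET}" = "ACCEPT" ]
+then
+IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE} ${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} YELLOW"
+AddHP 1 3
+elif [ "${IPTABLES_TARGET}" = "DROP" ]
+then
+IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE} ${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} GREEN"
+AddHP 3 3
+fi
+fi
+if [ "${IPTABLES_CHAIN}" = "INPUT" ] || [ "${IPTABLES_CHAIN}" = "FORWARD" ] || [ "${IPTABLES_CHAIN}" = "OUTPUT" ]
+then
+if [ "${IPTABLES_TARGET}" = "NFQUEUE" ]
+then
+IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE} ${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} RED"
+AddHP 0 3
+fi
+fi
+fi
+done
+# resume
+if [ ! "${SORTBINARY}" = "" ]
+then
+IPTABLES_OUTPUT="$( echo "${IPTABLES_OUTPUT_QUEUE}" | ${SORTBINARY} -u )"
+else
+IPTABLES_OUTPUT="${IPTABLES_OUTPUT_QUEUE}"
 fi
-fi
+echo "${IPTABLES_OUTPUT}" | while IFS="$(printf '\n')" read -r IPTABLES_OUTPUT_LINE
+do
+if [ ! "$IPTABLES_OUTPUT_LINE" = "" ]
+then
+set -- ${IPTABLES_OUTPUT_LINE}
+while [ $# -gt 0 ]
+do
+LogText "Result: Found ${3} for ${2} (table: ${1})"
+Display --indent 6 --text "- Checking chain ${2} (table: ${1}, target: ${3})" --result "${3}" --color "${4}"
+if [ "${3}" = "NFQUEUE" ]
+then
+ReportSuggestion "${TEST_NO}" "Consider avoid ${3} target if possible (iptables chain ${2}, table: ${1})"
+fi
+shift 4
+done
+fi
+done
+}
+unset IPTABLES_TABLE
 done
+unset IPTABLES_TABLES
 fi
+unset PREQS_MET
 #
 #################################################################################
 #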
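Review bot: The ACCEPT/DROP scoring under `# logics` fires for every `-A INPUT … -j ACCEPT` or `-j DROP` rule line, not only for the `-P INPUT` policy line, because the token loop sets `IPTABLES_CHAIN`/`IPTABLES_TARGET` for any line and nothing records whether the line was a policy; `sort -u` hides the duplicates in the display, but `AddHP` is still called once per matching rule, so the hardening score scales with the number of rules instead of reflecting the chain policy. Because the two variables are also never reset, a line that sets only one of them (e.g. `-N chain`) inherits the other value from the previous line. Resetting both at the top of the line loop and gating the ACCEPT/DROP branch on a flag set only in the `-P` branch fixes both; the NFQUEUE check can stay as is since it is meant to catch rules. The unquoted `set -- ${IPTABLES_LINES}` additionally pathname-expands tokens such as `*` inside `--comment` strings, so wrapping it in `set -f` / `set +f` keeps the word split without globbing; and `2>/dev/zero` works on Linux but `2>/dev/null` is the conventional, portable sink.
```shell
while IFS="$(printf '\n')" read -r IPTABLES_LINES
do
    IPTABLES_CHAIN=""
    IPTABLES_TARGET=""
    IPTABLES_IS_POLICY=0
    set -f
    set -- ${IPTABLES_LINES}
    set +f
    while [ $# -gt 0 ]
    do
        if [ "${1}" = "-P" ]
        then
            IPTABLES_CHAIN="${2}"
            IPTABLES_TARGET="${3}"
            IPTABLES_IS_POLICY=1
            shift 3
        # … unchanged: -A/-N, -j and default branches …
        fi
    done
    # logics
    if [ "${IPTABLES_TABLE}" = "filter" ] || [ "${IPTABLES_TABLE}" = "security" ]
    then
        # only the chain policy (-P) decides the ACCEPT/DROP score
        if [ "${IPTABLES_CHAIN}" = "INPUT" ] && [ "${IPTABLES_IS_POLICY}" -eq 1 ]
        then
            # … unchanged: ACCEPT/DROP queueing and AddHP …
        fi
        # … unchanged: NFQUEUE check on INPUT/FORWARD/OUTPUT …
    fi
done
```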

0 commit comments

Comments
 (0)