From e9c2a1ad3f0afe8bc6561b9f70d7597beadb91a2 Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Tue, 8 Oct 2024 01:36:39 +0200 Subject: [PATCH 01/17] Update tests_firewalls --- include/tests_firewalls | 76 ++++++++++++++++++++++++----------------- 1 file changed, 44 insertions(+), 32 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 803de69b..315be1fc 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls 
@@ -110,42 +110,54 @@ if [ ${SKIPTEST} -eq 0 ]; then Display --indent 4 --text "- Checking iptables policies of chains" --result "${STATUS_FOUND}" --color GREEN TABLES="filter nat mangle raw security" - for TABLE in ${TABLES}; do - LogText "Test: gathering information from table ${TABLE}" - FIND="$FIND"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${GREPBINARY} -E -o -w '[A-Z]+' | tr -d '\0' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1') - done - - echo "${FIND}" | sort | uniq | while read -r line; do - table=$(echo ${line} | ${AWKBINARY} '{ print $1 }') - chainname=$(echo ${line} | ${AWKBINARY} '{ print $2 }') - policy=$(echo ${line} | ${AWKBINARY} '{ print $3 }') - LogText "Result: iptables ${table} -- ${chainname} policy is ${policy}." - LogText "Result: ${policy}" - + for table in ${TABLES}; do + chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING" if [ "${table}" = "filter" ]; then - if [ "${chainname}" = "INPUT" ]; then - case ${policy} in - "ACCEPT") - LogText "Result: Found ACCEPT for ${chainname} (table: ${table})" - Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "ACCEPT" --color YELLOW - #ReportSuggestion "${TEST_NO}" "Consider settings default chain policy to DROP (iptables chain ${chainname}, table: ${table})" - AddHP 1 3 - ;; - "DROP") - LogText "Result: Found DROP for ${chainname} (table: ${table})" - Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "DROP" --color GREEN - AddHP 3 3 - ;; - *) - Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "other" --color YELLOW - LogText "Result: Unknown policy: ${policy}" - #ReportSuggestion "${TEST_NO}" "Check iptables ${chainname} (table: ${table}) chain policy" - ;; - esac - fi + chains="INPUT FORWARD OUTPUT" fi + for chain in ${chains}; do + ${IPTABLESBINARY} -t "${table}" -S "${chain}" | while read -r line; do + 
readarray -d" " -t array <<< ${line} + c=0 + for i in ${array[@]}; do + if [ "${i}" = "-j" ]; then + let index=c+1 + target="${array[${index}]}" + fi + if [ "${i}" = "-d" ]; then + let index=c+1 + destination="${array[${index}]}" + fi + if [ "${i}" = "-s" ]; then + let index=c+1 + source="${array[${index}]}" + fi + let c++ + done + + # logics + if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && [ "${chain}" = "INPUT" ] && [ "${target}" = "ACCEPT" ] ; then + LogText "Result: Found ACCEPT for ${chainname} (table: ${table})" + Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color YELLOW + AddHP 1 3 + fi + if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && [ "${chain}" = "INPUT" ] && [ "${target}" = "DROP" ] ; then + LogText "Result: Found DROP for ${chainname} (table: ${table})" + Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color GREEN + AddHP 3 3 + fi + if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && ( [ "${chain}" = "INPUT" ] || [ "${chain}" = "FORWARD" ] || [ "${chain}" = "OUTPUT" ] ) && [ "${target}" = "NFQUEUE" ] ; then + LogText "Result: Found DROP for ${chainname} (table: ${table})" + Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, chain ${chain})" --result "DROP" --color RED + ReportSuggestion "${TEST_NO}" "Consider avoid ${target} target if possible (iptables chain ${chain}, table: ${table})" + AddHP 0 3 + fi + done + done done + fi + # ################################################################################# # From 8ca5b83584f04e2ceb8ba9f193064f0ae9d4737c Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Tue, 8 Oct 2024 11:29:48 +0200 Subject: [PATCH 02/17] Update tests_firewalls --- include/tests_firewalls | 47 ++++++++++++++++++++--------------------- 1 file changed, 23 insertions(+), 24 deletions(-) 
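Review bot: The scoring in this hunk is driven by rules, not by chain policies: `target` is only ever set from a `-j` token, so the `-P INPUT <policy>` line (which has no `-j`) is never matched, while every `-A INPUT ... -j ACCEPT` or `-j DROP` rule triggers `AddHP 1 3` / `AddHP 3 3` once, so a chain's hardening contribution scales with its rule count rather than reflecting the policy the test description (`Check used policies of iptables chains`) refers to. Mark the policy line while tokenising, e.g. `if [ "${i}" = "-P" ]; then is_policy=1; target="${array[2]}"; fi`, and gate the ACCEPT/DROP branches on `[ "${is_policy}" = "1" ]`, leaving rule lines to feed only the NFQUEUE suggestion. The per-rule scoring is carried unchanged into the rewrites in PATCH 05, 08, 13 and 14. The `if [ ${SKIPTEST} -eq 0 ]` block this loop lives in starts before the hunk.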
diff --git a/include/tests_firewalls b/include/tests_firewalls index 315be1fc..614d0202 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls 
@@ -116,48 +116,47 @@ chains="INPUT FORWARD OUTPUT" fi for chain in ${chains}; do - ${IPTABLESBINARY} -t "${table}" -S "${chain}" | while read -r line; do - readarray -d" " -t array <<< ${line} - c=0 - for i in ${array[@]}; do - if [ "${i}" = "-j" ]; then - let index=c+1 - target="${array[${index}]}" + iptables -t "${table}" -S "${chain}" 2>/dev/zero | while read -r line; do + set -- ${line} + while [ $# -gt 0 ]; do + if [ "${1}" = "-P" ]; then + target="${3}" + shift 3 + elif [ "${1}" = "-j" ]; then + target="${2}" + shift + elif [ "${1}" = "-d" ]; then + dst="${2}" + shift + elif [ "${1}" = "-s" ]; then + src="${2}" + shift + else + shift fi - if [ "${i}" = "-d" ]; then - let index=c+1 - destination="${array[${index}]}" - fi - if [ "${i}" = "-s" ]; then - let index=c+1 - source="${array[${index}]}" - fi - let c++ done # logics if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && [ "${chain}" = "INPUT" ] && [ "${target}" = "ACCEPT" ] ; then - LogText "Result: Found ACCEPT for ${chainname} (table: ${table})" + LogText "Result: Found ACCEPT for ${chain} (table: ${table})" Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color YELLOW AddHP 1 3 fi if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && [ "${chain}" = "INPUT" ] && [ "${target}" = "DROP" ] ; then - LogText "Result: Found DROP for ${chainname} (table: ${table})" + LogText "Result: Found DROP for ${chain} (table: ${table})" Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color GREEN AddHP 3 3 fi if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && ( [ "${chain}" = "INPUT" ] || [ "${chain}" = "FORWARD" ] || [ "${chain}" = "OUTPUT" ] ) && [ "${target}" = "NFQUEUE" ] ; then - LogText "Result: Found DROP for ${chainname} (table: ${table})" - Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, chain ${chain})" --result "DROP" 
--color RED + LogText "Result: Found DROP for ${chain} (table: ${table})" + Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "NFQUEUE" --color RED ReportSuggestion "${TEST_NO}" "Consider avoid ${target} target if possible (iptables chain ${chain}, table: ${table})" AddHP 0 3 fi done - done - done - + done + done fi - # ################################################################################# # From 13ced756cd86be2cfab0a79df443f2d332cde86e Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Tue, 8 Oct 2024 11:59:24 +0200 Subject: [PATCH 03/17] Update tests_firewalls --- include/tests_firewalls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 614d0202..e589af2b 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -116,7 +116,7 @@ chains="INPUT FORWARD OUTPUT" fi for chain in ${chains}; do - iptables -t "${table}" -S "${chain}" 2>/dev/zero | while read -r line; do + ${IPTABLESBINARY} -t "${table}" -S "${chain}" 2>/dev/zero | while read -r line; do set -- ${line} while [ $# -gt 0 ]; do if [ "${1}" = "-P" ]; then From d90413e243302a836326f46a0cf855e1a662a0d8 Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Tue, 8 Oct 2024 12:02:07 +0200 Subject: [PATCH 04/17] Update tests_firewalls --- include/tests_firewalls | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index e589af2b..e6dfafbb 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls 
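Review bot: `set -- ${line}` splits the raw `-S` output with pathname expansion enabled, so a token such as a lone `*` (possible inside the quoted string of `-m comment --comment "..."`) is expanded against the current directory before the loop inspects it, and the quoting iptables emits around comment strings is not honoured, so a comment containing ` -j ` or ` -s ` is read as if it were an option. Turn globbing off around the parse, `set -f; set -- ${line}; set +f`, and skip tokens between an opening and closing `"` rather than matching them against option names. `2>/dev/zero` does discard stderr on Linux, but the conventional sink is `/dev/null`; the same redirection is repeated in PATCH 03, 05 and 13. The `for table in ${TABLES}` loop the hunk sits in starts before the hunk.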
@@ -138,18 +138,18 @@ # logics if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && [ "${chain}" = "INPUT" ] && [ "${target}" = "ACCEPT" ] ; then - LogText "Result: Found ACCEPT for ${chain} (table: ${table})" + LogText "Result: Found ${target} for ${chain} (table: ${table})" Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color YELLOW AddHP 1 3 fi if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && [ "${chain}" = "INPUT" ] && [ "${target}" = "DROP" ] ; then - LogText "Result: Found DROP for ${chain} (table: ${table})" + LogText "Result: Found ${target} for ${chain} (table: ${table})" Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color GREEN AddHP 3 3 fi if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && ( [ "${chain}" = "INPUT" ] || [ "${chain}" = "FORWARD" ] || [ "${chain}" = "OUTPUT" ] ) && [ "${target}" = "NFQUEUE" ] ; then - LogText "Result: Found DROP for ${chain} (table: ${table})" - Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "NFQUEUE" --color RED + LogText "Result: Found ${target} for ${chain} (table: ${table})" + Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color RED ReportSuggestion "${TEST_NO}" "Consider avoid ${target} target if possible (iptables chain ${chain}, table: ${table})" AddHP 0 3 fi From 2d4ec42696b662001244f69d804a23c9d0631fa2 Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Wed, 9 Oct 2024 00:57:16 +0200 Subject: [PATCH 05/17] Update tests_firewalls --- include/tests_firewalls | 152 ++++++++++++++++++++++++++++------------ 1 file changed, 109 insertions(+), 43 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index e6dfafbb..a73d8fc3 100644 --- a/include/tests_firewalls 
+++ b/include/tests_firewalls 
@@ -109,53 +109,119 @@ Register --test-no FIRE-4508 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check used policies of iptables chains" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 4 --text "- Checking iptables policies of chains" --result "${STATUS_FOUND}" --color GREEN - TABLES="filter nat mangle raw security" - for table in ${TABLES}; do - chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING" - if [ "${table}" = "filter" ]; then - chains="INPUT FORWARD OUTPUT" - fi - for chain in ${chains}; do - ${IPTABLESBINARY} -t "${table}" -S "${chain}" 2>/dev/zero | while read -r line; do - set -- ${line} - while [ $# -gt 0 ]; do - if [ "${1}" = "-P" ]; then - target="${3}" + tables="filter nat mangle raw security" + for t in ${tables} + do + ${iptables_binary} -t "${t}" -S -v -w 1 2>/dev/zero | while read -r line + do + set -- ${line} + while [ $# -gt 0 ] + do + if [ "${1}" = "!" ] + then + not="${1}" + if [ "${2}" = "-d" ] + then + d="${not} ${3}" + shift 3 + elif [ "${2}" = "-s" ] + then + s="${not} ${3}" + shift 3 + elif [ "${2}" = "-i" ] + then + p="${not} ${3}" + shift 3 + elif [ "${2}" = "-o" ] + then + o="${not} ${3}" + shift 3 + elif [ "${2}" = "-f" ] + then + p="${not} ${3}" shift 3 - elif [ "${1}" = "-j" ]; then - target="${2}" - shift - elif [ "${1}" = "-d" ]; then - dst="${2}" - shift - elif [ "${1}" = "-s" ]; then - src="${2}" - shift - else - shift fi - done - - # logics - if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && [ "${chain}" = "INPUT" ] && [ "${target}" = "ACCEPT" ] ; then - LogText "Result: Found ${target} for ${chain} (table: ${table})" - Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color YELLOW - AddHP 1 3 - fi - if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && [ "${chain}" = "INPUT" ] && [ "${target}" = "DROP" ] ; then - LogText "Result: Found ${target} for ${chain} (table: 
${table})" - Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color GREEN - AddHP 3 3 - fi - if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && ( [ "${chain}" = "INPUT" ] || [ "${chain}" = "FORWARD" ] || [ "${chain}" = "OUTPUT" ] ) && [ "${target}" = "NFQUEUE" ] ; then - LogText "Result: Found ${target} for ${chain} (table: ${table})" - Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color RED - ReportSuggestion "${TEST_NO}" "Consider avoid ${target} target if possible (iptables chain ${chain}, table: ${table})" - AddHP 0 3 + shift + elif [ "${1}" = "-P" ] + then + c="${2}" + j="${3}" + shift 3 + elif [ "${1}" = "-A" ] || [ "${1}" = "-N" ] + then + c="${2}" + shift 2 + elif [ "${1}" = "-j" ] + then + j="${2}" + shift + elif [ "${1}" = "-p" ] + then + p="${2}" + shift + elif [ "${1}" = "-d" ] + then + d="${2}" + shift + elif [ "${1}" = "-s" ] + then + s="${2}" + shift + elif [ "${1}" = "-m" ] + then + m="${2}" + shift + elif [ "${1}" = "-g" ] + then + g="${2}" + shift + elif [ "${1}" = "-i" ] + then + i="${2}" + shift + elif [ "${1}" = "-o" ] + then + o="${2}" + shift + elif [ "${1}" = "-f" ] + then + f="${2}" + shift + elif [ "${1}" = "-c" ] + then + pc="${2}" + bc="${3}" + shift 3 + else + shift fi done - done - done + # logics + if [ "${t}" = "filter" ] || [ "${t}" = "security" ] + then + if [ "${c}" = "INPUT" ] && [ "${j}" = "ACCEPT" ] + then + LogText "Result: Found ${j} for ${c} (table: ${t})" + Display --indent 6 --text "- Checking chain ${c} (table: ${t}, chain ${c})" --result "${j}" --color YELLOW + AddHP 1 3 + elif [ "${c}" = "INPUT" ] && [ "${j}" = "DROP" ] + then + LogText "Result: Found ${j} for ${c} (table: ${t})" + Display --indent 6 --text "- Checking chain ${c} (table: ${t}, chain ${c})" --result "${j}" --color GREEN + AddHP 3 3 + elif [ "${c}" = "INPUT" ] || [ "${c}" = "FORWARD" ] || [ "${c}" = "OUTPUT" ] + 
then + if [ "${j}" = "NFQUEUE" ] + then + LogText "Result: Found ${j} for ${c} (table: ${t})" + Display --indent 6 --text "- Checking chain ${c} (table: ${t}, chain ${c})" --result "${j}" --color RED + ReportSuggestion "${TEST_NO}" "Consider avoid ${j} target if possible (iptables chain ${c}, table: ${t})" + AddHP 0 3 + fi + fi + fi + done + done fi # ################################################################################# From d64f4808234da4449d7c29fd8de6280f70a45d0e Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Wed, 9 Oct 2024 09:40:01 +0200 Subject: [PATCH 06/17] Update tests_firewalls --- include/tests_firewalls | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index a73d8fc3..89170a0b 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -112,7 +112,7 @@ tables="filter nat mangle raw security" for t in ${tables} do - ${iptables_binary} -t "${t}" -S -v -w 1 2>/dev/zero | while read -r line + ${IPTABLESBINARY} -t "${t}" -S -v -w 1 2>/dev/zero | while read -r line do set -- ${line} while [ $# -gt 0 ] 
@@ -199,16 +199,25 @@ # logics if [ "${t}" = "filter" ] || [ "${t}" = "security" ] then - if [ "${c}" = "INPUT" ] && [ "${j}" = "ACCEPT" ] + if [ "${c}" = "INPUT" ] then - LogText "Result: Found ${j} for ${c} (table: ${t})" - Display --indent 6 --text "- Checking chain ${c} (table: ${t}, chain ${c})" --result "${j}" --color YELLOW - AddHP 1 3 - elif [ "${c}" = "INPUT" ] && [ "${j}" = "DROP" ] + if [ "${j}" = "ACCEPT" ] + then + LogText "Result: Found ${j} for ${c} (table: ${t})" + Display --indent 6 --text "- Checking chain ${c} (table: ${t}, chain ${c})" --result "${j}" --color YELLOW + AddHP 1 3 + elif [ "${j}" = "DROP" ] + then + LogText "Result: Found ${j} for ${c} (table: ${t})" + Display --indent 6 --text "- Checking chain ${c} (table: ${t}, chain ${c})" --result "${j}" --color GREEN + AddHP 3 3 + fi + elif [ "${c}" = "FORWARD" ] then - LogText "Result: Found ${j} for ${c} (table: ${t})" - Display --indent 6 --text "- Checking chain ${c} (table: ${t}, chain ${c})" --result "${j}" --color GREEN - AddHP 3 3 + : + elif [ "${c}" = "OUTPUT" ] + then + : elif [ "${c}" = "INPUT" ] || [ "${c}" = "FORWARD" ] || [ "${c}" = "OUTPUT" ] then if [ "${j}" = "NFQUEUE" ] From 5d50814f04d6b23895a590eaf4b3e406adc7fef5 Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Wed, 9 Oct 2024 12:24:18 +0200 Subject: [PATCH 07/17] Update tests_firewalls --- include/tests_firewalls | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 89170a0b..1d41e0e6 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -218,7 +218,8 @@ elif [ "${c}" = "OUTPUT" ] then : - elif [ "${c}" = "INPUT" ] || [ "${c}" = "FORWARD" ] || [ "${c}" = "OUTPUT" ] + fi + if [ "${c}" = "INPUT" ] || [ "${c}" = "FORWARD" ] || [ "${c}" = "OUTPUT" ] then if [ "${j}" = "NFQUEUE" ] then 
@@ -231,6 +232,7 @@ fi done done + # resume fi # ################################################################################# From fa9082ab77c198fdcd6c98ea43a33b35c47e9bcf Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Thu, 10 Oct 2024 12:31:05 +0200 Subject: [PATCH 08/17] Update tests_firewalls --- include/tests_firewalls | 224 +++++++++++++++++++++------------------- 1 file changed, 118 insertions(+), 106 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 1d41e0e6..d8d9ce0b 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls 
@@ -112,127 +112,139 @@ tables="filter nat mangle raw security" for t in ${tables} do - ${IPTABLESBINARY} -t "${t}" -S -v -w 1 2>/dev/zero | while read -r line - do - set -- ${line} - while [ $# -gt 0 ] + ${IPTABLESBINARY} -t "${t}" -S -v -w 1 2>/dev/zero | + { + while read -r line do - if [ "${1}" = "!" ] - then - not="${1}" - if [ "${2}" = "-d" ] + set -- ${line} + while [ $# -gt 0 ] + do + if [ "${1}" = "!" ] then - d="${not} ${3}" - shift 3 - elif [ "${2}" = "-s" ] + not="${1}" + if [ "${2}" = "-d" ] + then + d="${not} ${3}" + shift 3 + elif [ "${2}" = "-s" ] + then + s="${not} ${3}" + shift 3 + elif [ "${2}" = "-i" ] + then + p="${not} ${3}" + shift 3 + elif [ "${2}" = "-o" ] + then + o="${not} ${3}" + shift 3 + elif [ "${2}" = "-f" ] + then + p="${not} ${3}" + shift 3 + fi + shift + elif [ "${1}" = "-P" ] then - s="${not} ${3}" + c="${2}" + j="${3}" shift 3 - elif [ "${2}" = "-i" ] + elif [ "${1}" = "-A" ] || [ "${1}" = "-N" ] then - p="${not} ${3}" - shift 3 - elif [ "${2}" = "-o" ] + c="${2}" + shift 2 + elif [ "${1}" = "-j" ] then - o="${not} ${3}" - shift 3 - elif [ "${2}" = "-f" ] + j="${2}" + shift + elif [ "${1}" = "-p" ] then - p="${not} ${3}" + p="${2}" + shift + elif [ "${1}" = "-d" ] + then + d="${2}" + shift + elif [ "${1}" = "-s" ] + then + s="${2}" + shift + elif [ "${1}" = "-m" ] + then + m="${2}" + shift + elif [ "${1}" = "-g" ] + then + g="${2}" + shift + elif [ "${1}" = "-i" ] + then + i="${2}" + shift + elif [ "${1}" = "-o" ] + then + o="${2}" + shift + elif [ "${1}" = "-f" ] + then + f="${2}" + shift + elif [ "${1}" = "-c" ] + then + pc="${2}" + bc="${3}" shift 3 + else + shift fi - shift - elif [ "${1}" = "-P" ] + done + # logics + if [ "${t}" = "filter" ] || [ "${t}" = "security" ] then - c="${2}" - j="${3}" - shift 3 - elif [ "${1}" = "-A" ] || [ "${1}" = "-N" ] - then - c="${2}" - shift 2 - elif [ "${1}" = "-j" ] - then - j="${2}" - shift - elif [ "${1}" = "-p" ] - then - p="${2}" - shift - elif [ "${1}" = "-d" ] - then - d="${2}" - 
shift - elif [ "${1}" = "-s" ] - then - s="${2}" - shift - elif [ "${1}" = "-m" ] - then - m="${2}" - shift - elif [ "${1}" = "-g" ] - then - g="${2}" - shift - elif [ "${1}" = "-i" ] - then - i="${2}" - shift - elif [ "${1}" = "-o" ] - then - o="${2}" - shift - elif [ "${1}" = "-f" ] - then - f="${2}" - shift - elif [ "${1}" = "-c" ] - then - pc="${2}" - bc="${3}" - shift 3 - else - shift + if [ "${c}" = "INPUT" ] + then + if [ "${j}" = "ACCEPT" ] + then + errqueue="${errqueue}\n${t} ${c} ${j} YELLOW" + AddHP 1 3 + elif [ "${j}" = "DROP" ] + then + errqueue="${errqueue}\n${t} ${c} ${j} GREEN" + AddHP 3 3 + fi + elif [ "${c}" = "FORWARD" ] + then + : + elif [ "${c}" = "OUTPUT" ] + then + : + fi + if [ "${c}" = "INPUT" ] || [ "${c}" = "FORWARD" ] || [ "${c}" = "OUTPUT" ] + then + if [ "${j}" = "NFQUEUE" ] + then + errqueue="${errqueue}\n${t} ${c} ${j} RED" + AddHP 0 3 + fi + fi fi done - # logics - if [ "${t}" = "filter" ] || [ "${t}" = "security" ] - then - if [ "${c}" = "INPUT" ] - then - if [ "${j}" = "ACCEPT" ] + # resume + echo ${errqueue} | ${SORTBINARY} -u | while read -r eq + do + set -- ${eq} + while [ $# -gt 0 ] + do + Display --indent 6 --text "Checking chain ${2} (table: ${1}, target: ${3})" --result "${3}" --color "${4}" + if [ "${3}" = "NFQUEUE" ] then - LogText "Result: Found ${j} for ${c} (table: ${t})" - Display --indent 6 --text "- Checking chain ${c} (table: ${t}, chain ${c})" --result "${j}" --color YELLOW - AddHP 1 3 - elif [ "${j}" = "DROP" ] - then - LogText "Result: Found ${j} for ${c} (table: ${t})" - Display --indent 6 --text "- Checking chain ${c} (table: ${t}, chain ${c})" --result "${j}" --color GREEN - AddHP 3 3 + ReportSuggestion "${TEST_NO}" "Consider avoid ${3} target if possible (iptables chain ${2}, table: ${1})" fi - elif [ "${c}" = "FORWARD" ] - then - : - elif [ "${c}" = "OUTPUT" ] - then - : - fi - if [ "${c}" = "INPUT" ] || [ "${c}" = "FORWARD" ] || [ "${c}" = "OUTPUT" ] - then - if [ "${j}" = "NFQUEUE" ] - then - LogText 
"Result: Found ${j} for ${c} (table: ${t})" - Display --indent 6 --text "- Checking chain ${c} (table: ${t}, chain ${c})" --result "${j}" --color RED - ReportSuggestion "${TEST_NO}" "Consider avoid ${j} target if possible (iptables chain ${c}, table: ${t})" - AddHP 0 3 - fi - fi - fi - done + shift 4 + done + done + } done - # resume fi # ################################################################################# From b5d86daabb340587dea0483891acb6f171c3f4f1 Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Thu, 10 Oct 2024 13:06:57 +0200 Subject: [PATCH 09/17] Update tests_firewalls --- include/tests_firewalls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index d8d9ce0b..ab810596 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -114,7 +114,7 @@ do ${IPTABLESBINARY} -t "${t}" -S -v -w 1 2>/dev/zero | { - while read -r line + while IFS="\n" read -r line do set -- ${line} while [ $# -gt 0 ] @@ -230,7 +230,7 @@ fi done # resume - echo ${errqueue} | ${SORTBINARY} -u | while read -r eq + echo ${errqueue} | ${SORTBINARY} -u | while IFS="\n" read -r eq do set -- ${eq} while [ $# -gt 0 ] From 0891d2693e61bd41228517951565d4b05245b2aa Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Fri, 11 Oct 2024 11:04:56 +0200 Subject: [PATCH 10/17] Update tests_firewalls --- include/tests_firewalls | 80 ++++------------------------------------- 1 file changed, 7 insertions(+), 73 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index ab810596..25f3dff3 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls 
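Review bot: The `AddHP` calls still run on the right-hand side of the pipeline (`${IPTABLESBINARY} ... 2>/dev/zero | { while ... }`), which is a subshell; if `AddHP` works by updating shell variables, as its name suggests, every update is discarded when the group exits and the test never changes the hardening score. Wrapping the loop in `{ }` keeps `errqueue` visible to the `# resume` section but does not move it out of the subshell. Capture the listing first, `IPTABLES_RULES="$(${IPTABLESBINARY} -t "${t}" -S -v -w 1 2>/dev/null)"`, and feed the loop from a here-document (`done <<EOF` / `${IPTABLES_RULES}` / `EOF`) so it executes in the current shell. The shape predates this series (the removed `echo "${FIND}" | sort | uniq | while` loop had the same problem) and persists through PATCH 10, 13 and 14.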
@@ -112,39 +112,14 @@ tables="filter nat mangle raw security" for t in ${tables} do - ${IPTABLESBINARY} -t "${t}" -S -v -w 1 2>/dev/zero | + ${IPTABLESBINARY} -t "${t}" -S -w 1 2>/dev/zero | { while IFS="\n" read -r line do set -- ${line} while [ $# -gt 0 ] do - if [ "${1}" = "!" ] - then - not="${1}" - if [ "${2}" = "-d" ] - then - d="${not} ${3}" - shift 3 - elif [ "${2}" = "-s" ] - then - s="${not} ${3}" - shift 3 - elif [ "${2}" = "-i" ] - then - p="${not} ${3}" - shift 3 - elif [ "${2}" = "-o" ] - then - o="${not} ${3}" - shift 3 - elif [ "${2}" = "-f" ] - then - p="${not} ${3}" - shift 3 - fi - shift - elif [ "${1}" = "-P" ] + if [ "${1}" = "-P" ] then c="${2}" j="${3}" @@ -157,43 +132,6 @@ then j="${2}" shift - elif [ "${1}" = "-p" ] - then - p="${2}" - shift - elif [ "${1}" = "-d" ] - then - d="${2}" - shift - elif [ "${1}" = "-s" ] - then - s="${2}" - shift - elif [ "${1}" = "-m" ] - then - m="${2}" - shift - elif [ "${1}" = "-g" ] - then - g="${2}" - shift - elif [ "${1}" = "-i" ] - then - i="${2}" - shift - elif [ "${1}" = "-o" ] - then - o="${2}" - shift - elif [ "${1}" = "-f" ] - then - f="${2}" - shift - elif [ "${1}" = "-c" ] - then - pc="${2}" - bc="${3}" - shift 3 else shift fi @@ -212,12 +150,6 @@ errqueue="${errqueue}\n${t} ${c} ${j} GREEN" AddHP 3 3 fi - elif [ "${c}" = "FORWARD" ] - then - : - elif [ "${c}" = "OUTPUT" ] - then - : fi if [ "${c}" = "INPUT" ] || [ "${c}" = "FORWARD" ] || [ "${c}" = "OUTPUT" ] then 
@@ -230,12 +162,14 @@ fi done # resume - echo ${errqueue} | ${SORTBINARY} -u | while IFS="\n" read -r eq + if [ ! "${SORTBINARY}" = "" ]; then eq="$( echo "${errqueue}" | ${SORTBINARY} -u )"; else eq="${errqueue}"; fi + echo "${eq}" | while IFS="\n" read -r eql do - set -- ${eq} + set -- ${eql} while [ $# -gt 0 ] do - Display --indent 6 --text "Checking chain ${2} (table: ${1}, target: ${3})" --result "${3}" --color "${4}" + LogText "Result: Found ${3} for ${2} (table: ${1})" + Display --indent 6 --text "- Checking chain ${2} (table: ${1}, target: ${3})" --result "${3}" --color "${4}" if [ "${3}" = "NFQUEUE" ] then ReportSuggestion "${TEST_NO}" "Consider avoid ${3} target if possible (iptables chain ${2}, table: ${1})" From f3ffbb0b486661d4da840d3c791c8bc9e6c073e0 Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Fri, 11 Oct 2024 15:24:20 +0200 Subject: [PATCH 11/17] Update tests_firewalls --- include/tests_firewalls | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 25f3dff3..f55f74e3 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls 
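Review bot: `eq="$( echo "${errqueue}" | ${SORTBINARY} -u )"` relies on `echo` turning the literal `\n` sequences that `errqueue` is built from into newlines; dash's echo does, bash's does not, so under bash the whole queue is one line, `sort -u` cannot de-duplicate it, and the `shift 4` loop silently walks the concatenated records. Use `printf '%b\n' "${errqueue}"`, whose `%b` conversion expands the escapes in every POSIX shell, or append records with a real newline instead of `\n`. The same echo-of-escapes pattern was introduced in PATCH 08 and is renamed, not fixed, in PATCH 13. The `{ }` group this resume loop sits in starts before the hunk.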
@@ -165,17 +165,19 @@ if [ ! "${SORTBINARY}" = "" ]; then eq="$( echo "${errqueue}" | ${SORTBINARY} -u )"; else eq="${errqueue}"; fi echo "${eq}" | while IFS="\n" read -r eql do - set -- ${eql} - while [ $# -gt 0 ] - do - LogText "Result: Found ${3} for ${2} (table: ${1})" - Display --indent 6 --text "- Checking chain ${2} (table: ${1}, target: ${3})" --result "${3}" --color "${4}" - if [ "${3}" = "NFQUEUE" ] - then - ReportSuggestion "${TEST_NO}" "Consider avoid ${3} target if possible (iptables chain ${2}, table: ${1})" - fi - shift 4 - done + if [ ! "$eql" = "" ] + then + set -- ${eql} + while [ $# -gt 0 ] + do + Display --indent 6 --text "- Checking chain ${2} (table: ${1}, target: ${3})" --result "${3}" --color "${4}" + if [ "${3}" = "NFQUEUE" ] + then + ReportSuggestion "${TEST_NO}" "Consider avoid ${3} target if possible (iptables chain ${2}, table: ${1})" + fi + shift 4 + done + fi done } done From d61ac72d49282daa1136aebddab13ff2ce62e681 Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Mon, 14 Oct 2024 11:13:39 +0200 Subject: [PATCH 12/17] Update tests_firewalls --- include/tests_firewalls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index f55f74e3..be8bb083 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -114,7 +114,7 @@ do ${IPTABLESBINARY} -t "${t}" -S -w 1 2>/dev/zero | { - while IFS="\n" read -r line + while IFS="$(printf '\n')" read -r line do set -- ${line} while [ $# -gt 0 ] @@ -163,7 +163,7 @@ done # resume if [ ! "${SORTBINARY}" = "" ]; then eq="$( echo "${errqueue}" | ${SORTBINARY} -u )"; else eq="${errqueue}"; fi - echo "${eq}" | while IFS="\n" read -r eql + echo "${eq}" | while IFS="$(printf '\n')" read -r eql do if [ ! "$eql" = "" ] then From 06b220e503d23375a142376dee95fefa0ce270b7 Mon Sep 17 00:00:00 2001 
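Review bot: The rewrite drops the `LogText "Result: Found ${3} for ${2} (table: ${1})"` line, so a finding from this loop is only shown on screen and no longer written to the log, whereas every earlier version of this test (PATCH 01 through 07) logged each result before calling `Display`. Keep the log call directly above the `Display` line: `LogText "Result: Found ${3} for ${2} (table: ${1})"`. The resume loop and the `{ }` group around it start before the hunk.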
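Review bot: `IFS="$(printf '\n')"` evaluates to the empty string, because command substitution strips trailing newlines, so both `read` calls in these two hunks now run with `IFS=` rather than the newline separator the expression suggests. That is in fact the right idiom for reading a line verbatim (`IFS= read -r`), but it is correct by accident and misleading to the next reader; write `while IFS= read -r line` and `while IFS= read -r eql` explicitly. The `IFS="\n"` it replaces (PATCH 09) was worse, a literal backslash and `n` as separators, so the behaviour change itself is an improvement. Both loops start outside the hunks.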
From: nser77 <104022475+nser77@users.noreply.github.com> Date: Mon, 14 Oct 2024 12:10:58 +0200 Subject: [PATCH 13/17] Update tests_firewalls --- include/tests_firewalls | 49 +++++++++++++++++++++++------------------ 1 file changed, 27 insertions(+), 22 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index be8bb083..831c19b2 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls 
@@ -109,65 +109,70 @@ Register --test-no FIRE-4508 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check used policies of iptables chains" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 4 --text "- Checking iptables policies of chains" --result "${STATUS_FOUND}" --color GREEN - tables="filter nat mangle raw security" - for t in ${tables} + IPTABLES_TABLES="filter nat mangle raw security" + for IPTABLES_TABLE in ${IPTABLES_TABLES} do - ${IPTABLESBINARY} -t "${t}" -S -w 1 2>/dev/zero | + ${IPTABLESBINARY} -t "${IPTABLES_TABLE}" --list-rules --wait 1 2>/dev/zero | { - while IFS="$(printf '\n')" read -r line + while IFS="$(printf '\n')" read -r IPTABLES_OUTPUT_LINE do - set -- ${line} + set -- ${IPTABLES_OUTPUT_LINE} while [ $# -gt 0 ] do if [ "${1}" = "-P" ] then - c="${2}" - j="${3}" + IPTABLES_CHAIN="${2}" + IPTABLES_TARGET="${3}" shift 3 elif [ "${1}" = "-A" ] || [ "${1}" = "-N" ] then - c="${2}" + IPTABLES_CHAIN="${2}" shift 2 elif [ "${1}" = "-j" ] then - j="${2}" + IPTABLES_TARGET="${2}" shift else shift fi done # logics - if [ "${t}" = "filter" ] || [ "${t}" = "security" ] + if [ "${IPTABLES_TABLE}" = "filter" ] || [ "${IPTABLES_TABLE}" = "security" ] then - if [ "${c}" = "INPUT" ] + if [ "${IPTABLES_CHAIN}" = "INPUT" ] then - if [ "${j}" = "ACCEPT" ] + if [ "${IPTABLES_TARGET}" = "ACCEPT" ] then - errqueue="${errqueue}\n${t} ${c} ${j} YELLOW" + IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} YELLOW" AddHP 1 3 - elif [ "${j}" = "DROP" ] + elif [ "${IPTABLES_TARGET}" = "DROP" ] then - errqueue="${errqueue}\n${t} ${c} ${j} GREEN" + IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} GREEN" AddHP 3 3 fi fi - if [ "${c}" = "INPUT" ] || [ "${c}" = "FORWARD" ] || [ "${c}" = "OUTPUT" ] + if [ "${IPTABLES_CHAIN}" = "INPUT" ] || [ "${IPTABLES_CHAIN}" = "FORWARD" ] || [ "${IPTABLES_CHAIN}" = "OUTPUT" ] 
then - if [ "${j}" = "NFQUEUE" ] + if [ "${IPTABLES_TARGET}" = "NFQUEUE" ] then - errqueue="${errqueue}\n${t} ${c} ${j} RED" + IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} RED" AddHP 0 3 fi fi fi done # resume - if [ ! "${SORTBINARY}" = "" ]; then eq="$( echo "${errqueue}" | ${SORTBINARY} -u )"; else eq="${errqueue}"; fi - echo "${eq}" | while IFS="$(printf '\n')" read -r eql + if [ ! "${SORTBINARY}" = "" ] + then + IPTABLES_OUTPUT="$( echo "${IPTABLES_OUTPUT_QUEUE}" | ${SORTBINARY} -u )" + else + IPTABLES_OUTPUT="${IPTABLES_OUTPUT_QUEUE}" + fi + echo "${IPTABLES_OUTPUT}" | while IFS="$(printf '\n')" read -r IPTABLES_OUTPUT_LINE do - if [ ! "$eql" = "" ] + if [ ! "$IPTABLES_OUTPUT_LINE" = "" ] then - set -- ${eql} + set -- ${IPTABLES_OUTPUT_LINE} while [ $# -gt 0 ] do Display --indent 6 --text "- Checking chain ${2} (table: ${1}, target: ${3})" --result "${3}" --color "${4}" From ade45301a81e2b1e39198d0c90283131274c2a10 Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Mon, 14 Oct 2024 15:58:14 +0200 Subject: [PATCH 14/17] Update tests_firewalls --- include/tests_firewalls | 40 +++++++++++++++++++++++----------------- 1 file changed, 23 insertions(+), 17 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 831c19b2..223fe63d 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -114,9 +114,9 @@ do ${IPTABLESBINARY} -t "${IPTABLES_TABLE}" --list-rules --wait 1 2>/dev/zero | { - while IFS="$(printf '\n')" read -r IPTABLES_OUTPUT_LINE + while IFS="$(printf '\n')" read -r IPTABLES_LINES do - set -- ${IPTABLES_OUTPUT_LINE} + set -- ${IPTABLES_LINES} while [ $# -gt 0 ] do if [ "${1}" = "-P" ] 
@@ -137,26 +137,29 @@
 fi
 done
 # logics
- if [ "${IPTABLES_TABLE}" = "filter" ] || [ "${IPTABLES_TABLE}" = "security" ]
+ if [ ! "${IPTABLES_TABLE}" = "" ] && [ ! "${IPTABLES_CHAIN}" = "" ] && [ ! "${IPTABLES_TARGET}" = "" ]
 then
- if [ "${IPTABLES_CHAIN}" = "INPUT" ]
+ if [ "${IPTABLES_TABLE}" = "filter" ] || [ "${IPTABLES_TABLE}" = "security" ]
 then
- if [ "${IPTABLES_TARGET}" = "ACCEPT" ]
+ if [ "${IPTABLES_CHAIN}" = "INPUT" ]
 then
- IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} YELLOW"
- AddHP 1 3
- elif [ "${IPTABLES_TARGET}" = "DROP" ]
- then
- IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} GREEN"
- AddHP 3 3
+ if [ "${IPTABLES_TARGET}" = "ACCEPT" ]
+ then
+ IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} YELLOW"
+ AddHP 1 3
+ elif [ "${IPTABLES_TARGET}" = "DROP" ]
+ then
+ IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} GREEN"
+ AddHP 3 3
+ fi
 fi
- fi
- if [ "${IPTABLES_CHAIN}" = "INPUT" ] || [ "${IPTABLES_CHAIN}" = "FORWARD" ] || [ "${IPTABLES_CHAIN}" = "OUTPUT" ]
- then
- if [ "${IPTABLES_TARGET}" = "NFQUEUE" ]
+ if [ "${IPTABLES_CHAIN}" = "INPUT" ] || [ "${IPTABLES_CHAIN}" = "FORWARD" ] || [ "${IPTABLES_CHAIN}" = "OUTPUT" ]
 then
- IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} RED"
- AddHP 0 3
+ if [ "${IPTABLES_TARGET}" = "NFQUEUE" ]
+ then
+ IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} RED"
+ AddHP 0 3
+ fi
 fi
 fi
 fi
@@ -185,8 +188,11 @@
 fi
 done
 }
+ unset IPTABLES_TABLE
 done
+ unset IPTABLES_TABLES
 fi
+ unset PREQS_MET
 #
 #################################################################################
 #
From 7bdcd56f631cdcf9f1d0bd52d8b9e88ec08b9043 Mon Sep 17 00:00:00 2001
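Review bot: `unset PREQS_MET` at the end of the FIRE-4508 block removes a variable this test did not create, and `Register --test-no FIRE-4508 --preqs-met ${PREQS_MET}` (the header context of the first hunk of this series) expands it unquoted; if any later test in the file calls `Register` without assigning PREQS_MET first, `--preqs-met` would be followed by nothing and swallow the next option as its value. If every test does reassign it, the line is harmless but also buys nothing, so I would drop `unset PREQS_MET` and keep only the two `unset IPTABLES_*` lines, which clean up names this block introduced. `unset IPTABLES_TABLE` inside the `for` body is likewise redundant for every iteration but the last, since the loop reassigns it. The enclosing `if [ ${SKIPTEST} -eq 0 ]` block starts outside this hunk.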
From: nser77 <104022475+nser77@users.noreply.github.com>
Date: Mon, 14 Oct 2024 16:05:33 +0200
Subject: [PATCH 15/17] Update tests_firewalls

---
 include/tests_firewalls | 33 +++++++++++++++------------------
 1 file changed, 15 insertions(+), 18 deletions(-)

diff --git a/include/tests_firewalls b/include/tests_firewalls
index 223fe63d..fb8a731c 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -137,29 +137,26 @@
 fi
 done
 # logics
- if [ ! "${IPTABLES_TABLE}" = "" ] && [ ! "${IPTABLES_CHAIN}" = "" ] && [ ! "${IPTABLES_TARGET}" = "" ]
+ if [ "${IPTABLES_TABLE}" = "filter" ] || [ "${IPTABLES_TABLE}" = "security" ]
 then
- if [ "${IPTABLES_TABLE}" = "filter" ] || [ "${IPTABLES_TABLE}" = "security" ]
+ if [ "${IPTABLES_CHAIN}" = "INPUT" ]
 then
- if [ "${IPTABLES_CHAIN}" = "INPUT" ]
+ if [ "${IPTABLES_TARGET}" = "ACCEPT" ]
 then
- if [ "${IPTABLES_TARGET}" = "ACCEPT" ]
- then
- IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} YELLOW"
- AddHP 1 3
- elif [ "${IPTABLES_TARGET}" = "DROP" ]
- then
- IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} GREEN"
- AddHP 3 3
- fi
+ IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} YELLOW"
+ AddHP 1 3
+ elif [ "${IPTABLES_TARGET}" = "DROP" ]
+ then
+ IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} GREEN"
+ AddHP 3 3
 fi
- if [ "${IPTABLES_CHAIN}" = "INPUT" ] || [ "${IPTABLES_CHAIN}" = "FORWARD" ] || [ "${IPTABLES_CHAIN}" = "OUTPUT" ]
+ fi
+ if [ "${IPTABLES_CHAIN}" = "INPUT" ] || [ "${IPTABLES_CHAIN}" = "FORWARD" ] || [ "${IPTABLES_CHAIN}" = "OUTPUT" ]
+ then
+ if [ "${IPTABLES_TARGET}" = "NFQUEUE" ]
 then
- if [ "${IPTABLES_TARGET}" = "NFQUEUE" ]
- then
- IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} RED"
- AddHP 0 3
- fi
+ IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} RED"
+ AddHP 0 3
 fi
 fi
 fi
From c53969d1fccdf8d88abb8f8176f94fc1b8a13825 Mon Sep 17 00:00:00 2001
From: nser77 <104022475+nser77@users.noreply.github.com>
Date: Tue, 15 Oct 2024 09:29:50 +0200
Subject: [PATCH 16/17] Update tests_firewalls

---
 include/tests_firewalls | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
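Review bot: The scoring block here still runs once for every line `iptables --list-rules` prints, with IPTABLES_CHAIN and IPTABLES_TARGET carried over from the previous line whenever the current one does not set them (the parser above, outside this hunk, only assigns them on `-P`, `-A`/`-N` and `-j`). So every `-A INPUT ... -j ACCEPT` or `-j DROP` rule is scored as if it were the chain policy — AddHP 1 3 / 3 3 is added once per rule, and a chain whose policy is ACCEPT earns the GREEN "DROP" entry from its first explicit drop rule — and a line without `-j` (an `-N` line, or a rule whose last option is a match) inherits the target of the line before it, so it can be re-flagged as NFQUEUE. Patch 14's non-empty guard only masked the first lines of this, and this patch removes it without replacing it; what is needed is a per-line reset plus a flag saying whether the line was a policy line, so only `-P INPUT` decides the ACCEPT/DROP score while the NFQUEUE check keeps looking at every rule. The reset and the flag belong just before `set --` and in the `-P` branch of the parser, both outside this hunk; the gating change inside it is below.
```shell
# … in the parser loop above (outside this hunk), just before `set -- ${IPTABLES_LINES}`:
IPTABLES_CHAIN=""
IPTABLES_TARGET=""
IPTABLES_IS_POLICY=0
# … and in its `-P` branch, next to IPTABLES_TARGET="${3}":
IPTABLES_IS_POLICY=1
# logics
if [ "${IPTABLES_TABLE}" = "filter" ] || [ "${IPTABLES_TABLE}" = "security" ]
then
    # only a -P line describes the chain's default; an -A rule that jumps
    # to ACCEPT/DROP says nothing about the policy and must not be scored as one
    if [ "${IPTABLES_CHAIN}" = "INPUT" ] && [ "${IPTABLES_IS_POLICY}" -eq 1 ]
    then
        # … unchanged: ACCEPT (YELLOW, AddHP 1 3) / DROP (GREEN, AddHP 3 3) …
    fi
    # … unchanged: NFQUEUE check for INPUT/FORWARD/OUTPUT, which applies to any rule …
fi
```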
diff --git a/include/tests_firewalls b/include/tests_firewalls
index fb8a731c..b4605cdd 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -114,6 +114,7 @@
 do
 ${IPTABLESBINARY} -t "${IPTABLES_TABLE}" --list-rules --wait 1 2>/dev/zero |
 {
+ IPTABLES_OUTPUT_QUEUE=""
 while IFS="$(printf '\n')" read -r IPTABLES_LINES
 do
 set -- ${IPTABLES_LINES}
@@ -143,11 +144,11 @@
 then
 if [ "${IPTABLES_TARGET}" = "ACCEPT" ]
 then
- IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} YELLOW"
+ IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE} ${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} YELLOW"
 AddHP 1 3
 elif [ "${IPTABLES_TARGET}" = "DROP" ]
 then
- IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} GREEN"
+ IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE} ${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} GREEN"
 AddHP 3 3
 fi
 fi
@@ -155,7 +156,7 @@
 then
 if [ "${IPTABLES_TARGET}" = "NFQUEUE" ]
 then
- IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} RED"
+ IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE} ${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} RED"
 AddHP 0 3
 fi
 fi
From 690f82e5e43d66219bc35b546b4e85ae8ef81628 Mon Sep 17 00:00:00 2001
From: nser77 <104022475+nser77@users.noreply.github.com>
Date: Tue, 15 Oct 2024 09:56:30 +0200
Subject: [PATCH 17/17] Update tests_firewalls

---
 include/tests_firewalls | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/tests_firewalls b/include/tests_firewalls
index b4605cdd..2995e3f5 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -176,6 +176,7 @@
 set -- ${IPTABLES_OUTPUT_LINE}
 while [ $# -gt 0 ]
 do
+ LogText "Result: Found ${3} for ${2} (table: ${1})"
 Display --indent 6 --text "- Checking chain ${2} (table: ${1}, target: ${3})" --result "${3}" --color "${4}"
 if [ "${3}" = "NFQUEUE" ]
 then
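Review bot: Replacing the `\n` separator with a space turns IPTABLES_OUTPUT_QUEUE into a single line, so `${SORTBINARY} -u` in the resume section (outside these hunks) now has nothing to deduplicate and the consumer loop displays one entry per matching rule instead of one per chain. The old `\n` was itself unreliable — `echo` expands it in dash but not in bash's builtin — which is presumably why it was changed, but the fix is a real newline rather than no separator. Build the newline once with `printf` (command substitution strips a trailing one, hence the `x` sentinel), join entries with it, and emit the queue with `printf '%s\n'` instead of `echo`; the leading empty entry this produces is already skipped by the `[ ! "$IPTABLES_OUTPUT_LINE" = "" ]` guard. The `IPTABLES_OUTPUT_QUEUE=""` initialisation in the first hunk is fine, if mostly belt and braces, because the brace group sits on the right of a pipe and normally runs in a fresh subshell per table.
```shell
# once, before the table loop (outside these hunks): a literal newline, since
# $(printf '\n') alone strips the trailing newline and yields an empty string
IPTABLES_NL="$(printf '\nx')"
IPTABLES_NL="${IPTABLES_NL%x}"
# … unchanged: table loop, parser …
IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}${IPTABLES_NL}${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} YELLOW"
# … same form for the GREEN and RED entries …
# resume (outside these hunks): one entry per line into sort -u and the read loop
IPTABLES_OUTPUT="$( printf '%s\n' "${IPTABLES_OUTPUT_QUEUE}" | ${SORTBINARY} -u )"
printf '%s\n' "${IPTABLES_OUTPUT}" | while IFS= read -r IPTABLES_OUTPUT_LINE
```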