diff --git a/tests/fixtures/centos-7.7/iptables-filter-line-numbers.json b/tests/fixtures/centos-7.7/iptables-filter-line-numbers.json
new file mode 100644
index 00000000..19de3b15
--- /dev/null
+++ b/tests/fixtures/centos-7.7/iptables-filter-line-numbers.json
@@ -0,0 +1 @@ +[{"chain": "INPUT", "rules": [{"num": 1, "target": "ACCEPT", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere", "options": "ctstate RELATED,ESTABLISHED"}, {"num": 2, "target": "ACCEPT", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 3, "target": "INPUT_direct", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 4, "target": "INPUT_ZONES_SOURCE", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 5, "target": "INPUT_ZONES", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 6, "target": "DROP", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere", "options": "ctstate INVALID"}, {"num": 7, "target": "REJECT", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere", "options": "reject-with icmp-host-prohibited"}, {"num": 8, "target": "ACCEPT", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 9, "target": "ACCEPT", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 10, "target": "ACCEPT", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere", "options": "ctstate RELATED,ESTABLISHED"}, {"num": 11, "target": "DROP", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere", "options": "ctstate INVALID"}, {"num": 12, "target": "DROP", "prot": "all", "opt": null, "source": "15.15.15.51", "destination": "anywhere"}, {"num": 13, "target": "ACCEPT", "prot": "tcp", "opt": null, "source": "15.15.15.0/24", "destination": "anywhere", "options": "tcp dpt:ssh ctstate NEW,ESTABLISHED"}]}, {"chain": "FORWARD", "rules": [{"num": 1, "target": "DOCKER-ISOLATION", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 2, "target": "DOCKER", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, 
{"num": 3, "target": "ACCEPT", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere", "options": "ctstate RELATED,ESTABLISHED"}, {"num": 4, "target": "ACCEPT", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 5, "target": "ACCEPT", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 6, "target": "ACCEPT", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere", "options": "ctstate RELATED,ESTABLISHED"}, {"num": 7, "target": "ACCEPT", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 8, "target": "FORWARD_direct", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 9, "target": "FORWARD_IN_ZONES_SOURCE", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 10, "target": "FORWARD_IN_ZONES", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 11, "target": "FORWARD_OUT_ZONES_SOURCE", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 12, "target": "FORWARD_OUT_ZONES", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 13, "target": "DROP", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere", "options": "ctstate INVALID"}, {"num": 14, "target": "REJECT", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere", "options": "reject-with icmp-host-prohibited"}]}, {"chain": "OUTPUT", "rules": [{"num": 1, "target": "ACCEPT", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 2, "target": "OUTPUT_direct", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 3, "target": "ACCEPT", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 4, "target": "ACCEPT", "prot": "all", "opt": null, "source": "anywhere", "destination": 
"anywhere", "options": "ctstate ESTABLISHED"}, {"num": 5, "target": "ACCEPT", "prot": "tcp", "opt": null, "source": "anywhere", "destination": "anywhere", "options": "tcp spt:ssh ctstate ESTABLISHED"}]}, {"chain": "DOCKER", "rules": []}, {"chain": "DOCKER-ISOLATION", "rules": [{"num": 1, "target": "RETURN", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}]}, {"chain": "FORWARD_IN_ZONES", "rules": [{"num": 1, "target": "FWDI_public", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere", "options": "[goto] "}, {"num": 2, "target": "FWDI_public", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere", "options": "[goto] "}]}, {"chain": "FORWARD_IN_ZONES_SOURCE", "rules": []}, {"chain": "FORWARD_OUT_ZONES", "rules": [{"num": 1, "target": "FWDO_public", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere", "options": "[goto] "}, {"num": 2, "target": "FWDO_public", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere", "options": "[goto] "}]}, {"chain": "FORWARD_OUT_ZONES_SOURCE", "rules": []}, {"chain": "FORWARD_direct", "rules": []}, {"chain": "FWDI_public", "rules": [{"num": 1, "target": "FWDI_public_log", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 2, "target": "FWDI_public_deny", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 3, "target": "FWDI_public_allow", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 4, "target": "ACCEPT", "prot": "icmp", "opt": null, "source": "anywhere", "destination": "anywhere"}]}, {"chain": "FWDI_public_allow", "rules": []}, {"chain": "FWDI_public_deny", "rules": []}, {"chain": "FWDI_public_log", "rules": []}, {"chain": "FWDO_public", "rules": [{"num": 1, "target": "FWDO_public_log", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 2, "target": "FWDO_public_deny", 
"prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 3, "target": "FWDO_public_allow", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}]}, {"chain": "FWDO_public_allow", "rules": []}, {"chain": "FWDO_public_deny", "rules": []}, {"chain": "FWDO_public_log", "rules": []}, {"chain": "INPUT_ZONES", "rules": [{"num": 1, "target": "IN_public", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere", "options": "[goto] "}, {"num": 2, "target": "IN_public", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere", "options": "[goto] "}]}, {"chain": "INPUT_ZONES_SOURCE", "rules": []}, {"chain": "INPUT_direct", "rules": []}, {"chain": "IN_public", "rules": [{"num": 1, "target": "IN_public_log", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 2, "target": "IN_public_deny", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 3, "target": "IN_public_allow", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 4, "target": "ACCEPT", "prot": "icmp", "opt": null, "source": "anywhere", "destination": "anywhere"}]}, {"chain": "IN_public_allow", "rules": [{"num": 1, "target": "ACCEPT", "prot": "tcp", "opt": null, "source": "anywhere", "destination": "anywhere", "options": "tcp dpt:ssh ctstate NEW,UNTRACKED"}]}, {"chain": "IN_public_deny", "rules": []}, {"chain": "IN_public_log", "rules": []}] diff --git a/tests/fixtures/centos-7.7/iptables-filter-line-numbers.out b/tests/fixtures/centos-7.7/iptables-filter-line-numbers.out new file mode 100644 index 00000000..f6fd084b --- /dev/null +++ b/tests/fixtures/centos-7.7/iptables-filter-line-numbers.out 
@@ -0,0 +1,128 @@ +Chain INPUT (policy ACCEPT) +num target prot opt source destination +1 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED +2 ACCEPT all -- anywhere anywhere +3 INPUT_direct all -- anywhere anywhere +4 INPUT_ZONES_SOURCE all -- anywhere anywhere +5 INPUT_ZONES all -- anywhere anywhere +6 DROP all -- anywhere anywhere ctstate INVALID +7 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited +8 ACCEPT all -- anywhere anywhere +9 ACCEPT all -- anywhere anywhere +10 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED +11 DROP all -- anywhere anywhere ctstate INVALID +12 DROP all -- 15.15.15.51 anywhere +13 ACCEPT tcp -- 15.15.15.0/24 anywhere tcp dpt:ssh ctstate NEW,ESTABLISHED + +Chain FORWARD (policy DROP) +num target prot opt source destination +1 DOCKER-ISOLATION all -- anywhere anywhere +2 DOCKER all -- anywhere anywhere +3 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED +4 ACCEPT all -- anywhere anywhere +5 ACCEPT all -- anywhere anywhere +6 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED +7 ACCEPT all -- anywhere anywhere +8 FORWARD_direct all -- anywhere anywhere +9 FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere +10 FORWARD_IN_ZONES all -- anywhere anywhere +11 FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere +12 FORWARD_OUT_ZONES all -- anywhere anywhere +13 DROP all -- anywhere anywhere ctstate INVALID +14 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited + +Chain OUTPUT (policy ACCEPT) +num target prot opt source destination +1 ACCEPT all -- anywhere anywhere +2 OUTPUT_direct all -- anywhere anywhere +3 ACCEPT all -- anywhere anywhere +4 ACCEPT all -- anywhere anywhere ctstate ESTABLISHED +5 ACCEPT tcp -- anywhere anywhere tcp spt:ssh ctstate ESTABLISHED + +Chain DOCKER (1 references) +num target prot opt source destination + +Chain DOCKER-ISOLATION (1 references) +num target prot opt source destination +1 RETURN all -- anywhere anywhere + +Chain FORWARD_IN_ZONES (1 
references) +num target prot opt source destination +1 FWDI_public all -- anywhere anywhere [goto] +2 FWDI_public all -- anywhere anywhere [goto] + +Chain FORWARD_IN_ZONES_SOURCE (1 references) +num target prot opt source destination + +Chain FORWARD_OUT_ZONES (1 references) +num target prot opt source destination +1 FWDO_public all -- anywhere anywhere [goto] +2 FWDO_public all -- anywhere anywhere [goto] + +Chain FORWARD_OUT_ZONES_SOURCE (1 references) +num target prot opt source destination + +Chain FORWARD_direct (1 references) +num target prot opt source destination + +Chain FWDI_public (2 references) +num target prot opt source destination +1 FWDI_public_log all -- anywhere anywhere +2 FWDI_public_deny all -- anywhere anywhere +3 FWDI_public_allow all -- anywhere anywhere +4 ACCEPT icmp -- anywhere anywhere + +Chain FWDI_public_allow (1 references) +num target prot opt source destination + +Chain FWDI_public_deny (1 references) +num target prot opt source destination + +Chain FWDI_public_log (1 references) +num target prot opt source destination + +Chain FWDO_public (2 references) +num target prot opt source destination +1 FWDO_public_log all -- anywhere anywhere +2 FWDO_public_deny all -- anywhere anywhere +3 FWDO_public_allow all -- anywhere anywhere + +Chain FWDO_public_allow (1 references) +num target prot opt source destination + +Chain FWDO_public_deny (1 references) +num target prot opt source destination + +Chain FWDO_public_log (1 references) +num target prot opt source destination + +Chain INPUT_ZONES (1 references) +num target prot opt source destination +1 IN_public all -- anywhere anywhere [goto] +2 IN_public all -- anywhere anywhere [goto] + +Chain INPUT_ZONES_SOURCE (1 references) +num target prot opt source destination + +Chain INPUT_direct (1 references) +num target prot opt source destination + +Chain IN_public (2 references) +num target prot opt source destination +1 IN_public_log all -- anywhere anywhere +2 IN_public_deny all -- anywhere 
anywhere +3 IN_public_allow all -- anywhere anywhere +4 ACCEPT icmp -- anywhere anywhere + +Chain IN_public_allow (1 references) +num target prot opt source destination +1 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW,UNTRACKED + +Chain IN_public_deny (1 references) +num target prot opt source destination + +Chain IN_public_log (1 references) +num target prot opt source destination + +Chain OUTPUT_direct (1 references) +num target prot opt source destination diff --git a/tests/fixtures/create_fixtures.sh b/tests/fixtures/create_fixtures.sh index 73aa5cfb..6a253910 100644 --- a/tests/fixtures/create_fixtures.sh +++ b/tests/fixtures/create_fixtures.sh @@ -23,6 +23,7 @@ sudo iptables -A INPUT -i lo -s 15.15.15.51 -j DROP sudo iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT sudo iptables -L -t filter > iptables-filter.out +sudo iptables --line-numbers -L -t filter > iptables-filter-line-numbers.out sudo iptables -L -t nat > iptables-nat.out sudo iptables -L -t mangle > iptables-mangle.out sudo iptables -L -t raw > iptables-raw.out diff --git a/tests/fixtures/ubuntu-18.04/iptables-filter-line-numbers.json b/tests/fixtures/ubuntu-18.04/iptables-filter-line-numbers.json new file mode 100644 index 00000000..17c7abaa --- /dev/null +++ b/tests/fixtures/ubuntu-18.04/iptables-filter-line-numbers.json 
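Review bot: The capture added to `create_fixtures.sh` exercises `--line-numbers` only with plain `-L -t filter`, so the new `num` column is never tested together with the `pkts`/`bytes` columns that `-nvL` prints (the suite already carries `iptables-filter-nv` fixtures). The parser change is not in view here, so I can't tell whether that wider header is handled. A second capture such as `sudo iptables --line-numbers -nvL -t filter > <fixture-name>.out` (file name is a placeholder) with a matching test would settle it. It is also worth a comment above the new line saying that the `.json` counterpart must be checked by hand against the `.out`, not just regenerated from the parser.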
@@ -0,0 +1 @@
+[{"chain": "INPUT", "rules": [{"num": 1, "target": "ACCEPT", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 2, "target": "ACCEPT", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere"}, {"num": 3, "target": "ACCEPT", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere", "options": "ctstate RELATED,ESTABLISHED"}, {"num": 4, "target": "DROP", "prot": "all", "opt": null, "source": "anywhere", "destination": "anywhere", "options": "ctstate INVALID"}, {"num": 5, "target": "DROP", "prot": "all", "opt": null, "source": "15.15.15.51", "destination": "anywhere"}, {"num": 6, "target": "ACCEPT", "prot": "tcp", "opt": null, "source": "15.15.15.0/24", "destination": "anywhere", "options": "tcp dpt:ssh ctstate NEW,ESTABLISHED"}]}, {"chain": "FORWARD", "rules": []}]
diff --git a/tests/fixtures/ubuntu-18.04/iptables-filter-line-numbers.out b/tests/fixtures/ubuntu-18.04/iptables-filter-line-numbers.out
new file mode 100644
index 00000000..bfb93e59
--- /dev/null
+++ b/tests/fixtures/ubuntu-18.04/iptables-filter-line-numbers.out
@@ -0,0 +1,17 @@
+Chain INPUT (policy ACCEPT)
+num target prot opt source destination
+1 ACCEPT all -- anywhere anywhere
+2 ACCEPT all -- anywhere anywhere
+3 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
+4 DROP all -- anywhere anywhere ctstate INVALID
+5 DROP all -- 15.15.15.51 anywhere
+6 ACCEPT tcp -- 15.15.15.0/24 anywhere tcp dpt:ssh ctstate NEW,ESTABLISHED
+
+Chain FORWARD (policy ACCEPT)
+num target prot opt source destination
+
+Chain OUTPUT (policy ACCEPT)
+num target prot opt source destination
+1 ACCEPT all -- anywhere anywhere
+2 ACCEPT all -- anywhere anywhere ctstate ESTABLISHED
+3 ACCEPT tcp -- anywhere anywhere tcp spt:ssh ctstate ESTABLISHED
diff --git a/tests/test_iptables.py b/tests/test_iptables.py
index 5bc8c8d2..e9c25f76 100644
--- a/tests/test_iptables.py
+++ b/tests/test_iptables.py
@@ -16,6 +16,12 @@ class MyTests(unittest.TestCase): with open(os.path.join(THIS_DIR, os.pardir, 'tests/fixtures/ubuntu-18.04/iptables-filter.out'), 'r') as f: self.ubuntu_18_4_iptables_filter = f.read() + with open(os.path.join(THIS_DIR, os.pardir, 'tests/fixtures/centos-7.7/iptables-filter-line-numbers.out'), 'r') as f: + self.centos_7_7_iptables_filter_line_numbers = f.read() + + with open(os.path.join(THIS_DIR, os.pardir, 'tests/fixtures/ubuntu-18.04/iptables-filter-line-numbers.out'), 'r') as f: + self.ubuntu_18_4_iptables_filter_line_numbers = f.read() + with open(os.path.join(THIS_DIR, os.pardir, 'tests/fixtures/centos-7.7/iptables-filter-nv.out'), 'r') as f: self.centos_7_7_iptables_filter_nv = f.read() @@ -47,6 +53,12 @@ class MyTests(unittest.TestCase): with open(os.path.join(THIS_DIR, os.pardir, 'tests/fixtures/ubuntu-18.04/iptables-filter.json'), 'r') as f: self.ubuntu_18_4_iptables_filter_json = json.loads(f.read()) + with open(os.path.join(THIS_DIR, os.pardir, 'tests/fixtures/centos-7.7/iptables-filter-line-numbers.json'), 'r') as f: + self.centos_7_7_iptables_filter_line_numbers_json = json.loads(f.read()) + + with open(os.path.join(THIS_DIR, os.pardir, 'tests/fixtures/ubuntu-18.04/iptables-filter-line-numbers.json'), 'r') as f: + self.ubuntu_18_4_iptables_filter_line_numbers_json = json.loads(f.read()) + with open(os.path.join(THIS_DIR, os.pardir, 'tests/fixtures/centos-7.7/iptables-filter-nv.json'), 'r') as f: self.centos_7_7_iptables_filter_nv_json = json.loads(f.read()) 
@@ -83,6 +95,18 @@ class MyTests(unittest.TestCase): """ self.assertEqual(jc.parsers.iptables.parse(self.ubuntu_18_4_iptables_filter, quiet=True), self.ubuntu_18_4_iptables_filter_json) + def test_iptables_filter_line_numbers_centos_7_7(self): + """ + Test 'sudo iptables --line-numbers -L -t filter' on Centos 7.7 + """ + self.assertEqual(jc.parsers.iptables.parse(self.centos_7_7_iptables_filter_line_numbers, quiet=True), self.centos_7_7_iptables_filter_line_numbers_json) + + def test_iptables_filter_line_numbers_ubuntu_18_4(self): + """ + Test 'sudo iptables --line-numbers -L -t filter' on Ubuntu 18.4 + """ + self.assertEqual(jc.parsers.iptables.parse(self.ubuntu_18_4_iptables_filter_line_numbers, quiet=True), self.ubuntu_18_4_iptables_filter_line_numbers_json) + def test_iptables_filter_nv_centos_7_7(self): """ Test 'sudo iptables -nvL -t filter' on Centos 7.7
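Review bot: Both new tests compare the parser output with expected JSON that is missing the last chain of its capture. The Ubuntu `.out` ends with `Chain OUTPUT` and three rules, but its `.json` stops at `FORWARD`. The CentOS `.out` ends with `Chain OUTPUT_direct`, which has no entry in the CentOS `.json`. If those files were produced by running the parser, the tests pin a truncated result, and anyone auditing a firewall from this JSON would never see the OUTPUT rules. Correct the expected files by hand from the `.out` captures and add an explicit check in each test, for example `self.assertEqual(result[-1]['chain'], 'OUTPUT')` for Ubuntu, with `result` bound to the `parse(...)` return value. The `MyTests` class starts outside this hunk, so I cannot see whether the older fixtures share the gap.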