From 51a6ac1f660093c1f2609846f7f08b7329bab72f Mon Sep 17 00:00:00 2001
From: Simo Kuusela
Date: Mon, 24 Apr 2017 12:03:36 +0300
Subject: [PATCH 1/2] meta-iotqa: Add iptables test
Test dropping and rejecting SSH connections with iptables.
Signed-off-by: Simo Kuusela
---
 .../runtime/sanity/files/iptables_drop.sh | 6 ++
 .../runtime/sanity/files/iptables_reject.sh | 6 ++
 .../lib/oeqa/runtime/sanity/iptables.py | 72 +++++++++++++++++++
 3 files changed, 84 insertions(+)
 create mode 100755 meta-iotqa/lib/oeqa/runtime/sanity/files/iptables_drop.sh
 create mode 100755 meta-iotqa/lib/oeqa/runtime/sanity/files/iptables_reject.sh
 create mode 100644 meta-iotqa/lib/oeqa/runtime/sanity/iptables.py
diff --git a/meta-iotqa/lib/oeqa/runtime/sanity/files/iptables_drop.sh b/meta-iotqa/lib/oeqa/runtime/sanity/files/iptables_drop.sh
new file mode 100755
index 0000000000..76107935f9
--- /dev/null
+++ b/meta-iotqa/lib/oeqa/runtime/sanity/files/iptables_drop.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+iptables -D INPUT -p tcp --dport 22 -j ACCEPT
+iptables -A INPUT -p tcp --dport 22 -j DROP
+sleep 10
+iptables -D INPUT -p tcp --dport 22 -j DROP
+iptables -A INPUT -p tcp --dport 22 -j ACCEPT
diff --git a/meta-iotqa/lib/oeqa/runtime/sanity/files/iptables_reject.sh b/meta-iotqa/lib/oeqa/runtime/sanity/files/iptables_reject.sh
new file mode 100755
index 0000000000..cded082348
--- /dev/null
+++ b/meta-iotqa/lib/oeqa/runtime/sanity/files/iptables_reject.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+iptables -D INPUT -p tcp --dport 22 -j ACCEPT
+iptables -A INPUT -p tcp --dport 22 -j REJECT
+sleep 5
+iptables -D INPUT -p tcp --dport 22 -j REJECT
+iptables -A INPUT -p tcp --dport 22 -j ACCEPT
diff --git a/meta-iotqa/lib/oeqa/runtime/sanity/iptables.py b/meta-iotqa/lib/oeqa/runtime/sanity/iptables.py
new file mode 100644
index 0000000000..680e9ba47e
--- /dev/null
+++ b/meta-iotqa/lib/oeqa/runtime/sanity/iptables.py
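Review bot: The rule swap in iptables_drop.sh (and identically in iptables_reject.sh) is not undone if the script is interrupted between the `-A ... -j DROP` line and the trailing `-A ... -j ACCEPT` line, e.g. when the harness kills the detached script on a test timeout, which leaves port 22 dropped and the device unreachable; moving the restore into a `trap` handler bounds that window (a SIGKILL still cannot be caught). The script also assumes an explicit `ACCEPT` rule for dport 22 already exists in INPUT: if it does not, the first `-D` fails silently and the final `-A` adds a rule the device did not have before, and because `-A` appends, the re-added ACCEPT lands after any catch-all deny rule in the chain, so depending on the existing layout the test could leave SSH blocked or newly opened. Consider snapshotting with `iptables -S INPUT` before the change and restoring that, or at least checking the exit status of each iptables call.
```sh
#!/bin/sh
restore() {
    trap - EXIT INT TERM
    iptables -D INPUT -p tcp --dport 22 -j DROP
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
}
trap restore EXIT INT TERM
iptables -D INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
sleep 10
```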
@@ -0,0 +1,72 @@
+import os
+import subprocess
+from time import sleep
+from oeqa.oetest import oeRuntimeTest
+
+class IptablesTest(oeRuntimeTest):
+
+ test_path = "/opt/iptables-test/"
+ reject_script = os.path.join(os.path.dirname(__file__),"files","iptables_reject.sh")
+ drop_script = os.path.join(os.path.dirname(__file__),"files","iptables_drop.sh")
+
+ def setUp(self):
+ # Copy test scripts to device
+ self.target.run("mkdir -p " + self.test_path)
+ self.target.copy_to(self.reject_script, self.test_path)
+ self.target.copy_to(self.drop_script, self.test_path)
+
+ def tearDown(self):
+ self.target.run("rm -r " + self.test_path)
+
+ def test_reject(self):
+ '''
+ Test rejecting SSH with iptables
+ '''
+ # Check that SSH can connect
+ (status, output) = self.target.run("ls")
+ self.assertEqual(status, 0, msg="Error messages: %s" % output)
+
+ # Check that SSH gets rejected
+ self.target.run("nohup " + self.test_path + "iptables_reject.sh &>/dev/null &")
+ sleep(1)
+ try:
+ output = subprocess.check_output(("ssh -o UserKnownHostsFile=/dev/null " \
+ "-o StrictHostKeyChecking=no root@" \
+ + self.target.ip + " ls").split(),
+ stderr=subprocess.STDOUT)
+ except subprocess.CalledProcessError as error:
+ output = error.output
+ output = output.decode("utf-8")
+ self.assertIn("Connection refused", output, msg="Error messages: %s" % output)
+ sleep(5) # Wait for script to make iptables accept SSH again
+
+ # Check that SSH can connect
+ (status, output) = self.target.run("ls")
+ self.assertEqual(status, 0, msg="Error messages: %s" % output)
+
+ def test_drop(self):
+ '''
+ Test dropping SSH with iptables
+ '''
+ # Check that SSH can connect
+ (status, output) = self.target.run("ls")
+ self.assertEqual(status, 0, msg="Error messages: %s" % output)
+
+ # Check that SSH gets dropped
+ self.target.run("nohup " + self.test_path + "iptables_drop.sh &>/dev/null &")
+ sleep(1)
+ try:
+ output = subprocess.check_output(("ssh -o UserKnownHostsFile=/dev/null " \
+ "-o 
ConnectTimeout=5 " \
+ "-o StrictHostKeyChecking=no root@" \
+ + self.target.ip + " ls").split(),
+ stderr=subprocess.STDOUT)
+ except subprocess.CalledProcessError as error:
+ output = error.output
+ output = output.decode("utf-8")
+ self.assertIn("Connection timed out", output, msg="Error messages: %s" % output)
+ sleep(10) # Wait for script to make iptables accept SSH again
+
+ # Check that SSH can connect
+ (status, output) = self.target.run("ls")
+ self.assertEqual(status, 0, msg="Error messages: %s" % output)
From d210e92b4dab4e0a2dde51dd3eea96047710cf73 Mon Sep 17 00:00:00 2001
From: Simo Kuusela
Date: Mon, 24 Apr 2017 12:05:05 +0300
Subject: [PATCH 2/2] meta-iotqa: Enable iptables test
Signed-off-by: Simo Kuusela
---
 meta-iotqa/conf/test/refkit-image-common.manifest | 1 +
 1 file changed, 1 insertion(+)
diff --git a/meta-iotqa/conf/test/refkit-image-common.manifest b/meta-iotqa/conf/test/refkit-image-common.manifest
index 83103b6447..34130805a5 100644
--- a/meta-iotqa/conf/test/refkit-image-common.manifest
+++ b/meta-iotqa/conf/test/refkit-image-common.manifest
@@ -1,6 +1,7 @@
 # Tests for common profile
 oeqa.runtime.sanity.baseos
 oeqa.runtime.sanity.comm_ssh
+oeqa.runtime.sanity.iptables
 oeqa.runtime.sanity.comm_managerdaemon
 oeqa.runtime.sanity.comm_btcheck
 oeqa.runtime.sanity.comm_wifi_connect
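Review bot: The fixed `sleep(5)` after the refusal check in test_reject gives the detached iptables_reject.sh, which itself sleeps 5 seconds before restoring the ACCEPT rule, no margin: the script is started at about the same moment as the test's `sleep(1)`, so the final `self.target.run("ls")` can race the restore and fail intermittently (test_drop has roughly 6 seconds of margin and is less exposed). Polling for SSH to return, bounded by a retry count, removes the dependency on the scripts' internal timings and gives a clearer failure than a generic `ls` error when the device stays unreachable. Separately, `&>/dev/null` is a bash redirection; if the target's remote shell is a POSIX sh it parses as `&` followed by an empty redirected command, so the script still runs detached but its output is not discarded, whereas `>/dev/null 2>&1 &` is portable. The `"Connection refused"` / `"Connection timed out"` assertions also depend on the test host's locale, so prefix the ssh command with `LC_ALL=C` or pass an `env` to `check_output`.
```python
    def _wait_for_ssh(self, attempts=10, delay=2):
        # Poll instead of a fixed sleep: the ACCEPT rule is restored by a
        # detached script whose timing the test does not control.
        output = ""
        for _ in range(attempts):
            (status, output) = self.target.run("ls")
            if status == 0:
                return output
            sleep(delay)
        self.fail("SSH did not come back: %s" % output)

    # … unchanged: setUp, tearDown, test_reject up to the assertIn …
        self.assertIn("Connection refused", output, msg="Error messages: %s" % output)
        self._wait_for_ssh()  # replaces sleep(5) and the trailing "ls" check; same in test_drop
```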