Last active
January 24, 2023 02:55
-
-
Save sysbitnet/ea9748a9aedfe10cc333791d8d080580 to your computer and use it in GitHub Desktop.
CSF Firewall testing script Testing ip_tables/iptable_filter...open3: exec of /sbin/iptables -I OUTPUT -p tcp --dport 9999 -j ACCEPT failed: No such file or directory at /usr/local/csf/bin/csftest.pl line 144
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/perl | |
######################################################################################## | |
# Just fix the code in this file to checking CSF service edit and update from sysbitnet | |
######################################################################################## | |
# Copyright 2006-2018, Way to the Web Limited | |
# URL: http://www.configserver.com | |
# Email: sales@waytotheweb.com | |
############################################################################### | |
## no critic (ProhibitBarewordFileHandles, ProhibitExplicitReturnUndef, ProhibitMixedBooleanOperators, RequireBriefOpen) | |
# start main | |
use strict; | |
use IPC::Open3; | |
umask(0177); | |
our ($return, $fatal, $error); | |
$fatal = 0; | |
$error = 0; | |
#my @modules = ("ip_tables","ipt_state","ipt_multiport","iptable_filter","ipt_limit","ipt_LOG","ipt_REJECT","ipt_conntrack","ip_conntrack","ip_conntrack_ftp","iptable_mangle","ip_tables","xt_state","xt_multiport","iptable_filter","xt_limit","ipt_LOG","ipt_REJECT","ip_conntrack_ftp","iptable_mangle","xt_conntrack"); | |
#push @modules,"ipt_owner"; | |
#push @modules,"xt_owner"; | |
#push @modules,"ipt_REDIRECT"; | |
#push @modules,"iptable_nat"; | |
#push @modules,"ipt_recent ip_list_tot=1000 ip_list_hash_size=0"; | |
#foreach my $module (@modules) {&loadmodule($module)} | |
print "Testing ip_tables/iptable_filter..."; | |
$return = &testiptables("/usr/sbin/iptables -I OUTPUT -p tcp --dport 9999 -j ACCEPT"); | |
if ($return ne "") { | |
print "FAILED [FATAL Error: $return] - Required for csf to function\n"; | |
$fatal++; | |
} else { | |
print "OK\n"; | |
&testiptables("/usr/sbin/iptables -D OUTPUT -p tcp --dport 9999 -j ACCEPT"); | |
} | |
print "Testing ipt_LOG..."; | |
$return = &testiptables("/usr/sbin/iptables -I OUTPUT -p tcp --dport 9999 -j LOG"); | |
if ($return ne "") { | |
print "FAILED [FATAL Error: $return] - Required for csf to function\n"; | |
$fatal++; | |
} else { | |
print "OK\n"; | |
&testiptables("/usr/sbin/iptables -D OUTPUT -p tcp --dport 9999 -j LOG"); | |
} | |
print "Testing ipt_multiport/xt_multiport..."; | |
$return = &testiptables("/usr/sbin/iptables -I OUTPUT -p tcp -m multiport --dports 9998,9999 -j LOG"); | |
if ($return ne "") { | |
print "FAILED [FATAL Error: $return] - Required for csf to function\n"; | |
$fatal++; | |
} else { | |
print "OK\n"; | |
&testiptables("/usr/sbin/iptables -D OUTPUT -p tcp -m multiport --dports 9998,9999 -j LOG"); | |
} | |
print "Testing ipt_REJECT..."; | |
$return = &testiptables("/usr/sbin/iptables -I OUTPUT -p tcp --dport 9999 -j REJECT"); | |
if ($return ne "") { | |
print "FAILED [FATAL Error: $return] - Required for csf to function\n"; | |
$fatal++; | |
} else { | |
print "OK\n"; | |
&testiptables("/usr/sbin/iptables -D OUTPUT -p tcp --dport 9999 -j REJECT"); | |
} | |
print "Testing ipt_state/xt_state..."; | |
$return = &testiptables("/usr/sbin/iptables -I OUTPUT -p tcp --dport 9999 -m state --state NEW -j LOG"); | |
if ($return ne "") { | |
print "FAILED [FATAL Error: $return] - Required for csf to function\n"; | |
$fatal++; | |
} else { | |
print "OK\n"; | |
&testiptables("/usr/sbin/iptables -D OUTPUT -p tcp --dport 9999 -m state --state NEW -j LOG"); | |
} | |
print "Testing ipt_limit/xt_limit..."; | |
$return = &testiptables("/usr/sbin/iptables -I OUTPUT -p tcp --dport 9999 -m limit --limit 30/m --limit-burst 5 -j LOG"); | |
if ($return ne "") { | |
print "FAILED [FATAL Error: $return] - Required for csf to function\n"; | |
$fatal++; | |
} else { | |
print "OK\n"; | |
&testiptables("/usr/sbin/iptables -D OUTPUT -p tcp --dport 9999 -m limit --limit 30/m --limit-burst 5 -j LOG"); | |
} | |
print "Testing ipt_recent..."; | |
$return = &testiptables("/usr/sbin/iptables -I OUTPUT -p tcp --dport 9999 -m recent --set"); | |
if ($return ne "") { | |
print "FAILED [Error: $return] - Required for PORTFLOOD and PORTKNOCKING features\n"; | |
$error++; | |
} else { | |
print "OK\n"; | |
&testiptables("/usr/sbin/iptables -D OUTPUT -p tcp --dport 9999 -m recent --set"); | |
} | |
print "Testing xt_connlimit..."; | |
$return = &testiptables("/usr/sbin/iptables -I INPUT -p tcp --dport 9999 -m connlimit --connlimit-above 100 -j REJECT --reject-with tcp-reset"); | |
if ($return ne "") { | |
print "FAILED [Error: $return] - Required for CONNLIMIT feature\n"; | |
$error++; | |
} else { | |
print "OK\n"; | |
&testiptables("/usr/sbin/iptables -D INPUT -p tcp --dport 9999 -m connlimit --connlimit-above 100 -j REJECT --reject-with tcp-reset"); | |
} | |
print "Testing ipt_owner/xt_owner..."; | |
$return = &testiptables("/usr/sbin/iptables -I OUTPUT -p tcp --dport 9999 -m owner --uid-owner 0 -j LOG"); | |
if ($return ne "") { | |
print "FAILED [Error: $return] - Required for SMTP_BLOCK and UID/GID blocking features\n"; | |
$error++; | |
} else { | |
print "OK\n"; | |
&testiptables("/usr/sbin/iptables -D OUTPUT -p tcp --dport 9999 -m owner --uid-owner 0 -j LOG"); | |
} | |
print "Testing iptable_nat/ipt_REDIRECT..."; | |
$return = &testiptables("/usr/sbin/iptables -t nat -I OUTPUT -p tcp --dport 9999 -j REDIRECT --to-ports 9900"); | |
if ($return ne "") { | |
print "FAILED [Error: $return] - Required for MESSENGER feature\n"; | |
$error++; | |
} else { | |
print "OK\n"; | |
&testiptables("/usr/sbin/iptables -t nat -D OUTPUT -p tcp --dport 9999 -j REDIRECT --to-ports 9900"); | |
} | |
print "Testing iptable_nat/ipt_DNAT..."; | |
$return = &testiptables("/usr/sbin/iptables -t nat -I PREROUTING -p tcp --dport 9999 -j DNAT --to-destination 192.168.254.1"); | |
if ($return ne "") { | |
print "FAILED [Error: $return] - Required for csf.redirect feature\n"; | |
$error++; | |
} else { | |
print "OK\n"; | |
&testiptables("/usr/sbin/iptables -t nat -D PREROUTING -p tcp --dport 9999 -j DNAT --to-destination 192.168.254.1"); | |
} | |
if ($fatal) {print "\nRESULT: csf will not function on this server due to FATAL errors from missing modules [$fatal]\n"} | |
elsif ($error) {print "\nRESULT: csf will function on this server but some features will not work due to some missing iptables modules [$error]\n"} | |
else {print "\nRESULT: csf should function on this server\n"} | |
sub testiptables { | |
my $command = shift; | |
my ($childin, $childout); | |
my $cmdpid = open3($childin, $childout, $childout, $command); | |
my @ipdata = <$childout>; | |
waitpid ($cmdpid, 0); | |
chomp @ipdata; | |
return $ipdata[0]; | |
} | |
sub loadmodule { | |
my $module = shift; | |
my @output; | |
eval { | |
local $SIG{__DIE__} = undef; | |
local $SIG{'ALRM'} = sub {die}; | |
alarm(5); | |
my ($childin, $childout); | |
my $pid = open3($childin, $childout, $childout, "modprobe $module"); | |
@output = <$childout>; | |
waitpid ($pid, 0); | |
alarm(0); | |
}; | |
alarm(0); | |
return @output; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment