Promise = require 'bluebird'
iptables = require '../src/lib/iptables'
m = require 'mochainon'
{ stub } = m.sinon
{ expect } = m.chai
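describe 'iptables', ->
	# Both firewall binaries the implementation is expected to drive.
	firewalls = [ 'iptables', 'ip6tables' ]

	# Per-interface allow rules expected for one firewall binary. Each rule is
	# deleted before it is re-inserted (the test name calls this "delete and
	# recreate"; presumably so repeated calls do not stack duplicate entries).
	# ACCEPT rules use -I (head of the INPUT chain) so the allow-listed
	# interfaces are matched before the catch-all block rule below.
	interfaceRules = (bin) -> [
		"#{bin} -D INPUT -p tcp --dport 42 -i foo -j ACCEPT"
		"#{bin} -I INPUT -p tcp --dport 42 -i foo -j ACCEPT"
		"#{bin} -D INPUT -p tcp --dport 42 -i bar -j ACCEPT"
		"#{bin} -I INPUT -p tcp --dport 42 -i bar -j ACCEPT"
	]

	# Catch-all block rule for one binary: deleted, then appended (-A, tail of
	# the chain) with the given target (REJECT, or DROP as the fallback).
	blockRules = (bin, target) -> [
		"#{bin} -D INPUT -p tcp --dport 42 -j #{target}"
		"#{bin} -A INPUT -p tcp --dport 42 -j #{target}"
	]

	# Assert every command in `cmds` reached the stubbed execAsync. The
	# relative order of the commands is deliberately not asserted here.
	expectCommands = (cmds) ->
		for cmd in cmds
			expect(iptables.execAsync).to.be.calledWith(cmd)
		return

	# Restore the stub in a hook rather than in a trailing .then: when an
	# expectation throws, a .then-based restore() is never reached and the
	# stubbed execAsync leaks into every later suite. The existential call
	# keeps the hook harmless if stubbing itself failed.
	afterEach ->
		iptables.execAsync.restore?()

	it 'calls iptables to delete and recreate rules to block a port', ->
		stub(iptables, 'execAsync').returns(Promise.resolve())
		iptables.rejectOnAllInterfacesExcept([ 'foo', 'bar' ], 42)
		.then ->
			# 2 binaries x (4 interface rules + 2 REJECT rules)
			expect(iptables.execAsync.callCount).to.equal(12)
			for bin in firewalls
				expectCommands(interfaceRules(bin))
				expectCommands(blockRules(bin, 'REJECT'))
			return

	it "falls back to blocking the port with DROP if there's no REJECT support", ->
		# Simulate a netfilter build without the REJECT target: only commands
		# ending in REJECT fail, everything else succeeds.
		stub(iptables, 'execAsync').callsFake (cmd) ->
			if /REJECT$/.test(cmd)
				Promise.reject(new Error())
			else
				Promise.resolve()
		iptables.rejectOnAllInterfacesExcept([ 'foo', 'bar' ], 42)
		.then ->
			# 2 binaries x (4 interface rules + 2 REJECT attempts + 2 DROP rules)
			expect(iptables.execAsync.callCount).to.equal(16)
			for bin in firewalls
				expectCommands(interfaceRules(bin))
				expectCommands(blockRules(bin, 'REJECT'))
				expectCommands(blockRules(bin, 'DROP'))
			return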