add another test

benedettadavico
2025-11-24 13:41:03 +01:00
parent 2d37c33a3d
commit 26f4dd8f39
@@ -912,10 +912,43 @@ check_nym_exit_chain() {
return $errors
}
check_iptables_default_policies() {
info "checking base iptables default policies (INPUT/FORWARD)"
local issues=0
local input_policy forward_policy
input_policy=$(iptables -S INPUT 2>/dev/null | awk 'NR==1 && $1=="-P" {print $3}')
forward_policy=$(iptables -S FORWARD 2>/dev/null | awk 'NR==1 && $1=="-P" {print $3}')
if [[ -z "${input_policy:-}" ]]; then
error "unable to read INPUT default policy (iptables -S INPUT failed?)"
issues=1
elif [[ "${input_policy^^}" != "DROP" ]]; then
error "INPUT default policy is ${input_policy^^}; expected DROP so traffic is only allowed by explicit rules."
issues=1
else
ok "INPUT default policy is DROP"
fi
if [[ -z "${forward_policy:-}" ]]; then
error "unable to read FORWARD default policy (iptables -S FORWARD failed?)"
issues=1
elif [[ "${forward_policy^^}" != "DROP" ]]; then
error "FORWARD default policy is ${forward_policy^^}; expected DROP to ensure traffic only flows via NYM-EXIT rules."
issues=1
else
ok "FORWARD default policy is DROP"
fi
return $issues
}
check_firewall_setup() {
info "checking ipv4 firewall ordering…"
local errors=0
check_iptables_default_policies || errors=1
check_forward_chain || errors=1
check_nym_exit_chain || errors=1