Recipe 2.21 Testing a Firewall Configuration

2.21.1 Problem

You want to create and test an ipchains configuration nondestructively, i.e., without affecting your active firewall.

2.21.2 Solution

Using ipchains, create a chain for testing:

    # ipchains -N mytest

Add your rules, in order, to this test chain:

    # ipchains -A mytest ...
    # ipchains -A mytest ...

Specify a test packet:

    SA=source_address
    SP=source_port
    DA=destination_address
    DP=destination_port
    P=protocol
    I=interface

Simulate sending the packet through the test chain:

    # ipchains -v -C mytest -s $SA --sport $SP -d $DA --dport $DP -p $P -i $I

At press time, iptables does not have a similar feature for testing packets against rules. iptables 1.2.6a has a -C option and provides this teaser:

    # iptables -v -C mytest -p $P -s $SA --sport $SP -d $DA --dport $DP -i $I
    iptables: Will be implemented real soon. I promise ;)

but the iptables FAQ (http://www.netfilter.org/documentation/FAQ/netfilter-faq.html) indicates that the feature might never be implemented, since checking a single packet against a stateful firewall is meaningless: decisions can depend on previous packets. (Later iptables releases did add a -C/--check option, but it tests whether a given rule is present in a chain; it does not simulate a packet.)

2.21.3 Discussion

This process constructs a packet with its interface, protocol, source, and destination, and runs it through the chain you name. Because the test chain is a user-defined chain that no built-in chain jumps to, real traffic never traverses it, so your active firewall is unaffected. The response is either "accepted," "denied," or, for user-defined chains, "passed through chain" (the packet matched no rule and would return to the calling chain). With -v, you can watch each rule match or not.

The mandatory parameters are:

    -C chain_name
    -s source_addr --sport source_port
    -d dest_addr --dport dest_port
    -p protocol
    -i interface_name

For a more realistic test of your firewall, use nmap to probe it from a remote machine. [Recipe 9.13]

2.21.4 See Also

ipchains(8).