You want to create and test an ipchains configuration nondestructively, i.e., without affecting your active firewall.
Using ipchains, create a chain for testing:
# ipchains -N mytest
Insert your rules into this test chain:
# ipchains -A mytest ... # ipchains -A mytest ....
Specify a test packet:
SA=source_address SP=source_port DA=destination_address DP=destination_port P=protocol I=interface
Simulate sending the packet through the test chain:
# ipchains -v -C mytest -s $SA --sport $SP -d $DA --dport $DP -p $P -i $I
At press time, iptables does not have a similar feature for testing packets against rules. iptables 1.2.6a has a -C option and provides this teaser:
# iptables -v -C mytest -p $P -s $SA --sport $SP -d $DA --dport $DP -i $I iptables: Will be implemented real soon. I promise ;)
but the iptables FAQ (http://www.netfilter.org/documentation/FAQ/netfilter-faq.html) indicates that the feature might never be implemented, since checking a single packet against a stateful firewall is meaningless: decisions can depend on previous packets.
This process constructs a packet with its interface, protocol, source, and destination. The response is either "accepted," "denied," or "passed through chain" for user-defined chains. With -v, you can watch each rule match or not.
The mandatory parameters are:
-C chain_name -s source_addr --sport source_port -d dest_addr --dport dest_port -p protocol -i interface_name
For a more realistic test of your firewall, use nmap to probe it from a remote machine. [Recipe 9.13]