Recipe 2.21 Testing a Firewall Configuration :: Chapter 2. Firewalls with iptables and ipchains :: Linux security :: Linux systems

Recipe 2.21 Testing a Firewall Configuration

2.21.1 Problem

You want to create and test an ipchains configuration nondestructively, i.e., without affecting your active firewall.

2.21.2 Solution

Using ipchains, create a chain for testing:

# ipchains -N mytest

Insert your rules into this test chain:

# ipchains -A mytest ...
# ipchains -A mytest ....

Specify a test packet:

SA=source_address
SP=source_port
DA=destination_address
DP=destination_port
P=protocol
I=interface

Simulate sending the packet through the test chain:

# ipchains -v -C mytest -s $SA --sport $SP -d $DA --dport $DP -p $P -i $I

At press time, iptables does not have a similar feature for testing packets against rules. iptables 1.2.6a has a -C option and provides this teaser:

# iptables -v -C mytest -p $P -s $SA --sport $SP -d $DA --dport $DP -i $I
iptables: Will be implemented real soon. I promise ;)

but the iptables FAQ (http://www.netfilter.org/documentation/FAQ/netfilter-faq.html) indicates that the feature might never be implemented, since checking a single packet against a stateful firewall is meaningless: decisions can depend on previous packets.

2.21.3 Discussion

This process constructs a packet with its interface, protocol, source, and destination. The response is either "accepted," "denied," or "passed through chain" for user-defined chains. With -v, you can watch each rule match or not.

The mandatory parameters are:

-C chain_name
-s source_addr --sport source_port
-d dest_addr --dport dest_port
-p protocol
-i interface_name

For a more realistic test of your firewall, use nmap to probe it from a remote machine. [Recipe 9.13]

2.21.4 See Also

ipchains(8).