Linux Security Cookbook [Electronic resources], text version
Daniel J. Barrett, Robert G. Byrnes, Richard Silverman

Recipe 2.21 Testing a Firewall Configuration



2.21.1 Problem


You want to create and test an
ipchains configuration nondestructively, i.e.,
without affecting your active firewall.


2.21.2 Solution


Using ipchains, create a chain for testing:

# ipchains -N mytest

Insert your rules into this test chain:

# ipchains -A mytest ...
# ipchains -A mytest ....

Specify a test packet:

SA=source_address
SP=source_port
DA=destination_address
DP=destination_port
P=protocol
I=interface

Simulate sending the packet through the test chain:

# ipchains -v -C mytest -s $SA --sport $SP -d $DA --dport $DP -p $P -i $I

At press time, iptables does not have a similar feature for testing packets
against rules. iptables 1.2.6a has a -C option and provides this teaser:

# iptables -v -C mytest -p $P -s $SA --sport $SP -d $DA --dport $DP -i $I
iptables: Will be implemented real soon. I promise ;)

but the iptables FAQ (http://www.netfilter.org/documentation/FAQ/netfilter-faql)
indicates that the feature might never be implemented, since checking a single
packet against a stateful firewall is meaningless: decisions can depend on
previous packets.


2.21.3 Discussion


This process constructs a packet with its interface, protocol,
source, and destination. The response is either
"accepted,"
"denied," or
"passed through chain" for
user-defined chains. With -v, you can watch each
rule match or not.
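The following is an added example, not code from the book and not part of ipchains itself. It is a small stateless simulator of the first-match chain traversal that ipchains -C performs, so the procedure in the Solution (a test chain, a handful of rules, a described packet) and the three verdicts listed above ("accepted", "denied", "passed through chain") can be studied on any machine without root and without touching a live firewall. The chain names, addresses and rules are constructed for illustration; the stateless_demo function also shows the limitation raised in the iptables FAQ: a single-packet check cannot know that a reply belongs to an already-accepted connection.

```python
# Added example: stateless simulator of the ``ipchains -C`` check.
# Not the book's code and not ipchains; all chains and rules below are made up.
import ipaddress
from dataclasses import dataclass

ANY_PORT = (0, 65535)


@dataclass
class Rule:
    target: str                  # ACCEPT, DENY, REJECT, RETURN, or a user chain name
    proto: str = "all"           # "tcp", "udp", "icmp" or "all"
    src: str = "0.0.0.0/0"       # CIDR source
    dst: str = "0.0.0.0/0"       # CIDR destination
    sport: tuple = ANY_PORT      # inclusive port range; only applied to tcp/udp
    dport: tuple = ANY_PORT
    iface: str = ""              # "" matches any interface


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every selector of the rule (-p, -i, -s, -d, ports) matches."""
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src, strict=False):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    if pkt.proto in ("tcp", "udp"):
        if not rule.sport[0] <= pkt.sport <= rule.sport[1]:
            return False
        if not rule.dport[0] <= pkt.dport <= rule.dport[1]:
            return False
    return True


def check(chains, policies, chain, pkt, verbose=False, depth=0):
    """Walk ``chain`` the way ``ipchains -C`` does: the first terminal match wins.

    Returns "accepted", "denied", or "passed through chain" (a user-defined
    chain reached its end).  ``policies`` maps built-in chain names to their
    default target, which decides when a built-in chain is exhausted.
    """
    indent = "  " * depth
    for n, rule in enumerate(chains[chain], 1):
        hit = matches(rule, pkt)
        if verbose:  # mimic -v: report each rule and whether it matched
            print(f"{indent}{chain} rule {n} -> {rule.target}: {'MATCH' if hit else 'no match'}")
        if not hit:
            continue
        if rule.target == "ACCEPT":
            return "accepted"
        if rule.target in ("DENY", "REJECT"):
            return "denied"
        if rule.target == "RETURN":
            break                      # back to the caller or the chain policy
        # any other target is a jump into a user-defined chain
        verdict = check(chains, policies, rule.target, pkt, verbose, depth + 1)
        if verdict != "passed through chain":
            return verdict
    if chain in policies:              # built-in chain: the policy decides
        return "accepted" if policies[chain] == "ACCEPT" else "denied"
    return "passed through chain"


# Constructed ruleset: let the LAN reach web servers over eth0, deny everything else.
CHAINS = {
    "mytest": [
        Rule("ACCEPT", proto="tcp", src="192.168.1.0/24", dport=(80, 80), iface="eth0"),
        Rule("DENY"),
    ],
    "output": [Rule("mytest", iface="eth0")],   # built-in chain jumps into the test chain
}
POLICIES = {"output": "ACCEPT"}


def stateless_demo():
    """Why a single-packet check misleads for stateful rules: the outbound
    request is accepted, but the server's reply (source port 80, high
    destination port) is denied because nothing remembers the connection."""
    request = Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 80, "eth0")
    reply = Packet("tcp", "203.0.113.5", 80, "192.168.1.10", 40000, "eth0")
    return (check(CHAINS, POLICIES, "mytest", request),
            check(CHAINS, POLICIES, "mytest", reply))


if __name__ == "__main__":
    pkt = Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 80, "eth0")
    print(check(CHAINS, POLICIES, "output", pkt, verbose=True))
    print(stateless_demo())
```

Running the file traces each rule the way the -v flag does and then prints the two verdicts from stateless_demo. The accept-then-deny pair is exactly the situation the FAQ describes: a stateful firewall would admit the reply because the request was seen first, so a one-packet test against such rules says nothing about the real connection.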

The mandatory parameters are:

-C chain_name
-s source_addr --sport source_port
-d dest_addr --dport dest_port
-p protocol
-i interface_name

For a more realistic test of your firewall, use
nmap to probe it from a remote machine. [Recipe 9.13]


2.21.4 See Also


ipchains(8).
