[PLUG] Testing iptables rules

plug_0 at robinson-west.com
Thu Mar 2 05:31:29 UTC 2006


Quoting Michael Rasmussen <mikeraz at patch.com>:

> Keith Lofstrom wrote:
> > iptables rules are complex, and usually the only way to test them
> > is to "go live" with them.  Are there any good offline parsers or
> > simulators for iptables rulesets? 
> > 
> > Ideally, it would be a tool that could read in the rulesets, and
> > a script to generate ip packets on various simulated interfaces,
> > then display them traversing the rules.
> 
> 
> Assuming you have a test box or two  . . . 
> 
> Load up your iptables rules on one, *
> set up another configured to treat #1 as the gateway
> use Netcat
> or  nemesis
> or  ip sorcery
> or  _____ to generate traffic
> 
> view the logs to see if it's doing what you want.
> 
> * modified to log everything.
> 
Using iptables -A INPUT -j LOG --log-prefix="...: " seems to help.  
Except for one major headache on my Fedora Core 3 system, undesired 
logging to the console.  Nothing like trying to vim in one Xterm 
while you watch /var/log/messages on another only to have the 
messages muddy up your editing window.  I could use good 
documentation on how to prevent logging to the screen for 
Redhat and Fedora systems.  I don't know if this happens a lot 
because of bugs or if there is a simple change that can be done 
to syslog.conf.  Maybe the kernel logger is to blame, but where 
is the kernel logger's config file???  This problem doesn't seem
to really be distro specific.

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
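The thread's advice is to have the test gateway LOG everything and then read the logs. Reading /var/log/messages line by line gets old quickly, so here is a small script, added to this archive page and not part of the original post, that turns LOG target output into a per-rule hit count (prefix, protocol, destination, destination port). The log lines, host name and the prefixes "FW-INPUT-DROP: " and "FW-FWD-ACCEPT: " are constructed for the example; the awk parsing relies only on the fixed field layout of netfilter LOG messages (prefix, then IN= ... PROTO= ... DPT=).

```shell
#!/bin/sh
# Added example (not from the original post): summarize the syslog lines that
# "iptables ... -j LOG --log-prefix" rules produce, so you can see which rule
# matched which packets without reading /var/log/messages line by line.
# Prefixes, host name and addresses below are constructed sample data.

# Constructed sample of LOG target output as it appears in /var/log/messages.
# Hypothetical prefixes: "FW-INPUT-DROP: " and "FW-FWD-ACCEPT: ".
# The last line is a non-firewall message and must be ignored by the parser.
SAMPLE_LOG='Mar  2 05:31:29 fw kernel: FW-INPUT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  2 05:31:30 fw kernel: FW-INPUT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  2 05:31:31 fw kernel: FW-FWD-ACCEPT: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Mar  2 05:31:32 fw kernel: FW-INPUT-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=UDP SPT=5353 DPT=53 LEN=20
Mar  2 05:31:33 fw sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 40002 ssh2'

# Read syslog lines on stdin; print "<count> <prefix> <proto> <dst> <dport>"
# for each distinct combination, most frequent first. Lines that are not
# netfilter LOG output are skipped.
summarize_fw_log() {
  awk '
    {
      k = index($0, "kernel: ")
      i = index($0, " IN=")
      if (k == 0 || i == 0) next          # not a netfilter LOG line
      # The --log-prefix is whatever sits between "kernel: " and "IN=".
      prefix = substr($0, k + 8, i - (k + 8))
      proto = "?"; dst = "?"; dpt = "-"
      for (f = 1; f <= NF; f++) {
        n = split($f, kv, "=")
        if (n < 2) continue               # bare flags such as DF or SYN
        if (kv[1] == "PROTO") proto = kv[2]
        else if (kv[1] == "DST") dst = kv[2]
        else if (kv[1] == "DPT") dpt = kv[2]
      }
      count[prefix " " proto " " dst " " dpt]++
    }
    END { for (key in count) print count[key] " " key }
  ' | sort -rn
}

# Stand-alone run over the constructed sample. On a live test gateway you would
# feed it a saved copy of /var/log/messages (or "tail -f" of it) instead.
printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log
```

Two things worth knowing when you set this up on the firewall box: the LOG target has a `--log-level` option that sets the syslog priority of its messages, and whether kernel messages also land on the console is controlled by the kernel's console log level (`dmesg -n 1`, or `klogd -c` on the sysklogd setups of that era) together with the `kern.*` selectors in syslog.conf, which decide whether those messages go to a file or to /dev/console.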