[PLUG] Testing iptables rules
Charles Sliger
chaz at bctonline.com
Sat Mar 4 00:39:42 UTC 2006
-----Original Message-----
From: plug-bounces at lists.pdxlinux.org
[mailto:plug-bounces at lists.pdxlinux.org] On Behalf Of
plug_0 at robinson-west.com
Sent: Wednesday, March 01, 2006 9:31 PM
To: General Linux/UNIX discussion and help; civil and on-topic
Subject: Re: [PLUG] Testing iptables rules
Quoting Michael Rasmussen <mikeraz at patch.com>:
> Keith Lofstrom wrote:
> > iptables rules are complex, and usually the only way to test them
> > is to "go live" with them. Are there any good offline parsers or
> > simulators for iptables rulesets?
> >
> > Ideally, it would be a tool that could read in the rulesets, and
> > a script to generate ip packets on various simulated interfaces,
> > then display them traversing the rules.
>
>
> Assuming you have a test box or two . . .
>
> Load up your iptables rules on one, *
> set up another configured to treat #1 as the gateway
> use Netcat
> or nemisis
> or ip sorcery
> or _____ to generate traffic
>
> view the logs to see if it's doing what you want.
>
> * modified to log everything.
>
Using iptables -A INPUT -j LOG --log-prefix="...: " seems to help.
Except for one major headache on my Fedora Core 3 system: undesired
logging to the console. Nothing like trying to vim in one Xterm
while you watch /var/log/messages in another, only to have the
messages muddy up your editing window. I could use good
documentation on how to prevent logging to the screen for
Red Hat and Fedora systems. I don't know if this happens a lot
because of bugs or if there is a simple change that can be made
to syslog.conf. Maybe the kernel logger is to blame, but where
is the kernel logger's config file? This problem doesn't seem
to really be distro-specific.
[chaz> ] Mike,
Yes, klogd is the culprit. Make the following config change:
/etc/sysconfig/syslog
KLOGD_OPTIONS="-x -c 3"
Sets the default console log level to 3 (ERR).
This stops iptables log messages from being displayed on the console.
Regards,
Chaz
Charles L. Sliger, Information Systems Engineer, chaz at bctonline.com
"No matter where you go, there you are..."
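An added example, not code from the thread or from any of its posters: a small POSIX shell script that reads the iptables LOG lines back out of the syslog file and answers the question the two-box test setup above asks, namely whether the probe traffic from the client box actually traversed the rule you expected. It assumes the rules were loaded with a distinct --log-prefix per chain; the IN-DROP:/FWD-DROP: prefixes, the sample log lines, the host name and addresses, and the file path are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the PLUG thread: read iptables LOG output back
# out of the syslog file and check which chain the test traffic hit.
#
# Assumed rule layout (shown for reference; this script does not run
# iptables). Each chain gets its own --log-prefix so hits can be told
# apart, and the LOG rule is appended last so it only records packets
# about to fall through to the chain policy:
#   iptables -A INPUT   -m limit --limit 10/s -j LOG --log-prefix "IN-DROP: "
#   iptables -A FORWARD -m limit --limit 10/s -j LOG --log-prefix "FWD-DROP: "
# Use "-I INPUT 1 ..." instead if you really want every packet logged.

# Constructed sample of /var/log/messages, not captured from a real box.
# The IN= OUT= SRC= DST= PROTO= SPT= DPT= fields follow the LOG target's
# own format; host name, addresses and MACs are made up. The last line is
# an ordinary kernel message, included to show that the filter skips it.
SAMPLE_LOG='Mar  4 00:39:42 fw kernel: IN-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  4 00:39:43 fw kernel: IN-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  4 00:39:44 fw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=123 SEQ=1
Mar  4 00:39:45 fw kernel: martian source 192.0.2.1 from 10.0.0.5, on dev eth0'

# Write the sample somewhere the functions can read it; pass a real
# /var/log/messages path instead when running on the firewall box.
SAMPLE_FILE="${TMPDIR:-/tmp}/iptables-log-sample.$$"
printf '%s\n' "$SAMPLE_LOG" > "$SAMPLE_FILE"
trap 'rm -f "$SAMPLE_FILE"' EXIT

# Only the iptables LOG lines: every one carries "IN=" and "OUT=" right
# after the prefix, which ordinary kernel messages do not.
iptables_log_lines() {
    grep 'kernel: .*IN=[^ ]* OUT=' "$1"
}

# Value of one KEY= field on a log line (empty if the field is absent or
# has no value, as OUT= does for INPUT hits). Takes the last occurrence.
log_field() {
    # $1 = line, $2 = key, e.g. DPT
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# Hit count for one --log-prefix, written as in the rule.
count_prefix() {
    # $1 = log file, $2 = prefix
    iptables_log_lines "$1" |
        awk -v p="$2" 'index($0, "kernel: " p) { n++ } END { print n + 0 }'
}

# Source addresses whose packets hit PREFIX with protocol PROTO and
# destination port DPT, deduplicated, one per line. This is the check
# behind "nc -z gateway 22" from the client box: did the probe fall
# through to the rule it was meant to?
sources_hitting() {
    # $1 = log file, $2 = prefix, $3 = PROTO (TCP/UDP), $4 = DPT
    iptables_log_lines "$1" |
        awk -v p="$2" -v proto="$3" -v dpt="$4" '
            index($0, "kernel: " p) == 0 { next }
            {
                src = ""; okp = 0; okd = 0
                for (i = 1; i <= NF; i++) {
                    if ($i == ("PROTO=" proto)) okp = 1
                    if ($i == ("DPT=" dpt)) okd = 1
                    if (substr($i, 1, 4) == "SRC=") src = substr($i, 5)
                }
                if (okp && okd && !(src in seen)) { seen[src] = 1; print src }
            }'
}

# One "prefix count" line per --log-prefix seen, for a quick overview.
summarize() {
    iptables_log_lines "$1" |
        awk '{
            s = index($0, "kernel: ") + 8
            e = index($0, " IN=")
            n[substr($0, s, e - s)]++
        } END { for (p in n) print p, n[p] }' | sort
}

# Usage on the constructed sample.
summarize "$SAMPLE_FILE"
printf 'SSH probes that fell through INPUT: %s\n' \
    "$(sources_hitting "$SAMPLE_FILE" "IN-DROP:" TCP 22)"
```

The LOG target's default --log-level is warning (4), so with the KLOGD_OPTIONS="-x -c 3" setting above these lines stay off the console but still reach syslog, which is what the functions read. Appending LOG with -A records only packets that no earlier rule in the chain accepted or dropped; to watch every packet, insert it first with -I INPUT 1, and keep the -m limit so the log does not drown the probe you are looking for.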