Linux Netfilter discussions
* Testing iptables setup
@ 2004-03-08 15:00 Richard L. Dery
From: Richard L. Dery @ 2004-03-08 15:00 UTC (permalink / raw)
  To: netfilter

I have the following setup in my /etc/ppp/ip-up.d directory:

(bash script stuff deleted)

## Create chain which blocks new connections, except if coming from inside.
# iptables -N block
# iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
# iptables -A block -j DROP

## Jump to that chain from INPUT and FORWARD chains.
# iptables -A INPUT -j block
# iptables -A FORWARD -j block

(You may recognize them from the Packet Filtering HOWTO).

When I run iptables -L after connecting these rules are displayed.

Is there a way to test to show that these rules work?


Thank you.

Dick Dery




* Re: Testing iptables setup
@ 2004-03-08 15:18 ` Antony Stone
From: Antony Stone @ 2004-03-08 15:18 UTC (permalink / raw)
  To: netfilter

On Monday 08 March 2004 3:00 pm, Richard L. Dery wrote:

> I have the following setup in my /etc/ppp/ip-up.d directory:
>
> ## Create chain which blocks new connections, except if coming from inside.
> # iptables -N block
> # iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> # iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
> # iptables -A block -j DROP
>
> ## Jump to that chain from INPUT and FORWARD chains.
> # iptables -A INPUT -j block
> # iptables -A FORWARD -j block
>
> When I run iptables -L after connecting these rules are displayed.
>
> Is there a way to test to show that these rules work?

I can think of two meanings of the word "work" here:

1. Do they allow the traffic you want?
2. Do they block the traffic you don't want?

I suggest you test them by setting the packet counters to zero ("iptables 
-Z"), then sending some traffic through your firewall which is expected to 
work (eg: browse an Internet website from a LAN client), and make sure you 
see a small increase in the packet counters for the NEW rule in the 
user-defined chain (using "iptables -L -nvx"), and a larger increase in the 
counters for the ESTABLISHED rule (since this is where the reply packets, and 
further request packets, will go after the initial connection is made).

Then try something which should be blocked by the above rules (eg: try to 
connect to your public IP address from somewhere else on the Internet - it 
doesn't matter what protocol you try to use - HTTP, telnet, SSH, POP3 etc 
should all be blocked), and make sure (a) you can't connect, and (b) you see 
some packets build up in the counters for the DROP rule.

If in doubt, put a LOG rule just before the DROP rule, and you'll soon see 
packets from all over the Internet trying to connect to your address, and 
failing :)

Regards,

Antony.

-- 
The words "e pluribus unum" on the Great Seal of the United States are from a 
poem by Virgil entitled "Moretum", which is about cheese and garlic salad 
dressing.

                                                     Please reply to the list;
                                                           please don't CC me.
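The counter-based test Antony describes, as an added example (this is not code from the thread or from the Packet Filtering HOWTO). It assumes the chain is named "block" with the rule order exactly as posted (rule 1 = ESTABLISHED,RELATED, rule 2 = NEW from anything but ppp0, rule 3 = DROP); the port list in the outside probe, the 30-second sampling window and the rate limit on the LOG rule are my own choices. The parsing and verdict helpers run against constructed sample listings so they can be tried without root or a live ppp0 link; the live and probe functions need root on the firewall or a host outside it.

```sh
#!/bin/sh
# Added example, not code from the thread. Exercises the "block" chain by
# sampling its per-rule packet counters before and after test traffic.
# Assumed layout: rule 1 = ESTABLISHED,RELATED, rule 2 = NEW (!ppp0), rule 3 = DROP.

# Packet counter of rule N (1-based) in "iptables -L <chain> -nvx" output read
# from stdin. With -v the first column is pkts; the two header lines are skipped.
rule_pkts() {
    awk -v n="$1" 'NR > 2 { i++; if (i == n) { print $1; exit } }'
}

# after - before for rule N, given two saved listings as strings.
counter_delta() {
    b=$(printf '%s\n' "$1" | rule_pkts "$3")
    a=$(printf '%s\n' "$2" | rule_pkts "$3")
    echo $(( a - b ))
}

# "Allowed traffic" verdict (args: NEW delta, ESTABLISHED delta): NEW should
# rise a little, ESTABLISHED by more, since replies and follow-on requests go there.
allowed_ok() { [ "$1" -ge 1 ] && [ "$2" -gt "$1" ]; }

# "Blocked traffic" verdict (arg: DROP delta): the DROP rule must have absorbed something.
blocked_ok() { [ "$1" -ge 1 ]; }

# Live run (root, on the firewall): zero the chain, give the tester time to
# generate traffic (a LAN client browsing the web, or an outside host probing
# the public address), then print "NEW ESTABLISHED DROP" deltas.
# Note: traffic started on the firewall itself leaves via OUTPUT and never
# touches rule 2, so generate the "allowed" traffic from a LAN client.
sample_deltas() {
    chain=${1:-block}; secs=${2:-30}
    iptables -Z "$chain"
    before=$(iptables -L "$chain" -nvx)
    echo "generate test traffic now; sampling again in $secs s" >&2
    sleep "$secs"
    after=$(iptables -L "$chain" -nvx)
    echo "$(counter_delta "$before" "$after" 2) $(counter_delta "$before" "$after" 1) $(counter_delta "$before" "$after" 3)"
}

# Antony's LOG tip, inserted just ahead of the DROP (position 3) and
# rate-limited (assumed values) so an Internet port sweep cannot flood syslog.
add_log_rule() {
    iptables -I "${1:-block}" 3 -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "block DROP: "
}

# Run from a host outside the firewall: every listed port should come back
# "filtered" (SYNs are dropped, not rejected) and rule 3's counter should rise.
probe_from_outside() {
    nmap -Pn -sS -p 22,23,80,110 "$1"
}

# Constructed sample listings (not real captures) in the "-L -nvx" layout.
SAMPLE_BEFORE='Chain block (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0        0 ACCEPT     all  --  !ppp0  *       0.0.0.0/0            0.0.0.0/0            state NEW
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'
SAMPLE_AFTER='Chain block (2 references)
    pkts      bytes target     prot opt in     out     source               destination
     116    94012 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       3      180 ACCEPT     all  --  !ppp0  *       0.0.0.0/0            0.0.0.0/0            state NEW
       7      420 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

case "${1:-}" in
    live)
        deltas=$(sample_deltas block 30); set -- $deltas
        allowed_ok "$1" "$2" && echo "allowed-traffic test passed: NEW=$1 ESTABLISHED=$2"
        blocked_ok "$3" && echo "blocked-traffic test passed: DROP=$3"
        ;;
    *)
        echo "sample deltas: NEW=$(counter_delta "$SAMPLE_BEFORE" "$SAMPLE_AFTER" 2)" \
             "ESTABLISHED=$(counter_delta "$SAMPLE_BEFORE" "$SAMPLE_AFTER" 1)" \
             "DROP=$(counter_delta "$SAMPLE_BEFORE" "$SAMPLE_AFTER" 3)"
        ;;
esac
```

Run it with no arguments to see the deltas computed from the constructed samples; run `sh script.sh live` as root on the firewall while a LAN client browses, and `probe_from_outside <public-ip>` from elsewhere, to reproduce the two checks Antony lists. Parsing the listing by rule position is deliberate: `iptables -L` on its own shows no counters at all, which is why the post's `iptables -L` proves only that the rules are loaded, not that packets hit them.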




* Re: Testing iptables setup
@ 2004-03-09  2:51   ` Ted Kaczmarek
From: Ted Kaczmarek @ 2004-03-09  2:51 UTC (permalink / raw)
  To: Antony Stone; +Cc: netfilter

hping and nmap do wonders for me :-)

Ted
On Mon, 2004-03-08 at 15:18 +0000, Antony Stone wrote:

> On Monday 08 March 2004 3:00 pm, Richard L. Dery wrote:
> 
> > I have the following setup in my /etc/ppp/ip-up.d directory:
> >
> > ## Create chain which blocks new connections, except if coming from inside.
> > # iptables -N block
> > # iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> > # iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
> > # iptables -A block -j DROP
> >
> > ## Jump to that chain from INPUT and FORWARD chains.
> > # iptables -A INPUT -j block
> > # iptables -A FORWARD -j block
> >
> > When I run iptables -L after connecting these rules are displayed.
> >
> > Is there a way to test to show that these rules work?
> 
> I can think of two meanings of the word "work" here:
> 
> 1. Do they allow the traffic you want?
> 2. Do they block the traffic you don't want?
> 
> I suggest you test them by setting the packet counters to zero ("iptables 
> -Z"), then sending some traffic through your firewall which is expected to 
> work (eg: browse an Internet website from a LAN client), and make sure you 
> see a small increase in the packet counters for the NEW rule in the 
> user-defined chain (using "iptables -L -nvx"), and a larger increase in the 
> counters for the ESTABLISHED rule (since this is where the reply packets, and 
> further request packets, will go after the initial connection is made).
> 
> Then try something which should be blocked by the above rules (eg: try to 
> connect to your public IP address from somewhere else on the Internet - it 
> doesn't matter what protocol you try to use - HTTP, telnet, SSH, POP3 etc 
> should all be blocked), and make sure (a) you can't connect, and (b) you see 
> some packets build up in the counters for the DROP rule.
> 
> If in doubt, put a LOG rule just before the DROP rule, and you'll soon see 
> packets from all over the Internet trying to connect to your address, and 
> failing :)
> 
> Regards,
> 
> Antony.
> 
> -- 
> The words "e pluribus unum" on the Great Seal of the United States are from a 
> poem by Virgil entitled "Moretum", which is about cheese and garlic salad 
> dressing.
> 
>                                                      Please reply to the list;
>                                                            please don't CC me.
> 


