8

I have a question about how to test firewall rules. To be more specific, for academic purposes I have to set up a machine which will accept all kinds of packets on a specific interface.

I added an IP Table rule:

sudo iptables -A INPUT -i eth0 -j ACCEPT

I need practical proof that this interface accepts all kinds of packets. Does anyone know a specific way or tool which can help me? I can't find anything better than

nmap -p 80 <ipAddress>

or

nmap -sU <ipAddress>

Or maybe somebody can propose a better solution to prove that the interface accepts all kinds of packets.

SilverlightFox
  • 33,408
  • 6
  • 67
  • 178
Alex
  • 412
  • 1
  • 8
  • 14

2 Answers

10

In most cases doing an nmap -p 0-65535 -PN <ip> works well for testing a remote firewall's TCP rulesets. If you want something more advanced you can use a packet crafter like hping which is designed to test firewall rulesets. Here is some information on building packets with hping.

rook
  • 46,916
  • 10
  • 92
  • 181
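An added example, not part of rook's answer and not a tool of nmap's own, showing what to actually look for in the scan result. With `-A INPUT -i eth0 -j ACCEPT` at the head of INPUT, the evidence is not that ports are open but that no port is reported as `filtered`: a closed TCP port answers with a RST and a closed UDP port with an ICMP port-unreachable, so "no answer at all" (`filtered`) is the signature of a packet the firewall dropped. The POSIX shell script below parses nmap's grepable output (`-oG`) and lists every port whose state contains `filtered`; the scan output it reads is a constructed sample for a hypothetical host 192.0.2.10, and the scan command in the comment is what you would run against your own test machine.

```shell
#!/bin/sh
# Added example: find ports a firewall silently dropped in nmap -oG output.
# Real input would come from a full TCP+UDP scan of the test machine, e.g.:
#   nmap -sS -sU -p 0-65535 -Pn -oG scan.gnmap <ipAddress>
# The sample written by write_sample is constructed, not a real scan result.

write_sample() {
    # $1: path to write. Constructed -oG lines for a hypothetical host.
    printf 'Host: 192.0.2.10 ()\tStatus: Up\n' > "$1"
    printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///, 53/open|filtered/udp//domain///\tIgnored State: closed (65532)\n' >> "$1"
}

filtered_ports() {
    # $1: -oG file. Prints "port/proto state" for every port whose state
    # contains "filtered". -oG fields are tab-separated and the Ports field
    # lists entries as port/state/proto/owner/service/rpc/version, comma-separated.
    awk -F'\t' '
        /^Host:/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
                n = split(substr($i, 8), p, ", ")
                for (j = 1; j <= n; j++) {
                    split(p[j], f, "/")      # f[1]=port f[2]=state f[3]=proto
                    if (f[2] ~ /filtered/) print f[1] "/" f[3] " " f[2]
                }
            }
        }' "$1"
}

check_accept_all() {
    # $1: -oG file. Returns 0 when no port is in a filtered state, 1 otherwise.
    [ "$(filtered_ports "$1" | awk 'END { print NR }')" -eq 0 ]
}

# Stand-alone run on the constructed sample.
sample=$(mktemp)
write_sample "$sample"
if check_accept_all "$sample"; then
    echo "no filtered ports: every probe was answered, nothing was dropped"
else
    echo "filtered ports (probes that got no answer):"
    filtered_ports "$sample"
fi
rm -f "$sample"
```

Two caveats when reading the result. A TCP port reported plain `filtered` is a reliable sign of a drop. A UDP port reported `open|filtered` only means nothing came back, which also happens when the kernel rate-limits its ICMP port-unreachable replies during a fast scan, so treat those ports as "confirm with hping or with an iptables LOG rule" rather than as proof that the interface dropped them.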
3

You can also implement a logging function in your iptables using the -j LOG option and modifying your OS to generate a log file; I do this for new installations of PBX.

iptables -N SIP-Firewall
iptables -A SIP-Firewall -s 110.10.0.0/255.255.255.0 -j ACCEPT
iptables -A SIP-Firewall -s 204.9.161.164 -j ACCEPT
iptables -A SIP-Firewall -s 63.209.144.201 -j ACCEPT
iptables -A SIP-Firewall -s 66.54.140.46 -j ACCEPT
iptables -A SIP-Firewall -m string --string "tel:" --algo bm --to 65 -j DROP
iptables -A SIP-Firewall -m string --string "OPTIONS sip:" --algo bm --to 65 -j ACCEPT
iptables -A SIP-Firewall -m string --string "INVITE sip:" --algo bm --to 65 -m hashlimit --hashlimit 4/min --hashlimit-burst 1 --hashlimit-mode srcip,dstport --hashlimit-name sip_i_limit -j ACCEPT
iptables -A SIP-Firewall -m string --string "REGISTER sip:" --algo bm --to 65 -m hashlimit --hashlimit 2/min --hashlimit-burst 1 --hashlimit-mode srcip,dstport --hashlimit-name sip_r_limit -j ACCEPT
iptables -A SIP-Firewall -m hashlimit --hashlimit 10/min --hashlimit-burst 1 --hashlimit-mode srcip,dstport --hashlimit-name sip_o_limit -j ACCEPT
iptables -A SIP-Firewall -j LOG
iptables -A SIP-Firewall -j DROP



vi /etc/syslog.conf
kern.warning /var/log/iptables.log
service syslog restart

Some info here:

http://openvz.org/Traffic_accounting_with_iptables

gogasca
  • 131
  • 3
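An added example, not from gogasca's answer, that turns the LOG approach into the proof the question asks for. In the ruleset above the LOG rule sits directly before the final DROP, so only rejected packets are recorded; for an interface that is supposed to accept everything, the LOG rule goes in front of the ACCEPT instead, so that every TCP, UDP and ICMP packet arriving on eth0 is written to syslog before it is accepted (the LOG target logs at level warning by default, which is why the kern.warning selector in the answer picks it up). The POSIX shell script below summarises such log lines by interface, protocol and destination port; the rule in the comment and the four log entries it parses are constructed samples in the kernel's LOG line format, not output from a real system.

```shell
#!/bin/sh
# Added example: summarise iptables LOG lines to show which packet types
# actually reached an interface. For the accept-everything setup, log before
# accepting (constructed rule; the --log-prefix text is a free choice):
#   iptables -I INPUT 1 -i eth0 -j LOG --log-prefix "eth0-in: "
# With kern.warning routed to /var/log/iptables.log as in the answer, feed that
# file to summarize_iptables_log. The entries below are constructed samples.

write_sample_log() {
    # $1: path to write. Four constructed entries: one TCP SYN to 5060,
    # two UDP datagrams to 5060 and one ICMP echo request (ICMP has no DPT).
    cat > "$1" <<'EOF'
Mar 10 12:00:01 pbx kernel: [  101.123456] eth0-in: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1000 DF PROTO=TCP SPT=40000 DPT=5060 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:02 pbx kernel: [  102.123456] eth0-in: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=1001 PROTO=UDP SPT=40001 DPT=5060 LEN=24
Mar 10 12:00:02 pbx kernel: [  102.223456] eth0-in: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=1002 PROTO=UDP SPT=40002 DPT=5060 LEN=24
Mar 10 12:00:03 pbx kernel: [  103.123456] eth0-in: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1003 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
EOF
}

summarize_iptables_log() {
    # $1: log file. Prints "IN PROTO DPT count", one line per combination,
    # sorted. Packets without a DPT (ICMP) show "-" in the DPT column.
    awk '
        /PROTO=/ {
            in_if = "-"; proto = "-"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^IN=/)    in_if = substr($i, 4)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (in_if == "") in_if = "-"    # locally generated packets have IN=
            count[in_if " " proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }' "$1" | sort
}

# Stand-alone run on the constructed sample.
sample=$(mktemp)
write_sample_log "$sample"
echo "IN PROTO DPT count"
summarize_iptables_log "$sample"
rm -f "$sample"
```

Run the TCP scan, the UDP scan and a ping against the machine, then compare this summary with what was sent: every protocol and port you probed should appear under IN=eth0, and because the LOG rule precedes the ACCEPT, a line in the summary is direct evidence that the packet reached the INPUT chain on that interface and was accepted rather than dropped.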