We have a fairly complicated iptables/ipchains configuration, which is generated by APF. Traffic to port 80 should be blocked, but our Apache logs show that someone was able to probe for web pages:
[Sun Feb 03 13:08:45 2013] [error] [client 50.57.125.169] File does not exist: /var/www/w00tw00t.at.blackhats.romanian.anti-sec:)
[Sun Feb 03 13:08:45 2013] [error] [client 50.57.125.169] File does not exist: /var/www/phpMyAdmin
[Sun Feb 03 13:08:45 2013] [error] [client 50.57.125.169] File does not exist: /var/www/phpmyadmin
Is there a way to simulate a source IP in iptables to debug why a packet from 50.57.125.169 didn't get blocked? The -C | --check option seems to only report whether there exists a rule that explicitly matches the IP, but what I'd like to do is (pseudocode)
myserver% iptables --test --source_ip=50.57.125.169 --dest_port=80
Rule #17 matches (ALLOW) // i.e. this would be the rule that matches
Is there a way to do this?
[edit]
One partial solution was to enable TRACE debugging on iptables (cf. https://serverfault.com/a/126078/67472) and use hping3 (thanks Trent), which can spoof a source IP. However, the results are not showing up when the test is run from a different server, and when run from the same server, it goes over the loopback interface.
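An added example, not part of the question or of any answer, and not APF's or iptables' own code: the "which rule would match?" check the pseudocode above asks for can be approximated offline by walking a saved ruleset the way the kernel would. The script below parses a constructed iptables-save dump (an allow-list user chain consulted before the port 80 DROP) and reports every rule a packet with a given source IP and destination port passes through, ending with the verdict. The function names (`parse_dump`, `trace`, `explain`) and the sample ruleset are assumptions made for this example. It models only `-i`, `-s`, `-d`, `-p`, `--dport` and `-j`; conntrack state, multiport and other match modules that a real APF configuration uses are not understood and cause a `ValueError`, so it is a first check on a copy of the rules, not a replacement for TRACE on the live box.

```python
"""Offline 'which rule would match?' helper for a subset of iptables-save
output.  Added example, not code from the question, APF or iptables.
Understood: -i, -s, -d, -p, --dport, -j (ACCEPT/DROP/REJECT, RETURN, or a
jump to a user chain).  Anything else raises so a wrong answer is not
reported silently."""
import ipaddress
import shlex

# Constructed sample in iptables-save format (not a real APF configuration):
# an allow-list user chain is consulted before the port 80 DROP, and one of
# its entries is an over-broad /8.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ALLOW_LIST - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j ALLOW_LIST
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A ALLOW_LIST -s 198.51.100.7/32 -j ACCEPT
-A ALLOW_LIST -s 50.0.0.0/8 -j ACCEPT
-A ALLOW_LIST -j RETURN
COMMIT
"""

SIMPLE_OPTS = {"-i", "-s", "-d", "-p", "--dport", "-j"}


def parse_dump(text):
    """Return (policies, chains): chain name -> policy, chain name -> rule list."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                 # chain declaration with policy
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif line.startswith("-A "):             # rule appended to a chain
            toks = shlex.split(line)
            chain, rule, i = toks[1], {"raw": line}, 2
            while i < len(toks):
                opt = toks[i]
                if opt in SIMPLE_OPTS:
                    rule[opt] = toks[i + 1]
                elif opt != "-m":                # "-m tcp" adds no criteria evaluated here
                    raise ValueError(f"unsupported option {opt!r} in: {line}")
                i += 2
            chains[chain].append(rule)
    return policies, chains


def rule_matches(rule, pkt):
    """Evaluate the supported match criteria of one rule against a packet dict."""
    if "-i" in rule and rule["-i"] != pkt["iface"]:
        return False
    for opt, key in (("-s", "src"), ("-d", "dst")):
        if opt in rule and ipaddress.ip_address(pkt[key]) not in \
                ipaddress.ip_network(rule[opt], strict=False):
            return False
    if "-p" in rule and rule["-p"] != pkt["proto"]:
        return False
    if "--dport" in rule and int(rule["--dport"]) != pkt["dport"]:
        return False
    return True


def trace(policies, chains, chain, pkt, path):
    """Walk one chain in order; return the verdict, or None if the packet
    RETURNs or falls off the end of a user chain.  path collects
    (chain, 1-based rule index, raw rule) for every rule that matched."""
    for idx, rule in enumerate(chains[chain], start=1):
        if not rule_matches(rule, pkt):
            continue
        path.append((chain, idx, rule["raw"]))
        target = rule.get("-j")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            break
        if target in chains:                     # jump into a user-defined chain
            verdict = trace(policies, chains, target, pkt, path)
            if verdict is not None:
                return verdict
    policy = policies.get(chain, "-")
    return None if policy == "-" else policy     # user chains have no policy


def explain(dump, src, dport, proto="tcp", iface="eth0", dst="198.51.100.10"):
    """Which rule decides an inbound packet's fate? Returns (verdict, matched path)."""
    policies, chains = parse_dump(dump)
    pkt = {"src": src, "dst": dst, "proto": proto, "dport": dport, "iface": iface}
    path = []
    verdict = trace(policies, chains, "INPUT", pkt, path)
    return verdict, path


if __name__ == "__main__":
    verdict, path = explain(SAMPLE_DUMP, "50.57.125.169", 80)
    for chain, idx, raw in path:
        print(f"{chain} rule #{idx}: {raw}")
    print("verdict:", verdict)   # ACCEPT, via the over-broad 50.0.0.0/8 allow-list entry
```

Run against the sample, the packet from 50.57.125.169 to port 80 is accepted by rule #2 of ALLOW_LIST (the 50.0.0.0/8 entry) before the INPUT port 80 DROP is ever reached, which is exactly the kind of ordering problem that -C cannot reveal. To use it on your own box, feed it the output of `iptables-save` (as root) and extend `SIMPLE_OPTS`/`rule_matches` for the match modules your rules actually use; anything the script refuses to parse is a rule you must still verify with TRACE.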