7

We have a fairly complicated iptables/ipchains configuration, which is generated by APF. Traffic to port 80 should be blocked, but our Apache logs show that someone was able to probe for web pages:

    [Sun Feb 03 13:08:45 2013] [error] [client 50.57.125.169] File does not exist: /var/www/w00tw00t.at.blackhats.romanian.anti-sec:)
    [Sun Feb 03 13:08:45 2013] [error] [client 50.57.125.169] File does not exist: /var/www/phpMyAdmin
    [Sun Feb 03 13:08:45 2013] [error] [client 50.57.125.169] File does not exist: /var/www/phpmyadmin

Is there a way to simulate a source IP in iptables to debug why a packet from 50.57.125.169 didn't get blocked? The -C | --check option seems to only report whether there exists a rule that explicitly matches the IP, but what I'd like to do is (pseudocode):

    myserver% iptables --test --source_ip=50.57.125.169 --dest_port=80
    Rule #17 matches (ALLOW)    // i.e. this would be the rule that matches

Is there a way to do this?

[edit] One partial solution was to enable TRACE debugging on iptables (cf. https://serverfault.com/a/126078/67472) and use hping3 (thanks Trent), which can spoof a source IP. However, the results are not showing up when the test is run from a different server, and when run from the same server, it goes over the loopback interface.

mrisher
  • Check about ip spoofing for your operating system – Hex Feb 09 '13 at 22:37
  • There is no actual Rule #17. That was the "pseudocode" (i.e. my wishlist output) of the command I'm looking for. I have edited the question to make it more clear that "Rule 17" is fiction. – mrisher Feb 11 '13 at 06:53
  • 3
    Wow... wonder why this question closed as not a real question. It's really obvious what's being asked and IMO is a real question. – hookenz Nov 05 '13 at 01:35
  • Thanks, Matt, that's kind of you. I couldn't figure out why either. Unfortunately, I don't have enough Karma to reopen it. – mrisher Nov 06 '13 at 06:10
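
The "which rule would match this packet?" query the question asks for can be approximated offline by walking the ruleset the way the kernel does. The following is an added example, not code from the question, any answer, or APF: a small simulator for rules in iptables-save syntax (it understands -i, -s, -p, --dport, -m state --state, -j and jumps into user-defined chains, nothing more). The RULESET it walks is a constructed, hypothetical one with a DENY_HOSTS chain; it is not the asker's generated configuration, and any real ruleset using options beyond that subset will raise an error rather than silently mis-simulate.

```python
"""Offline simulator for a subset of iptables filter rules (added example; not
code from the question, the answers or APF). Given rules in iptables-save
syntax it reports which rule a packet from X to port Y would hit."""
import ipaddress
import shlex

# Constructed sample ruleset (hypothetical, not the asker's APF output):
# a DENY_HOSTS chain is consulted first, then per-port ACCEPT rules.
RULESET = """
*filter
:INPUT DROP [0:0]
:DENY_HOSTS - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DENY_HOSTS
-A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A DENY_HOSTS -p tcp -s 1.2.3.4/32 --dport 80 -j DROP
COMMIT
"""

def parse_ruleset(text):
    """Return (chains, policies): chain -> rule dicts, chain -> default policy."""
    chains, policies = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "*#" or line == "COMMIT":
            continue
        if line.startswith(":"):              # ":CHAIN POLICY [pkts:bytes]"
            name, policy, _ = line[1:].split()
            chains[name] = []
            policies[name] = None if policy == "-" else policy
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            continue
        rule, i = {"text": line}, 2
        while i < len(toks):
            t, arg = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
            if t in ("-s", "--source"):
                rule["src"] = ipaddress.ip_network(arg, strict=False)
            elif t in ("-p", "--protocol"):
                rule["proto"] = arg.lower()
            elif t == "--dport":
                rule["dport"] = int(arg)
            elif t in ("-i", "--in-interface"):
                rule["iface"] = arg
            elif t == "--state":
                rule["state"] = set(arg.split(","))
            elif t in ("-j", "--jump"):
                rule["target"] = arg
            elif t != "-m":                    # "-m state" only names a module
                raise ValueError(f"unsupported option {t!r} in: {line}")
            i += 2
        chains.setdefault(toks[1], []).append(rule)
    return chains, policies

def rule_matches(rule, pkt):
    """Every option present on the rule must match the packet (AND semantics)."""
    return all((
        "src" not in rule or ipaddress.ip_address(pkt["src"]) in rule["src"],
        "proto" not in rule or rule["proto"] == pkt["proto"],
        "dport" not in rule or rule["dport"] == pkt["dport"],
        "iface" not in rule or rule["iface"] == pkt["iface"],
        "state" not in rule or pkt["state"] in rule["state"],
    ))

def walk(chains, policies, chain, pkt, depth=0):
    """Walk a chain as the kernel does: returns (verdict, path), where path lists
    (chain, rule number, rule text) for each matching rule; verdict is None
    when a user-defined chain falls through to its caller."""
    if depth > 16:
        raise RuntimeError("jump loop or excessive chain nesting")
    path = []
    for n, rule in enumerate(chains.get(chain, []), start=1):
        if not rule_matches(rule, pkt):
            continue
        path.append((chain, n, rule["text"]))
        target = rule.get("target")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, path
        if target == "RETURN":
            break
        if target in chains:                   # jump into a user-defined chain
            verdict, sub = walk(chains, policies, target, pkt, depth + 1)
            path.extend(sub)
            if verdict is not None:
                return verdict, path
    policy = policies.get(chain)               # end of chain: built-in policy
    if policy is not None:
        path.append((chain, "policy", policy))
    return policy, path

def simulate(ruleset, src, dport, proto="tcp", iface="eth0", state="NEW"):
    """Run one inbound packet through INPUT; returns (verdict, path)."""
    chains, policies = parse_ruleset(ruleset)
    pkt = dict(src=src, proto=proto, dport=dport, iface=iface, state=state)
    return walk(chains, policies, "INPUT", pkt)

if __name__ == "__main__":
    for src, port in (("50.57.125.169", 80), ("1.2.3.4", 80), ("50.57.125.169", 8080)):
        print(src, port, simulate(RULESET, src, port))
```

Against the constructed ruleset a SYN from 50.57.125.169 to port 80 passes through the DENY_HOSTS jump without matching anything there and is accepted by INPUT rule 5, which is exactly the kind of answer the asker's pseudocode wants. The path output matters more than the verdict: a rule like "-A INPUT -p tcp --dport 80 -j ACCEPT" sitting above a per-host deny, or a deny chain that only lists some hosts, is the usual reason a "blocked" port still shows up in web logs.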

3 Answers

6

Could you just use hping to simulate the source IP address of the traffic and then check to see if the traffic is still getting through? Probably not quite what you are looking for but you could do something like

    hping3 --syn --destport 80 --count 3 -a test.ip.address webserver.ip.address

trent
  • Good idea. I thought using the `-a` option to spoof the source port will make me not get replies; how would it show up if the port was allowed versus blocked? – mrisher Feb 09 '13 at 23:08
  • you would need to look at your application logs to see if the connection was reaching your application – trent Feb 10 '13 at 01:44
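
Application logs only show what got through; the TRACE debugging mentioned in the question's edit shows the path a packet took through the tables, which is what is needed to see which rule let it in. As an added example (not code from the question, this answer, or the linked Server Fault post), here is a parser that groups xt_TRACE kernel-log lines by packet and reports the rule or chain policy that decided each one. LOG_LINES is constructed to follow the TRACE line layout with the uninteresting packet fields trimmed; the DENY_HOSTS chain name and the rule numbers are hypothetical, not from the asker's server.

```python
"""Parse iptables TRACE kernel-log lines into a per-packet rule path (added
example; not code from the question, the answers or the linked post).
LOG_LINES is constructed to follow the xt_TRACE line layout
  TRACE: <table>:<chain>:<rule|return|policy>:<number> IN=... SRC=... DPT=...
with most packet fields trimmed; it is not a real capture."""
import re
from collections import OrderedDict

# Constructed sample: a SYN from the address in the Apache log and one from a
# host listed in a DENY_HOSTS chain (hypothetical chain name).
LOG_LINES = """\
[101.50] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=50.57.125.169 DST=203.0.113.10 TTL=51 ID=40001 DF PROTO=TCP SPT=44321 DPT=80 SYN
[101.50] TRACE: filter:INPUT:rule:3 IN=eth0 OUT= SRC=50.57.125.169 DST=203.0.113.10 TTL=51 ID=40001 DF PROTO=TCP SPT=44321 DPT=80 SYN
[101.50] TRACE: filter:DENY_HOSTS:return:2 IN=eth0 OUT= SRC=50.57.125.169 DST=203.0.113.10 TTL=51 ID=40001 DF PROTO=TCP SPT=44321 DPT=80 SYN
[101.50] TRACE: filter:INPUT:rule:5 IN=eth0 OUT= SRC=50.57.125.169 DST=203.0.113.10 TTL=51 ID=40001 DF PROTO=TCP SPT=44321 DPT=80 SYN
[102.00] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=1.2.3.4 DST=203.0.113.10 TTL=60 ID=777 DF PROTO=TCP SPT=50123 DPT=80 SYN
[102.00] TRACE: filter:INPUT:rule:3 IN=eth0 OUT= SRC=1.2.3.4 DST=203.0.113.10 TTL=60 ID=777 DF PROTO=TCP SPT=50123 DPT=80 SYN
[102.00] TRACE: filter:DENY_HOSTS:rule:1 IN=eth0 OUT= SRC=1.2.3.4 DST=203.0.113.10 TTL=60 ID=777 DF PROTO=TCP SPT=50123 DPT=80 SYN
"""

TRACE_RE = re.compile(
    r"TRACE: (?P<table>\w+):(?P<chain>[^:\s]+):(?P<kind>rule|return|policy)"
    r":(?P<num>\d+)\s*(?P<rest>.*)")

def parse_trace_line(line):
    """Return {'hop': (table, chain, kind, num), 'fields': {...}} or None."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    # "KEY=VALUE" tokens become fields; bare flags such as DF or SYN are skipped
    fields = dict(tok.split("=", 1) for tok in m["rest"].split() if "=" in tok)
    return {"hop": (m["table"], m["chain"], m["kind"], int(m["num"])),
            "fields": fields}

def packet_key(fields):
    """Fields that stay constant across every TRACE line for one packet."""
    return tuple(fields.get(k, "") for k in ("SRC", "DST", "PROTO", "SPT", "DPT", "ID"))

def trace_paths(log_text):
    """Group TRACE lines by packet; returns OrderedDict(key -> [hop, ...])."""
    paths = OrderedDict()
    for line in log_text.splitlines():
        parsed = parse_trace_line(line)
        if parsed:
            paths.setdefault(packet_key(parsed["fields"]), []).append(parsed["hop"])
    return paths

def verdict_hop(path):
    """TRACE logs every rule a packet matches until one terminates, so the
    last hop is the rule or chain policy that decided the packet's fate."""
    return path[-1]

def report(log_text):
    """One human-readable line per traced packet."""
    lines = []
    for (src, _dst, proto, _spt, dpt, _id), path in trace_paths(log_text).items():
        table, chain, kind, num = verdict_hop(path)
        lines.append(f"{src} -> {proto.lower()}/{dpt}: decided by {table}:{chain} {kind} {num}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(LOG_LINES)))
```

Feed it the relevant lines from the kernel log (dmesg or syslog) and the last hop for each packet is the rule number to look up with iptables -L INPUT -n --line-numbers. As the question's edit already notes, a test sent from the server itself arrives on the loopback interface, so it traverses the rules that apply to lo rather than the ones that apply to external traffic; the trace has to come from a packet that entered on the real interface.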
1

You can use scapy to spoof your IP address.

1

I know I am not directly addressing the question you asked, but having used APF for quite some time, I could advise you on how to block the IP, in case you used a different approach.

Example: to block port 80 for the host 1.2.3.4, add the following line to /etc/apf/deny_hosts.rules:

    tcp:in:d=80:s=1.2.3.4

In addition to this, instead of going through the hassle of spoofing a source IP, why not try to block the IP address of some client computer under your own control and try to connect from it.

Daniel t.
  • Thanks for the help, Daniel. I have many of such rules in place, the issue is I'm trying to figure out why someone else snuck through. I'll look into the deny rules again to be sure. – mrisher Feb 10 '13 at 16:43