How to simulate a source IP to test which iptables rules are/aren't firing? [closed]
We have a fairly complicated iptables/ipchains configuration, which is generated by APF. Traffic to port 80 should be blocked, but our Apache logs show that someone was able to probe for web pages:
[Sun Feb 03 13:08:45 2013] [error] [client 50.57.125.169] File does not exist: /var/www/w00tw00t.at.blackhats.romanian.anti-sec:)
[Sun Feb 03 13:08:45 2013] [error] [client 50.57.125.169] File does not exist: /var/www/phpMyAdmin
[Sun Feb 03 13:08:45 2013] [error] [client 50.57.125.169] File does not exist: /var/www/phpmyadmin
Is there a way to simulate a source IP in iptables to debug why a packet from 50.57.125.169 didn't get blocked? The -C | --check option seems to only report whether there exists a rule that explicitly matches the IP, but what I'd like to do is (pseudocode)
myserver% iptables --test --source_ip=50.57.125.169 --dest_port=80
Rule #17 matches (ALLOW) // i.e. this would be the rule that matches
Is there a way to do this?
[edit]
One partial solution was to enable TRACE debugging on iptables (cf. https://serverfault.com/a/126078/67472) and use hping3 (thanks Trent), which can spoof a source IP. However, the results are not showing up when the test is run from a different server, and when run from the same server, it goes over the Loopback interface.
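The "which rule would this packet hit" walk that the pseudocode above asks for can be done offline over iptables-save output, without sending any spoofed traffic. The script below is an added example, not part of the original question or any answer: it parses a constructed ruleset (the chain names and rules are invented for illustration, not the poster's APF output), models only the -i, -s, -p, --dport and -j matchers, and walks the INPUT chain first-match with jumps into user chains, so it shows exactly why an earlier broad allow rule wins over a later DROP for the same source.

```python
import ipaddress
import shlex

# Constructed iptables-save style ruleset (not the poster's real APF output).
RULES = """\
*filter
:INPUT DROP [0:0]
:ALLOW_HTTP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 50.57.0.0/16 -p tcp -m tcp --dport 80 -j ALLOW_HTTP
-A INPUT -s 50.57.125.169/32 -p tcp -m tcp --dport 80 -j DROP
-A ALLOW_HTTP -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

def parse(text):  # -> (chain policies, ordered rule list per chain)
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                 # chain header with policy
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif line.startswith("-A "):             # appended rule; only a few matchers modelled
            tok = shlex.split(line)
            rule = {"raw": line, **{tok[i]: tok[i + 1] for i in range(2, len(tok) - 1)
                                    if tok[i] in ("-i", "-s", "-p", "--dport", "-j")}}
            chains[tok[1]].append(rule)
    return policies, chains

def matches(rule, pkt):  # every matcher the rule carries must agree with the packet
    net = ipaddress.ip_network(rule.get("-s", "0.0.0.0/0"), strict=False)
    return (rule.get("-i", pkt["iface"]) == pkt["iface"]
            and rule.get("-p", pkt["proto"]) == pkt["proto"]
            and int(rule.get("--dport", pkt["dport"])) == pkt["dport"]
            and ipaddress.ip_address(pkt["src"]) in net)

def trace(text, pkt, chain="INPUT"):
    # First-match walk with jumps: returns (verdict, matched rules in order).
    policies, chains = parse(text)
    path = []
    def walk(name):
        for rule in (r for r in chains[name] if matches(r, pkt)):
            path.append(rule["raw"])
            target = rule["-j"]
            if target not in chains:             # ACCEPT/DROP/REJECT end the walk
                return None if target == "RETURN" else target
            verdict = walk(target)               # user chain; None means it fell through
            if verdict is not None:
                return verdict
        return None                              # fell off the end of the chain
    return walk(chain) or policies[chain], path
```

For the packet {"src": "50.57.125.169", "dport": 80, "proto": "tcp", "iface": "eth0"} the walk returns ACCEPT via the /16 allow rule and the ALLOW_HTTP chain, and the later per-host DROP is never reached. Matchers the script does not model (-m state, -d, --sport, LOG targets and so on) are silently ignored, so treat a verdict from it as a pointer to the rule to inspect, not as proof of what the kernel does.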
Solution 1:
Could you just use hping to simulate the source IP address of the traffic and then check to see if the traffic is still getting through? Probably not quite what you are looking for but you could do something like
hping3 --syn --destport 80 --count 3 -a test.ip.address webserver.ip.address
Solution 2:
You can use scapy to spoof your IP address.
Solution 3:
I know I am not directly addressing the question you asked, but having used APF for quite some time, I could advise you on how to block the IP, in case you used a different approach.
Example: to block port 80 for the host 1.2.3.4, add the following line to /etc/apf/deny_hosts.rules
tcp:in:d=80:s=1.2.3.4
In addition to this, instead of going through the hassle of spoofing a source IP, why not try to block the IP address of some client computer under your own control and try to connect from it.