How to simulate a source IP to test which iptables rules are/aren't firing? [closed]

unix firewall iptables

We have a fairly complicated iptables/ipchains configuration, which is generated by APF. Traffic to port 80 should be blocked, but our Apache logs show that someone was able to probe for web pages:

[Sun Feb 03 13:08:45 2013] [error] [client 50.57.125.169] File does not exist:     /var/www/w00tw00t.at.blackhats.romanian.anti-sec:)
[Sun Feb 03 13:08:45 2013] [error] [client 50.57.125.169] File does not exist: /var/www/phpMyAdmin
[Sun Feb 03 13:08:45 2013] [error] [client 50.57.125.169] File does not exist: /var/www/phpmyadmin

Is there a way to simulate a source IP in iptables to debug why packet from 50.57.125.169 didn't get blocked? The -C | --check option seems to only report whether there exists a rule that explicitly matches the IP, but what I'd like to do is (pseudocode)

myserver% iptables --test --source_ip=50.57.125.169 --dest_port=80
Rule #17 matches (ALLOW)    // i.e. this would be the rule that matches

Is there a way to do this?

[edit] One partial solution was to enable TRACE debugging on iptables (cf. https://serverfault.com/a/126078/67472) and use hping3 (thanks Trent) which can spoof a source IP. However, the results are not showing up when the test is run from a different server, and when run from the same server, it goes over the Loopback interface.


Solution 1:

Could you just use hping to simulate the source IP address of the traffic and then check to see if the traffic is still getting through? Probably not quite what you are looking for but you could do something like

hping3 --syn --destport 80 --count 3 -a test.ip.address webserver.ip.address

Solution 2:

You can use scapy to spoof your IP address.

Solution 3:

I know I am not directly addressing the question you asked, but having used APF for quite some time, I could advise you on how to block the IP, in case you used a different approach.

example:to block port 80 for the host 1.2.3.4-add the following line /etc/apf/deny_hosts.rules

    tcp:in:d=80:s=1.2.3.4

In addition to this, in stead of going through the hassle of spoofing source IP, why not try to block the IP address of some client computer under your own control and try to connect from it.

Related

How Do I Update Apache to 2.2.24 On AWS Instance
What is the (*) in Windows Performance Counters
Best method to clone a Windows server?
FreeBSD undo uppercase characters in username
Forcing Nginx to send Content-Length headers when serving static files with gzip
iptables SSH connection logging
NIS failing to bind
How to correctly ldapmodify replace olcAccess lines?
Cant connect IPv6 linux server via Putty
What is the difference between “Main” mode and “Quick” mode when using IPsec in Windows Server?
GPO software deployment without WMI?
Filezilla/Puttygen doesn't recognize private key file