Hello Tom,

I use iptables-save -c to show the packet counts per rule to determine which 
rules are hitting. 

Here is a very basic tool utilizing this feature.

http://blackcore.net/source/ipdiff.txt

I hope this gets you somewhat towards your desired goal :)

Thanks,
Ash Palmer

-----Original Message-----
From: Tom Limoncelli <[email protected]>
Sender: [email protected]
Date: Fri, 28 Jun 2013 14:02:50 
To: LOPSA Discuss List<[email protected]>
Subject: [lopsa-discuss] Linux iptables simulator

Hi!

I'd like to write "unit tests" for my firewall rules.  I used to do
this with FreeBSD but I haven't found a similar tool for Linux.  Any
suggestions?

In particular, on FreeBSD there was a utility that simulated the
firewall system.  You could give it a list of rules, a packet's
source/dest/ports, and it would return "DROP" or "ALLOW".  The
Makefile I used for maintaining my firewall rules ran a couple scripts
that tested basic functionality (was port X blocked, was port Y
permitted).  That way if I totally messed up the ruleset it wouldn't
be installed.

For Linux I found http://sourceforge.net/projects/iptview (IPTview)
which seems to have been abandoned in 2005.  It creates a graphical
view of the rules; not a simple "permit/deny" output.  However that's
the best I've found so far.

Does anyone know if such a thing exists?

Thanks!

Tom

--
Email: [email protected]
Skype: YesThatTom
Blog:  http://EverythingSysadmin.com
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
 http://lopsa.org/
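As an added example (not Ash's ipdiff tool linked above, and not part of the original thread), here is a small Python script that parses two `iptables-save -c` snapshots and reports which rules and chain policies saw traffic between them. The two snapshots are constructed sample data; rules are keyed by their full `-A ...` text within a table, so two byte-identical rules in one table would collide, and a counter that goes backwards is reported as a reset rather than a negative delta.

```python
import re

# Constructed sample snapshot in `iptables-save -c` format (not a real capture).
BEFORE = """\
*filter
:INPUT DROP [3:180]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [120:9600]
[40:2400] -A INPUT -i lo -j ACCEPT
[7:420] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[2:120] -A INPUT -p tcp -m tcp --dport 23 -j DROP
COMMIT
"""
# Second constructed snapshot: INPUT/OUTPUT policies and the lo and ssh rules advanced.
AFTER = (BEFORE.replace("[3:180]", "[5:300]").replace("[120:9600]", "[150:12000]")
         .replace("[40:2400]", "[52:3120]").replace("[7:420]", "[9:540]"))

CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")   # :CHAIN POLICY [pkts:bytes]
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+(-A\s+.*)$")          # [pkts:bytes] -A CHAIN ...

def parse_counters(text):
    """Map '<table> -A ...' rules and '<table> :CHAIN policy X' entries to (packets, bytes)."""
    counters = {}
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. *filter
            table = line[1:]
        elif m := CHAIN_RE.match(line):     # built-in chain policy counters
            counters[f"{table} :{m.group(1)} policy {m.group(2)}"] = (int(m.group(3)), int(m.group(4)))
        elif m := RULE_RE.match(line):      # per-rule counters
            counters[f"{table} {m.group(3)}"] = (int(m.group(1)), int(m.group(2)))
    return counters

def diff_counters(before, after):
    """Return {key: (delta_packets, delta_bytes)} for entries that moved, or 'reset' if they went backwards."""
    deltas = {}
    for key, (p1, b1) in after.items():
        p0, b0 = before.get(key, (0, 0))    # a rule absent before counts from zero
        if p1 < p0:
            deltas[key] = "reset"
        elif p1 != p0:
            deltas[key] = (p1 - p0, b1 - b0)
    return deltas

if __name__ == "__main__":
    for key, d in diff_counters(parse_counters(BEFORE), parse_counters(AFTER)).items():
        print(f"{d!s:>14}  {key}")
```

Run it once before and once after sending your test traffic (or feed it two saved files) and the rules that actually matched stand out, which is a cheap substitute for the permit/deny simulator Tom asked about.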