If you trust your ability to write the rules, and just want to verify the rule is present... you can use the -C flag

# iptables -C INPUT -p tcp --dport 80 -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
# echo $?
1

That would let you ensure the rules you want are present. Not the same as properly exercising the rules of course

--Craig Constantine, http://constantine.name

On Jun 28, 2013, at 2:02 PM, Tom Limoncelli <[email protected]> wrote:

> Hi!
>
> I'd like to write "unit tests" for my firewall rules. I used to do this with FreeBSD but I haven't found a similar tool for Linux. Any suggestions?
>
> In particular, on FreeBSD there was a utility that simulated the firewall system. You could give it a list of rules, a packet's source/dest/ports, and it would return "DROP" or "ALLOW". The Makefile I used for maintaining my firewall rules ran a couple scripts that tested basic functionality (was port X blocked, was port Y permitted). That way if I totally messed up the ruleset it wouldn't be installed.
>
> For Linux I found http://sourceforge.net/projects/iptview (IPTview) which seems to have been abandoned in 2005. It creates a graphical view of the rules; not a simple "permit/deny" output. However that's the best I've found so far.
>
> Does anyone know if such a thing exists?
>
> Thanks!
> Tom
>
> --
> Email: [email protected]
> Skype: YesThatTom
> Blog: http://EverythingSysadmin.com

_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
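A pre-install check built on the `-C` approach above, as an added example that is not part of the thread: it asserts that each expected rule is present and that a rule which must never be loaded is absent, and exits non-zero otherwise so a Makefile target can refuse to install the ruleset. The policy encoded in `check_rules` is a constructed sample, and the `IPTABLES` override is an assumption so the check can be dry-run against a stub.

```shell
#!/bin/sh
# Added example (not from the thread). Verify that a ruleset is loaded using
# `iptables -C`, which returns 0 only when an identical rule exists in the
# chain. IPTABLES can be overridden (assumption) to point at a stub, or at
# ip6tables for the v6 ruleset.
IPTABLES="${IPTABLES:-iptables}"
FAILED=0

# rule_present CHAIN [match args] -j TARGET : 0 if the exact rule exists.
rule_present() {
    "$IPTABLES" -C "$@" >/dev/null 2>&1
}

# expect_rule: the rule must be present; forbid_rule: it must be absent.
# Each failure is reported on stderr and counted in FAILED.
expect_rule() {
    rule_present "$@" || { echo "MISSING:   $*" >&2; FAILED=$((FAILED + 1)); }
}
forbid_rule() {
    if rule_present "$@"; then echo "FORBIDDEN: $*" >&2; FAILED=$((FAILED + 1)); fi
}

# check_rules encodes the policy under test (constructed sample policy):
# ssh, http and https accepted; a telnet accept must never slip in.
# Returns 0 only when every assertion holds.
check_rules() {
    FAILED=0
    expect_rule INPUT -p tcp --dport 22  -j ACCEPT
    expect_rule INPUT -p tcp --dport 80  -j ACCEPT
    expect_rule INPUT -p tcp --dport 443 -j ACCEPT
    forbid_rule INPUT -p tcp --dport 23  -j ACCEPT
    [ "$FAILED" -eq 0 ]
}

# Invoked as `./check-rules.sh run`, the exit status gates the install step,
# e.g. a Makefile with `install: check` and `check: ; ./check-rules.sh run`.
case "${1:-}" in
    run) check_rules ;;
esac
```

Because `-C` matches only an identical rule, a rule written with a different but equivalent spelling (an interface name added, a port range instead of a single port) reports as missing, so keep the assertions in the same form as the rules you install.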
