Debugging iptables Rules: How to Simulate Source IP Traffic for Firewall Testing


4 views

When troubleshooting firewall issues, standard iptables commands like iptables -C only check if a rule exists, not how packets actually traverse your rule chain. Consider this common scenario:

# This only checks rule existence
iptables -C INPUT -s 50.57.125.169 -p tcp --dport 80 -j DROP

What we really need is a way to simulate real packet flow through the entire ruleset.

Here are three effective approaches for testing iptables rules with custom source IPs:

Method 1: Using hping3 for Spoofed Packets

# From a remote test machine:
hping3 -S -p 80 -a 50.57.125.169 your.server.ip

Key flags:
-S for SYN packet (TCP handshake)
-a to spoof source address
• Monitor results with tcpdump or firewall logs

Method 2: Local Testing with TRACE Target

First enable tracing:

modprobe nf_log_ipv4
sysctl net.netfilter.nf_log.2=nf_log_ipv4
iptables -t raw -A PREROUTING -p tcp --dport 80 -j TRACE

Then test with loopback traffic:

curl --interface lo --header "Host:" http://127.0.0.1/

Method 3: Network Namespace Testing

For more advanced isolation:

ip netns add testns
ip netns exec testns bash
ip addr add 50.57.125.169/32 dev lo
curl --interface lo http://your.real.ip/

When testing, look for these common issues:

  • Rules being overridden by later ACCEPT rules
  • Interface-specific rules that don't match your test path
  • Connection tracking (conntrack) bypassing rules
  • Default policy being permissive

For repeatable testing, save this script as fwtest.sh:

#!/bin/bash
TEST_IP="50.57.125.169"
TARGET_PORT=80

echo "[+] Testing from $TEST_IP to port $TARGET_PORT"
hping3 -c 1 -S -p $TARGET_PORT -a $TEST_IP YOUR_SERVER_IP 2>&1 | grep -E "flags=|packets"

echo "[+] Checking kernel logs:"
dmesg | tail -n 10 | grep TRACE

echo "[+] Current connection state:"
conntrack -L | grep $TARGET_PORT

For Python enthusiasts, Scapy provides granular control:

from scapy.all import *
ip = IP(src="50.57.125.169", dst="YOUR_SERVER_IP")
tcp = TCP(dport=80, flags="S")
send(ip/tcp, verbose=1)

Remember to check your firewall logs after each test method to see how the packets were processed through your rule chain.

Debugging complex iptables configurations can be tricky when unexpected traffic slips through. In this case, we need to test why HTTP requests from 50.57.125.169 reached Apache despite firewall rules that should block port 80 traffic.

First, enable packet tracing in iptables to see rule processing:

# Add TRACE rule for specific IP
iptables -t raw -A PREROUTING -s 50.57.125.169 -j TRACE

# View logs (kernel messages)
dmesg -w | grep TRACE

This will show you exactly which chain and rule numbers process packets from the test IP.

From a remote test machine (not the target server), generate spoofed packets:

# Test TCP/80 connection attempt
hping3 -S -p 80 -a 50.57.125.169 your.server.ip

# For UDP tests
hping3 --udp -p 53 -a 50.57.125.169 your.server.ip

Combine this with the TRACE method above to monitor rule processing.

For testing on the local machine (though this uses loopback interface):

# Create test namespace
ip netns add testns

# Add virtual interface
ip link add veth0 type veth peer name veth1
ip link set veth1 netns testns

# Assign test IP
ip netns exec testns ip addr add 50.57.125.169/32 dev veth1
ip netns exec testns ip link set veth1 up

# Test connection
ip netns exec testns curl http://your.server.ip

To verify which rules would match without sending real packets:

iptables -L -v -n | grep 50.57.125.169
iptables -S | grep 80

For more detailed analysis of rule processing order:

iptables -L -n --line-numbers
  • Rules in wrong chain (INPUT vs FORWARD)
  • Earlier ACCEPT rules taking precedence
  • Interface-specific rules not matching test traffic
  • Connection tracking (conntrack) bypassing rules

Here's a basic script to test multiple rules:

#!/bin/bash
TEST_IP="50.57.125.169"
TARGET_IP="your.server.ip"
PORT=80

echo "Testing iptables rules for $TEST_IP:$PORT"

# Clear previous TRACE rules
iptables -t raw -F

# Add TRACE rule
iptables -t raw -A PREROUTING -s $TEST_IP -j TRACE

# Generate test traffic
hping3 -S -p $PORT -a $TEST_IP $TARGET_IP -c 1 >/dev/null 2>&1

# Display matched rules
dmesg | grep TRACE | tail -n 10