The rc.test-iptables.txt script can be used to test all the different
chains, but it might need some tweaking depending on your configuration, such
as turning on ip_forwarding, and setting up
masquerading etc. It will work for most everyone
who has all the basic set up and all the basic tables loaded into kernel.
All it really does is set some LOG targets which will log
ping replies and ping requests. This way, you will get information on which
chain was traversed and in which order. For example, run this script and then
ping -c 1 host.on.the.internet
And tail -n 0 -f /var/log/messages while doing the first
command. This should show you all the different chains used, and in which order,
unless the log entries are swapped around for some reason.
This script was written for testing purposes only. In other words,
it's not a good idea to have rules like this that log everything of one sort
since your log partitions might get filled up quickly and it would be an
effective Denial of Service attack against you and might lead to real attacks on
you that would be unlogged after the initial Denial of Service attack.