
I have the following rule in our iptables config file /etc/sysconfig/iptables

-A INPUT -s 84.23.99.97 -j DROP

And when I do iptables --list I get the following

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  84.23.99.97          anywhere


Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

However, if I do a tcpdump I can still see all this traffic from this IP. Why?

tcpdump -ttttn tcp port 1234 | grep 84.23.99.97
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
2010-10-21 23:49:33.828011 IP 84.23.99.97.9061 > myip: Flags [S], seq 3522466008, win 65535, options [mss 1460,sackOK,eol], length 0
2010-10-21 23:49:33.832182 IP 84.23.99.97.64804 > myip: Flags [S], seq 1088176500, win 65535, options [mss 1460,sackOK,eol], length 0
....
erotsppa

2 Answers


tcpdump sees inbound traffic before it hits iptables. In your example above this explains why you see inbound SYNs but not SYN/ACKs from your machine.

Gerald Combs
  • What's a good way to know if the actual traffic is dropped then? – erotsppa Oct 22 '10 at 00:39
  • You can configure a `-j LOG` target that sends information about the matching (dropped) packets to the system log. Also, when you list the iptables rules with `iptables -L -v -n`, if you see non-zero counts next to your DROP rule, then you know that packets were matched (and hence DROPed) by that rule. – Steven Monday Oct 22 '10 at 00:47
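To make the counter check from the comment above concrete, here is an added example (not from the original thread) that parses a constructed `iptables -L -v -n` listing and reports which DROP rules have actually matched packets. The 198.51.100.7 address and every counter value in the sample are made up; only 84.23.99.97 comes from the question.

```python
"""Parse `iptables -L -v -n` output and report, per DROP rule, whether its
packet counter is non-zero (packets were matched and dropped) or still zero
(nothing has hit the rule, or the rule in the file was never loaded)."""
import re

# Constructed sample listing (not captured from the question's host): a LOG
# rule placed ahead of the DROP for 84.23.99.97, plus a second DROP rule for
# a made-up documentation address that nothing has ever matched.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 1234 packets, 567K bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  2520 LOG        all  --  *      *       84.23.99.97          0.0.0.0/0            LOG flags 0 level 4 prefix "IPT DROP: "
   42  2520 DROP       all  --  *      *       84.23.99.97          0.0.0.0/0
    0     0 DROP       all  --  *      *       198.51.100.7         0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 99 packets, 8000 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
_CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
# pkts bytes target prot opt in out source destination (anything after is ignored)
_RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def _to_int(count: str) -> int:
    """Expand the K/M/G suffixes iptables prints without -x (rounded, so approximate)."""
    suffix = count[-1] if count[-1] in "KMG" else ""
    return int(count.rstrip("KMG")) * _SUFFIX[suffix]


def rule_counters(listing: str, target: str = "DROP") -> list:
    """Return one dict per rule with the given target: chain, source, pkts, bytes."""
    rules, chain = [], None
    for line in listing.splitlines():
        m = _CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = _RULE_RE.match(line)
        if m and m.group(3) == target:
            rules.append({"chain": chain, "source": m.group(8),
                          "pkts": _to_int(m.group(1)), "bytes": _to_int(m.group(2))})
    return rules


def unmatched_rules(listing: str, target: str = "DROP") -> list:
    """Sources of rules whose packet counter is still zero: worth checking whether
    the rule from the config file was ever loaded into the running firewall."""
    return [r["source"] for r in rule_counters(listing, target) if r["pkts"] == 0]


if __name__ == "__main__":
    for r in rule_counters(SAMPLE_LISTING):
        print(f"{r['chain']} DROP {r['source']}: {r['pkts']} pkts, {r['bytes']} bytes")
    print("never matched:", unmatched_rules(SAMPLE_LISTING))
```

On a live host, feed it the output of `iptables -L -v -n` instead of the constructed sample; the `-n` flag matters because it keeps addresses numeric, so the source column compares directly with the IP in your rule.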

You need to save your rules. Maybe you did, but didn't mention it? If not, try this:

% sudo /sbin/service iptables save

This exports the rules currently used and starts the firewall. Regardless of what you have in /etc/sysconfig/iptables this will tell you what the firewall is actually using.

IAPaddler