1

I use tcpdump to capture output packets for one server, but I also need to block these packets.

If I use iptables to block them, then I also cannot capture anything.

Can I block packets with iptables and still capture the packets before they are dropped?

Mark Henderson
larry

4 Answers

2

I'd use a passive (un-addressed) interface to capture, and a second interface (addressed) to block.

To set up an interface for capture, without an address, you do: ifconfig eth0 up

You may need to hack on your switch to make this all fly, but the essence is: mirror all traffic to both interfaces (i.e. switch ports), and then capture on the one, and filter on the other.

C.J. Steele
1

If I understand, you want to block the connection but capture the packets.

You can do this by using marks.

For example, if you want to block the connection for host 192.168.10.1 with connection to 192.168.10.2 (*nix), you can do it with this:

# Mark every connection arriving from 192.168.10.1 as it enters the host
iptables -t mangle -A PREROUTING -s 192.168.10.1 -j CONNMARK --set-mark 1
# Drop packets belonging to a marked connection on their way out
iptables -t mangle -A POSTROUTING -m connmark --mark 1 -j DROP
hamedsh
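A related way to keep a record of what iptables drops, added here as an example and not taken from any of the answers: put a LOG rule in front of the DROP rule, then parse the kernel log. The `IPT-DROP: ` prefix, the OUTPUT rules and the sample log lines below are constructed assumptions; the key=value layout is the one the iptables LOG target writes.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Rules assumed to have produced the sample lines (run as root on the server):
#   iptables -A OUTPUT -d 192.168.10.2 -j LOG --log-prefix "IPT-DROP: "
#   iptables -A OUTPUT -d 192.168.10.2 -j DROP
PREFIX = "IPT-DROP: "

# Constructed sample kernel log lines; the last line is unrelated noise.
SAMPLE_LOG = """\
Jan 10 12:00:01 host kernel: IPT-DROP: IN= OUT=eth0 SRC=192.168.10.1 DST=192.168.10.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:02 host kernel: IPT-DROP: IN= OUT=eth0 SRC=192.168.10.1 DST=192.168.10.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:03 host kernel: IPT-DROP: IN= OUT=eth0 SRC=192.168.10.1 DST=10.0.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4713 DF PROTO=ICMP TYPE=8 CODE=0 SEQ=1
Jan 10 12:00:04 host sshd[123]: Accepted publickey for larry from 10.0.0.9
"""

# KEY=value tokens; bare flags such as DF or SYN carry no '=' and are skipped.
KV = re.compile(r"([A-Z]+)=(\S*)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the KEY=value fields of one LOG line, or None if it is not one."""
    marker = "kernel: " + PREFIX
    idx = line.find(marker)
    if idx < 0:
        return None
    return dict(KV.findall(line[idx + len(marker):]))


def summarize(log_text: str) -> Counter:
    """Count dropped packets per (SRC, DST, PROTO, DPT) flow key."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec.get("SRC", ""), rec.get("DST", ""),
               rec.get("PROTO", ""), rec.get("DPT", ""))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (src, dst, proto, dpt), n in summarize(SAMPLE_LOG).most_common():
        print(f"{src} -> {dst} {proto}/{dpt or '-'}: {n} dropped")
```

Because LOG runs in the same chain as DROP, this records outbound packets that tcpdump on the interface never sees once they are dropped in OUTPUT or POSTROUTING.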
0

You could use a fairly simple snort ruleset to "log" packets as well as drop or refuse them: Snort. However, there are several prerequisites and it is yet another syntax to learn so there is quite an overhead. Snort :: Docs has quick-start guides for several different operating systems.

jamesbtate
0

You cannot block packets on the raw socket, because there is no filter for it currently. Above all, the raw socket gets the packet, in fact, even a copy of the packet, before the IPv4 tap and iptables do get theirs.

user61188