
I have a firewall with these simple rules:

```
iptables -A INPUT -p tcp -s 127.0.0.1/32 --dport 6000 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.16.20/32 --dport 6000 -j ACCEPT
iptables -A INPUT -p tcp --dport 6000 -j REJECT
```

Now, suppose I am using TCPDUMP like this:

```
tcpdump port 6000
```

And I have host 192.168.16.21 trying to connect to port 6000.

Will/should tcpdump output some packets coming from 192.168.16.21?

GregL
Pablo Santa Cruz

1 Answer


tcpdump uses libpcap and libpcap processes packets before they get processed by the firewall, so the answer is "yes".

Alex
  • This is only partially true. `tcpdump` will see inbound traffic before `iptables`, but will see outbound traffic only after the firewall has processed it. See https://superuser.com/q/925286/18898 – chb May 19 '17 at 10:05
  • So is there a way to drop incoming packets from a specific IP so that even tcpdump won't even see them? – 23r23f23q Feb 15 '22 at 22:25
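
A small model of the ordering described in the answer and in chb's comment, added here as an example (it is not code from any of the posters). It evaluates the question's three INPUT rules first-match-wins and records whether a `tcpdump port 6000` capture would see each packet. The names `Rule`, `verdict`, `inbound` and `outbound`, the ACCEPT chain policy and the OUTPUT rule are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    net: str     # remote address as CIDR (source on INPUT, destination on OUTPUT)
    port: int    # local TCP port the rule applies to
    target: str  # ACCEPT, REJECT or DROP

# The three INPUT rules from the question, in order (no -s means any source).
INPUT_CHAIN = [
    Rule("127.0.0.1/32", 6000, "ACCEPT"),
    Rule("192.168.16.20/32", 6000, "ACCEPT"),
    Rule("0.0.0.0/0", 6000, "REJECT"),
]
# Constructed OUTPUT rule, not from the page, used to show the egress ordering.
OUTPUT_CHAIN = [Rule("192.168.16.21/32", 6000, "DROP")]

def verdict(chain, remote, port, policy="ACCEPT"):
    """First matching rule wins; otherwise the chain policy (assumed ACCEPT)."""
    addr = ipaddress.ip_address(remote)
    for rule in chain:
        if port == rule.port and addr in ipaddress.ip_network(rule.net):
            return rule.target
    return policy

def inbound(src, dport, capture_port=6000):
    """Ingress: the capture tap sees the packet, then INPUT decides its fate."""
    captured = dport == capture_port  # models the `tcpdump port 6000` filter
    v = verdict(INPUT_CHAIN, src, dport)
    return {"captured": captured, "verdict": v, "delivered": v == "ACCEPT"}

def outbound(dst, sport, chain, capture_port=6000):
    """Egress: OUTPUT decides first; only packets that pass reach the tap."""
    v = verdict(chain, dst, sport)
    return {"captured": v == "ACCEPT" and sport == capture_port, "verdict": v}

if __name__ == "__main__":
    for src in ("127.0.0.1", "192.168.16.20", "192.168.16.21"):
        print("in ", src, inbound(src, 6000))
    print("out", outbound("192.168.16.21", 6000, OUTPUT_CHAIN))
    print("out", outbound("192.168.16.21", 6000, []))
```
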