Will tcpdump see packets that are being dropped by iptables?

Question

I have a firewall with these simple rules:

iptables -A INPUT -p tcp -s 127.0.0.1/32 --dport 6000 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.16.20/32 --dport 6000 -j ACCEPT
iptables -A INPUT -p tcp --dport 6000 -j REJECT

Now, suppose I am using TCPDUMP like this:

tcpdump port 6000

And I have host 192.168.16.21 trying to connect to port 6000.

Will/should tcpdump output some packets coming from 192.168.16.21?

score 34 · Accepted Answer · answered Feb 09 '11 at 14:54

34

tcpdump uses libpcap and libpcap processes packets before they get processed by the firewall, so the answer is "yes".

answered Feb 09 '11 at 14:54

Alex

7,789
4
36
51

28

This is only partially true. `tcpdump` will see inbound traffic before `iptables`, but will see outbound traffic only after the firewall has processed it. See https://superuser.com/q/925286/18898 – chb May 19 '17 at 10:05
so is there away to drop incoming packets from a specific IP so that even tcpdump won't even see them? – 23r23f23q Feb 15 '22 at 22:25

Will tcpdump see packets that are being dropped by iptables?

1 Answers1

Linked

Related