When writing an iptables save file by hand, how does one calculate the packet-counter and byte-counter values?

2

I am attempting to write a 22MB iptables rule-set file, the very kind that is generated with the iptables-save command, except endlessly long. Understandably, this takes a prohibitive amount of time. Take this miniature example.

*filter
:INPUT ACCEPT [64:4692]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [72:28512]
-A INPUT -p tcp -m tcp --sport 9000:9004 -m iprange --src-range 127.0.0.1-127.0.0.1 -j DROP
COMMIT

Following (INPUT|OUTPUT|FORWARD) ACCEPT, there appear value ranges.

:<chain-name> <chain-policy> [<packet-counter>:<byte-counter>]

These seem dependent on something already stored within iptables on the use of iptables-save, but, since loading the rules into iptables is the problem in the first place, I am unsure how to acquire these values, that I may enter them by hand (by vim, rather), into the final rule-set file.

How might one go about calculating these values? Is it possible without running another iptables command?

ca2longoria

Posted 2014-02-11T00:00:37.257

Reputation: 23

If you are trying to block large amounts of IP ranges, look into nfblock which will make your life a lot easier. – LawrenceC – 2014-02-11T02:03:37.720

Answers

1

Unless you are using the counters in one of your rules, or need the counters for some other purpose (billing etc), I would just omit them as follows:

*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --sport 9000:9004 -m iprange --src-range 127.0.0.1-127.0.0.1 -j DROP
COMMIT

It is possible to see the current counter values using the iptables --list command.

iptables -L -v -x

Note that the counters change as packets are passed down the rules chains, so as soon as you read the counters they may be changed by an incoming or outgoing packet.

Gregor

Posted 2014-02-11T00:00:37.257

Reputation: 842

So to verify, I may leave the pair of counters out, entirely? :INPUT ACCEPT :FORWARD ACCEPT ... Like that? – ca2longoria – 2014-02-11T15:55:03.387

Yes, just leave them out (updated answer). – Gregor – 2014-02-11T18:57:55.833
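As an added illustration of the accepted answer (this is example code, not something posted in the thread), the script below generates a rule-set file in the same `*table` / `:CHAIN POLICY [pkts:bytes]` / `COMMIT` shape shown above, either omitting the counter pair or writing a zeroed `[0:0]`, and then parses such a file back to check that every chain header is well formed before it is handed to `iptables-restore`. The source-port range, the chain names and the sample IP ranges are taken from the question; the function names, the `*filter`-only scope and the idea of validating the file offline are assumptions of this example. Nothing here talks to the kernel, so it can be run on any machine.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

Counters = Optional[Tuple[int, int]]

# Chain header as iptables-save writes it: ":<chain> <policy> [<packets>:<bytes>]".
# The bracketed pair is optional in a file fed to iptables-restore; "-" is the
# policy iptables-save prints for user-defined chains.
_CHAIN_RE = re.compile(r"^:(\S+) (ACCEPT|DROP|-)(?: \[(\d+):(\d+)\])?$")
_TABLE_RE = re.compile(r"^\*([a-z]+)$")


def chain_header(name: str, policy: str = "ACCEPT", counters: Counters = None) -> str:
    """Render one chain line.

    counters=None omits the pair entirely, (0, 0) writes a zeroed pair. Either is
    fine for a hand-written file: the live values exist only in the kernel and are
    restored at all only when iptables-restore is run with --counters.
    """
    if counters is None:
        return f":{name} {policy}"
    packets, nbytes = counters
    return f":{name} {policy} [{packets}:{nbytes}]"


def drop_rule(first_ip: str, last_ip: str, sport_range: str = "9000:9004") -> str:
    # Same rule shape as the question: tcp source-port range plus an iprange match.
    return (f"-A INPUT -p tcp -m tcp --sport {sport_range} "
            f"-m iprange --src-range {first_ip}-{last_ip} -j DROP")


def build_filter_table(ranges: Iterable[Tuple[str, str]], counters: Counters = None) -> str:
    """Emit a complete *filter block; one DROP rule per (first, last) range."""
    lines = ["*filter",
             chain_header("INPUT", "ACCEPT", counters),
             chain_header("FORWARD", "ACCEPT", counters),
             chain_header("OUTPUT", "ACCEPT", counters)]
    lines.extend(drop_rule(first, last) for first, last in ranges)
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def parse_save_file(text: str) -> Dict[str, object]:
    """Validate the overall shape of a save file and collect what it declares.

    Returns {"tables": {table: {chain: {"policy": ..., "counters": ...}}},
             "rules": <number of -A lines>}.
    Raises ValueError on a malformed chain header or content outside a table block.
    """
    tables: Dict[str, Dict[str, dict]] = {}
    current: Optional[str] = None
    rules = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        table_match = _TABLE_RE.match(line)
        if table_match:
            current = table_match.group(1)
            tables.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"line {lineno}: content outside a *table/COMMIT block")
        if line == "COMMIT":
            current = None
            continue
        if line.startswith(":"):
            m = _CHAIN_RE.match(line)
            if not m:
                raise ValueError(f"line {lineno}: malformed chain header {line!r}")
            name, policy, packets, nbytes = m.groups()
            counters = (int(packets), int(nbytes)) if packets is not None else None
            tables[current][name] = {"policy": policy, "counters": counters}
            continue
        if line.startswith("-A "):
            rules += 1
            continue
        raise ValueError(f"line {lineno}: unrecognised line {line!r}")
    if current is not None:
        raise ValueError(f"table {current!r} is missing its COMMIT line")
    return {"tables": tables, "rules": rules}


# Constructed sample input: the question's own miniature file, counters included.
QUESTION_SNIPPET = """*filter
:INPUT ACCEPT [64:4692]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [72:28512]
-A INPUT -p tcp -m tcp --sport 9000:9004 -m iprange --src-range 127.0.0.1-127.0.0.1 -j DROP
COMMIT
"""

if __name__ == "__main__":
    generated = build_filter_table([("127.0.0.1", "127.0.0.1")])
    print(generated)
    print(parse_save_file(generated))
    print(parse_save_file(QUESTION_SNIPPET)["tables"]["filter"]["INPUT"])
```

Writing the file this way, then running the parser over it before `iptables-restore`, catches the one thing a 22MB hand-edited file is likely to get wrong (a mangled chain header or a missing `COMMIT`) without a single call into iptables; the counters themselves are simply not something the file author needs to know.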