iptables "DROP 0 packets"

driesp
Posts: 8
Joined: 2015/06/25 13:31:10

iptables "DROP 0 packets"

Post by driesp » 2020/12/05 14:35:55

Hi

I have searched for this on google, but could not find any help.

I seem to notice this issue on new CentOS 8.2 installations.
Older installations originally installed on CentOS 8.1 and upgraded to 8.2 do not seem to have this.
I think this is the case.

The command
iptables -L -n -v
normally should show the dropped packets, but the counter stays at 0 for new CentOS 8.2 installations.
If your INPUT policy is DROP, that counter should go up if it drops packets, but it does not on new installations.

Example on an originally CentOS 8.2 installation:

[root@server ~]# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)

Example on an originally CentOS 8.1 installation:

[root@server ~]# iptables -L -n -v
Chain INPUT (policy DROP 39 packets, 1748 bytes)

Am I missing a config parameter?

Kr

jlehtone
Posts: 3262
Joined: 2007/12/11 08:17:33
Location: Finland

Re: iptables "DROP 0 packets"

Post by jlehtone » 2020/12/05 15:07:03

Look at the whole ruleset with

sudo nft list ruleset

What differences are there between 8.1 and 8.2?

TrevorH
Forum Moderator
Posts: 30173
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables "DROP 0 packets"

Post by TrevorH » 2020/12/05 17:16:57

It'll only increase the DROP counter if it falls through the rules and exits without matching. If you have a catch-all rule in place as the last one then it will not increment the policy drop counter.
CentOS 6 died in November 2020 - migrate to a new version!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

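Added example (not from this thread, CentOS or the posters): a POSIX shell parser for the `iptables -L -n -v` layout quoted above. It reports each chain's policy, the policy packet counter, and the target of the chain's last rule, which makes it easy to spot the situation TrevorH describes, where a trailing catch-all DROP keeps the policy counter at 0. The input is a constructed sample, not output captured from either of the poster's machines.

```shell
#!/usr/bin/env bash
# Constructed sample in the `iptables -L -n -v` layout (not from a real host).
# INPUT ends in an unconditional DROP rule, so its policy counter never moves.
SAMPLE_OUTPUT='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   10   600 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   42  2520 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 300 packets, 25000 bytes)
 pkts bytes target     prot opt in     out     source               destination
'

# Print one line per chain: CHAIN POLICY POLICY_PKTS LAST_RULE_TARGET
# Reads files given as arguments, or stdin (e.g. `iptables -L -n -v | chain_summary`).
# LAST_RULE_TARGET is "-" when the chain has no rules; POLICY/POLICY_PKTS are "-"
# for user-defined chains, whose header reads "(N references)" instead of "(policy ...)".
chain_summary() {
  awk '
    function flush() { if (chain != "") print chain, policy, pkts, last }
    /^Chain / {
      flush()
      chain = $2; last = "-"
      if ($3 == "(policy") { policy = $4; pkts = $5 } else { policy = "-"; pkts = "-" }
      next
    }
    /^ *pkts +bytes/ { next }   # column header line
    NF >= 3 { last = $3 }       # rule line: third column is the target
    END { flush() }
  ' "$@"
}

# Heuristic: list chains whose last rule is a DROP or REJECT. A zero policy
# counter on such a chain is expected, because packets never reach the policy.
catchall_chains() {
  chain_summary "$@" | awk '$4 == "DROP" || $4 == "REJECT" { print $1 }'
}

printf '%s' "$SAMPLE_OUTPUT" | chain_summary
```

Running the script on the sample prints `INPUT DROP 0 DROP`, `FORWARD DROP 0 -` and `OUTPUT ACCEPT 300 -`; pipe real `iptables -L -n -v` output into `catchall_chains` to see which chains can legitimately show a 0 policy counter.
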
driesp
Posts: 8
Joined: 2015/06/25 13:31:10

Re: iptables "DROP 0 packets"

Post by driesp » 2020/12/05 17:28:21

Thank you for your response.

I had to install nftables for this on both machines.
I don't see any significant differences, except for some unimportant rules; both are different machines.

An example iptables ruleset I use to accept only local traffic and connections that are originated from the local machine:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT

If an external IP tries to connect, the dropped packets should increase, but it does not on an originally installed CentOS 8.2.

Kr

jlehtone
Posts: 3262
Joined: 2007/12/11 08:17:33
Location: Finland

Re: iptables "DROP 0 packets"

Post by jlehtone » 2020/12/05 22:44:49

Let's recap.
* You have installed one machine with 8.1, then updated it.
* You have installed another machine with 8.2.
* Both now have the same packages, same versions.
* You have applied the same firewall rules (in iptables syntax).
* The actual ruleset (in nftables syntax) does differ.

Assuming all those to be true, you must have created some customization in the 8.1 that remains after update with 8.2's package version.

What does the "nft list ruleset" look like? (I'm curious to see how the "iptables" wrapper interprets your iptables ruleset.)
