iptables "DROP 0 packets"

Posted: 2020/12/05 14:35:55
by driesp
Hi

I have searched for this on google, but could not find any help.

I seem to notice this issue on new CentOS 8.2 installations.
Older installations originally installed on CentOS 8.1 and upgraded to 8.2 do not seem to have this.
I think this is the case.

The command
iptables -L -n -v
normally should show the dropped packets, but the counter stays at 0 for new CentOS 8.2 installations.
If your INPUT policy is DROP, that counter should go up if it drops packets, but it does not on new installations.

Example on an originally CentOS 8.2 installation:

[root@server ~]# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
Example on an originally CentOS 8.1 installation:

[root@server ~]# iptables -L -n -v
Chain INPUT (policy DROP 39 packets, 1748 bytes)
Am I missing a config parameter?

Kr

Re: iptables "DROP 0 packets"

Posted: 2020/12/05 15:07:03
by jlehtone
Look at the whole ruleset with

sudo nft list ruleset
What differences are there between 8.1 and 8.2?

Re: iptables "DROP 0 packets"

Posted: 2020/12/05 17:16:57
by TrevorH
It'll only increase the DROP counter if it falls through the rules and exits without matching. If you have a catch-all rule in place as the last one then it will not increment the policy drop counter.

Re: iptables "DROP 0 packets"

Posted: 2020/12/05 17:28:21
by driesp
Thank you for your response.

I had to install nftables for this on both machines.
I don't see any significant differences, except for some unimportant rules; both are different machines.

An example iptables ruleset I use to accept only local traffic and connections that are originated from the local machine:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
If an external IP tries to connect, the dropped packets should increase, but it does not on an originally installed CentOS 8.2.

Kr

Re: iptables "DROP 0 packets"

Posted: 2020/12/05 22:44:49
by jlehtone
Let's recap.
* You have installed one machine with 8.1. Then updated.
* You have installed another machine with 8.2.
* Both now have the same packages, same versions.
* You have applied the same firewall rules (in iptables syntax).
* The actual ruleset (in nftables syntax) does differ.

Assuming all of those are true, you must have created some customization on the 8.1 machine that remains after the update to 8.2's package version.

What does the "nft list ruleset" look like? (I'm curious to see how the "iptables" wrapper interprets your iptables ruleset.)

Re: iptables "DROP 0 packets"

Posted: 2021/01/24 20:10:25
by driesp
Hi

The rules in iptables have no impact.
You can always reproduce this regardless of the configured iptables rules.
Even if the policy is ACCEPT, the accept counters do not increase.

An originally installed CentOS 8.1 installation shows me the dropped packets via

[root@test ~]# iptables -L -n -v
Chain INPUT (policy DROP 414K packets, 20M bytes)
If you apply the same iptables ruleset on an originally installed CentOS 8.2, the counter stays zero.

[root@test ~]# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
There could be a change in a config parameter somewhere, but I don't know where to look.

Kr
Dries

Re: iptables "DROP 0 packets"

Posted: 2021/01/24 20:20:00
by jlehtone
iptables -L is not sufficient to tell what you have. It shows only some rules.
nft list ruleset shows all rules.

Re: iptables "DROP 0 packets"

Posted: 2021/01/24 21:03:53
by driesp
I don't see any important changes between the machines with the command nft list ruleset.

I have erased the IP addresses.

Rules on an originally 8.1 machine (drop and accept counters increase):

[root@test ~]# nft list ruleset
table ip6 filter {
        chain INPUT {
                type filter hook input priority filter; policy drop;
                ct state related,established counter packets 11998004 bytes 1168369243 accept
                iifname "lo" counter packets 4 bytes 196 accept
                iifname "eth0" counter packets 20735 bytes 1492920 accept
                ip6 saddr 9999:9999::/29 counter packets 31 bytes 2480 accept
                meta l4proto ipv6-icmp counter packets 30566 bytes 2124072 accept
        }

        chain FORWARD {
                type filter hook forward priority filter; policy drop;
        }

        chain OUTPUT {
                type filter hook output priority filter; policy accept;
        }
}
table ip6 mangle {
        chain PREROUTING {
                type filter hook prerouting priority mangle; policy accept;
        }

        chain INPUT {
                type filter hook input priority mangle; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority mangle; policy accept;
        }

        chain OUTPUT {
                type route hook output priority mangle; policy accept;
        }

        chain POSTROUTING {
                type filter hook postrouting priority mangle; policy accept;
        }
}
table ip filter {
        chain INPUT {
                type filter hook input priority filter; policy drop;
                ct state related,established counter packets 355506 bytes 33482442 accept
                iifname "lo" counter packets 4 bytes 116 accept
                iifname "eth0" counter packets 10550 bytes 352455 accept
                ip saddr 999.999.999.999/22 counter packets 9 bytes 1136 accept
                ip saddr 999.999.999.999 counter packets 4 bytes 272 accept
                ip saddr 999.999.999.999 counter packets 0 bytes 0 accept
                meta l4proto tcp @nh,96,24 12174011 tcp dport 9999 counter packets 0 bytes 0 accept
                meta l4proto icmp counter packets 33525 bytes 2642697 accept
                meta l4proto udp udp dport 33400-33564 counter packets 1 bytes 188 reject
        }

        chain FORWARD {
                type filter hook forward priority filter; policy drop;
        }

        chain OUTPUT {
                type filter hook output priority filter; policy accept;
        }
}
table ip nat {
        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
        }

        chain INPUT {
                type nat hook input priority 100; policy accept;
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
        }

        chain OUTPUT {
                type nat hook output priority -100; policy accept;
        }
}
table ip mangle {
        chain PREROUTING {
                type filter hook prerouting priority mangle; policy accept;
        }

        chain INPUT {
                type filter hook input priority mangle; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority mangle; policy accept;
        }

        chain OUTPUT {
                type route hook output priority mangle; policy accept;
        }

        chain POSTROUTING {
                type filter hook postrouting priority mangle; policy accept;
        }
}
And on an 8.2 machine (drop and accept counters do not increase):

table ip filter {
        chain INPUT {
                type filter hook input priority filter; policy drop;
                ct state related,established counter packets 3560828 bytes 742940952 accept
                iifname "lo" counter packets 1035 bytes 30015 accept
                ip saddr 999.999.999.999/22 counter packets 110134 bytes 9410509 accept
                meta l4proto udp udp dport 999 counter packets 26934682 bytes 2013155975 accept
                meta l4proto tcp tcp dport 999 counter packets 176379 bytes 10270315 accept
                meta l4proto icmp counter packets 1032959 bytes 37935166 accept
        }

        chain FORWARD {
                type filter hook forward priority filter; policy drop;
        }

        chain OUTPUT {
                type filter hook output priority filter; policy accept;
        }
}
table ip nat {
        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
        }

        chain INPUT {
                type nat hook input priority 100; policy accept;
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
        }

        chain OUTPUT {
                type nat hook output priority -100; policy accept;
        }
}
table ip mangle {
        chain PREROUTING {
                type filter hook prerouting priority mangle; policy accept;
        }

        chain INPUT {
                type filter hook input priority mangle; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority mangle; policy accept;
        }

        chain OUTPUT {
                type route hook output priority mangle; policy accept;
        }

        chain POSTROUTING {
                type filter hook postrouting priority mangle; policy accept;
        }
}
table ip6 filter {
        chain INPUT {
                type filter hook input priority filter; policy drop;
                ct state related,established counter packets 1534923 bytes 301369617 accept
                iifname "lo" counter packets 1034 bytes 50666 accept
                ip6 saddr 9999:9999::/29 counter packets 205002 bytes 21876661 accept
                meta l4proto udp udp dport 53 counter packets 10872887 bytes 1047095089 accept
                meta l4proto tcp tcp dport 53 counter packets 90967 bytes 6769164 accept
                meta l4proto ipv6-icmp counter packets 353929 bytes 24573790 accept
        }

        chain FORWARD {
                type filter hook forward priority filter; policy drop;
        }

        chain OUTPUT {
                type filter hook output priority filter; policy accept;
        }
}
table ip6 mangle {
        chain PREROUTING {
                type filter hook prerouting priority mangle; policy accept;
        }

        chain INPUT {
                type filter hook input priority mangle; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority mangle; policy accept;
        }

        chain OUTPUT {
                type route hook output priority mangle; policy accept;
        }

        chain POSTROUTING {
                type filter hook postrouting priority mangle; policy accept;
        }
}
Kr
Dries

Re: iptables "DROP 0 packets"

Posted: 2021/01/25 12:23:41
by jlehtone
That is baffling. Both have "type filter hook input" chain for IPv4 only in "table ip filter".
That is the chain "INPUT" that the "iptables -L" does show.

On a machine that runs firewalld, that table and chain exist, but are empty:

table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
	}

The system was installed with 8.0 and does currently have 8.3 (as every up to date system should).
Counters do show:

$ sudo iptables -L -v
Chain INPUT (policy ACCEPT 6366 packets, 2119K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 3467 packets, 888K bytes)
 pkts bytes target     prot opt in     out     source               destination    

I wonder where that statistic comes from? Not from netfilter; counters are optional there.

Debian's iptables-1.8.2 has had a bug of not counting:
https://serverfault.com/questions/98729 ... ult-policy

Re: iptables "DROP 0 packets"

Posted: 2021/01/26 11:43:33
by driesp
Thank you for the nudge in the right direction.

I have added these rules in the beginning of my iptables script
iptables -Z
iptables -t nat -Z
iptables -t mangle -Z
ip6tables -Z
ip6tables -t mangle -Z

These commands zero out the counters.
The counters do work now.

Kr
Dries
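As an added example (not code from the thread or from the CentOS project), here is a small Python parser for `iptables -L -n -v` output of the kind quoted above; it applies TrevorH's point that a catch-all last rule absorbs packets that would otherwise hit the chain policy, and otherwise points at the counter reset (iptables -Z) that fixed Dries's case. The sample output, the 192.168.0.0/16 rule and the rule-level DROP are constructed for the example.

```python
import re
from collections import namedtuple

# Constructed sample of `iptables -L -n -v` output modelled on the thread's ruleset, plus a rule-level DROP.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3560  742K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 1035 30015 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  110  9410 ACCEPT     all  --  *      *       192.168.0.0/16       0.0.0.0/0
   57  3420 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)")
UNITS = {"K": 10**3, "M": 10**6, "G": 10**9}
Rule = namedtuple("Rule", "pkts target prot inif outif src dst extra")

def parse_count(s):  # `-v` abbreviates large counters (414K, 20M); expand them
    return int(float(s[:-1]) * UNITS[s[-1]]) if s[-1] in UNITS else int(s)

def parse_iptables(text):  # chain name -> {policy, policy packet counter, rules}
    chains, cur = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        # rule columns: pkts bytes target prot opt in out source destination [extra]
        if m:
            chains[m[1]] = cur = {"policy": m[2], "pkts": parse_count(m[3]), "rules": []}
        elif cur and len(p := line.split(None, 9)) >= 9 and p[0][0].isdigit():
            cur["rules"].append(Rule(parse_count(p[0]), p[2], p[3], p[5], p[6],
                                     p[7], p[8], p[9] if len(p) > 9 else ""))
    return chains

def is_catch_all(r):  # no match criteria: every packet that reaches it ends here
    return (r.prot == "all" and r.inif == r.outif == "*" and not r.extra
            and r.src in ("0.0.0.0/0", "::/0") and r.dst in ("0.0.0.0/0", "::/0"))

def diagnose(chains):  # why is a DROP-policy chain's policy counter zero?
    out = {}
    for name, c in chains.items():
        if c["policy"] != "DROP" or c["pkts"] != 0:
            continue
        last = c["rules"][-1] if c["rules"] else None
        if last and is_catch_all(last):
            out[name] = f"catch-all {last.target} rule absorbed {last.pkts} packets"
        elif any(r.pkts for r in c["rules"]):
            out[name] = "rules count but policy does not; zero counters (iptables -Z) and recheck"
        else:
            out[name] = "no packets reached this chain"
    return out
```

Feed it the real output with `parse_iptables(subprocess.check_output(["iptables", "-L", "-n", "-v"], text=True))` on a host; the nft-quoted rulesets in the thread would need a separate parser for the `counter packets N bytes M` syntax.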