Bug 111207 - Iptables counters not reflecting any packets on rule
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: iptables
i686 Linux
Priority: medium
Severity: medium
Assigned To: Thomas Woerner
QA Contact: Ben Levenson
Reported: 2003-11-29 21:52 EST by Ted Kaczmarek
Modified: 2007-11-30 17:10 EST (History)
Last Closed: 2003-12-02 07:37:13 EST
Description Ted Kaczmarek 2003-11-29 21:52:27 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1)
Gecko/20031114 Epiphany/1.0.4

Description of problem:
Iptables counters not reflecting packets/bytes for udp on certain
parts of chain.

Version-Release number of selected component (if applicable):
iptables-1.2.8-13

How reproducible:
Always

Steps to Reproduce:
1. Create a 14 line input chain, INPUT DROP, FORWARD and OUTPUT ACCEPT
2. Make 1st INPUT chain lo accept, 2nd inside eth accept, 3rd host src
to udp port in the high range, 4th an ip subnet all accept, 5th an ip
host all accept, three lines accept any for ptp interfaces, 7th allow
icmp any, 8th all protocol 50, 9th allow all protocol 51, 10 allow
related established, 11 allow smtp, 12 allow ssh, 13 allow udp dns, 14
REJECT --reject-with icmp-host-prohibited, 15 anti spoof rule for
inside subnet.
3. service iptables restart

Actual Results:  The third line of the input chain never shows any
hits, yet ethereal does show packets coming in that meet the rule criteria

Expected Results:  Packets come in and counters reflect them.

Additional info:

I took the same src ip dst udp rule, and changed it to src ip to any
and get the same result. If I initiate an icmp echo from firewall to
the same ip the counters do reflect the icmp traffic with the src ip
any rule.
Inability of firewall counters to reflect traffic should be deemed a
security problem and treated as such.
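One way to check, during a repro like the one above, whether a given rule is actually matching: snapshot `iptables -L INPUT -v -n -x` before and after sending the test traffic and diff the per-rule packet counters. This is an added example, not part of the report; the two listings are constructed samples and the addresses and port are placeholders.

```python
# Constructed `iptables -L INPUT -v -n -x` output captured before and after
# sending a few test UDP datagrams from 192.0.2.10 (placeholder address).
BEFORE = """\
Chain INPUT (policy DROP 3 packets, 180 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120     9600 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
      40     3200 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     udp  --  *      *       192.0.2.10           0.0.0.0/0            udp dpt:33434
       7      420 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
"""
AFTER = """\
Chain INPUT (policy DROP 3 packets, 180 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     122     9760 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
      45     3600 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     udp  --  *      *       192.0.2.10           0.0.0.0/0            udp dpt:33434
       8      480 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
"""


def parse_counters(listing):
    """Return one (pkts, bytes, rule_text) tuple per rule line, in chain order."""
    rules = []
    for line in listing.splitlines():
        fields = line.split()
        # The "Chain ..." banner and the column header do not start with two integers.
        if len(fields) < 3 or not (fields[0].isdigit() and fields[1].isdigit()):
            continue
        rules.append((int(fields[0]), int(fields[1]), " ".join(fields[2:])))
    return rules


def counter_deltas(before, after):
    """(rule number, packet delta, rule text) for each rule; numbers match --line-numbers."""
    old, new = parse_counters(before), parse_counters(after)
    if len(old) != len(new):
        raise ValueError("rule count changed between snapshots; compare like with like")
    return [(i + 1, n[0] - o[0], n[2]) for i, (o, n) in enumerate(zip(old, new))]


def unhit_rules(before, after):
    """Rules whose packet counter did not move while the test traffic was sent."""
    return [(num, text) for num, delta, text in counter_deltas(before, after) if delta == 0]


if __name__ == "__main__":
    for num, text in unhit_rules(BEFORE, AFTER):
        print(f"rule {num} saw no packets: {text}")
```

Because iptables stops at the first matching terminating rule, a counter that stays at zero while an earlier, broader rule's counter climbs (rule 2 here, the interface-wide accept) means that earlier rule is consuming the traffic before the one under test is consulted.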
Comment 1 Ted Kaczmarek 2003-12-02 07:37:13 EST
This problem has gone away, looking at my notes it is likely this is a
pilot error so I will close.