Red Hat Bugzilla – Bug 111207
Iptables counters not reflecting any packets on rule
Last modified: 2007-11-30 17:10:34 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1)
Description of problem:
Iptables counters not reflecting packets/bytes for udp on certain
parts of chain.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1.Create a 14 line input chain, INPUT DROP, FORWARD and OUTPUT ACCEPT
2. Make 1st INPUT chain lo accept, 2nd inside eth accept, 3rd host src
to udp port in the high range, 4th an ip subnet all accept, 5th an ip
host all accept, three lines accept any for ptp interfaces, 7th allow
icmp any, 8th all protocol 50, 9th allow all protocol 51, 10 allow
related established, 11 allow smtp, 12 allow ssh, 13 allow udp dns, 14
REJECT --reject-with icmp-host-prohibited, 15 anti spoof rule for
3. service iptables restart
Actual Results: The third line of the input chain never shows any
hits, yet ethereal does show packets coming in that meet the rule criteria
Expected Results: Packets come in and counters reflect them.
I took the same src ip dst udp rule, and changed it to src ip to any
and get the same result. If I intiate an icmp echo from firewall to
the same ip the counters do refelct the icmp traffic with the srp ip
Inability of firewall counters to reflect traffic should be deemed a
security problem and treated as such.
This problem has gone away, looking at my notes it is likely this is a
pilot error so I will close.