Bug 111207 - Iptables counters not reflecting any packets on rule
Summary: Iptables counters not reflecting any packets on rule
Alias: None
Product: Fedora
Classification: Fedora
Component: iptables   
(Show other bugs)
Version: 1
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Ben Levenson
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2003-11-30 02:52 UTC by Ted Kaczmarek
Modified: 2007-11-30 22:10 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2003-12-02 12:37:13 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Ted Kaczmarek 2003-11-30 02:52:27 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1)
Gecko/20031114 Epiphany/1.0.4

Description of problem:
Iptables counters not reflecting packets/bytes for udp on certain
parts of chain.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.Create a 14 line input chain, INPUT DROP, FORWARD and OUTPUT ACCEPT
2. Make 1st INPUT chain lo accept, 2nd inside eth accept, 3rd host src
to udp port in the high range, 4th an ip subnet all accept, 5th an ip
host all accept, three lines accept any for ptp interfaces, 7th allow
icmp any, 8th all  protocol 50, 9th allow all protocol 51, 10 allow
related established, 11 allow smtp, 12 allow ssh, 13 allow udp dns, 14
REJECT --reject-with icmp-host-prohibited, 15 anti spoof rule for
inside subnet.
3. service iptables restart

Actual Results:  The third line of the input chain never shows any
hits, yet ethereal does show packets coming in that meet the rule criteria

Expected Results:  Packets come in and counters reflect them.

Additional info:

I took the same src ip dst udp rule, and changed it to src ip to any
and get the same result. If I intiate an icmp echo from firewall to
the same ip the counters do refelct the icmp traffic with the srp ip
any rule.
Inability of firewall counters to reflect traffic should be deemed a
security problem and treated as such.

Comment 1 Ted Kaczmarek 2003-12-02 12:37:13 UTC
This problem has gone away, looking at my notes it is likely this is a
pilot error so I will close.

Note You need to log in before you can comment on or make changes to this bug.