LinuxQuestions.org


fmillion 05-19-2011 08:19 AM

iptables resets counter when rules are added
 
Hello,

Whenever I add a rule to iptables, all of the policy counters reset. The counters for each individual rule remain intact; however, the main counter resets.

Here's what I mean:

Code:

[root] ~ # iptables -vL
Chain INPUT (policy ACCEPT 65M packets, 83G bytes)
 pkts bytes target    prot opt in    out    source              destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination

Chain OUTPUT (policy ACCEPT 50M packets, 30G bytes)
 pkts bytes target    prot opt in    out    source              destination

[root] ~ # iptables -A INPUT -s 192.168.1.2 -j DROP
[root] ~ # iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination
    0    0 DROP      all  --  any    any    192.168.1.2          anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination

As you can see, when I added the rule, the counters under "policy" reset to 0. If I were to add another rule, the counters for the 192.168.1.2 rule would remain intact, but the counters for the policy would again be reset.

Code:

[root] ~ # iptables -vL
Chain INPUT (policy ACCEPT 12M packets, 14G bytes)
 pkts bytes target    prot opt in    out    source              destination
  44  9210 DROP      all  --  any    any    192.168.1.2          anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination

Chain OUTPUT (policy ACCEPT 8756K packets, 10G bytes)
 pkts bytes target    prot opt in    out    source              destination

[root] ~ # iptables -A INPUT -s 192.168.1.3 -j DROP
[root] ~ # iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination
  44  9210 DROP      all  --  any    any    192.168.1.2          anywhere
    0    0 DROP      all  --  any    any    192.168.1.3          anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination

Is this expected behavior? Can it be fixed?

Code:

[root] ~ # iptables -V
iptables v1.4.10
[root] ~ # uname -a
Linux nas 2.6.36 #2 SMP Wed Nov 24 02:36:43 CET 2010 i686 i686 i386 GNU/Linux

Thank you!

-FM
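
The reset shown in the listings above can be detected mechanically by diffing the policy counter lines between two `iptables -vL` runs. The script below is an added example, not code from the thread; it assumes POSIX sh and awk, and its two snapshots are constructed from the output quoted in this post.

```shell
#!/bin/sh
# Added example, not from the thread: parse the "Chain ... (policy ...)" lines of
# `iptables -vL` output and flag chains whose policy counter went backwards between
# two snapshots, i.e. the reset the original poster saw after adding a rule.
# Assumes POSIX sh and awk; the sample listings below are constructed from the post.

# stdin: `iptables -vL` output.  stdout: "CHAIN pkts bytes" for each built-in chain,
# with iptables' K/M/G abbreviations (factors of 1000) expanded to integers.
# User-defined chains ("Chain X (N references)") carry no policy and are skipped.
policy_counters() {
    awk '
    function expand(v,   n, s) {
        s = substr(v, length(v), 1)
        n = substr(v, 1, length(v) - 1) + 0
        if (s == "K") return n * 1000
        if (s == "M") return n * 1000000
        if (s == "G") return n * 1000000000
        return v + 0
    }
    $1 == "Chain" && $3 == "(policy" { printf "%s %.0f %.0f\n", $2, expand($5), expand($7) }'
}

# Args: two files holding an earlier and a later `iptables -vL` listing.
# Prints "CHAIN before after" for every chain whose policy packet count dropped.
counter_resets() {
    { policy_counters < "$1"; echo "--"; policy_counters < "$2"; } | awk '
        $1 == "--"                              { later = 1; next }
        !later                                  { before[$1] = $2 + 0; next }
        ($1 in before) && ($2 + 0) < before[$1] { print $1, before[$1], $2 + 0 }'
}

# Constructed snapshots reproducing the first post: before and after `-A INPUT ... -j DROP`.
SNAP_BEFORE=$(mktemp); SNAP_AFTER=$(mktemp)
trap 'rm -f "$SNAP_BEFORE" "$SNAP_AFTER"' EXIT
cat > "$SNAP_BEFORE" <<'EOF'
Chain INPUT (policy ACCEPT 65M packets, 83G bytes)
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
Chain OUTPUT (policy ACCEPT 50M packets, 30G bytes)
EOF
cat > "$SNAP_AFTER" <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    0    0 DROP      all  --  any    any    192.168.1.2          anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
EOF

counter_resets "$SNAP_BEFORE" "$SNAP_AFTER"   # INPUT 65000000 0 / OUTPUT 50000000 0
```

On a live host, feed it two saved `iptables -vL` runs taken around a rule change; `iptables-save -c` gives exact counts without the K/M/G rounding if precision matters.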

andrewthomas 05-19-2011 11:14 AM

I use counters and have never had this problem.

What you could try is to use insert instead of add.

Code:

iptables -I INPUT 1 -s 192.168.1.2 -j DROP

fmillion 05-19-2011 11:51 AM

It appears to occur on insert as well. Anytime the rule chain is modified, in short, it seems to occur.

It's worth noting that adding rules to user-created chains doesn't affect the main chains. I could of course deal with this by using a kluge:

Code:

iptables -N INPUT2
iptables -A INPUT -j INPUT2

and working on INPUT2. But that's obviously a silly workaround...

It may be worth noting that this is an LFS system, and I compiled all components from scratch. I was going to check the Netfilter pages to see if this is referenced anywhere, but I believe I did that once before and came up empty-handed...

Further advice, anyone?

