Question about tcpdump and iptables

JamesJackson · 12-27-2014, 02:49 PM

Hey guys,

I have one question that i would like to understand. I would like to know if something that is blocked by iptables appears in a tcpdump -i interface.

Best Regards and thanks in advance

unSpawn · 12-27-2014, 03:32 PM

Quote:

Originally Posted by JamesJackson

I would like to know if something that is blocked by iptables appears in a tcpdump -i interface.

Yes it does. Note there are easier ways to determine that, like using an iptables "-j LOG" rule right before the one that blocks traffic.

Ser Olmy · 12-27-2014, 04:05 PM

tcpdump captures packets as they enter and exit an interface. iptables can prevent traffic from exiting a system, but cannot prevent other systems from sending packets to an interface.

In other words, iptables rules in the OUTPUT or FORWARD chains can block outbound traffic (so there will be nothing for tcpdump to capture), but cannot affect the capturing of inbound packets.

unSpawn · 12-27-2014, 06:31 PM

Thanks for clarifying.

Quote:

Originally Posted by Ser Olmy

(so there will be nothing for tcpdump to capture),

Note that in those cases "-j LOG" rules will work (and NFLOG target as well should you wish to capture those packets).

JamesJackson · 12-27-2014, 06:58 PM

So i can't block incoming packet's right? the incoming packets when they hit the iptables are processed(waste cpu)? or they only waste bandwidth?

best regards thanks in advance

Ser Olmy · 12-27-2014, 07:32 PM

Incoming packets will always use bandwidth. There's nothing you can do about that, short of blocking them at an upstream router.

To which extent blocked packets will consume CPU resources, depends on the design of your iptables ruleset. The earlier a packet hits a "DROP" rule, the less processing power is required to process that packet.